The AnimeFanlistings Network Message Board



Messages - Jonathan

Fanlistings Chit-Chat / CodeGrrl PHP scripts vulnerability
« on: November 16, 2005, 12:48:51 PM »
Yes that fix will work.

Fanlistings Chit-Chat / CodeGrrl PHP scripts vulnerability
« on: November 15, 2005, 12:50:22 PM »
(whee, 3 in a row)

Just to be clear, I want to state that in an effort to remain impartial to popular management systems, I am not naming alternatives, nor am I badmouthing CodeGrrl's scripts. I am just alerting potential users of those scripts of vulnerabilities that have been found and documented.

Fanlistings Chit-Chat / CodeGrrl PHP scripts vulnerability
« on: November 15, 2005, 12:44:58 PM »
[quote name='Mura' date='Nov 14 2005, 05:54 PM']I know other CodeGrrl scripts, as they are now, assume register_globals is turned on, so it's likely that these will break when it's turned off. If so, they can probably be fixed by adding this somewhere:
Code:
extract($_GET, EXTR_SKIP);
extract($_POST, EXTR_SKIP);
I'm told that doesn't compromise security, but Johan can probably say whether or not it really does better than I can. ^^
[/quote]
According to the PHP online manual, extract breaks an array into individual variables. The "EXTR_SKIP" flag prevents PHP from clobbering existing variables with the extracted data:
Quote
Do not use extract() on untrusted data, like user-input ($_GET, ...). If you do, for example, if you want to run old code that relies on register_globals temporarily, make sure you use one of the non-overwriting extract_type values such as EXTR_SKIP and be aware that you should extract in the same order that's defined in variables_order within the php.ini.

Basically what it's saying is when you use it on $_GET and $_POST, ALWAYS add the EXTR_SKIP flag to make sure the get and post data doesn't overwrite your existing variables. Of course not using "register_globals" is encouraged by the PHP folks, but this appears to be a decent fix.

Fanlistings Chit-Chat / CodeGrrl PHP scripts vulnerability
« on: November 15, 2005, 12:38:04 PM »
[quote name='Firefly' date='Nov 14 2005, 05:51 PM']Thanks for opening up the thread.

I have a question on this issue.  I don't use Fanbase, but my two hostees do.  Now, the issue is with the part of the protection.php?

Code:
// This is the page to show when the user has been logged out
$logout_page = "$siteurl";
[/quote]
Yes, that is the problem code there.

Fanlistings Chit-Chat / CodeGrrl PHP scripts vulnerability
« on: November 14, 2005, 08:25:10 PM »
*bump*
important changes to post.

Fanlistings Chit-Chat / CodeGrrl PHP scripts vulnerability
« on: November 14, 2005, 03:41:45 PM »
An error in several CodeGrrl PHP scripts has been found that can potentially let a malicious web user read any file on your website, upload their own files, or otherwise cause mischief and mayhem. The vulnerable scripts are:

PHPCurrently version 2.0 and prior
PHPQuotes version 1.0 and prior
PHPCalendar version 1.0 and prior
PHPClique version 1.0 and prior
PHPFanBase version 2.1 and prior

Quote
Input passed to the "siteurl" parameter in "protection.php" isn't properly verified, before it is used to include files. This can be exploited to include arbitrary files from external and local resources.

REMEDIES:

If you have the ability to edit the php.ini file (PHP configuration file) on your webserver, set the "register_globals" variable to "off".*

If you do not have the ability to edit the configuration file, consider using an alternate script system until a new version is provided that fixes the vulnerability.

OR, if you are an uber PHP guru, you can edit protection.php yourself to make sure the siteurl variable has not been tainted.

References:
http://secunia.com/advisories/17542/
http://www.frsirt.com/english/advisories/2005/2402


*NOTE: I do not know if setting "register_globals" to "off" will break any of the scripts.

EDIT: That will teach me to multi-task while trying to process someone else's code. I incorrectly diagnosed the problem from the security advisories above. Text of post changed to reflect actual threat. Thread opened for discussion and sharing of suggestions of how to ensure the siteurl variable is not tainted.
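The remedy described above (initialising siteurl before any request data is extracted, and never building an include path from it) as an added example; this is not CodeGrrl's code nor code from this thread, and the file names, allow-list and placeholder URL are assumptions. Note that EXTR_SKIP only preserves variables that already exist, so the literal assignment must come before the extract() calls.

```php
<?php
// Added example of a hardened protection.php fragment (hypothetical, not CodeGrrl's code).

// 1. Assign the site URL as a literal BEFORE any request data can reach it.
//    With register_globals on, a request could otherwise pre-populate $siteurl;
//    this assignment overwrites any such value.
$siteurl = 'http://www.example.com/fanlisting/';   // constructed placeholder value

// 2. If legacy code still needs register_globals-style variables, extract AFTER the
//    literal above. EXTR_SKIP keeps an existing $siteurl but would happily create an
//    uninitialised one from the request, so ordering matters.
extract($_GET, EXTR_SKIP);
extract($_POST, EXTR_SKIP);

// 3. Never include from $siteurl or any other request-influenced variable. Map a
//    short page name to a fixed local file and confirm it stays inside this directory.
function safe_include($page)
{
    $allowed = array(            // assumed allow-list of local pages
        'login'  => 'login.php',
        'logout' => 'logout.php',
    );
    if (!isset($allowed[$page])) {
        return false;            // unknown page name: refuse to include anything
    }
    $base = dirname(__FILE__);
    $path = realpath($base . '/' . $allowed[$page]);
    if ($path === false || strpos($path, $base) !== 0) {
        return false;            // file missing or resolved outside this directory
    }
    require $path;
    return true;
}

// 4. $logout_page is a redirect target, not an include target. Only redirect to a
//    URL under the known-good site URL; otherwise fall back to $siteurl itself.
function logout_redirect($siteurl, $logout_page)
{
    if (strpos($logout_page, $siteurl) !== 0) {
        $logout_page = $siteurl;
    }
    header('Location: ' . $logout_page);
    exit;
}
```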

News and Announcements / Senior Staff Changes
« on: October 24, 2005, 12:24:11 PM »
(in his best Guns N' Roses voice)
"Welcome to the Jungle!!!"
