Re: Vulnerability Summary CVE-2008-3296

Incidentally, there are a few other places where $_POST['fct'] & $_GET['fct'] are used in the core; we should look into those areas too.

Live as if you were to die tomorrow, Learn as if you were to live forever

The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!


Re: Vulnerability Summary CVE-2008-3296

wtravel - that looks rather good to me as well.



Re: Vulnerability Summary CVE-2008-3296

Vaughan's solution will work. Another solution to prevent this problem is to validate the user input in $_POST['fct'] to see if the requested directory even exists. In order to do this, a few lines should be added, as well as a new constant in the language file(s):

File: modules/system/admin.php

Add after the line: include_once XOOPS_ROOT_PATH.'/class/xoopsmodule.php'; (line 56?)

// Check if function call does exist (security)
// $fct must be the name of one of the sub-directories of modules/system/admin;
// anything else is rejected before it is used.
require_once XOOPS_ROOT_PATH."/class/xoopslists.php";
$admin_dir = XOOPS_ROOT_PATH.'/modules/system/admin';
$dirlist = XoopsLists::getDirListAsArray($admin_dir);
if ($fct && !in_array($fct, $dirlist)) {
    redirect_header(XOOPS_URL.'/', 3, _INVALID_ADMIN_FUNCTION);
    exit();
}


Remove the following lines below the line: $class = 'even'; (they are now done earlier in the file):

require_once XOOPS_ROOT_PATH."/class/xoopslists.php";
$admin_dir = XOOPS_ROOT_PATH.'/modules/system/admin';
$dirlist = XoopsLists::getDirListAsArray($admin_dir);


Constant _INVALID_ADMIN_FUNCTION needs to be defined in the language file.

Best regards,

wtravel
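The allow-list check wtravel describes above, written out as a stand-alone PHP script so it can be run outside of a XOOPS or ImpressCMS install. This is an added example, not code from the thread or from either project: XoopsLists::getDirListAsArray() is replaced by a plain scandir()-based listing (assumed to behave the same way, i.e. return the names of the immediate sub-directories only), the admin directory is a throw-away temp directory with made-up sub-directory names, and the test inputs are constructed. It assumes PHP 7.1 or later for the nullable type hints.

```php
<?php
// Added example, not XOOPS/ImpressCMS code: the "does the requested admin
// directory actually exist" check from the thread, runnable on its own.

/**
 * Stand-in for XoopsLists::getDirListAsArray(): names of the immediate
 * sub-directories of $dir. Assumption: the real helper returns the same list.
 */
function adminDirList(string $dir): array
{
    $out = array();
    foreach (scandir($dir) as $entry) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        if (is_dir($dir . DIRECTORY_SEPARATOR . $entry)) {
            $out[] = $entry;
        }
    }
    return $out;
}

/**
 * Allow-list validation of the fct parameter: returns the name if it is
 * exactly one of the admin sub-directories, null otherwise. Anything that is
 * not a literal directory name (path separators, "..", a file name, an empty
 * string, a different letter case) fails the exact match, so there is no list
 * of "bad" characters to keep complete.
 */
function validateFct(?string $fct, string $adminDir): ?string
{
    if ($fct === null) {
        return null;
    }
    $fct = trim($fct);
    if ($fct === '') {
        return null;
    }
    // Strict comparison so that loose string/number coercion cannot match.
    return in_array($fct, adminDirList($adminDir), true) ? $fct : null;
}

// --- demo with a constructed admin directory -------------------------------
$adminDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fct_demo_' . getmypid();
$fakeDirs = array('users', 'modulesadmin', 'preferences');   // made-up names
foreach ($fakeDirs as $name) {
    mkdir($adminDir . DIRECTORY_SEPARATOR . $name, 0700, true);
}
// A plain file next to the directories must not be accepted as an fct value.
file_put_contents($adminDir . DIRECTORY_SEPARATOR . 'menu.php', "<?php\n");

$inputs = array(                  // constructed test inputs
    'users',                      // legitimate sub-directory
    '  users  ',                  // legitimate after trim()
    'menu.php',                   // a file, not a directory
    '../../config.php',           // made-up traversal attempt
    'users/../../config.php',     // traversal hidden behind a valid name
    'Users',                      // letter case differs from the listing
    '',                           // empty
);
foreach ($inputs as $in) {
    $ok = validateFct($in, $adminDir);
    printf("%-30s -> %s\n", var_export($in, true),
           $ok === null ? 'REJECTED' : 'ACCEPTED as ' . $ok);
}

// Clean up the throw-away directory.
unlink($adminDir . DIRECTORY_SEPARATOR . 'menu.php');
foreach ($fakeDirs as $name) {
    rmdir($adminDir . DIRECTORY_SEPARATOR . $name);
}
rmdir($adminDir);
```

Only 'users' and '  users  ' are accepted; every other input is rejected without the code having to know what made it bad. Because the comparison is against names read from the filesystem, the check also keeps working when sub-directories are added or removed, which is the property that makes the allow-list preferable to stripping individual characters.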



Re: Vulnerability Summary CVE-2008-3296

  • 2008/7/26 3:35:22
  • Tom

Quote:

Does impress have a security list that users can subscribe to?



I'm not aware of one for users. We do have internal mailing lists for getting things like this out to developers, which enables us to act quicker.

It would perhaps be a good idea for one to be made. I suppose the question would be: what's the general thought about this from other members of the community?



Re: Vulnerability Summary CVE-2008-3296

  • 2008/7/26 3:29:13
  • Tom

News posted on ImpressCMS.

Quote:

Good idea Tom. Also the people here need to know of the patch as well.

http://www.securityfocus.com/bid/30330/info



I've E-mailed them with the fix.



Re: Vulnerability Summary CVE-2008-3296

Does impress have a security list that users can subscribe to?

I am subscribed to the Drupal security list and the site emails me if there are issues. In fact I get a lot of emails from Drupal about security issues, although this is the main reason I don't use Drupal any more. Too many patches... Seemed like two or three times a week I had to update my Drupal sites. Err...

Thank god for impress!



Re: Vulnerability Summary CVE-2008-3296

Yes, that's correct, as is_admin is checked before the script continues.

But nonetheless, it's a potential problem.

Live as if you were to die tomorrow, Learn as if you were to live forever

The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!


Re: Vulnerability Summary CVE-2008-3296

Trabis has posted over on xoops that only a webmaster could pull off this hack.

Xoops post dealing with this issue.



Re: Vulnerability Summary CVE-2008-3296

Corrected a bug in my above post: I missed a closing bracket off both the preg_replace functions.

Live as if you were to die tomorrow, Learn as if you were to live forever

The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!


Re: Vulnerability Summary CVE-2008-3296

Good idea Tom. Also the people here need to know of the patch as well.

http://www.securityfocus.com/bid/30330/info



Re: Vulnerability Summary CVE-2008-3296

  • 2008/7/26 3:04:11
  • Tom

Is anyone dealing with packaging a new version for 1.0?

Perhaps we should make this news also.



Re: Vulnerability Summary CVE-2008-3296

Thank you sir... That was fast! Thanks sato-san for bringing this to the community's attention!



Re: Vulnerability Summary CVE-2008-3296

It should do, yes.

Live as if you were to die tomorrow, Learn as if you were to live forever

The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!


Re: Vulnerability Summary CVE-2008-3296

Man thank you for that patch. Will this patch work for 2.0.18 as well Vaughan?



Re: Vulnerability Summary CVE-2008-3296

Hmmm, and yep, I think icms is vulnerable also from the looks of it.

We can protect from this, though.

Open modules/system/admin.php

Find near the beginning of the file:

if (isset($_POST['fct'])) {
    $fct = trim($_POST['fct']);
}
if (isset($_GET['fct'])) {
    $fct = trim($_GET['fct']);
}


Replace with:

// Strip shell metacharacters from the requested function name.
// ^, [ and ] are escaped so they are matched literally (unescaped, ^ is an
// anchor and [|] is a character class, so those characters were not removed).
$fct_pattern = '/(;|\||`|>|<|&|\^|"|'."\n|\r|'".'|{|}|\[|\]|\)|\()/i';
if (isset($_POST['fct'])) {
    $fct = preg_replace($fct_pattern, '', trim($_POST['fct']));
    // Escape any $ and wrap the value in quotes so it is passed as one argument.
    $fct = '"'.preg_replace('/\$/', '\\\$', $fct).'"';
}
if (isset($_GET['fct'])) {
    $fct = preg_replace($fct_pattern, '', trim($_GET['fct']));
    $fct = '"'.preg_replace('/\$/', '\\\$', $fct).'"';
}


The 1st part of the above will remove all special commands & prevent piping etc.

The 2nd part will make sure it is only passed as 1 argument.

Live as if you were to die tomorrow, Learn as if you were to live forever

The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!


???

Thanks for the link... This looks like a big problem??? No?

Maybe this should be removed, to help prevent attacks on people's sites?





Re: Can a MySQL query corrupt a table?

Oh, yes, phpMyAdmin...

My customer got hosting from another company. They gave a user & pass, then changed them, and I don't have them. I have requested them from the customer and am waiting for a response. No phpMyAdmin, no FTP service, no nothing. I can't even install phpMyAdmin by myself.

The plan is: back up the whole database, then back up the damaged table, then attempt an automatic repair.

If you can't understand what I'm saying, you're not geek enough
ISegura.es


Re: Can a MySQL query corrupt a table?

I don't know if a query can have that effect.

Have you tried the relevant phpmyadmin functions to examine the tables? (check, repair, analyze, optimize)

Something else to check is that the MySQL data files that contain the tables have the right permissions and owner. I've had odd errors when those attributes got messed up when copying the files from one computer to another.



Can a MySQL query corrupt a table?

Yep, that's the question.

I don't mean "drop" a table, or "remove data" from a table or anything like that. I mean error 1016: can't open file.

Sounds like a hardware failure, but is it possible to make this happen via software? I'm sure it's a hardware failure, but I'll have to demonstrate it to a customer of mine.



