 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 |
How to fix new discovered flaws in Reviews module |
 |
 Posted: Tue Jun 08, 2004 2:01 pm |
 |
|
| waraxe |
| Site admin |
 |
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
 |
|
 |
|
Here is the original advisory:
http://bichosoft.webcindario.com/advisory-05.txt
http://groups.google.com/groups?selm=ca3hg2%24216i%241%40FreeBSD.csie.NCTU.edu.tw&output=gplain
There are 2 problems in Reviews module index.php , one of them leading to full path disclosure (in Windows servers only) and secons has XSS capabilities. Here is the fix:
Fist, open index.php fom "/modules/reviews" and locate this code fragment (~line 524):
| Code: |
function showcontent($id, $page) {
global $admin, $uimages, $prefix, $db, $module_name;
$id = intval($id);
$page = intval($page);
include ('header.php');
OpenTable();
if (($page == 1) OR ($page == "")) {
$db->sql_query("UPDATE ".$prefix."_reviews SET hits=hits+1 WHERE id='$id'");
}
$result = $db->sql_query("SELECT * FROM ".$prefix."_reviews WHERE id='$id'");
$myrow = $db->sql_fetchrow($result);
$id = intval($myrow['id']);
$date = $myrow['date'];
|
Now add additional sanitize code, so final result will be as:
| Code: |
function showcontent($id, $page) {
global $admin, $uimages, $prefix, $db, $module_name;
$id = intval($id);
$page = intval($page);
include ('header.php');
OpenTable();
if (($page == 1) OR ($page == "")) {
$db->sql_query("UPDATE ".$prefix."_reviews SET hits=hits+1 WHERE id='$id'");
}
$result = $db->sql_query("SELECT * FROM ".$prefix."_reviews WHERE id='$id'");
$myrow = $db->sql_fetchrow($result);
$id = intval($myrow['id']);
//-- Fix by waraxe http://www.waraxe.us --------
if(empty($id)) die('Wrong ID!');
//------------------------------------------------------
$date = $myrow['date'];
|
Next we will patch the xss hole. So find this code fragment from "/modules/Revies/index.php" (~line 418):
| Code: |
function postcomment($id, $title) {
global $user, $cookie, $AllowableHTML, $anonymous, $module_name;
include("header.php");
cookiedecode($user);
OpenTable();
|
And add additional security code, so finally you will have:
| Code: |
function postcomment($id, $title) {
global $user, $cookie, $AllowableHTML, $anonymous, $module_name;
include("header.php");
cookiedecode($user);
//-- xss prevention by waraxe, refference: http://www.waraxe.us/? modname=sa&id=002
$title = htmlentities(urldecode($title));
//--------------------------------------------------------------------------
if(empty($id)||!(is_numeric($id)))
{
die('Wrong ID!');
}
else
{
$id = intval($id);
}
OpenTable();
|
Congratulations, you have now one step closer to flawless nuke  |
|
|
|
|
|
|
|
|
| Posted: Wed Jun 09, 2004 1:42 pm |
|
|
| SteX |
| Advanced user |
 |
|
| Joined: May 18, 2004 |
| Posts: 181 |
| Location: Serbia |
|
|
|
|
|
|
2 many steps to flawless nuke  |
|
_________________
We would change the world, but God won't give us the sourcecode...
....Watch the master. Follow the master. Be the master....
------------------------------------------------------- |
|
|
|
| Posted: Thu Jun 10, 2004 4:45 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
More bugfixes in Reviews module will be published soon, stay tuned!  |
|
|
|
|
www.waraxe.us Forum Index -> How to fix
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 207
Members: 0
Total: 207
