
View Full Version : Bookmark4U and Active PHP Bookmarks Vulnerabilities



07/01/03, 03:59
Program: Bookmark4U V.1.8.3
website: http://bookmark4u.sourceforge.net/
Vendor status: Informed (30 days ago)
Problem: Source injection

Files affected:
inc/dbase.php
inc/config.php
inc/common.load.php (?)

Proof of concept:
dbase.php?prefix=http://...


Solution:
The security of the inc/ directory is based on Apache authentication.
file: inc/.htaccess (deny from all)
Some default configurations (Debian woody, for example) have this
authentication disabled, so the files can be accessed.

Edit your httpd.conf and change the AllowOverride option from None
to AuthConfig. Restart Apache.

Note: INSTALL.txt doesn't say anything about it.




----------------------------------------------------------------------


Program: Active PHP Bookmarks (APB) V1.1.01
website: http://www.lbstone.com/apb/
Vendor status: Informed (30 days ago)
Problem: 1) Source injection
2) Bookmarks and groups can be added without user registration


1) Source injection

Files affected:

File:Line:Code
templates/head.php:14:include($APB_SETTINGS['template_path'] . "head_design.php");
apb_common.php:41:include_once($APB_SETTINGS['apb_path'].'apb_bookmark_class.php');
apb_common.php:42:include_once($APB_SETTINGS['apb_path'].'apb_group_class.php');
apb_common.php:43:include_once($APB_SETTINGS['apb_path'].'apb_view_class.php');
apb_common.php:506:include($APB_SETTINGS['template_path'] . 'head.php');
apb_common.php:520:include($APB_SETTINGS['template_path'] . 'foot.php');
apb_view_class.php:48:include($APB_SETTINGS['template_path'] . $this->outer_file);


Proof of concept:
head.php?APB_SETTINGS%5Btemplate_path%5D=http://...


Solution:
Add the following lines:

$APB_SETTINGS['apb_dir_name'] = 'bookmarks/';
// Change this value (apb_dir_name) if needed with your installation dir
$APB_SETTINGS['apb_path'] = $DOCUMENT_ROOT . '/' . $APB_SETTINGS['apb_dir_name'];
$APB_SETTINGS['template_path'] = $APB_SETTINGS['apb_path'] . 'templates/';


to the beginning of the files:
templates/head.php
apb_common.php
and apb_view_class.php (Line 47, before the include (output function))



2) Bookmarks and groups can be added without user registration

Files affected:

add_bookmark.php

Description:
The variable $APB_SETTINGS[auth_user_id] is not defined and can be
passed through GET or POST to execute the form with any user id.


Proof of concept:
Load the form with ?APB_SETTINGS%5Bauth_user_id%5D=1
Submit the resulting form with the same variable, for example by changing
the action property of the form tag and adding the following input to it:

<input type="hidden" name="APB_SETTINGS%5Bauth_user_id%5D" value="1">


Solution:
The easiest (and dirty) solution:

Add the following lines to the beginning of the add_bookmark.php file:


// Require HTTP Basic credentials before the form code runs.
if (($PHP_AUTH_USER!="xxxxxx") || ($PHP_AUTH_PW!="xxxxxx")) {
    header('WWW-Authenticate: Basic realm="Authorization Required"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authorization Required.';
    exit;
}

Replace "xxxxxx" with your username and password.

----------------------------------------------------------------------


itzhak <itzhak@2500hz.net>

2500Hz Labs <www.2500hz.net>

Greetings: aViNash, pantarhei, neuronal and Asejua
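
An added example, not part of the original post or of either project's code: a small Python audit that produces the advisory's File:Line:Code listing for includes whose path starts with a variable, and checks whether the assignments suggested in the solution appear before them in the same file. The file names and PHP sources below are constructed; the check is line-based and per-file, so it does not follow includes or judge where an assigned value came from.

```python
import re

# A PHP variable, optionally with one array subscript: $x, $A['k'], $A[k]
VAR = r"\$\w+(?:\[\s*['\"]?\w+['\"]?\s*\])?"
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\b\s*\(?\s*(" + VAR + ")")
ASSIGN_RE = re.compile(r"^\s*(" + VAR + r")\s*=(?!=)")

def norm(var):
    """$A['k'], $A["k"] and $A[k] name the same array element."""
    return re.sub(r"[\s'\"]", "", var)

def audit(sources):
    """sources maps file name -> PHP text. Returns "File:Line:Code" strings for
    include/require calls whose path starts with a variable that the same file
    has not assigned on an earlier line (so the request could supply it when
    register_globals is on and the file is requested directly)."""
    findings = []
    for name in sorted(sources):
        assigned = set()
        for lineno, line in enumerate(sources[name].splitlines(), 1):
            if line.lstrip().startswith(("//", "#", "*")):
                continue  # comment line
            m = ASSIGN_RE.match(line)
            if m:
                assigned.add(norm(m.group(1)))
                continue
            m = INCLUDE_RE.search(line)
            if m:
                var = norm(m.group(1))
                if var not in assigned and var.split("[")[0] not in assigned:
                    findings.append(f"{name}:{lineno}:{line.strip()}")
    return findings

# Constructed sample input, modelled on the lines quoted in the advisory.
INCLUDE_LINE = "include($APB_SETTINGS['template_path'] . \"head_design.php\");\n"
FIX = (
    "$APB_SETTINGS['apb_dir_name'] = 'bookmarks/';\n"
    "$APB_SETTINGS['apb_path'] = $DOCUMENT_ROOT . '/' . $APB_SETTINGS['apb_dir_name'];\n"
    "$APB_SETTINGS['template_path'] = $APB_SETTINGS['apb_path'] . 'templates/';\n"
)
SAMPLE = {
    "before/head.php": "<?php\n" + INCLUDE_LINE,        # unpatched: flagged
    "after/head.php": "<?php\n" + FIX + INCLUDE_LINE,   # patched: clean
    "static.php": "<?php\ninclude('inc/config.php');\n",  # literal path: clean
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```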