There is no user input sanitization in two parts of the
code that can be used to create a .php file. This is a
high risk vulnerability that should be patched ASAP.
I sent (a few days ago) an email to natasab with a Proof
of Concept and explained where the lines of code to
patch are. But I've got no response yet, maybe he is on
holiday.
Temporary solution: modify these lines of code:
add_comment.php, line 105:

    $comments_file = $gid_dir . $gid . "_" . $phid;

Modify with:

    $comments_file = $gid_dir . $gid . "_" . intval($phid);

functions.php, construct_comment_line(), lines 699-700:

    $linea = $linea . $data_array['mail'] . $SEPARATOR;
    $linea = $linea . $data_array['web'] . $SEPARATOR;

Modify with:

    $linea = $linea . htmlspecialchars($data_array['mail']) . $SEPARATOR;
    $linea = $linea . htmlspecialchars($data_array['web']) . $SEPARATOR;
I've posted a proof of concept at bugtraq.
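The two hardened spots above, as an added example that is not YAPIG's own code: the path builder casts both ids to integers and rejects anything that is not "<digits>_<digits>", and the comment-line builder escapes every visitor-supplied field. Function names, the `name`/`comment` fields, the `|` separator and the sample paths are assumptions.

```php
<?php
// Added example, not code from the YAPIG project. Names are assumed.

// Build the per-photo comments file path. Casting both ids with intval()
// means the result is always "<gid_dir>/<int>_<int>" and never a path
// (or an extension such as .php) chosen by the requester.
function comments_file_path(string $gid_dir, $gid, $phid): string
{
    $path = rtrim($gid_dir, '/') . '/' . intval($gid) . '_' . intval($phid);
    // Defense in depth: refuse anything that is not digits_digits.
    if (!preg_match('#/\d+_\d+$#', $path)) {
        throw new RuntimeException('invalid comments file path');
    }
    return $path;
}

// Build one serialized comment line. Every field that came from the
// visitor is HTML-escaped, so markup or PHP tags in mail/web are stored
// and later rendered as inert text; the separator is stripped as well so
// a field cannot inject extra columns into the record.
function construct_comment_line(array $data_array, string $SEPARATOR = '|'): string
{
    $linea = '';
    foreach (['name', 'mail', 'web', 'comment'] as $field) {   // assumed field set
        $value = isset($data_array[$field]) ? (string)$data_array[$field] : '';
        $value = str_replace($SEPARATOR, ' ', $value);
        $linea .= htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . $SEPARATOR;
    }
    return $linea;
}

// Demonstration with constructed input (paths and values are made up).
$path = comments_file_path('/var/www/yapig/galleries', '3', '42');
assert($path === '/var/www/yapig/galleries/3_42');

// intval() keeps only the leading digits, so any trailing junk is dropped.
assert(comments_file_path('/var/www/yapig/galleries', 3, '42abc')
       === '/var/www/yapig/galleries/3_42');

$line = construct_comment_line([
    'name' => 'alice', 'mail' => 'a@example.org',
    'web'  => '<b>x</b>', 'comment' => 'hi|there',
]);
assert(strpos($line, '<') === false);        // all angle brackets escaped
assert(substr_count($line, '|') === 4);      // exactly four separators remain
echo $line, PHP_EOL;
```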
Logged In: YES
user_id=868982
Thank you!
This bug was solved in the 0.92.2b release.
If you have a version previous to 0.92.2, please
UPDATE yapig.
Logged In: YES
user_id=868982
This bug has been repaired in 0.92.2 and 0.93.