
#56 (Heavy Security bug) PHP Insertion in 0.92b

Milestone: 0.9xb
Status: closed-fixed
Owner: Juan M.
Labels: security (14)
Priority: 9
Updated: 2004-10-24
Created: 2004-08-11
Creator: Anonymous
Private: No

There is no user input sanitization in two parts of the
code that can be used to create a .php file. This is a
high risk vulnerability that should be patched ASAP.

I sent (a few days ago) an email to natasab with a Proof
of concept and explained where the lines of code to
patch are. But I've got no response yet, maybe he is on
holidays.

Temporary solution, modify these lines of code:

add_comment.php
line 105:
    $comments_file = $gid_dir . $gid . "_" . $phid;
Modify with:
    $comments_file = $gid_dir . $gid . "_" . intval($phid);

functions.php, construct_comment_line()
line 699-700:
    $linea = $linea . $data_array['mail'] . $SEPARATOR;
    $linea = $linea . $data_array['web'] . $SEPARATOR;
Modify with:
    $linea = $linea . htmlspecialchars($data_array['mail']) . $SEPARATOR;
    $linea = $linea . htmlspecialchars($data_array['web']) . $SEPARATOR;

I've posted a proof of concept at bugtraq.
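The two fixes proposed in the report, side by side with the unpatched form, as an added example that is not YAPIG's own code and not part of the original bug report. The function names, the SEPARATOR constant and the sample inputs are assumptions chosen for this example; the report only shows the affected statements, not their surrounding functions. The example also goes one step beyond the report by passing ENT_QUOTES to htmlspecialchars() so that quote characters are escaped as well.

```php
<?php
// Added example (not YAPIG code): the report's two hardening steps wrapped
// in functions so the before/after behaviour can be compared directly.
// build_comments_path*, build_comment_line* and SEPARATOR are assumed names.

const SEPARATOR = '|'; // assumed field separator of the flat comment file

// Unpatched form of add_comment.php line 105: the photo id taken from the
// request is concatenated into the filename unchanged, so the extension of
// the file that gets created is whatever the client put into $phid.
function build_comments_path_unsafe(string $gid_dir, string $gid, string $phid): string
{
    return $gid_dir . $gid . '_' . $phid;
}

// Patched form: intval() reduces the photo id to an integer, so the
// filename can only ever be <gid>_<digits>, never <gid>_<something>.php.
// This example assumes $gid is validated upstream; the report does not
// address that value.
function build_comments_path(string $gid_dir, string $gid, string $phid): string
{
    return $gid_dir . $gid . '_' . intval($phid);
}

// Unpatched form of construct_comment_line() lines 699-700: the mail and
// web fields are written into the comment record verbatim, so markup or
// code supplied by the commenter ends up in the stored file as-is.
function build_comment_line_unsafe(array $data_array): string
{
    $linea = '';
    $linea .= $data_array['mail'] . SEPARATOR;
    $linea .= $data_array['web'] . SEPARATOR;
    return $linea;
}

// Patched form: htmlspecialchars() turns <, >, & and (with ENT_QUOTES)
// quotes into entities before the values are stored. Note that it does
// not touch the separator character, so a value containing '|' would still
// corrupt the record layout; that is a separate input check to add.
function build_comment_line(array $data_array): string
{
    $linea = '';
    $linea .= htmlspecialchars($data_array['mail'], ENT_QUOTES, 'UTF-8') . SEPARATOR;
    $linea .= htmlspecialchars($data_array['web'], ENT_QUOTES, 'UTF-8') . SEPARATOR;
    return $linea;
}

// Constructed inputs for the demonstration: a photo id that is not a clean
// integer and a web field carrying an HTML tag.
$gid_dir    = '/var/www/gallery/';
$gid        = 'holidays';
$phid       = '12abc';
$data_array = [
    'mail' => 'user@example.com',
    'web'  => '<a href="http://example.com">site</a>',
];

echo "unsafe path : ", build_comments_path_unsafe($gid_dir, $gid, $phid), "\n";
echo "fixed path  : ", build_comments_path($gid_dir, $gid, $phid), "\n";
echo "unsafe line : ", build_comment_line_unsafe($data_array), "\n";
echo "fixed line  : ", build_comment_line($data_array), "\n";
```

Running the script with the PHP CLI shows the trailing "abc" dropped from the fixed path and the angle brackets and quotes of the web field replaced by entities in the fixed line, which is exactly what keeps a crafted comment from producing an executable .php file on disk.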

Discussion

  • Juan M.

    Juan M. - 2004-08-29
    • priority: 5 --> 9
    • assigned_to: nobody --> natasab
    • summary: PHP Insertion in 0.92b --> (Heavy Security bug) PHP Insertion in 0.92b
    • status: open --> open-fixed
     
  • Juan M.

    Juan M. - 2004-08-29

    Logged In: YES
    user_id=868982

    Thank you!

    This bug was solved in 0.92.2b release.

    If you have a version previous to 0.92.2, please
    UPDATE yapig.

     
  • Juan M.

    Juan M. - 2004-10-24
    • status: open-fixed --> closed-fixed
     
  • Juan M.

    Juan M. - 2004-10-24

    Logged In: YES
    user_id=868982

    This bug has been repaired in 0.92.2 and 0.93.

     
