Update of /cvsroot/php-blog/serendipity
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv13322
Modified Files:
comment.php exit.php serendipity_functions.inc.php
Log Message:
Attempt to make sure s9y is no longer vulnerable to HTTP-Response-Splitting attacks. As HTTP message headers require CRLF (the RFCs require it), this should fix the problems. I may be wrong though, so please don't trust me here. Should we pack up a new beta when this is the final fix for the problem?
Read more about this at http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
Thanks to Chaotic Evil for telling us before telling bugtraq ;)
Index: serendipity_functions.inc.php
===================================================================
RCS file: /cvsroot/php-blog/serendipity/serendipity_functions.inc.php,v
retrieving revision 1.441
retrieving revision 1.442
diff -u -d -r1.441 -r1.442
--- serendipity_functions.inc.php 13 Oct 2004 09:24:45 -0000 1.441
+++ serendipity_functions.inc.php 15 Oct 2004 13:02:59 -0000 1.442
@@ -1501,7 +1501,8 @@
$query = "UPDATE {$serendipity['dbPrefix']}entries SET allow_comments = '" . ($switch == 'disable' ? 'false' : 'true') . "' WHERE id = '". (int)$entry_id ."' $admin";
serendipity_db_query($query);
- header('Location: '. $_SERVER['HTTP_REFERER']);
+ if (strpos($_SERVER['HTTP_REFERER'], "\r") === false && strpos($_SERVER['HTTP_REFERER'], "\n") === false)
+ header('Location: '. $_SERVER['HTTP_REFERER']);
} else {
die('What are you up to? You need to be an admin to close comments');
}
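Review bot: When the Referer contains a CR or LF the new guard on L21 just skips the redirect, so the handler ends with neither a Location header nor a body, and when no Referer was sent the unguarded `$_SERVER['HTTP_REFERER']` read raises an undefined-index notice and emits an empty `Location:` header. Fall back to a fixed, trusted target in both cases instead of silently doing nothing; and since the same three-line check is pasted into exit.php (L40) and comment.php (L56) in this commit, it belongs in one shared redirect helper rather than three copies. The Referer is client-supplied, so even with the CRLF check the redirect goes wherever the client says; restricting the target to the blog's own base URL would close that as well. The enclosing function of this hunk begins before L17.
```php
// … unchanged: UPDATE query and serendipity_db_query() call …
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
// Refuse anything that could terminate the header line; redirect to a trusted target instead.
if ($referer === '' || strpos($referer, "\r") !== false || strpos($referer, "\n") !== false) {
    $referer = $serendipity['baseURL']; // assumes this holds the blog's own base URL — confirm
}
header('Location: ' . $referer);
```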
Index: exit.php
===================================================================
RCS file: /cvsroot/php-blog/serendipity/exit.php,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -d -r1.9 -r1.10
--- exit.php 13 Sep 2004 20:30:41 -0000 1.9
+++ exit.php 15 Oct 2004 13:02:59 -0000 1.10
@@ -22,8 +22,8 @@
// No entry-link ID was submitted. Possibly a spammer tried to mis-use the script to get into the top-list.
$url = str_replace('&', '&', base64_decode($_GET['url']));
}
-
-header('Location: ' . $url);
+if (strpos($url, "\r") === false && strpos($url, "\n") === false)
+ header('Location: ' . $url);
exit;
/* vim: set sts=4 ts=4 expandtab : */
?>
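Review bot: `$url` on L36 is decoded straight from `$_GET['url']`, so after the new guard on L40 the script still redirects to any scheme and host the request names, and when the guard rejects the value the unconditional `exit;` on L42 returns an empty response instead of a redirect. At minimum require an absolute http(s) URL and fall back to a fixed target otherwise, e.g. `if (preg_match('#^https?://#i', $url) && strpos($url, "\r") === false && strpos($url, "\n") === false)`, with an `else` branch that redirects to the blog's own index. The `str_replace('&', '&', ...)` on L36 looks like a no-op; presumably it was `&amp;` to `&` and got mangled in rendering — worth confirming in the file. The `else` branch closed by the `}` on L37 begins outside this hunk.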
Index: comment.php
===================================================================
RCS file: /cvsroot/php-blog/serendipity/comment.php,v
retrieving revision 1.48
retrieving revision 1.49
diff -u -d -r1.48 -r1.49
--- comment.php 24 Sep 2004 13:02:55 -0000 1.48
+++ comment.php 15 Oct 2004 13:02:52 -0000 1.49
@@ -8,6 +8,7 @@
if (isset($serendipity['GET']['delete'], $serendipity['GET']['entry'], $serendipity['GET']['type'])) {
serendipity_deleteComment($serendipity['GET']['delete'], $serendipity['GET']['entry'], $serendipity['GET']['type']);
+ if (strpos($_SERVER['HTTP_REFERER'], "\r") === false && strpos($_SERVER['HTTP_REFERER'], "\n") === false)
header('Location: '. $_SERVER['HTTP_REFERER']); die();
}
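Review bot: The brace-less `if` added on L56 guards only `header()`, while `die()` on the same line as it (L57) runs unconditionally; that is the intended behaviour, but the layout makes it easy to misread, and the next statement someone appends to that line will silently land outside the guard. Write it with braces and one statement per line: `if (strpos($_SERVER['HTTP_REFERER'], "\r") === false && strpos($_SERVER['HTTP_REFERER'], "\n") === false) { header('Location: ' . $_SERVER['HTTP_REFERER']); } die();`. Reading `$_SERVER['HTTP_REFERER']` three times without an `isset()` check also raises a notice when no Referer was sent.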