[Phpslash-devel] Next release
From: Matthew L. <lei...@ma...> - 2003-02-20 21:21:22
Hi,

I fixed one bug and added the files and configuration that Nathan needed
to get timezones running on Macs.

I vote one more RC.

--Matt

On Thu, 20 Feb 2003, Joe Stewart wrote:

> Hey folks,
>
> This is the reason I'm wanting to get 0.7 released. 0.65 was released
> with the url block vulnerability. The fix was only committed to the
> stable cvs for the 0.62 release.
>
> It wasn't a real big deal for most sites as the block admin probably already
> had file access too.
>
> Anyway do you guys have much to commit? If so, go ahead.
>
> The changes I've done since RC3 release:
>
> - registration login - Minor change to use the session variable
>   "challenge" instead of generating a new challenge.
> - comment name is kept in the session
> - comment IP should work with register_globals off
> - Norwegian translation
> - removed the hack to use loginblocks. It doesn't seem to be
>   needed anymore and was causing other login problems. This seems to have a side
>   effect that you can't log back in immediately after logging out.
>   This has pissed me off in the past and I would like to fix soon.
>
> Do these things warrant another RC? or go ahead and release?
>
> Depending on the fix for the last one I'm thinking release.
>
> thanks,
>
> Joe
>
> On Tue, Feb 04, 2003 at 06:09:34PM -0000, tobozo wrote:
> > Hey Joe,
> >
> > remember this ?
> > http://lwn.net/2001/0517/a/phpslash.php3
> >
> > guess what .. the same hole is back on phpslash ;-))
> >
> > I didn't look at the code, just tried to enter "config.php3" as
> > a url in the URL Block field (blockAdmin.php3) and the whole
> > file got displayed as text, this can lead to a hack of phpslash
> > and give file access blah blah blah ...
> >
> > same problem, same solution : use parse_url()
> >
> > I suppose this would apply to Block_render_rss too, as long
> > as the target file was rss compliant ;-))
> >
> > if you're okay I'm going to submit another security bulletin
> > on this, this is just a matter of copying the first one
> > anyway ;-) (after a month of course)
> >
> > be well
> >
> > tobozo
> >
> >
> > Date: 04 February 2003 11:46:13 -0000
> >
> > sAvAte inc.
> > Serial Savate System
> >
> > <[( advisory )]>---------------------------------------<[(
> > xxxxxxxxxxx4.adv.en
> >
> >
> > Program: PHPSLASH
> > Homepage: http://www.phpslash.org
> > Author Contacted: 04/feb/2003
> > Answer: ????????? (JoeStewart)
> > Patch : Being prepared
> > Version tested: 0.7.x
> > Found by : tobozo
> >
> >
> > - Problem description:
> > ~~~~~~~~~~~~~~~~~~~~
> >
> > Url and rss block types can access the filesystem when a path is
> > specified by the administrator.
> >
> > The method used in Block_render_url.class does not check
> > if the $url variable contains a valid url scheme.
> >
> > No parsing is really done to check integrity of the url
> > scheme, neither the content of the url and file name.
> >
> > Same thing happens with Block_render_rss.class, but effect is
> > less critical as the local target file has to be rss compatible
> > to meet any security issue.
> >
> >
> > - Impact:
> > ~~~~~~~
> >
> > If a path to a file is specified (ex : /etc/passwd), the
> > file will be read and its content stored in the cache
> > exactly as if it was a remote file on a given url.
> >
> >
> > - Exploit:
> > ~~~~~~~~
> >
> > Login as admin with GOD permissions
> > Access the BLOCKS admin section
> > (blockAdmin.php3) and
> > create a new block with the following information :
> >
> > Title : notTrusted
> > Type : url
> > Site Location : whatever
> > Source URL : config.php3
> > Expire Length : 0
> > Owned by section : home
> > Data : (empty)
> > Order number : whatever
> >
> > It will display the content of the config.php3 as text in
> > the block of the main page.
> >
> > It might become an issue if blockAdmin.php3 gives
> > add/edit/remove permission to some users that are
> > not supposed to access the filesystem.
> >
> >
> > Fix :
> > ~~~~~
> >
> > Replace the function parse() in the Block_render_url.class
> > and use parse_url() and a regex before sending $url to
> > the file() function.
> >
> >
> > function parse($block_info) {
> >
> >     $url = $block_info["source_url"];
> >     $errors = $block_info["block_options"]["errors"];
> >
> >     /* check for url structure before opening it (you don't want
> >        /etc/passwd to be validated here -- tobozo -- */
> >     $urlParts = parse_url($url);
> >
> >     if( (empty($urlParts)) or (!$urlParts) ) {
> >         $this->output = "Block_render_url.class:: Parse error reading [$url]";
> >         logwrite("URL Block ".$block_info['title']."(".$block_info['id'].")",
> >                  $this->output);
> >         return;
> >     }
> >
> >     /* keys must be quoted strings; a bare path has neither key */
> >     $scheme   = isset($urlParts['scheme']) ? $urlParts['scheme'] : '';
> >     $HostName = isset($urlParts['host'])   ? $urlParts['host']   : '';
> >
> >     if(empty($scheme)) {
> >         $this->output = "Block_render_url.class:: Missing protocol declaration [$url]";
> >         logwrite("URL Block ".$block_info['title']."(".$block_info['id'].")",
> >                  $this->output);
> >         return;
> >     }
> >
> >     if(empty($HostName)){
> >         $this->output = "Block_render_url.class:: No hostname in [$url]";
> >         logwrite("URL Block ".$block_info['title']."(".$block_info['id'].")",
> >                  $this->output);
> >         return;
> >     }
> >
> >     /* case-insensitive scheme check (eregi() is no longer available) */
> >     if (!preg_match("/^(ht|f)tp/i", $scheme)) {
> >         $this->output = "Block_render_url.class:: No http:// or ftp:// in [$url]";
> >         logwrite("URL Block ".$block_info['title']."(".$block_info['id'].")",
> >                  $this->output);
> >         return;
> >     }
> >
> >
> >     /* have to silence 'implode' and 'file' because you don't want
> >        the errors showing up on the main page */
> >     $ary = @file($url);
> >     $size = count($ary);
> >
> >     $string = @implode("",$ary);
> >
> >     if (strlen($string) < 1) {
> >         $this->output = "Block_render_url.class: $url contained no data.";
> >         logwrite("URL Block ".$block_info['title']."(".$block_info['id'].")",
> >                  $this->output);
> >
> >         switch ($errors) {
> >
> >             case "on":
> >                 // display the error message ( already in this->output).
> >                 break;
> >             case "off":
> >                 // don't display the error text
> >                 $this->output = $block_info["cache_data"];
> >                 break;
> >             case "debug":
> >             default:
> >                 // only display the error text if debug mode is on
> >                 if(!$this->psl['debug']) {
> >                     $this->output = $block_info["cache_data"];
> >                 }
> >                 break;
> >         }
> >
> >         return false;
> >     }
> >     $this->output = $string;
> >     return true;
> > }
> >
> >
> >
> >
> > - Workaround :
> > ~~~~~~~~~~~~
> >
> > 1) check for all possible protocols
> > 2) check for url content (host)
> >
> >
> > - Code:
> > ~~~~~
> > Tested on http://phpsecure.info/phpsecure (successfully)
> >
> > - Contact us:
> > ~~~~~~~~~~~
> > http://phpsecure.info
> >
> > to...@us...
> >
> > - Greetings:
> > ~~~~~~~
> >
> > The phpSlash Team, Frogm@n
> >
> > [EOF]
> >

--
----------------------------------------------------------------
Matthew Leingang                        http://www.math.rutgers.edu/
Rutgers University                      lei...@ma...
Department of Mathematics
"This signature needs no quote."
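The advisory's fix hinges on one decision: whether the block's "Source URL" is something file() will fetch remotely or something it will read off the local disk. The stand-alone check below is an added example, not phpslash code or tobozo's patch; it keeps the parse_url() scheme-and-host test but replaces the prefix regex with an exact allow-list, and runs it over constructed inputs (assumed values, not real block configuration) covering the local-path cases the thread describes.

```php
<?php
// Added example (not phpslash code): decide whether a url/rss block's
// "Source URL" is a remote http/https/ftp URL with a host. Anything else
// is refused before it could reach file(), which otherwise reads a bare
// filename such as config.php3 or a path such as /etc/passwd locally.
function block_source_url_is_remote(string $url): bool
{
    // parse_url() returns false on seriously malformed input and simply
    // omits 'scheme' / 'host' for a bare filename or absolute path.
    $parts = parse_url($url);
    if ($parts === false) {
        return false;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = $parts['host'] ?? '';

    // Exact allow-list instead of a prefix regex: a test like
    // "^(ht|f)tp" also matches a scheme such as "httpfoo".
    if (!in_array($scheme, ['http', 'https', 'ftp'], true)) {
        return false;
    }
    // "file:///etc/passwd" parses with scheme "file" and no host;
    // "http:///etc/passwd" has an allowed scheme but no host either.
    return $host !== '';
}

// Constructed cases (assumptions for this example), expected verdicts.
$cases = [
    'config.php3'                       => false, // bare filename
    '/etc/passwd'                       => false, // absolute path
    'file:///etc/passwd'                => false, // local wrapper
    'php://filter/resource=config.php3' => false, // stream wrapper
    'http:///etc/passwd'                => false, // scheme, no host
    'httpfoo://example.com/'            => false, // prefix-regex gap
    'http://example.com/feed.rss'       => true,
    'HTTPS://Example.COM/feed.rss'      => true,  // case-insensitive
    'ftp://example.com/pub/feed.rss'    => true,
];

$failures = 0;
foreach ($cases as $url => $expected) {
    $got = block_source_url_is_remote($url);
    printf("%-36s %s\n", $url, $got === $expected ? 'ok' : 'MISMATCH');
    if ($got !== $expected) {
        $failures++;
    }
}
exit($failures === 0 ? 0 : 1);
```

The logging and early return in the advisory's parse() stay as written; only the scheme test changes from a prefix match to an exact comparison.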