
#23 Big Fat Security Bug

open
nobody
None
5
2006-01-18
2006-01-18
Andrew G
No

I've noticed that you've by default blocked 127.0.0.1
and localhost on the script, which is good, however,
accessing 127.255.255.254 and any IP addresses in
between that and 127.0.0.1 is also localhost, meaning
it displays the same page as it would if you accessed
127.0.0.1. I have been testing this bug out on multiple
configurations of the script and they are all
vulnerable - the servers I tested it on gave me a
cPanel page saying this page has not been configured.
You will want to stop people from accessing the IP
range of 127.0.0.1 to 127.255.255.254.
When you fix this bug you may also want to consider
stopping people from accessing the 192.168.x.x,
10.x.x.x and 172.16.x.x IP ranges. I have been
attempting to fix this situation but have not had any
luck yet. If I find a way to patch this I will post the
new code.

Discussion

  • Nobody/Anonymous

    Logged In: NO

    This is not a real vulnerability to the cPanel and Plesk
    hosting environments which I have tested. The page you're
    seeing is saying "There is no website configured at this
    address." In Plesk it says "This is the Plesk default page

    If you see this page it means:

    1) hosting for this domain is not configured
    or
    2) there's no such domain registered in Plesk."

    Basically it's saying there is NOTHING configured to use that
    specific port. It's the same thing you will get if there was
    an IP address in the server that hasn't been set up with a
    domain yet.

    If you're concerned about your security I will go ahead and
    make a patch. LOL, a patch such as this is real real easy
    to make in PHP. I don't believe you were trying hard enough
    but I'll see what I can do to help you block those ranges.

    P.S. I'm not affiliated with PHProxy in any way, just another
    user of the script.

    Regards,
    Russell
    SIProxy Admin

     
  • Nobody/Anonymous

    Logged In: NO

    Hi,

    Sorry for not replying so fast.

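    Here's your IP solution for 127.0.0.*

    Here's the code you need to input.

    // Anchored and with the dot escaped, so only hosts that start with
    // "127." are rewritten (not any host that merely contains "127").
    $this->url_segments['host'] = preg_replace('@^127\..*$@', '127.0.0.1', $this->url_segments['host']);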

    Put it below this code in the script.

    foreach ($this->banned_hosts as $host);

    It doesn't truly block it, well it does I guess. If any URL
    is inputted with 127. it will change the URL to 127.0.0.1
    which you can then block. Just one line to enter, a whole
    lot easier.

    The other IP ranges I wouldn't worry about. I think those
    ports are blocked by default. I can be wrong though. If
    you find a need that those ports should be blocked please
    contact me and I will help you set up a couple new lines of
    code.

    rnajar
    at
    plateautel
    dot
    com

    Regards,
    Russell Najar
    SIProxy Admin.

     
  • Nobody/Anonymous

     
  • Ignorant_and_happy

    When submitting a private IP address (e.g. 192.168.1.1), release 0.5b2 displays the following error: "URL Error (1): An error has occured while trying to browse through the proxy.
    The URL you're attempting to access is blacklisted by this server. Please select another URL."
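
The range check requested in this ticket, written as an added example (not PHProxy code and not from any poster in this thread): it tests the host against the loopback and private networks by netmask instead of by string match, and also checks the addresses a host name resolves to. The helper names and the stub resolver are hypothetical, and the 172.16.x.x entry is widened to the full 172.16.0.0/12 private block.

```php
<?php
// Added example, not PHProxy code; helper names are hypothetical. Assumes 64-bit PHP 7.4+.
const BLOCKED_NETS = [
    ['127.0.0.0', 8],    // loopback, 127.0.0.1 through 127.255.255.254
    ['10.0.0.0', 8],     // private
    ['172.16.0.0', 12],  // private (172.16.x.x through 172.31.x.x)
    ['192.168.0.0', 16], // private
];

function ip_in_blocked_net(string $ip): bool
{
    $addr = ip2long($ip);
    if ($addr === false) {
        return true; // not a dotted-quad IPv4 address: fail closed
    }
    foreach (BLOCKED_NETS as [$net, $bits]) {
        $mask = (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
        if (($addr & $mask) === (ip2long($net) & $mask)) {
            return true;
        }
    }
    return false;
}

// $resolve maps a host name to a list of IPv4 strings, or false on failure.
function is_internal_host(string $host, ?callable $resolve = null): bool
{
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return ip_in_blocked_net($host);
    }
    $ips = ($resolve ?? 'gethostbynamel')($host);
    if (!$ips) {
        return true; // unresolvable (or an IPv6 literal): fail closed
    }
    foreach ($ips as $ip) {
        if (ip_in_blocked_net($ip)) {
            return true; // a name pointing at an internal address is blocked too
        }
    }
    return false;
}

// Constructed sample data: a stub resolver so the demo runs offline.
$stub = fn(string $h) => ['intranet.example' => ['192.168.1.1'],
                          'www.example' => ['203.0.113.10']][$h] ?? false;
foreach (['127.0.0.1', '127.255.255.254', '10.1.2.3', '172.31.0.9', '172.32.0.9',
          'intranet.example', 'www.example'] as $h) {
    printf("%-18s %s\n", $h, is_internal_host($h, $stub) ? 'blocked' : 'allowed');
}
```

For the check to hold, the proxy has to connect to the same address that was checked rather than resolving the name a second time.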

     
