really dangerous bug!!!! to Charter


zaartix
12-11-2004, 04:14 AM
Plz, give me your email, I'll send you a link to the dangerous bug

zaartix
12-11-2004, 04:14 AM
or better, send an email to me at zaartix @no-spam@ yandex.ru

zaartix
12-11-2004, 04:20 AM
Result of this bug: anyone can view the content of any file.
For example, this is a part of your http://www.phpdig.net/forum/sendmessage.php file:
<?php
include("//hide\\");
header("HTTP/1.1 301 Moved Permanently");
header("Location: http://www.phpdig.net/forum/");
exit();
/*======================================================================*\
|| #################################################################### ||
|| # vBulletin 3.0.3 - Licence Number L*1*2*6*

In this code I've hidden the full path and license number.

Charter
12-11-2004, 10:44 AM
Argh, noooooooooo... :cry:

In search.php find:

extract(phpdigHttpVars(
array('query_string'=>'string',
'refine'=>'integer',
'refine_url'=>'string',
'site'=>'string', // set to integer later
'limite'=>'integer',
'option'=>'string',
'lim_start'=>'integer',
'browse'=>'integer',
'path'=>'string'
)
));

And replace with:

extract(phpdigHttpVars(
array('query_string'=>'string',
'refine'=>'integer',
'refine_url'=>'string',
'site'=>'string', // set to integer later
'limite'=>'integer',
'option'=>'string',
'lim_start'=>'integer',
'browse'=>'integer',
'path'=>'string'
)
),EXTR_SKIP);

Special thanks to zaartix for finding this! Watch this (http://www.phpdig.net/forum/showthread.php?t=1573) thread for updates!

zaartix
12-11-2004, 10:55 AM
no problems, man :)

ZoRaC
12-11-2004, 12:44 PM
Charter,
I've taken my phpDig down, so please send out a new mail when the bug is completely fixed and a fix is ready for download. :)

Thanks! :)

Charter
12-12-2004, 03:10 AM
http://www.phpdig.net/forum/showthread.php?t=1608

tomas
12-12-2004, 05:15 AM
hi charter,

maybe you forgot these lines when setting the "EXTR_SKIP" flag:

admin/spider.php:
extract(phpdigGetSiteFromUrl($id_connect,trim($url),$linksper,$linksper_flag,$limit,$limit_flag,$usetable));
extract(phpdigTempFile($url_indexing,$result_test_http,$relative_script_path.'/admin/temp/'));

admin/update.php:
extract($a_result);
extract($num_result);
extract($this_exclude);

libs/function_phpdig_form.php:
extract($result);



kind regards
tomas

Charter
12-12-2004, 11:00 AM
Not every extract without the EXTR_SKIP is a problem.
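The following is an added illustration, not phpDig's own code, of the point behind Charter's search.php fix and of his remark that not every extract() call is a problem: extract() with its default EXTR_OVERWRITE flag silently replaces a variable the script has already set when a key in the array has the same name, and that only matters when the array's keys are chosen by the client (as with phpdigHttpVars()), not when the array is built server-side from a database row. The variable name $relative_script_path is taken from this thread; its value and the request contents are constructed for the example.

```php
<?php
// Added example (not phpDig's code): variable clobbering through extract().
// Both functions stand in for a script that sets a trusted path and then
// extracts request data into the same scope.

function build_temp_path_overwrite(array $request_vars)
{
    $relative_script_path = '/var/www/phpdig';  // trusted value (assumed)
    extract($request_vars);                      // default flag: EXTR_OVERWRITE
    return $relative_script_path . '/admin/temp/';
}

function build_temp_path_skip(array $request_vars)
{
    $relative_script_path = '/var/www/phpdig';  // trusted value (assumed)
    extract($request_vars, EXTR_SKIP);           // keep variables that already exist
    return $relative_script_path . '/admin/temp/';
}

// Safest pattern: do not extract request data at all; read the keys you expect.
function build_temp_path_explicit(array $request_vars)
{
    $relative_script_path = '/var/www/phpdig';  // trusted value (assumed)
    $query_string = isset($request_vars['query_string'])
        ? (string) $request_vars['query_string'] : '';
    return $relative_script_path . '/admin/temp/';
}

// Constructed request: one normal key plus one that collides with the
// script's own variable. Because the keys come from the client, any name
// can appear here; a server-built array (a database row) has no such issue.
$request_vars = array(
    'query_string'         => 'phpdig',
    'relative_script_path' => 'CLIENT_CONTROLLED',
);

echo "EXTR_OVERWRITE: ", build_temp_path_overwrite($request_vars), "\n";
echo "EXTR_SKIP:      ", build_temp_path_skip($request_vars), "\n";
echo "explicit keys:  ", build_temp_path_explicit($request_vars), "\n";

// Caveat: EXTR_SKIP only protects variables that are defined *before* the
// extract() call. A variable assigned later, or left unassigned on some code
// path, is still populated from the request, so audit each extract() on
// client data rather than relying on the flag alone.
```

Running the script shows the first line carrying the client-supplied value in place of the configured path, while the EXTR_SKIP and explicit-key versions keep it.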

tomas
12-12-2004, 12:43 PM
hi charter,

ok - the problem occurs only in arrays.

For those who do not want to upgrade: is anything done by changing the
flag to EXTR_SKIP?

Would you email me a partial pattern to search in Apache logs for a possible hack?

Please delete the forum entries with the links to members' sites using phpDig, because this would be the cracker's dream: getting a list of where to have all this fun (knowing this, my link entry was the phpDig website ;-)


thanx
tomas

Charter
12-12-2004, 02:14 PM
The problem occurred for another reason, but that's all, no details. People need to upgrade or face possible exploits. To search your logs, just check for anyone accessing your important files. For example, grep on config.php and other important files and review the output for suspicious requests. You will know it if you see it. Also check for any file starting with a string of numbers, that file being writable or in a writable location. If you find such a file and it is not your content, review the file, then delete the file and again check your logs for any requests to the file. As for the PhpDig link entry set via the vB control panel, only admins or mods can see it.