FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » FUDforum » FUDforum Announcements » FUDforum 2.6.12 Released
Show: Today's Messages :: Unread Messages :: Show Polls :: Message Navigator
| Subscribe to topic | Bookmark topic 
Switch to threaded view of this topic Create a new topic Submit Reply
FUDforum 2.6.12 Released [message #23582] Wed, 23 March 2005 09:22 Go to next message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
add to buddy list
ignore all messages by this user
FUDforum 2.6.12 has been released, for the most part it is the same as RC3 with a few minor fixes. Additionally this release addresses a minor security issue, details of which can be found below.

Changes:
  1. Updated Russian translation.
  2. Some minor code cleanup.
  3. Fixed login redirection.
  4. Fixed splitting of a topic into a new forum.



Security Disclosure

Credit for the discovery goes to Rasmus Lerdorf.

In pre-2.6.12RC1 versions of the forum the error_dialog() that is being used to log error messages stored the HTTP_HOST ($_SERVER['HTTP_HOST']) without encoding special characters and then displaying this information in the admin error log viewer control panel.
(The data is being stored inside a text file, so there is no danger of SQL injection).

Technically it shouldn't be an issue since the webserver supposed to ensure that the host only contains valid characters. Alas, like many assumptions this one was wrong. On Apache 1/2 the host is not being at all validated and can contain things like HTML data and still complete a request to the primary virtual host on that IP/Server.

This means that if you are using Apache and your forum is running on a dedicated IP address or is setup as a primary virtual host for an IP then it is possible to inject HTML into the admin error log viewer control panel by putting HTML into the HOST header of the HTTP request. However, even in Apache not all characters are allowed within the header and chars such as / and many others are disallowed. Which means the type of HTML that could be injected is fairly limited.

If you don't want to upgrade the forum, then the patch to just fix the security issue is available at:
http://cvs.prohost.org/c/index.cgi/FUDforum/chngview?cn=3353

I would like to thank Rasmus for discovering this problem and promptly notifying me of it, as well as not publicizing the issue until a fix was made available.


FUDforum Core Developer
Re: FUDforum 2.6.12 Released [message #23804 is a reply to message #23582] Wed, 30 March 2005 03:19 Go to previous messageGo to next message
lstep is currently offline  lstep   France
Messages: 50
Registered: June 2003
Karma: 0
Member
add to buddy list
ignore all messages by this user

I have an error while trying to upgrade from FUD version 2.7.x and 2.9.x to FUD 2.6.12. After executing the upgrade.php script and logging, I get the following:
Checking if SQL permissions to perform the upgrade are avaliable
Disable the forum
Forum is now disabled
Beginning the file upgrade process
Begining to decompress the archive
Finished decompressing the archive
File Upgrade Complete
Any changed files were backed up to: "/data/myfudNONBROWSABLE/errors/.backup/"

Beginning SQL Upgrades
SQL Upgrades Complete
Adding GLOBAL Variables
Compiling theme default
Undefined template: "post_html_quote_start_p1" inside "isearch.inc.t"


And it stops at that line. I don't really know in what state is my FUD, but I can connect on it, and it's written FUDforum 2.6.12 at the bottom.
I'm using PostGreSQL 7.4.6-3, with PHP 4.3.10-9 on a Debian Linux.
Re: FUDforum 2.6.12 Released [message #23813 is a reply to message #23804] Wed, 30 March 2005 09:56 Go to previous messageGo to next message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
add to buddy list
ignore all messages by this user
Hmm works fine here... that template is found inside post_proc.tmpl which is being inlined by isearch.tmpl.

FUDforum Core Developer
Re: FUDforum 2.6.12 Released [message #23816 is a reply to message #23813] Wed, 30 March 2005 11:03 Go to previous messageGo to next message
lstep is currently offline  lstep   France
Messages: 50
Registered: June 2003
Karma: 0
Member
add to buddy list
ignore all messages by this user

Ilia wrote on Wed, 30 March 2005 16:56

Hmm works fine here... that template is found inside post_proc.tmpl which is being inlined by isearch.tmpl.

Right, I look into './thm/default/tmpl/post_proc.tmpl', it is there, BUT, I'm not using this theme, but the path_info one (./thm/path_info/tmpl/post_proc.tmpl). I mean I use that thing that makes nice urls Smile
This file is nearly empty.
Re: FUDforum 2.6.12 Released [message #23818 is a reply to message #23816] Wed, 30 March 2005 11:26 Go to previous messageGo to next message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
add to buddy list
ignore all messages by this user
That's because it grabs the templates from the post_proc inside the default directory.

FUDforum Core Developer
Re: FUDforum 2.6.12 Released [message #23865 is a reply to message #23818] Sat, 02 April 2005 17:11 Go to previous messageGo to next message
lstep is currently offline  lstep   France
Messages: 50
Registered: June 2003
Karma: 0
Member
add to buddy list
ignore all messages by this user

Ilia wrote on Wed, 30 March 2005 18:26

That's because it grabs the templates from the post_proc inside the default directory.


Hmm, I looked into that file too (NONBROWSABLE from web directory/include/theme/default/post_proc.inc), and there's no trace of this "template" ("post_html_quote_start_p1").

Do you kwow anything I can see/try to find out what's wrong? (I cannot add any messages to my FUD now Sad
Re: FUDforum 2.6.12 Released [message #23872 is a reply to message #23865] Sun, 03 April 2005 13:03 Go to previous messageGo to next message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
add to buddy list
ignore all messages by this user
You are looking @ a compiled file, you should looks inside the post_proc.tmpl file.

FUDforum Core Developer
Re: FUDforum 2.6.12 Released [message #23887 is a reply to message #23816] Sun, 03 April 2005 17:20 Go to previous messageGo to next message
lstep is currently offline  lstep   France
Messages: 50
Registered: June 2003
Karma: 0
Member
add to buddy list
ignore all messages by this user

Ok, I "sort of" finally managed to upgrade. The problem is that my default theme for my FUD is using path_info, and not 'default'. When looking into the templates for path_info, there's no trace of this 'post_html_quote_start_p1'.

So, I changed back (using the theme manager) to default (instead of path_info) and ran the uprade process, which worked fine. But I still can't use anymore the path_info stuff because as soon as something tries to rebuild that theme, it gives the same error.

To summarize, if you want to test by yourself this bug:
1) Install a version < 2.6.12 (I tried 2.6.7 and 2.6.9)
2) Change the default theme to use the template set 'path_info'. (rebuild it Smile
3) Try now to upgrade using the 2.6.12 upgrade script

Note: I haven't changed any of the themes/templates in any way, they have always been the standard/default ones.
Re: FUDforum 2.6.12 Released [message #23898 is a reply to message #23887] Mon, 04 April 2005 15:38 Go to previous message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
add to buddy list
ignore all messages by this user
fixed in cvs.

FUDforum Core Developer
Quick Reply
Formatting Tools:   
  Switch to threaded view of this topic Create a new topic
Previous Topic: FUDforum 2.6.10 Released
Next Topic: FUDforum 2.6.13RC1 Released
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sat Oct 21 01:03:28 EDT 2017

Total time taken to generate the page: 0.00845 seconds