FUDforum 2.6.12 Released [message #23582] Wed, 23 March 2005 09:22
Ilia (Canada), Administrator, Core Developer
FUDforum 2.6.12 has been released; for the most part it is the same as RC3 with a few minor fixes. Additionally, this release addresses a minor security issue, details of which can be found below.

Changes:
  1. Updated Russian translation.
  2. Some minor code cleanup.
  3. Fixed login redirection.
  4. Fixed splitting of a topic into a new forum.



Security Disclosure

Credit for the discovery goes to Rasmus Lerdorf.

In pre-2.6.12RC1 versions of the forum, the error_dialog() function that is used to log error messages stored the HTTP_HOST ($_SERVER['HTTP_HOST']) without encoding special characters and then displayed this information in the admin error log viewer control panel.
(The data is stored inside a text file, so there is no danger of SQL injection.)

Technically it shouldn't be an issue, since the webserver is supposed to ensure that the host only contains valid characters. Alas, like many assumptions, this one was wrong. On Apache 1/2 the host is not validated at all and can contain things like HTML data and still complete a request to the primary virtual host on that IP/server.

This means that if you are using Apache and your forum is running on a dedicated IP address or is set up as a primary virtual host for an IP, then it is possible to inject HTML into the admin error log viewer control panel by putting HTML into the Host header of the HTTP request. However, even in Apache not all characters are allowed within the header, and chars such as / and many others are disallowed, which means the type of HTML that could be injected is fairly limited.

If you don't want to upgrade the forum, then the patch to just fix the security issue is available at:
http://cvs.prohost.org/c/index.cgi/FUDforum/chngview?cn=3353

I would like to thank Rasmus for discovering this problem and promptly notifying me of it, as well as not publicizing the issue until a fix was made available.


FUDforum Core Developer
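
The class of fix described in the post above, as an added PHP example that is not part of the original post and is not FUDforum's own code: the Host value is validated before it is written to a text log, and every field is HTML-encoded when the admin viewer renders it. The function names, the tab-separated record format and the sample values are assumptions made for illustration.

```php
<?php
// Added illustration. Function names and log format are hypothetical,
// not taken from FUDforum.

// Accept a hostname or bracketed IPv6 literal with an optional port.
// Anything else is replaced, because the web server may not have validated it.
function normalize_host(string $raw): string
{
    $pattern = '/^(?:[A-Za-z0-9](?:[A-Za-z0-9.-]{0,253}[A-Za-z0-9])?'
             . '|\[[0-9A-Fa-f:.]+\])(?::\d{1,5})?$/D';
    return preg_match($pattern, $raw) === 1 ? strtolower($raw) : '(invalid host)';
}

// Build one tab-separated record. Tabs and line breaks are replaced so a
// value cannot forge extra fields or extra records in the text file.
function format_log_record(int $time, string $host, string $message): string
{
    $clean = fn(string $s): string => str_replace(["\t", "\r", "\n"], ' ', $s);
    return $time . "\t" . $clean(normalize_host($host)) . "\t" . $clean($message) . "\n";
}

// Render a record as a table row for the admin viewer. Each field is
// encoded at output time, whatever the writer did or did not do.
function render_log_row(string $record): string
{
    $fields = explode("\t", rtrim($record, "\n"), 3);
    $cells = array_map(
        fn(string $f): string =>
            '<td>' . htmlspecialchars($f, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>',
        $fields
    );
    return '<tr>' . implode('', $cells) . '</tr>';
}

// Constructed sample input: a Host header value that carries markup.
$hostile = 'forum.example<b>injected';

// New records: the invalid host never reaches the log file.
echo render_log_row(format_log_record(1111587720, $hostile, 'Invalid topic id')), "\n";

// A record written before the fix (constructed) still renders as inert text.
$legacy = "1111587720\t{$hostile}\tInvalid topic id\n";
echo render_log_row($legacy), "\n";
```

Encoding at render time is the part that also protects log entries written before an upgrade; validation at write time only affects new records.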