FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » FUDforum Development » Bug Reports » Icon bug.
Show: Today's Messages :: Polls :: Message Navigator
Switch to threaded view of this topic Create a new topic Submit Reply
Icon bug. [message #13937] Sat, 01 November 2003 05:49 Go to next message
Xodnizel   United States
Messages: 73
Registered: May 2003
Karma: 0
Member
Simple solution is to disable icons if the posted icon string contains "..".

It may be possible to access images on other sites if the site hosting the fudforum has some sort of redirection script set up.

Edit:
(Removed disruptive icon example).

[Updated on: Sat, 01 November 2003 19:47]

Report message to a moderator

Re: Icon bug. [message #13938 is a reply to message #13937] Sat, 01 November 2003 05:55 Go to previous messageGo to next message
Xodnizel   United States
Messages: 73
Registered: May 2003
Karma: 0
Member
There also appears to be an HTML-insertion vulnerability here. Now what?
Re: Icon bug. [message #13939 is a reply to message #13937] Sat, 01 November 2003 06:12 Go to previous messageGo to next message
Xodnizel   United States
Messages: 73
Registered: May 2003
Karma: 0
Member
Another HTML insertion bug.
SQL buggy. [message #13945 is a reply to message #13937] Sat, 01 November 2003 17:35 Go to previous messageGo to next message
Xodnizel   United States
Messages: 73
Registered: May 2003
Karma: 0
Member
In 2.5.3RC3, at least, there is a *sql insertion bug in the merge thread(and probably split thread, as well) feature.

The problem is in the handling of the sel_th[] form element.

I don't know if it's exploitable or not, but you'd need to be a moderator(or an admin, but that's sort of pointless then) to see the bug.
Re: SQL buggy. [message #13947 is a reply to message #13945] Sat, 01 November 2003 18:19 Go to previous messageGo to next message
Xodnizel   United States
Messages: 73
Registered: May 2003
Karma: 0
Member
Another SQL injection vulnerability in the upload feature:

If you upload a file as an attachment, save the page, and manipulate the value of the "file_array" element(make a new array, serialize, base 64 encode), you can insert an unescaped statement at the end of another SQL statement.

Example file_array element setting:

YToxOntpOjI1O3M6MTI6IjE7KTAwJ2wnbCcoIiI7fQ==

Will should cause an error to be entered in the fudforum error log, which you can see to verify the problem exists.
Re: Icon bug. [message #13948 is a reply to message #13937] Sat, 01 November 2003 18:22 Go to previous messageGo to next message
AzaToth is currently offline  AzaToth   Sweden
Messages: 125
Registered: October 2003
Karma: 0
Senior Member

If this is correct, I suggest to lock this thread, until it's verified and/or corrected.
Re: Icon bug. [message #13952 is a reply to message #13938] Sat, 01 November 2003 19:01 Go to previous messageGo to next message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
Xodnizel wrote on Sat, 01 November 2003 00:55

There also appears to be an HTML-insertion vulnerability here. Now what?



Where?


FUDforum Core Developer
Re: SQL buggy. [message #13953 is a reply to message #13945] Sat, 01 November 2003 19:05 Go to previous messageGo to next message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
Xodnizel wrote on Sat, 01 November 2003 12:35

In 2.5.3RC3, at least, there is a *sql insertion bug in the merge thread(and probably split thread, as well) feature.

The problem is in the handling of the sel_th[] form element.

I don't know if it's exploitable or not, but you'd need to be a moderator(or an admin, but that's sort of pointless then) to see the bug.


Addressed. Mind you it is even if you were to inject some stuff into MySQL nothing would happen. And like you said you'd need to be a priveledged user already.


FUDforum Core Developer
icon10.gif  Re: Icon bug. [message #13954 is a reply to message #13952] Sat, 01 November 2003 19:07 Go to previous messageGo to next message
Xodnizel   United States
Messages: 73
Registered: May 2003
Karma: 0
Member
Here? I'll see if it works...
" alt="icon10.gif">" />  Re: Icon bug. [message #13955 is a reply to message #13952] Sat, 01 November 2003 19:08 Go to previous messageGo to next message
Xodnizel   United States
Messages: 73
Registered: May 2003
Karma: 0
Member
I tried it on my forum and it worked...
Re: Icon bug. [message #13957 is a reply to message #13937] Sat, 01 November 2003 19:14 Go to previous messageGo to next message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
ok, icon validation is now in place.

FUDforum Core Developer
Re: SQL buggy. [message #13961 is a reply to message #13947] Sat, 01 November 2003 20:07 Go to previous messageGo to next message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
Xodnizel wrote on Sat, 01 November 2003 13:19

Another SQL injection vulnerability in the upload feature:

If you upload a file as an attachment, save the page, and manipulate the value of the "file_array" element(make a new array, serialize, base 64 encode), you can insert an unescaped statement at the end of another SQL statement.

Example file_array element setting:

YToxOntpOjI1O3M6MTI6IjE7KTAwJ2wnbCcoIiI7fQ==

Will should cause an error to be entered in the fudforum error log, which you can see to verify the problem exists.


I've added additional checks, but the problem is actually less serious, only the key value is used, the value is not used in SQL.


FUDforum Core Developer
Re: Icon bug. [message #13964 is a reply to message #13937] Sat, 01 November 2003 20:51 Go to previous messageGo to next message
Xodnizel   United States
Messages: 73
Registered: May 2003
Karma: 0
Member
Hmm. This is the error message that lead me to say what I said:

(index.php) 1064: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ';)00'l'l'(",27)' at line 1
Query: SELECT a.id,a.fsize,a.original_name,m.mime_hdr FROM neofud_attach a LEFT JOIN neofud_mime m ON a.mime_type=m.id WHERE a.id IN(1;)00'l'l'(",27)
Re: Icon bug. [message #13965 is a reply to message #13964] Sat, 01 November 2003 20:59 Go to previous message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
That show no longer be possible given the recent changes I've made.

FUDforum Core Developer
  Switch to threaded view of this topic Create a new topic Submit Reply
Previous Topic: Cant login!!
Next Topic: Broken Links with pathinfo 2.6.0RC2
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sun Nov 24 11:53:37 GMT 2024

Total time taken to generate the page: 0.02789 seconds