FUDforum: FUDforum Announcements » FUDforum 2.6.12 Released

Home » FUDforum » FUDforum Announcements » FUDforum 2.6.12 Released

Show: Today's Messages :: Polls :: Message Navigator

FUDforum 2.6.12 Released [message #23582]

Wed, 23 March 2005 14:22

Ilia

Messages: 13241
Registered: January 2002

Karma:

Senior Member
Administrator
Core Developer

FUDforum 2.6.12 has been released, for the most part it is the same as RC3 with a few minor fixes. Additionally this release addresses a minor security issue, details of which can be found below.

Changes:

Updated Russian translation.
Some minor code cleanup.
Fixed login redirection.
Fixed splitting of a topic into a new forum.

Security Disclosure

Credit for the discovery goes to Rasmus Lerdorf.

In pre-2.6.12RC1 versions of the forum the error_dialog() that is being used to log error messages stored the HTTP_HOST ($_SERVER['HTTP_HOST']) without encoding special characters and then displaying this information in the admin error log viewer control panel.
(The data is being stored inside a text file, so there is no danger of SQL injection).

Technically it shouldn't be an issue since the webserver supposed to ensure that the host only contains valid characters. Alas, like many assumptions this one was wrong. On Apache 1/2 the host is not being at all validated and can contain things like HTML data and still complete a request to the primary virtual host on that IP/Server.

This means that if you are using Apache and your forum is running on a dedicated IP address or is setup as a primary virtual host for an IP then it is possible to inject HTML into the admin error log viewer control panel by putting HTML into the HOST header of the HTTP request. However, even in Apache not all characters are allowed within the header and chars such as / and many others are disallowed. Which means the type of HTML that could be injected is fairly limited.

If you don't want to upgrade the forum, then the patch to just fix the security issue is available at:
http://cvs.prohost.org/c/index.cgi/FUDforum/chngview?cn=3353

I would like to thank Rasmus for discovering this problem and promptly notifying me of it, as well as not publicizing the issue until a fix was made available.

FUDforum Core Developer

Report message to a moderator

[Message index]

		FUDforum 2.6.12 Released By: Ilia on Wed, 23 March 2005 14:22
		Re: FUDforum 2.6.12 Released By: lstep on Wed, 30 March 2005 08:19
		Re: FUDforum 2.6.12 Released By: Ilia on Wed, 30 March 2005 14:56
		Re: FUDforum 2.6.12 Released By: lstep on Wed, 30 March 2005 16:03
		Re: FUDforum 2.6.12 Released By: Ilia on Wed, 30 March 2005 16:26
		Re: FUDforum 2.6.12 Released By: lstep on Sat, 02 April 2005 22:11
		Re: FUDforum 2.6.12 Released By: Ilia on Sun, 03 April 2005 17:03
		Re: FUDforum 2.6.12 Released By: lstep on Sun, 03 April 2005 21:20
		Re: FUDforum 2.6.12 Released By: Ilia on Mon, 04 April 2005 19:38

Previous Topic:	FUDforum 2.6.10 Released
Next Topic:	FUDforum 2.6.13RC1 Released

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

]

Current Time: Sun Nov 24 10:03:22 GMT 2024

Total time taken to generate the page: 0.03956 seconds