| Author |
Message |
sambeckett
Corporal


Joined: Jun 25, 2003
Posts: 63
|
Posted:
Tue Oct 07, 2003 4:49 pm |
  |
|
   |
 |
Zhen-Xjell
Nuke Cops Founder


Joined: Nov 14, 2002
Posts: 5939
|
Posted:
Tue Oct 07, 2003 5:35 pm |
  |
Hi'ya, it's the mailattach which was addressed months ago actually. |
_________________ Paul Laudanski, Microsoft MVP Windows-Security
CastleCops: [de] [en] [wiki] |
|
     |
 |
sambeckett
Corporal


Joined: Jun 25, 2003
Posts: 63
|
Posted:
Tue Oct 07, 2003 5:39 pm |
  |
|
   |
 |
Zhen-Xjell
Nuke Cops Founder


Joined: Nov 14, 2002
Posts: 5939
|
Posted:
Tue Oct 07, 2003 5:45 pm |
  |
Hi'ya, like I said above, this was resolved months ago. Francisco and I had worked together to fix this issue, to which his fix was applied. Check the mailattach.php and you'll see this:
| Quote: |
if (isset($userfile) AND $userfile != "none" AND !ereg("/", $userfile) AND !ereg("\.\.", $userfile) AND !ereg("%", $userfile)) {
    if (ini_get(file_uploads) AND $attachments == 1) {
        $updir = "tmp";
        @copy($userfile, "$updir/$userfile_name");
        @unlink($userfile);
    }
} |
That has been in place for a long time now. Hence why folks with the newest mailattach.php cannot get it to traverse directories. |
|
     |
 |
chatserv
General


Joined: Jan 12, 2003
Posts: 3128
Location: Puerto Rico
|
Posted:
Tue Oct 07, 2003 5:48 pm |
  |
The article mentions nuke 6.x and, like Zhen mentioned, most likely refers to the old problem, yet it gets posted now |
_________________ Feed a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime.
ScriptHeaven | NukeResources |
|
    |
 |
Zhen-Xjell
Nuke Cops Founder


Joined: Nov 14, 2002
Posts: 5939
|
Posted:
Tue Oct 07, 2003 5:57 pm |
  |
|
     |
 |
frog-man
Nuke Cadet


Joined: Oct 08, 2003
Posts: 6
|
Posted:
Wed Oct 08, 2003 6:53 am |
  |
Hi,
this has already been posted here: http://nukecops.com/postt11335.html.
I'm sorry Zhen-Xjell, I like your work but your patch doesn't patch my hole. And it will stop all normal uploads with a server under a Linux/Unix system!
The function that will stop it is:
!ereg("/", $userfile)
Under Linux, the $userfile value will be something like /home/temp/TEMPNAMEFILE. So there are 3 "/" characters in $userfile, and the upload is stopped.
But there is no check on $userfile_name. If register_globals is ON, we can choose ourselves the name, the path and the extension of the file... so we can upload any file where we want.
My solution is :
if (isset($userfile) AND $userfile != "none" AND !ereg("/", $userfile) AND !ereg("\.\.", $userfile) AND !ereg("%", $userfile) AND !isset($_REQUEST["userfile_name"])) {
    if (ini_get(file_uploads) AND $attachments == 1) {
        $updir = "tmp";
        @copy($userfile, "$updir/$userfile_name");
        @unlink($userfile);
    }
}
but my solution will stop normal uploads too.
I just saw that phpnuke 6.9 has the same hole. I'll work soon on a new mailattach.php that will allow normal uploads and stop the hole.
I don't know why Francisco doesn't want to hear me... I sent a mail 1 month before sending the text to bugtraq but no reply.
My first patch (that will only patch the hole) can be found on http://www.phpsecure.info (there's an English version). It is for phpnuke 6.7 but will work for versions before and after (like 6.9).
Sorry for my bad English.
bye
frog |
|
|
   |
 |
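An added example (not from the thread and not PHP-Nuke's code) of the upload handling this discussion points toward: the file name and temporary path are read from PHP's `$_FILES` record rather than from request-settable globals, the temporary path is verified with `is_uploaded_file()` instead of a "/" pattern test, and the client-supplied name is reduced to a checked leaf name. It assumes PHP 7.1 or later; the function names are hypothetical, while the `userfile` field and `tmp` directory are taken from the quoted code.

```php
<?php
// Added example; not the PHP-Nuke or thread code. Assumes PHP 7.1+.
// "userfile" and "tmp" come from the thread; function names are hypothetical.

/** Reduce a client-supplied filename to a safe leaf name, or null. */
function safe_attachment_name(string $clientName): ?string
{
    // Drop any directory part, for both "/" and "\" separators.
    $leaf = basename(str_replace('\\', '/', $clientName));
    // Allow-list: rejects "", ".", "..", leading dots, "%", NUL, spaces.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$/D', $leaf)) {
        return null;
    }
    // Refuse names with a script extension anywhere (e.g. "a.php.txt").
    if (preg_match('/\.(php\d?|phtml|phar|cgi|pl)(\.|$)/i', $leaf)) {
        return null;
    }
    return $leaf;
}

/** Store one $_FILES entry under $updir; returns the path or null. */
function store_attachment(array $file, string $updir): ?string
{
    // Trust only PHP's own upload record, never request variables.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'] ?? '')) {
        return null;
    }
    $name = safe_attachment_name($file['name'] ?? '');
    if ($name === null) {
        return null;
    }
    $dest = rtrim($updir, '/') . '/' . $name;
    // move_uploaded_file() re-checks that the source is a real upload.
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample names, to show what the name filter accepts.
    foreach (['photo.jpg', '../../config.php', 'notes.php.txt'] as $n) {
        echo $n, ' => ', var_export(safe_attachment_name($n), true), "\n";
    }
} elseif (isset($_FILES['userfile'])) {
    $stored = store_attachment($_FILES['userfile'], 'tmp');
}
```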
Zhen-Xjell
Nuke Cops Founder


Joined: Nov 14, 2002
Posts: 5939
|
Posted:
Wed Oct 08, 2003 9:26 am |
  |
frog, welcome to the site. It's a pleasure to have you on board. Last night is the first time I was browsing your advisory, however, my laptop decided to crash and I didn't get it back online til a few moments ago. I will read your reply tonight and check this out in more detail. However, tonight I have a previous engagement I need to attend to. So if I skip tonight, I'll be back on it tomorrow.
Our patch releases are sent to Francisco. My initial look at your patch has me feeling uneasy. It's because the use of userfile_name isn't recommended by php.net. That doesn't mean it won't work.
Let's sync up in a day or two.
Thanks |
|
     |
 |
Zhen-Xjell
Nuke Cops Founder


Joined: Nov 14, 2002
Posts: 5939
|
Posted:
Wed Oct 08, 2003 9:39 am |
  |
Oh yes, also as an afterthought, can you send these initial reports to me going forward too? I don't like to wait for this to go public before we work on issuing the patches into the distro. Thanks frog. |
|
     |
 |
frog-man
Nuke Cadet


Joined: Oct 08, 2003
Posts: 6
|
Posted:
Thu Oct 09, 2003 6:18 am |
  |
|
   |
 |
Zhen-Xjell
Nuke Cops Founder


Joined: Nov 14, 2002
Posts: 5939
|
Posted:
Thu Oct 09, 2003 6:19 am |
  |
No problems, we'll also be working on the advisories. Just if you can going forward notify me at zx@nukecops.com. Thanks |
|
     |
 |
frog-man
Nuke Cadet


Joined: Oct 08, 2003
Posts: 6
|
Posted:
Thu Oct 09, 2003 8:36 am |
  |
Ok I've made a new mailattach.php and I've sent a mail. |
|
|
   |
 |
Zhen-Xjell
Nuke Cops Founder


Joined: Nov 14, 2002
Posts: 5939
|
Posted:
Thu Oct 09, 2003 8:43 am |
  |
Ok I will check in the afternoon my time because I'm running off to a meeting. If you get a bounce back, feel free to send it to laudanp - at - yahoo - dot - com. |
|
     |
 |
Zhen-Xjell
Nuke Cops Founder


Joined: Nov 14, 2002
Posts: 5939
|
Posted:
Thu Oct 30, 2003 1:16 am |
  |
| frog-man wrote: |
| Ok I've made a new mailattach.php and I've sent a mail. |
Well I think you've got my reply right? I'm good with using your patch on this. Ultimately I myself don't like mailattach.php very much anyway. |
|
     |
 |
Jeruvy
Lieutenant


Joined: Jul 09, 2003
Posts: 293
|
Posted:
Thu Oct 30, 2003 5:21 pm |
  |
Has this been added to the CVS or the beta site? |
_________________ J.
j e r u v y a t y a h o o d o t c o m |
|
    |
 |
|
|