Message-ID: <42AC1F18.50505@home.se>
Date: Sun, 12 Jun 2005 13:40:08 +0200
From: exon <exon@...e.se>
To: bugtraq@...urityfocus.com
Subject: Re: Arbitrary code execution in eping plugin
oliver@...ersquad.de wrote:
> Hello,
>
> the problem is in function eping_validaddr() in functions.php where the host is checked if it is valid as the name says...
> But the only check is to see if it is a valid ip address for eping, here is the code:
>
> --------------8<-----------------------------------------8<-------------------------------------
> function eping_validaddr($eping_hosttocheck)
> {
>     // Unanchored match: only requires that an IP-looking substring appear somewhere in the input
>     if (ereg("(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)", $eping_hosttocheck))
>     {
>         return true;
>     }
>     else
>     {
>         return false;
>     }
> }
> --------------8<-----------------------------------------8<-------------------------------------
>
> I am sorry but I am a coder and my eyes are bleeding when looking at stuff like that so here is my suggestion for replacing the if-statement:
> if(preg_match("/^[0-9]{2,3}?\.[0-9]{1,3}?\.[0-9]{1,3}?\.[0-9]{1,3}?$/", $eping_hosttocheck))
>
Your suggestion would block 1.1.1.1 which is a valid IP, while letting
through 999.999.999.999 which isn't. It's a bad regex for finding valid
IPs.
Implementing an inet_aton()-like function would be several orders of
magnitude faster than a preg_match() and several times more accurate.
> So only IP addresses are allowed and no kind of code injection is possible.
>
> And everyone who thinks 'will he ever stop writing?' will be disappointed:
> The same vulnerability also exists in the eTrace module from E107. It looks like the same author of the ePing module.
> The only difference is that you have to search for 'etrace' instead of 'eping' in the files
>
> Greetings from Germany
> Oliver
>
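The three checks discussed in this thread side by side, as an added example that is not part of either post: the original unanchored eping pattern, Oliver's proposed anchored pattern, and a strict dotted-quad validator in the spirit of the inet_aton()-like function exon suggests. It assumes Python's re evaluates these particular patterns the same way ereg()/preg_match() do (they use only constructs common to both engines), and the sample hosts are constructed.

```python
import re

# Pattern from the original eping_validaddr(): no ^/$ anchors, so it is
# satisfied by any input that merely contains an IP-looking substring.
ORIGINAL_PATTERN = re.compile(
    r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\."
    r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\."
    r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\."
    r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
)

# The proposed replacement: anchored, but it neither bounds an octet to
# 0-255 nor allows a single-digit first octet.
PROPOSED_PATTERN = re.compile(
    r"^[0-9]{2,3}?\.[0-9]{1,3}?\.[0-9]{1,3}?\.[0-9]{1,3}?$"
)


def original_check(host: str) -> bool:
    """Mimics the ereg() call: substring search, no anchoring."""
    return ORIGINAL_PATTERN.search(host) is not None


def proposed_check(host: str) -> bool:
    """Mimics preg_match() with the proposed anchored pattern."""
    return PROPOSED_PATTERN.search(host) is not None


def inet_aton_like(host: str) -> bool:
    """Strict dotted quad: exactly four ASCII-decimal octets, each 0-255, nothing else."""
    parts = host.split(".")
    if len(parts) != 4:
        return False
    for part in parts:
        # isascii()+isdigit() rejects empty octets, signs, spaces and non-ASCII digits
        if not (part.isascii() and part.isdigit()) or len(part) > 3 or int(part) > 255:
            return False
    return True


def compare(host: str) -> dict:
    """Result of all three validators for one input (hypothetical helper)."""
    return {
        "original": original_check(host),
        "proposed": proposed_check(host),
        "inet_aton_like": inet_aton_like(host),
    }


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    for host in ["1.1.1.1", "999.999.999.999", "127.0.0.1 trailing-text", "256.1.1.1"]:
        print(host, compare(host))
```

Only the strict validator gets all four cases right: the original pattern passes anything with an address embedded in it, and the proposed one rejects 1.1.1.1 while accepting 999.999.999.999 and 256.1.1.1.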