Date: 25 Oct 2006 19:47:31 -0000
From: josecarlos.norte@...il.com
To: bugtraq@...urityfocus.com
Subject: SMF fgets off-by-one issue and filter size evasion


SMF fgets off-by-one issue and filter size evasion

Author: Jose Carlos Norte
Discovered by: Jose Carlos Norte
Risk: Medium
Type: DoS
Version: ALL

1. Introduction

Simple Machines Forum is a popular, scalable, free bulletin board system written in PHP on top of a MySQL database. The URL of the project:

http://www.simplemachines.org/


2. The problem

SMF allows users to have a remote avatar; this avatar is shown in the topics where the user sends messages.

The problem is that SMF checks the remote avatar to test whether its size is in a valid range.

From Sources/Subs.php (1578 to 1069):

function url_image_size($url)
{
	// Get the host to pester...
	preg_match('~^\w+://(.+?)/(.*)$~', $url, $match);

	// Can't figure it out, just try the image size.
	if ($url == '' || $url == 'http://' || $url == 'https://')
		return false;
	elseif (!isset($match[1]))
		return @getimagesize($url);

	// Try to connect to the server... give it one full second.
	$temp = 0;
	$fp = @fsockopen($match[1], 80, $temp, $temp, 1);

	// Successful?  Continue...
	if ($fp != false)
	{
		// Send the HEAD request.
		fwrite($fp, 'HEAD /' . $match[2] . ' HTTP/1.1' . "\r\n" . 'Connection: close' . "\r\n" . 'Host: ' . $match[1] . "\r\n\r\n");
		// Read in the HTTP/1.1 or whatever.
		$test = substr(fgets($fp, 11), -1);
		fclose($fp);

		// See if it returned a 404/403 or something.
		if ($test < 4)
			return @getimagesize($url);
	}

	// Didn't work.
	return false;
}

A modified remote server can send false values in response to HEAD requests, so a 999999999999x9999999999 image will bypass the filter.
Additionally, if the server does not send any response to HEAD requests, the PHP script will block in fgets until PHP kills it
on time_limit. The result is that any topic where the malicious user has sent a message becomes unreadable for all users.

3. Solution

Change the function to:

function url_image_size($url)
{
	return false;
}

and don't try to check the size of remote images!

I was unable to contact the SMF developer team, again.
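
The 1-second value passed to fsockopen() in the quoted function limits only the connection attempt, not the fgets() that follows it. As an added example (not part of the original advisory and not SMF code; the function names, the 2-second default and the http-only restriction are assumptions), a variant that puts a deadline on the read and parses the full status code:

```php
<?php
// Added example, not SMF code. Function names are hypothetical.
// Return the HTTP status of a HEAD request, or null if the server is
// unreachable, silent past the deadline, or answers with garbage.
function head_status_with_deadline(string $host, string $path, int $seconds = 2): ?int
{
	// Refuse whitespace and control characters so the request stays well-formed.
	if (preg_match('~[\x00-\x20\x7f]~', $host . $path))
		return null;

	// The fifth argument of fsockopen() bounds the connect phase only.
	$errno = 0; $errstr = '';
	$fp = @fsockopen($host, 80, $errno, $errstr, $seconds);
	if ($fp === false)
		return null;

	// Bound each later read and write on the socket as well.
	stream_set_timeout($fp, $seconds);
	fwrite($fp, 'HEAD /' . $path . " HTTP/1.1\r\nHost: " . $host . "\r\nConnection: close\r\n\r\n");
	$line = fgets($fp, 64);
	$meta = stream_get_meta_data($fp);
	fclose($fp);
	if ($line === false || $meta['timed_out'])
		return null;

	// Parse the whole three-digit status code.
	if (!preg_match('~^HTTP/\d\.\d (\d{3})~', $line, $m))
		return null;
	return (int) $m[1];
}

function url_image_size_bounded(string $url, int $seconds = 2)
{
	if (!preg_match('~^http://([^/:]+)/(.*)$~', $url, $match))
		return false;
	$status = head_status_with_deadline($match[1], $match[2], $seconds);
	if ($status === null || $status >= 400)
		return false;

	// getimagesize() opens its own connection through the http wrapper,
	// whose timeout comes from default_socket_timeout.
	$old = ini_set('default_socket_timeout', (string) $seconds);
	$size = @getimagesize($url);
	if ($old !== false)
		ini_set('default_socket_timeout', $old);
	return $size;
}
```

The deadline applies to each read separately, and the example addresses only the stalled read: a server that answers the HEAD request and the later image fetch differently is not handled by it.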
