Message-ID: <20070414183424.1462.qmail@securityfocus.com>
Date: 14 Apr 2007 18:34:24 -0000
From: Lostmon@...il.com
To: bugtraq@...urityfocus.com
Subject: Re: sitex multiple vulnerabilities

Hello!

Original article: http://lostmon.blogspot.com/2007/04/posible-patch-for-sitex.html
Vendor URL: http://sitex.bjsintay.com/

OSVDB IDs: 33158, 33159, 33160, 33161
http://archives.neohapsis.com/archives/bugtraq/2007-02/0477.html
http://www.securityfocus.com/archive/1/archive/1/461305/100/0/threaded
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1234

After studying these vulns I found a simple possible patch:

Some other params are affected, like albumid upon submit to albun.php,
the username box upon submission to login.php, and multiple other params.

Most of those flaws could be solved by a simple "emergency" patch before the vendor
releases an update or a patch.

Open includes/functions.php

Around lines 12-13 we have this code:

// - = - = - = - = - = - = - = - = -
// GLOBAL CODE
// - = - = - = - = - = - = - = - = - 

// Convert post, get, and server variables for shorthand use and
// register globals compatibility

if (!empty($_POST)) 	foreach ($_POST as $k => $v) 	$$k = $v;
if (!empty($_GET)) 		foreach ($_GET as $k => $v) 	$$k = $v;
if (!empty($_SERVER)) 	foreach ($_SERVER as $k => $v) 	$$k = $v;
if (!empty($_COOKIE)) 	foreach ($_COOKIE as $k => $v) 	$$k = $v;
if (!empty($_SESSION)) 	foreach ($_SESSION as $k => $v) $$k = $v;

// Prevent PHP include vulnerability, initialize important vars, will be over-written
#################################################################


You can change it for this other code:

################################################################
// Stop XSS: function to mitigate the possible XSS flaws
// Use StopXSS(param or function)

function StopXSS($text){

$text = preg_replace("/(\<script)(.*?)(script>)/si", "", "$text");
$text = strip_tags($text);
$text = str_replace(array("'","\"",">","<","\\"), "", $text);
return $text;

}

// - = - = - = - = - = - = - = - = -
// GLOBAL CODE
// - = - = - = - = - = - = - = - = - 

// Convert post, get, and server variables for shorthand use and
// register globals compatibility

if (!empty($_POST)) 	foreach ($_POST as $k => $v) 	$$k = StopXSS($v);
if (!empty($_GET)) 		foreach ($_GET as $k => $v) 	$$k = StopXSS($v);
if (!empty($_SERVER)) 	foreach ($_SERVER as $k => $v) 	$$k = StopXSS($v);
if (!empty($_COOKIE)) 	foreach ($_COOKIE as $k => $v) 	$$k = StopXSS($v);
if (!empty($_SESSION)) 	foreach ($_SESSION as $k => $v) $$k = StopXSS($v);

// Prevent PHP include vulnerability, initialize important vars, will be over-written

#####################################################################

And most of the XSS flaws are now solved :D

Thanks for your time!!!

Thanks to OSVDB!!!

-- 
Sincerely:
Lostmon (lostmon@...il.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....
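Added example (editor's note): the following PHP is not from the sitex code base or from the post above. It keeps the posted StopXSS() verbatim so its effect on a few constructed inputs can be seen next to the usual alternative, encoding at the point of output with htmlspecialchars(), and it shows why the `$$k = $v` loop is a problem on its own. The request values, the two templates, safe_url(), h() and the variable $is_admin are all constructed here for illustration; whether sitex echoes values into an unquoted attribute or an href is not something the post establishes, so treat parts 2 and 3 as a caveat about the technique, not as a finding against sitex.

```php
<?php
// Added example, not code from sitex or from the post above. StopXSS() is
// the posted filter, unchanged; everything else is constructed for illustration.
declare(strict_types=1);

// The filter exactly as posted in the patch above. Note that "$text" turns an
// array parameter (e.g. tags[]=1) into the string "Array" with a notice.
function StopXSS($text)
{
    $text = preg_replace("/(\<script)(.*?)(script>)/si", "", "$text");
    $text = strip_tags($text);
    $text = str_replace(array("'", "\"", ">", "<", "\\"), "", $text);
    return $text;
}

// Context-aware alternative: encode where the value is written into HTML.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed request values (hypothetical parameter names, not sitex traffic).
$request = [
    'albumid'  => '7<script>alert(1)</script>',        // tag in HTML text context
    'username' => 'bob" autofocus onfocus="alert(1)',  // quotes, no tags
    'back'     => 'javascript:alert(document.cookie)', // none of the blacklisted characters
];

// 1. What the blacklist does to each value.
foreach ($request as $name => $value) {
    printf("%-8s %s\n", $name, StopXSS($value));
}
// albumid  7
// username bob autofocus onfocus=alert(1)
// back     javascript:alert(document.cookie)

// 2. The same values placed into two hypothetical templates. After StopXSS()
//    the value is harmless as HTML text, but in an unquoted attribute the
//    space-separated words become new attributes, and a javascript: URL in
//    href passes the filter untouched. Output encoding fixes the attribute case;
//    the URL case additionally needs a scheme allow-list, which no filter on
//    characters can provide.
function render_filtered(array $r): string
{
    return '<input value=' . StopXSS($r['username']) . '>'
         . '<a href="' . StopXSS($r['back']) . '">back</a>';
}

function safe_url(string $url): string
{
    // Allow a site-relative path (not protocol-relative //host) or http(s)://,
    // otherwise fall back to the site root.
    return preg_match('#^(/(?!/)|https?://)#i', $url) ? $url : '/';
}

function render_encoded(array $r): string
{
    return '<input value="' . h($r['username']) . '">'
         . '<a href="' . h(safe_url($r['back'])) . '">back</a>';
}

echo render_filtered($request), "\n";
// <input value=bob autofocus onfocus=alert(1)><a href="javascript:alert(document.cookie)">back</a>
echo render_encoded($request), "\n";
// <input value="bob&quot; autofocus onfocus=&quot;alert(1)"><a href="/">back</a>

// 3. The loop itself, independent of XSS: every request key becomes a PHP
//    variable, so anything assigned before the loop is overwritten by a request
//    parameter of the same name (the register_globals problem this code
//    re-creates). $is_admin is a hypothetical variable, not one from sitex.
function demo_overwrite(array $source): string
{
    $is_admin = false;
    foreach ($source as $k => $v) $$k = $v;   // the pattern from functions.php
    return $is_admin ? 'admin' : 'user';
}

echo demo_overwrite(['page' => 'album']), "\n";   // user
echo demo_overwrite(['is_admin' => '1']), "\n";   // admin
```

Run it with `php example.php`. The practical reading: a character blacklist applied on input is only an emergency measure for values echoed as HTML text; the durable fix is to encode each value for the context it is written into and to stop the `$$k = $v` loop from defining variables at all (or at least to initialise every variable the script relies on after the loop, as the sitex comment says it does for its "important vars").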
