Topic: Strange errors that just started.

VinNieDaMac

Strange errors that just started.
« on: April 18, 2005, 07:05:25 pm »

Code:
Warning: ob_start() has been disabled for security reasons in /home/www/samurailegends/samurailegends.busybits.com/include/init.inc.php on line 33

Warning: ob_start() has been disabled for security reasons in /home/www/samurailegends/samurailegends.busybits.com/index.php on line 646

Warning: Cannot modify header information - headers already sent by (output started at /home/www/samurailegends/samurailegends.busybits.com/themes/hardwired/theme.php:1246) in /home/www/samurailegends/samurailegends.busybits.com/themes/hardwired/theme.php on line 893

Warning: Cannot modify header information - headers already sent by (output started at /home/www/samurailegends/samurailegends.busybits.com/themes/hardwired/theme.php:1246) in /home/www/samurailegends/samurailegends.busybits.com/include/functions.inc.php on line 51

That's what it says at the top. This didn't happen until this morning, and I didn't change anything.

http://samurailegends.busybits.com/
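The four warnings above are one chain, not four problems. "ob_start() has been disabled for security reasons" is PHP's message when a function is listed in the host's php.ini `disable_functions` directive (a PHP_INI_SYSTEM setting, so a script cannot override it). That warning is printed to the page before the theme has sent any header, so every later `header()` or cookie call fails with "headers already sent". The following script is an added example, not Coppermine's code: it reports which functions a host has disabled and shows a guarded `ob_start()` call that degrades quietly instead of producing stray output. The list of function names it checks is an arbitrary sample.

```php
<?php
// Added example (not part of Coppermine). A host php.ini line such as
//     disable_functions = ob_start,exec,system
// makes every call to those functions emit a warning instead of running.
// Because the warning is itself output, any header() call that follows
// fails with "headers already sent".

function disabled_functions(): array
{
    // ini_get() returns the comma-separated list from php.ini, or "" / false.
    $raw   = strtolower((string) ini_get('disable_functions'));
    $names = array_map('trim', explode(',', $raw));
    return array_values(array_filter($names, 'strlen'));
}

function is_disabled(string $name): bool
{
    return in_array(strtolower($name), disabled_functions(), true);
}

// Start output buffering only when the host permits it. A false return lets
// the caller skip features that need a buffer (late header changes,
// compression) rather than triggering the warning cascade.
function start_buffer_if_allowed(): bool
{
    if (is_disabled('ob_start')) {
        return false;
    }
    return ob_start();
}

$buffering = start_buffer_if_allowed();

// Sample of functions worth checking on a shared host; ob_start grants no
// filesystem or process access, so seeing it here usually means the host
// applied a blanket list rather than a considered one.
foreach (['ob_start', 'header', 'exec', 'system', 'set_time_limit'] as $fn) {
    printf("%-15s %s\n", $fn, is_disabled($fn) ? 'disabled by host' : 'available');
}
printf("output buffering active: %s\n", $buffering ? 'yes' : 'no');
```

Drop the script into the web root and open it in a browser, or run `php -i | grep disable_functions` from a shell on the host, to confirm that the list changed on the morning the warnings appeared. Since `disable_functions` cannot be changed from within the application, the only fixes are the host removing `ob_start` from the list or a move to a host that does not disable it.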

VinNieDaMac

Re: Strange errors that just started.
« Reply #1 on: April 18, 2005, 07:06:46 pm »

Also, if it's because of the host, can anyone recommend another free PHP web host that Coppermine would work on? Thanks in advance.

krkeegan

Re: Strange errors that just started.
« Reply #2 on: April 18, 2005, 08:14:57 pm »

Hmm, I have never heard of a security hole in the buffer before.

But yeah it looks like you may want to find another host.

Does this affect your site, or are the warnings just popping up? Maybe you could remove the offending line in the PHP?

Kevin

maxim2112

Re: Strange errors that just started.
« Reply #3 on: April 18, 2005, 08:43:03 pm »

Might be related to this vulnerability, which was sent out to bugtraq this morning:

Quote
+-----------------------------------------+
| RST/GHC >> Coppermine << ADVISORY       |
| Product: Coppermine Photo Gallery       |
| Version: 1.3.x                          |
| URL: http://coppermine.sourceforge.net/ |
+-----------------------------------------+

[Product Description]
"Coppermine Photo Gallery is a picture gallery script. Users can upload pictures
with a web browser (thumbnails are created on the fly), rate pictures, add
comments and send e-cards. The admins can manage the galleries and batch add
pictures that have been uploaded on the server by FTP. Support for multimedia
files has been added recently" (from official site description).

[Summary]
The lack of sanitizing of user defined variables may result in undesirable
consequences such as IP spoofing or XSS attack.

[Details]
Generally, users of Coppermine Gallery can post comments. The remote address and
x-forwarded-for variables are logged for the admin's eyes.
The X-Forwarded-For variable does not pass through any filtering before being logged into the
database. The user can define/redefine this variable.

Vulnerable script:  include/init.inc.php


Code:
if (isset($HTTP_SERVER_VARS['HTTP_X_FORWARDED_FOR'])) {
    // The header value is taken as-is: stripslashes() only undoes
    // magic_quotes escaping, it does not check that the string is an IP.
    $hdr_ip = stripslashes($HTTP_SERVER_VARS['HTTP_X_FORWARDED_FOR']);
} else {
    // $raw_ip (the socket address, REMOTE_ADDR) is set earlier in
    // init.inc.php and is not shown in the quoted snippet.
    $hdr_ip = $raw_ip;
}


A user with access to the comments module can spoof the x-forwarded-for variable and
carry out an XSS attack (for example, to get the admin's cookie).


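The advisory names two distinct weaknesses in the quoted snippet: the header is client-controlled, so any value in it can spoof the logged address, and it is stored and later shown to the admin without validation or escaping, which is where the XSS lands. The block below is an added example and not Coppermine's fix (the maintenance release mentioned later in the thread is not reproduced here). It assumes a hypothetical list of reverse-proxy addresses, `TRUSTED_PROXIES`, and the function and variable names are the example's own; the `$raw_ip` / `$hdr_ip` naming follows the snippet.

```php
<?php
// Added example, not Coppermine's code. Two separate controls:
//  1. Spoofing: X-Forwarded-For is honoured only when the TCP peer
//     (REMOTE_ADDR) is a proxy we operate; otherwise it is ignored.
//  2. XSS: every hop must parse as an IP address, and the value is
//     escaped again at render time so stored data can never become markup.

// Hypothetical addresses of reverse proxies in front of the gallery.
const TRUSTED_PROXIES = ['10.0.0.1', '10.0.0.2'];

function resolve_client_ips(array $server): array
{
    $raw_ip = $server['REMOTE_ADDR'] ?? '0.0.0.0';
    $hdr_ip = $raw_ip;

    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff !== '' && in_array($raw_ip, TRUSTED_PROXIES, true)) {
        // The header may carry a comma-separated chain of hops.
        $hops  = array_map('trim', explode(',', $xff));
        $valid = array_filter(
            $hops,
            static fn(string $h): bool => filter_var($h, FILTER_VALIDATE_IP) !== false
        );
        // Keep the chain only if every hop validated; one bad hop means the
        // header is malformed or hostile and the socket address is kept.
        if (count($valid) === count($hops)) {
            $hdr_ip = implode(', ', $valid);
        }
    }
    return ['raw_ip' => $raw_ip, 'hdr_ip' => $hdr_ip];
}

// Output side: escape regardless of what validation did on the way in, so a
// value stored by an older, unvalidated version is still rendered inertly.
function render_ip(string $ip): string
{
    return htmlspecialchars($ip, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed requests (not captured traffic) covering the cases that matter.
$requests = [
    'direct, no proxy'       => ['REMOTE_ADDR' => '203.0.113.7'],
    'via proxy, clean chain' => ['REMOTE_ADDR' => '10.0.0.1',
                                 'HTTP_X_FORWARDED_FOR' => '198.51.100.5, 192.0.2.9'],
    'via proxy, XSS payload' => ['REMOTE_ADDR' => '10.0.0.1',
                                 'HTTP_X_FORWARDED_FOR' => '<script>alert(document.cookie)</script>'],
    'spoof without proxy'    => ['REMOTE_ADDR' => '203.0.113.7',
                                 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'],
];
foreach ($requests as $label => $server) {
    $ips = resolve_client_ips($server);
    printf("%-24s raw=%-12s hdr=%s\n", $label, $ips['raw_ip'], render_ip($ips['hdr_ip']));
}
```

Run with `php example.php`. Only the "clean chain" request ends up with a forwarded address in `hdr_ip`; the script payload and the spoof attempt both fall back to `REMOTE_ADDR`, and `render_ip()` would have neutralised the payload even if validation had let it through. If the gallery is not behind a proxy at all, the simplest correct change is to never read `X-Forwarded-For` and log only `REMOTE_ADDR`.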

krkeegan

Re: Strange errors that just started.
« Reply #4 on: April 18, 2005, 10:49:56 pm »

Hadn't seen that yet. I still don't see how this relates to the output buffer?

Kevin

Joachim Müller

  • Dev Team member
Re: Strange errors that just started.
« Reply #5 on: April 20, 2005, 07:14:11 am »

The error quoted in the first post (the ob_start() warnings and the "headers already sent" warnings that follow them) is not related to the bugtraq advisory. We are aware of the advisory made on bugtraq and are working on a fix that will be published soon (as a maintenance release).

Joachim