News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.

Topic: Patch for v. 1.4.2x (preserves BBCode img & url tags)


Ludo (Contributor)
Patch for v. 1.4.2x (preserves BBCode img & url tags)
« on: March 11, 2009, 05:15:08 pm »

[ Edit: scroll down for the effective hack - Ludo ]

I've finally accomplished a workaround to sanitize only BBCode containing exploits addressed by 1.4.21.

This hack will strip only img and url BBCode tags containing http://[host]/[path]/delete.php, supposing that exploits rely on executing that file (please let me know if I'm wrong).

OPEN
include/functions.php

FIND (in function bb_decode)

Code:
static $bbcode_tpl = array();
BEFORE, ADD
Code:
global $CONFIG;
FIND
Code:
return $text;
BEFORE, ADD
Code:
if (strpos($text, $CONFIG['ecards_more_pic_target']."delete.php") !== false) $text = strip_tags($text, "<b><u><i><span>");
SAVE AND CLOSE
« Last Edit: May 06, 2009, 09:30:44 am by Ludo »

Joachim Müller (Dev Team member, aka "GauGau")
Re: 1.4.20 BBCode exploits fix (preserves unmalicious BBCode)
« Reply #1 on: March 11, 2009, 05:48:16 pm »

Quote
please let me know if I'm wrong
You're wrong: do what you suggested and I'll hack your site in less than a minute. Reason: you can't sanitize against redirection. What should keep me from setting up a redirect (e.g. by using tinyurl or a similar service) that points to delete.php on your server? The URI will look innocent, so you can't sanitize it. The only way of sanitizing properly would be allowing only local images and URLs (from the domain the gallery runs on), assuming that you have control over redirects on your server. This would of course not be true for free hosts, where you run on subdomains like http://example.free.fr
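As an added illustration of the point above (example code written for this page, not Coppermine's own code): the substring check from the first post looks for the literal string "<ecards_more_pic_target>delete.php", so any URL that reaches delete.php by another route passes it, a redirector being the obvious case and a "/albums/../delete.php" path another, since the browser collapses the ".." before it sends the request. A same-origin allowlist built on parse_url() rejects every foreign host instead. Because a same-host URL could still name a script, the example goes slightly beyond the reply and also requires the path to sit under the albums directory. The host name example.com, the prefix /gallery/albums/, the tinyurl URL and the sample paths are constructed placeholders; PHP 7 or later is assumed, and the wiring into bb_decode() is not shown.

```php
<?php
// Added example for this thread; not Coppermine code. Contrasts the substring
// blocklist from the first post with a same-origin allowlist. Host, paths and
// the redirector URL below are constructed placeholders.

// Blocklist as in the first post: flags a URL only if it literally contains
// "<ecards_more_pic_target>delete.php".
function blocklist_flags_url(string $url, string $galleryBase): bool
{
    return strpos($url, $galleryBase . 'delete.php') !== false;
}

// Allowlist: accept only absolute http(s) URLs on the gallery's own host whose
// normalised path starts with an allowed prefix (assumed here: the albums
// directory), so a local URL that points at a script is rejected as well.
function url_is_allowed(string $url, string $galleryHost, string $allowedPathPrefix): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;                                   // relative, malformed or host-less
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;                                   // javascript:, data:, ftp: ...
    }
    if (strcasecmp($parts['host'], $galleryHost) !== 0) {
        return false;                                   // foreign host, including redirectors
    }
    // Collapse "." and ".." segments the way a browser would before sending.
    $segments = [];
    foreach (explode('/', $parts['path'] ?? '') as $seg) {
        if ($seg === '..') {
            array_pop($segments);
        } elseif ($seg !== '' && $seg !== '.') {
            $segments[] = $seg;
        }
    }
    $normalised = '/' . implode('/', $segments);
    return strpos($normalised, $allowedPathPrefix) === 0;
}

// Constructed sample values (not taken from any real gallery).
$galleryBase  = 'http://example.com/gallery/';   // what ecards_more_pic_target holds
$galleryHost  = 'example.com';
$albumsPrefix = '/gallery/albums/';

$samples = [
    'direct'     => $galleryBase . 'delete.php',
    'redirector' => 'http://tinyurl.com/abc123',          // stands in for any redirect service
    'traversal'  => $galleryBase . 'albums/../delete.php',
    'legit'      => $galleryBase . 'albums/userpics/10001/pic.jpg',
];

foreach ($samples as $name => $url) {
    printf("%-10s blocklist=%s allowlist=%s  %s\n",
        $name,
        blocklist_flags_url($url, $galleryBase) ? 'flagged' : 'passed ',
        url_is_allowed($url, $galleryHost, $albumsPrefix) ? 'allowed ' : 'rejected',
        $url);
}
```

Only the "direct" sample is caught by the substring check; the redirector and the traversal form both pass it and are only stopped by the allowlist. The caveat from the reply still applies: on a host where other people can create redirects under the same domain, a host check alone is not enough, which is why the path prefix is enforced too.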

Ludo (Contributor)
Re: 1.4.20 BBCode exploits fix (preserves unmalicious BBCode)
« Reply #2 on: March 11, 2009, 06:01:34 pm »

Quote
you can't sanitize against redirection.
Sigh, I didn't figure out that way of hacking... :-[ :'(
It looked too easy to work out...  ;D
« Last Edit: March 13, 2009, 11:11:06 am by Ludo »

Ludo (Contributor)
Re: Patch for v. 1.4.2x (preserves BBCode img & url tags)
« Reply #3 on: March 12, 2009, 09:00:45 pm »

I successfully tried a different approach which, as far as I have tested, protects against the mentioned exploits without any impact on gallery functionality.
Basically, it relies on switching the main form (editForm) in usermgr.php from the GET to the POST method, and then checking $_POST instead of $_GET/$_REQUEST in delete.php when the change_group or add_group action is triggered. This prevents any request sent via the query string from being executed.
When applying this patch to v. 1.4.21 and newer, you must restore the previous version of the bb_decode function in include/functions.inc.php, by replacing the current version with the code below:
Code:
function bb_decode($text)
{
        $text = nl2br($text);

        static $bbcode_tpl = array();
        static $patterns = array();
        static $replacements = array();

        // First: If there isn't a "[" and a "]" in the message, don't bother.
        if ((strpos($text, "[") === false || strpos($text, "]") === false))
        {
                return $text;
        }

        // [b] and [/b] for bolding text.
        $text = str_replace("[b]", '<b>', $text);
        $text = str_replace("[/b]", '</b>', $text);

        // [u] and [/u] for underlining text.
        $text = str_replace("[u]", '<u>', $text);
        $text = str_replace("[/u]", '</u>', $text);

        // [i] and [/i] for italicizing text.
        $text = str_replace("[i]", '<i>', $text);
        $text = str_replace("[/i]", '</i>', $text);

        // colours
        $text = preg_replace("/\[color=(\#[0-9A-F]{6}|[a-z]+)\]/", '<span style="color:$1">', $text);
        $text = str_replace("[/color]", '</span>', $text);

        // [i] and [/i] for italicizing text.
        //$text = str_replace("[i:$uid]", $bbcode_tpl['i_open'], $text);
        //$text = str_replace("[/i:$uid]", $bbcode_tpl['i_close'], $text);

        if (!count($bbcode_tpl)) {
                // We do URLs in several different ways..
                $bbcode_tpl['url']  = '<span class="bblink"><a href="{URL}" rel="external">{DESCRIPTION}</a></span>';
                $bbcode_tpl['email']= '<span class="bblink"><a href="mailto:{EMAIL}">{EMAIL}</a></span>';

                $bbcode_tpl['url1'] = str_replace('{URL}', '\\1\\2', $bbcode_tpl['url']);
                $bbcode_tpl['url1'] = str_replace('{DESCRIPTION}', '\\1\\2', $bbcode_tpl['url1']);

                $bbcode_tpl['url2'] = str_replace('{URL}', 'http://\\1', $bbcode_tpl['url']);
                $bbcode_tpl['url2'] = str_replace('{DESCRIPTION}', '\\1', $bbcode_tpl['url2']);

                $bbcode_tpl['url3'] = str_replace('{URL}', '\\1\\2', $bbcode_tpl['url']);
                $bbcode_tpl['url3'] = str_replace('{DESCRIPTION}', '\\3', $bbcode_tpl['url3']);

                $bbcode_tpl['url4'] = str_replace('{URL}', 'http://\\1', $bbcode_tpl['url']);
                $bbcode_tpl['url4'] = str_replace('{DESCRIPTION}', '\\2', $bbcode_tpl['url4']);

                $bbcode_tpl['email'] = str_replace('{EMAIL}', '\\1', $bbcode_tpl['email']);

                // [url]xxxx://www.phpbb.com[/url] code..
                $patterns[1] = "#\[url\]([a-z]+?://){1}([a-z0-9\-\.,\?!%\*_\#:;~\\&$@\/=\+\(\)]+)\[/url\]#si";
                $replacements[1] = $bbcode_tpl['url1'];

                // [url]www.phpbb.com[/url] code.. (no xxxx:// prefix).
                $patterns[2] = "#\[url\]([a-z0-9\-\.,\?!%\*_\#:;~\\&$@\/=\+\(\)]+)\[/url\]#si";
                $replacements[2] = $bbcode_tpl['url2'];

                // [url=xxxx://www.phpbb.com]phpBB[/url] code..
                $patterns[3] = "#\[url=([a-z]+?://){1}([a-z0-9\-\.,\?!%\*_\#:;~\\&$@\/=\+\(\)]+)\](.*?)\[/url\]#si";
                $replacements[3] = $bbcode_tpl['url3'];

                // [url=www.phpbb.com]phpBB[/url] code.. (no xxxx:// prefix).
                $patterns[4] = "#\[url=([a-z0-9\-\.,\?!%\*_\#:;~\\&$@\/=\+\(\)]+)\](.*?)\[/url\]#si";
                $replacements[4] = $bbcode_tpl['url4'];

                // [email]user@domain.tld[/email] code..
                $patterns[5] = "#\[email\]([a-z0-9\-_.]+?@[\w\-]+\.([\w\-\.]+\.)?[\w]+)\[/email\]#si";
                $replacements[5] = $bbcode_tpl['email'];

                // [img]xxxx://www.phpbb.com[/img] code..
                $bbcode_tpl['img']  = '<img src="{URL}" alt="" />';
                $bbcode_tpl['img']  = str_replace('{URL}', '\\1\\2', $bbcode_tpl['img']);

                $patterns[6] = "#\[img\]([a-z]+?://){1}([a-z0-9\-\.,\?!%\*_\#:;~\\&$@\/=\+\(\)]+)\[/img\]#si";
                $replacements[6] = $bbcode_tpl['img'];

        }

        $text = preg_replace($patterns, $replacements, $text);

        return $text;
}

Is there any security hole or operational fault in this approach that I didn't notice? Anyway, here is the mod:

OPEN
usermgr.php

FIND
Code:
print '<form method="get" action="delete.php" name="editForm">'."\n";
CHANGE TO
Code:
print '<form method="post" action="delete.php" name="editForm">'."\n";

OPEN
delete.php

FIND
Code:
$user_id = str_replace('u', '', $_GET['id']);
CHANGE TO
Code:
$user_id = str_replace('u', '', $_POST['id']);
FIND (line 673)
Code:
// set this user's group
BEFORE, ADD
Code:
if (isset($_POST['group'])) {
FIND (5 times)
Code:
$_REQUEST['group']
CHANGE TO
Code:
$_POST['group']
FIND (line 678)
Code:
print '</b></td>';
REPLACE WITH
Code:
}
          print '</td>';

SAVE AND CLOSE ALL FILES
« Last Edit: November 08, 2009, 03:34:15 pm by Ludo »

Fabricio Ferrero (Dev Team member)
Re: 1.4.20 BBCode exploits fix
« Reply #4 on: March 13, 2009, 12:38:39 am »

Quote
Basically, it relies on switching the main form (editForm) in usermgr.php from the GET to the POST method, and then checking $_POST instead of $_GET/$_REQUEST in delete.php when the change_group or add_group action is triggered. This prevents any request sent via the query string from being executed.

As suggested in this old article: http://shiflett.org/articles/cross-site-request-forgeries

When the exploit was posted in this forum I read a little bit about CSRF. I didn't quote that article because I thought there was a missing point there. (I'm not a programmer, I don't know the missing point... just wondering.) I mean, I don't think that such an old solution would fill that hole, right Devs?  ???

cof (Coppermine newbie)
Re: 1.4.20 BBCode exploits fix
« Reply #5 on: March 13, 2009, 08:13:40 am »

That is more advanced than anything I would think about...

I just upgraded to 1.4.21 (nice work on a quick release, guys) and then discovered my links gone (and then the reasoning).

What I'm wondering is: am I vulnerable on a non-multi-user site? My thought is that if I have comments turned on then yes, so what I'm thinking of doing until a more elegant solution is found is having an alternate bb_decode function for album descriptions.

I encode links in my album descriptions where there is a relevant blog posting and since it is a closed system, there should be no way for an outside user to create an album and use this exploit. Meanwhile, comments will still not include link or image tags as they used to, but I'm ok with that anyway.

Thoughts?

Joachim Müller (Dev Team member, aka "GauGau")
Re: 1.4.20 BBCode exploits fix
« Reply #6 on: March 13, 2009, 08:54:30 am »

@Ludo: that's part of the correct approach that needs looking into in detail. Thanks for providing your suggestions.
However, as suggested in the article that Fabricio referred to,
Quote
POST requests can also be forged, so do not consider a strict use of $_POST to be sufficient protection.
This being said: using POST would be better than using GET, but it would not completely solve the problem; it would only make it a bit harder to come up with a working exploit.
The real solution is to make sure that the actual form has been used and that it was submitted on purpose. This can be accomplished using a session token, as described in the article.

@Fabricio: thanks for providing that article - I hadn't read it before, but it describes exactly what we're trying to do as a permanent counter-measure against CSRF.

@cof: as suggested in other threads: if you're the only user of your gallery (i.e. the only person who could use bbcode), you can safely uncomment the security fixes from cpg1.4.21 and allow usage of the missing bbcode tags, as you'll be the only person capable of using them. There's no hidden exploit that we're aware of that could be used against you in that environment.
Once again: if another user or guest can post/publish anything on your gallery (be it a comment, a file he could upload, or a personal gallery that he could create from within the coppermine user interface), you'd be vulnerable if you allowed the bbcode tags [img] and [url]. In that situation, you mustn't uncomment the fixes performed in include/functions.inc.php.
Only if you can be absolutely sure that there can be no user interaction as far as using those potentially dangerous bbcodes is concerned is it safe to re-allow those bbcodes.
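The session-token check Joachim describes, as an added example written for this page (not Coppermine code and not part of any release): it replaces the GET-to-POST switch of Reply #3 rather than adding to it, since a cross-site page can auto-submit a POST form just as easily as an [img] tag fires a GET, which is exactly the point of the quoted sentence. The token lives in the session, is emitted as a hidden field in the usermgr.php editForm, and is checked in delete.php before change_group/add_group acts on anything. The field name form_token, the session key csrf_token, the parameter values in the sample requests and PHP 7 or later are assumptions of the example; the demonstration fakes the session array so it runs from the command line without a web server.

```php
<?php
// Added example for this thread; not Coppermine code. Shows a per-session
// CSRF token as recommended in the reply above. Names "form_token" and
// "csrf_token" and the sample request values are choices made here.

// Return the per-session secret, creating it on first use. In a real request
// session_start() must have run first; the demo below fakes $_SESSION.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));   // 256-bit CSPRNG value
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to emit inside the editForm in usermgr.php.
function csrf_field(): string
{
    return '<input type="hidden" name="form_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '" />';
}

// Check to run in delete.php before change_group / add_group is acted on.
// A forged request from another origin cannot carry the right token, whether it
// arrives as a GET from an [img] tag or as an auto-submitted cross-site POST.
function csrf_request_ok(string $method, array $post): bool
{
    if ($method !== 'POST') {
        return false;                                  // never act on a query string
    }
    if (empty($_SESSION['csrf_token']) || !isset($post['form_token'])) {
        return false;                                  // no token issued, or none sent
    }
    // hash_equals: constant-time comparison, no timing side channel on the token
    return hash_equals($_SESSION['csrf_token'], (string) $post['form_token']);
}

// ---- demonstration with a constructed session (runs from the CLI) ----
$_SESSION = [];                        // stands in for what session_start() provides
$token = csrf_token();

// Constructed requests; "id" and "group" mirror the parameters delete.php reads.
$requests = [
    'forged GET via [img] tag'            => ['GET',  ['id' => 'u2', 'group' => '1']],
    'forged cross-site POST, no token'    => ['POST', ['id' => 'u2', 'group' => '1']],
    'forged POST with guessed token'      => ['POST', ['form_token' => str_repeat('0', 64)]],
    'genuine submission of rendered form' => ['POST', ['form_token' => $token]],
];

foreach ($requests as $label => $req) {
    list($method, $post) = $req;
    printf("%-37s -> %s\n", $label, csrf_request_ok($method, $post) ? 'accepted' : 'rejected');
}
```

Wiring it in: the form line in usermgr.php becomes `print '<form method="post" action="delete.php" name="editForm">' . csrf_field() . "\n";`, and delete.php aborts before touching `id` or `group` whenever `csrf_request_ok($_SERVER['REQUEST_METHOD'], $_POST)` is false. Only the last of the four sample requests is accepted. The token must not be reflected into pages a guest can read, and it should be regenerated at login so that a session fixed before authentication does not carry a token the attacker already knows.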

Fabricio Ferrero (Dev Team member)
Re: 1.4.20 BBCode exploits fix
« Reply #7 on: March 13, 2009, 09:17:44 am »

Quote
@Fabricio: thanks for providing that article - I haven't read it before, but it describes exactly what we're trying to do as a permanent counter-measure against CSRF.
I'm happy to hear it. I thought you were aware of it. Anyway, maybe it helps the dev team a little to find a final solution to the CSRF issue. ;)

Ludo (Contributor)
Re: 1.4.20 BBCode exploits fix
« Reply #8 on: March 13, 2009, 09:22:38 am »

Quote
@Ludo: that's part of the correct approach that needs looking into in detail. Thanks for providing your suggestions.
You're welcome, I worked it out for my own sake ;)

Quote
However, as suggested in the article that Fabricio referred to, [...] This being said: using POST would be better than using GET, but this would not completely solve the problem, but only would make it a bit harder to come up with a working exploit.
The real solution is to make sure that the actual form has been used and that it was submitted on purpose. This can be accomplished using a session token, as described in the article.
Sure, and I think it could be done relatively easily. Well, instead of using session tokens, I had earlier thought of extending the captcha mod to usermgr.php: I could resume working on it.
But from this theoretical perspective, each and every form would need to be secured against potential forging, while - practically speaking - no CPG form-forging exploit is known so far, isn't it? Then, if my fix can address the actual exploits without losing the BBCode img and url tags, isn't this - at present - a better balance between security and functionality?
« Last Edit: March 13, 2009, 09:52:56 am by Ludo »

Joachim Müller (Dev Team member, aka "GauGau")
Re: 1.4.20 BBCode exploits fix
« Reply #9 on: March 13, 2009, 10:51:45 am »

The reports of exploits will start rolling in soon probably.

Αndré (Administrator)
Re: 1.4.20 BBCode exploits fix
« Reply #10 on: April 17, 2009, 10:19:02 am »

Shouldn't it be enough to disable bbcode processing of the tags 'url' and 'img' for admins in admin mode only?
I don't know which forms for 'regular' users are affected by this exploit. Maybe an attacker can delete some comments or pictures/albums of a particular user?

If the exploit affects admins only, here is my suggestion:
Code:
function bb_decode($text)
{
        $text = nl2br($text);

        static $bbcode_tpl = array();
        static $patterns = array();
        static $replacements = array();

        // First: If there isn't a "[" and a "]" in the message, don't bother.
        if ((strpos($text, "[") === false || strpos($text, "]") === false))
        {
                return $text;
        }

        // [b] and [/b] for bolding text.
        $text = str_replace("[b]", '<b>', $text);
        $text = str_replace("[/b]", '</b>', $text);

        // [u] and [/u] for underlining text.
        $text = str_replace("[u]", '<u>', $text);
        $text = str_replace("[/u]", '</u>', $text);

        // [i] and [/i] for italicizing text.
        $text = str_replace("[i]", '<i>', $text);
        $text = str_replace("[/i]", '</i>', $text);

        // colours
        $text = preg_replace("/\[color=(\#[0-9A-F]{6}|[a-z]+)\]/", '<span style="color:$1">', $text);
        $text = str_replace("[/color]", '</span>', $text);

        // [i] and [/i] for italicizing text.
        //$text = str_replace("[i:$uid]", $bbcode_tpl['i_open'], $text);
        //$text = str_replace("[/i:$uid]", $bbcode_tpl['i_close'], $text);

        if (!count($bbcode_tpl)) {
            // We do URLs in several different ways..
            if (!GALLERY_ADMIN_MODE) {
                $bbcode_tpl['url'] = '<span class="bblink"><a href="{URL}" rel="external">{DESCRIPTION}</a></span>';
            } else {
                // **** WARNING *******************************************************
                // The [url] tag can be used for a serious attack against your website.
                // So [url] tags are no longer processed to show links.
                // This simple action here is not an ideal solution but is necessary.
                // Now, [url] tags are processed as follows:
                // [url=link]text[/url] shows 'text' with a dummy image for the link.
                // [url]link[/url] shows 'link' as plain text with a dummy image.
                // The following line is the original line that processed [url]:
                // $bbcode_tpl['url']  = '<span class="bblink"><a href="{URL}" rel="external">{DESCRIPTION}</a></span>';
                // ********************************************************************
                // See this thread on the Coppermine forum for more information:
                // http://forum.coppermine-gallery.net/index.php/topic,58309.0.html
                // Please read this thread carefully before deciding to process [url].
                // ********************************************************************
                $url_removed = '{URL}';  // put the image URL in the tooltip/mouse-over
                $bbcode_tpl['url'] = '{DESCRIPTION}<img src="images/descending.gif" alt="" title="' . $url_removed . '" />';
            }
            $bbcode_tpl['email'] = '<span class="bblink"><a href="mailto:{EMAIL}">{EMAIL}</a></span>';

            $bbcode_tpl['url1'] = str_replace('{URL}', '\\1\\2', $bbcode_tpl['url']);
            $bbcode_tpl['url1'] = str_replace('{DESCRIPTION}', '\\1\\2', $bbcode_tpl['url1']);

            $bbcode_tpl['url2'] = str_replace('{URL}', 'http://\\1', $bbcode_tpl['url']);
            $bbcode_tpl['url2'] = str_replace('{DESCRIPTION}', '\\1', $bbcode_tpl['url2']);

            $bbcode_tpl['url3'] = str_replace('{URL}', '\\1\\2', $bbcode_tpl['url']);
            $bbcode_tpl['url3'] = str_replace('{DESCRIPTION}', '\\3', $bbcode_tpl['url3']);

            $bbcode_tpl['url4'] = str_replace('{URL}', 'http://\\1', $bbcode_tpl['url']);
            $bbcode_tpl['url4'] = str_replace('{DESCRIPTION}', '\\2', $bbcode_tpl['url4']);

            $bbcode_tpl['email'] = str_replace('{EMAIL}', '\\1', $bbcode_tpl['email']);

            // [url]xxxx://www.phpbb.com[/url] code..
            $patterns[1] = "#\[url\]([a-z]+?://){1}([a-z0-9\-\.,\?!%\*_\#:;~\\&$@\/=\+\(\)]+)\[/url\]#si";
            $replacements[1] = $bbcode_tpl['url1'];

            // [url]www.phpbb.com[/url] code.. (no xxxx:// prefix).
            $patterns[2] = "#\[url\]([a-z0-9\-\.,\?!%\*_\#:;~\\&$@\/=\+\(\)]+)\[/url\]#si";
            $replacements[2] = $bbcode_tpl['url2'];

            // [url=xxxx://www.phpbb.com]phpBB[/url] code..
            $patterns[3] = "#\[url=([a-z]+?://){1}([a-z0-9\-\.,\?!%\*_\#:;~\\&$@\/=\+\(\)]+)\](.*?)\[/url\]#si";
            $replacements[3] = $bbcode_tpl['url3'];

            // [url=www.phpbb.com]phpBB[/url] code.. (no xxxx:// prefix).
            $patterns[4] = "#\[url=([a-z0-9\-\.,\?!%\*_\#:;~\\&$@\/=\+\(\)]+)\](.*?)\[/url\]#si";
            $replacements[4] = $bbcode_tpl['url4'];

            // [email]user@domain.tld[/email] code..
            $patterns[5] = "#\[email\]([a-z0-9\-_.]+?@[\w\-]+\.([\w\-\.]+\.)?[\w]+)\[/email\]#si";
            $replacements[5] = $bbcode_tpl['email'];

            // [img]xxxx://www.phpbb.com[/img] code..
            if (!GALLERY_ADMIN_MODE) {
                $bbcode_tpl['img']  = '<img src="{URL}" alt="" />';
            } else {
                // **** WARNING *******************************************************
                // The [img] tag can be used for a serious attack against your website.
                // So [img] tags are no longer processed to show the specified images.
                // This simple action here is not an ideal solution but is necessary.
                // Now [img] tags will show a dummy image instead as a placeholder.
                // ********************************************************************
                // The following line is the original line that processed [img]:
                // $bbcode_tpl['img'] = '<img src="{URL}" alt="" />';
                // ********************************************************************
                // See this thread on the Coppermine forum for more information:
                // http://forum.coppermine-gallery.net/index.php/topic,58309.0.html
                // Please read this thread carefully before deciding to process [img].
                // ********************************************************************
                $img_removed = '{URL}';  // put the image URL in the tooltip/mouse-over
                $bbcode_tpl['img'] = '<img src="images/thumbnails.gif" alt="" title="' . $img_removed . '" />';
            }
            $bbcode_tpl['img']  = str_replace('{URL}', '\\1\\2', $bbcode_tpl['img']);

            $patterns[6] = "#\[img\]([a-z]+?://){1}([a-z0-9\-\.,\?!%\*_\#:;~\\&$@\/=\+\(\)]+)\[/img\]#si";
            $replacements[6] = $bbcode_tpl['img'];
        }

        $text = preg_replace($patterns, $replacements, $text);

        return $text;
}

It doesn't fix the vulnerability but is a work-around. The tags can be used, but the output just isn't displayed to the admin (in admin mode).

Joachim Müller (Dev Team member, aka "GauGau")
Re: 1.4.20 BBCode exploits fix
« Reply #11 on: April 17, 2009, 12:21:58 pm »

The state of the admin mode vs user mode is invalid in this case: after all, it just toggles the visibility of the admin menu, nothing else. Subsequently, the vulnerability exists for admins in user mode as well.

Αndré (Administrator)
Re: 1.4.20 BBCode exploits fix
« Reply #12 on: April 17, 2009, 12:37:42 pm »

I tested the code in my test gallery. If the admin is in user mode, the exploit (from milw0rm) doesn't work anymore. If it's a behavior of my testbed only, you could check against IS_ADMIN instead of GALLERY_ADMIN_MODE?

Joachim Müller (Dev Team member, aka "GauGau")
Re: 1.4.20 BBCode exploits fix
« Reply #13 on: April 17, 2009, 08:01:26 pm »

Hm, maybe. But after all, it's a workaround, not an actual fix.

Ludo (Contributor)
Re: 1.4.20 BBCode exploits fix
« Reply #14 on: April 21, 2009, 09:20:07 am »

Quote
Shouldn't it be enough to disable bbcode processing of the tags 'url' and 'img' for admins in admin mode only?
My fix solves the issue properly without any inconvenience regarding gallery functionality, so why build a workaround that at least disables BBCode tags for admins?

Αndré (Administrator)
Re: 1.4.20 BBCode exploits fix
« Reply #15 on: April 21, 2009, 09:38:36 am »

Quote
why build a workaround that at least disables BBCode tags for admins?
Your fix is good for now, but:
Quote
using POST would be better than using GET, but this would not completely solve the problem, but only would make it a bit harder to come up with a working exploit.
Quote
my fix can address the actual exploits
I've never dealt with hacking web applications, so I don't know how hard it is to fake a POST request. But as Joachim said: maybe an exploit comes that uses the security hole with POST instead of GET.

I just want to post another way, how users can get the affected bbcode tags back, too. Because I disable the vulnerable tags for admins, my fix should be more secure, but cuts some features for the admin.

As I said: it's a workaround, not a fix. Sorry for hijacking your thread :-[

Ludo (Contributor)
Re: 1.4.20 BBCode exploits fix
« Reply #16 on: April 21, 2009, 10:18:22 am »

Quote
maybe an exploit comes,
Every fix, including official security updates, is meant to address an actual issue.
When a new exploit rolls in, a new patch gets made, and so on: no fix protects against future exploits, otherwise there wouldn't have been 21 minor releases...

Quote
Sorry for hijacking your thread
Don't worry, it's not mine at all  ;)
« Last Edit: April 21, 2009, 10:24:03 am by Ludo »

Ludo (Contributor)
Re: Patch for v. 1.4.2x (preserves BBCode img & url tags)
« Reply #17 on: May 06, 2009, 09:40:18 am »

This patch is actually a mod: could this topic be moved to mod board?

nemesis13 (Coppermine novice)
Re: Patch for v. 1.4.2x (preserves BBCode img & url tags)
« Reply #18 on: October 10, 2009, 06:41:45 pm »

Quote from: Ludo on March 12, 2009
I successfully tried a different approach which, as far as I have tested, protects against the mentioned exploits without any impact on gallery functionality.
Basically, it relies on switching the main form (editForm) in usermgr.php from the GET to the POST method, and then checking $_POST instead of $_GET/$_REQUEST in delete.php when the change_group or add_group action is triggered. This prevents any request sent via the query string from being executed.
When applying this patch to v. 1.4.21 and newer, you must restore the previous version of the bb_decode function in include/functions.inc.php, by replacing the current version with the code below:
[... full patch from Reply #3 quoted ...]

I have edited all the files, but it doesn't work, because I still see the placeholder image (http://coppermine-gallery.net/demo/cpg14x/images/thumbnails.gif).  :(

nemesis13 (Coppermine novice)
Re: Patch for v. 1.4.2x (preserves BBCode img & url tags)
« Reply #19 on: October 10, 2009, 08:00:18 pm »

OK, I edited all the files again and it works - but when I want to create a new folder, this message appears:

Quote
Parse error: parse error, unexpected T_CASE in /var/www/web168/html/galerie_ordner/delete.php on line 688
