1. Важное и срочное обновление IPB 3.4.5 - https://nulled.cc/threads/243375/

Possible XSS Issue Addressed in IP.Board

Тема в разделе "IPB", создана пользователем SNap!, 27 апр 2007.

Статус темы:
Закрыта.
Модераторы: Maybe
  1. SNap!

    SNap! Прохожие

    It has come to our attention that a bug in Internet Explorer 6 and 7 can allow an XSS (cross-site scripting) attack by forcing uploaded image and PDF files to run as HTML which could allow an attack to run code through a user's browser. It should be noted that the XSS damage is significantly mitigated by the "HttpOnly" cookies which were introduced in IP.Board 2.2.0. This means that sensitive cookies in IP.Board 2.2.0 and higher cannot be read by JavaScript which could be crafted using this bug.

    Although this is a significant flaw within Internet Explorer, we have made a work around to resolve this issue by scanning uploaded files for possible malicious code. If a file is found to contain code that should not exist, such as HTML or JavaScript in an image file, the upload will be denied.

    The download packages for IP.Board as of this date have been updated to include the patch. To patch an existing installation of IP.Board 2.1.x or 2.2.x, download the appropriate patch file:

    Simply upload the class_upload.php file for your appropriate version into the ips_kernel directory overwriting the existing file.
     

    Вложения:

  2. Alx^

    Alx^ Постоялец

    Регистр.:
    11 ноя 2006
    Сообщения:
    77
    Симпатии:
    49
    можно изменения для 2.2.2 ? :)
    а то файл уже модифицировал (ток не помню что иммено) =)
     
  3. Alx^

    Alx^ Постоялец

    Регистр.:
    11 ноя 2006
    Сообщения:
    77
    Симпатии:
    49
    Уже нашёл сам ручное исправление!


    Найти:
    Код:
            //-------------------------------------------------
            // Make safe?
            //-------------------------------------------------
    Ниже добавить:
    Код:
           $renamed = 0;
    Найти:
    Код:
     
                    $FILE_TYPE                 = 'text/plain';
                    $this->file_extension      = 'txt';
    
    Ниже добавить:
    Код:
                    $renamed = 1;
    Найти:
    Код:
     
                @chmod( $this->saved_upload_name, 0777 );
            }
    
    Ниже добавить:
    Код:
     
            //-------------------------------------------------
            // Check XSS inside file
            //-------------------------------------------------
     
            if( !$renamed )
            {
                $this->check_xss_infile();
     
                if( $this->error_no )
                {
                    return;
                }
            }
    
    Найти:
    Код:
                        // Potential XSS attack with a fake GIF header in a JPEG
                        @unlink( $this->saved_upload_name );
                        $this->error_no = 5;
                        return;
                    }
                }
    
    Ниже добавить:
    Код:
     
            }
        }
     
     
        /*-------------------------------------------------------------------------*/
        // INTERNAL: Check for XSS inside file
        /*-------------------------------------------------------------------------*/
     
        /**
        * Checks for XSS inside file.  If found, sets error_no to 5 and returns
        *
        * @param void
        */
     
        function check_xss_infile()
        {
            // HTML added inside an inline file is not good in IE...
     
            $fh = fopen( $this->saved_upload_name, 'rb' );
     
            $file_check = fread( $fh, 512 );
     
            fclose( $fh );
     
            if( !$file_check )
            {
                @unlink( $this->saved_upload_name );
                $this->error_no = 5;
                return;
            }
     
            # Thanks to Nicolas Grekas from comments at [URL="http://www.nulled.ws/redirector.php?url=http://www.splitbrain.org/"]www.splitbrain.org[/URL] for helping to identify all vulnerable HTML tags
     
            else if( preg_match( "#&lt;script|<html|<head|<title|<body|<pre|<table|<a\s+href|<img|<plaintext#si", $file_check ) )
            {
                @unlink( $this->saved_upload_name );
                $this->error_no = 5;
                return;
    
    Всё работает :)
     
Статус темы:
Закрыта.