| Poster |
Thread |
| thomas |
Posted: 2008/7/26 9:33 Updated: 2008/7/26 9:33 |
Home away from home   Joined: 2008/1/2 From: Posts: 1116 |
 Re: Vulnerability Summary CVE-2008-3296 Spot on Guys... This issue was solved in record time! Thanks
|
|
|
| Tom |
Posted: 2008/7/26 9:40 Updated: 2008/7/26 9:40 |
Home away from home   Joined: 2007/12/4 From: Under the sea. Posts: 1362 |
 Re: Vulnerability Summary CVE-2008-3296 It was a cool team effort, René posted, David contacted Vaughan and a fix was made.
Good work guys!
|
|
|
| MrTheme |
Posted: 2008/7/26 10:08 Updated: 2008/7/26 10:10 |
Home away from home   Joined: 2007/12/4 From: Fort Worth, TX Posts: 2856 |
 Re: Vulnerability Summary CVE-2008-3296 thanks guys, looks like we even beat the source (xo) to announcing it.
|
|
|
| stranger |
Posted: 2008/7/26 10:54 Updated: 2008/7/26 10:54 |
Home away from home   Joined: 2008/1/9 From: Posts: 1162 |
 Re: Vulnerability Summary CVE-2008-3296 Good work guys!!
|
|
|
| yotsugi |
Posted: 2008/7/26 11:32 Updated: 2008/7/26 11:32 |
Quite a regular   Joined: 2008/7/16 From: Indonesia Posts: 48 |
 Re: Vulnerability Summary CVE-2008-3296 Likely iCMS team are more aware of this issue than x-cms... 
|
|
|
| Vaughan |
Posted: 2008/7/26 11:46 Updated: 2008/7/26 11:46 |
Home away from home   Joined: 2007/12/4 From: Derbyshire/UK Posts: 1719 |
 Re: Vulnerability Summary CVE-2008-3296 Quote: Likely iCMS team are more aware of this issue than x-cms...
probably because we are more organised and open + we actually put the term communication to good use ;-)
|
|
|
| TheRplima |
Posted: 2008/7/26 16:08 Updated: 2008/7/26 16:14 |
Home away from home   Joined: 2007/12/4 From: MSM/MG/BR Posts: 291 |
 Re: Vulnerability Summary CVE-2008-3296 Hey, we already have a function in the core to fix this. I added this function when I created the content manager but perhaps we can merge both to make a better solution.
    // Strips tags and quote characters from a string, or from each element of a one-level array of strings
    function StopXSS($text){
        if (!is_array($text)){
            $text = preg_replace("/\(\)/si", "", $text); // remove literal "()"
            $text = strip_tags($text); // remove HTML/PHP tags
            $text = str_replace(array("'","\"",">","<","\\"), "", $text); // remove quotes, angle brackets, backslashes
        }else{
            foreach ($text as $k=>$t){
                $t = preg_replace("/\(\)/si", "", $t);
                $t = strip_tags($t);
                $t = str_replace(array("'","\"",">","<","\\"), "", $t);
                $text[$k] = $t;
            }
        }
        return $text;
    }
This is the function and to use it just do this:
    if (isset($_POST['fct'])) {
        $fct = StopXSS($_POST['fct']);
    }
    if (isset($_GET['fct'])) {
        $fct = StopXSS($_GET['fct']);
    }
or make this to filter all POST and GET variables
    // Creates a variable named after every request key, replacing any existing variable of that name
    if (!empty($_POST)) foreach ($_POST as $k => $v) ${$k} = StopXSS($v);
    if (!empty($_GET)) foreach ($_GET as $k => $v) ${$k} = StopXSS($v);
|
|
|
| stranger |
Posted: 2008/7/27 20:34 Updated: 2008/7/27 20:34 |
Home away from home   Joined: 2008/1/9 From: Posts: 1162 |
 Re: Vulnerability Summary CVE-2008-3296 I like the way suggested by Rodrigo 
|
|
|
| Tom |
Posted: 2008/7/27 23:15 Updated: 2008/7/27 23:15 |
Home away from home   Joined: 2007/12/4 From: Under the sea. Posts: 1362 |
 Re: Vulnerability Summary CVE-2008-3296 Quote: I like the way suggested by Rodrigo But that doesn't help 1.0?
|
|
|
| davidl2 |
Posted: 2008/7/27 23:30 Updated: 2008/7/27 23:30 |
Home away from home   Joined: 2007/12/4 From: Posts: 3578 |
 Re: Vulnerability Summary CVE-2008-3296 Correct - 1.0 needs the function to be included as well.
|
|
|
| stranger |
Posted: 2008/7/28 0:28 Updated: 2008/7/28 0:28 |
Home away from home   Joined: 2008/1/9 From: Posts: 1162 |
 Re: Vulnerability Summary CVE-2008-3296 Yes, I meant I like this for 1.1 
|
|
|
| FaYsSaL |
Posted: 2008/7/28 10:22 Updated: 2008/7/28 10:22 |
Home away from home   Joined: 2008/1/9 From: Posts: 235 |
 Re: Vulnerability Summary CVE-2008-3296 Hello, since I've replaced the above code I've no access to some modules in the admin section, like find users and modules management! Are there any fixes for 1.0? Thanks in advance.
|
|
|
| MrTheme |
Posted: 2008/7/28 10:24 Updated: 2008/7/28 10:24 |
Home away from home   Joined: 2007/12/4 From: Fort Worth, TX Posts: 2856 |
 Re: Vulnerability Summary CVE-2008-3296 1.0.1 is being compiled and should be released soon.
|
|
|
| Tom |
Posted: 2008/7/28 10:59 Updated: 2008/7/28 10:59 |
Home away from home   Joined: 2007/12/4 From: Under the sea. Posts: 1362 |
 Re: Vulnerability Summary CVE-2008-3296 Hi FaYsSaL, The following solution was also put forth by WTravel:
Quote: Another solution to prevent this problem is to validate user input for $_POST['fct'] to see if the requested directory even exists. In order to do this a few lines should be added as well as a new constant to the language file(s):
File: modules/system/admin.php
Add after line: include_once XOOPS_ROOT_PATH.'/class/xoopsmodule.php'; (line 56?)
    // Check if function call does exist (security)
    require_once XOOPS_ROOT_PATH."/class/xoopslists.php";
    $admin_dir = XOOPS_ROOT_PATH.'/modules/system/admin';
    $dirlist = XoopsLists::getDirListAsArray($admin_dir);
    if ($fct && !in_array($fct,$dirlist)) {
        redirect_header(XOOPS_URL.'/',3,_INVALID_ADMIN_FUNCTION);
        exit();
    }
Remove the following lines below the line: $class = 'even';
    require_once XOOPS_ROOT_PATH."/class/xoopslists.php";
    $admin_dir = XOOPS_ROOT_PATH.'/modules/system/admin';
    $dirlist = XoopsLists::getDirListAsArray($admin_dir);
Constant _INVALID_ADMIN_FUNCTION needs to be defined in the language file. This should fix the security issue and your problem. As MrTheme stated, a new package will also be released shortly.
|
|
|
| Chappy |
Posted: 2008/7/29 0:16 Updated: 2008/7/29 0:16 |
Just popping in   Joined: 2008/1/10 From: Posts: 19 |
 Re: Vulnerability Summary CVE-2008-3296 How do you define the language constant as per wtravel's instructions: Quote: Constant _INVALID_ADMIN_FUNCTION needs to be defined in the language file. ?
|
|
|
| sato-san |
Posted: 2008/7/29 4:28 Updated: 2008/7/29 4:28 |
Home away from home   Joined: 2007/12/4 From: Germany Posts: 1009 |
 Re: Vulnerability Summary CVE-2008-3296 Hi Chappy,
Please wait 24h, we would like to publish an official patch as ImpressCMS version 1.0.1.
|
|
|
| Tom |
Posted: 2008/7/29 17:07 Updated: 2008/7/29 17:07 |
Home away from home   Joined: 2007/12/4 From: Under the sea. Posts: 1362 |
 Re: Vulnerability Summary CVE-2008-3296 In the language files you use, add this:
define ('_INVALID_ADMIN_FUNCTION', 'Message');
That will define the constant.
|
|
|
| McDonald |
Posted: 2008/10/9 16:44 Updated: 2008/10/9 16:44 |
Home away from home   Joined: 2007/12/4 From: Abyss Posts: 1545 |
 Re: Vulnerability Summary CVE-2008-3296 At the moment I'm busy with converting the module Wordbook into imGlossary. In the file letter.php is the following code:
    $init = isset($_GET['init']) ? $_GET['init'] : 0;
    $start = isset( $_GET['start'] ) ? intval( $_GET['start'] ) : 0;
I've replaced these 2 lines as follows:
    $init = trim( StopXSS( $_GET['init'] ) );
    $start = trim( StopXSS( $_GET['start'] ) );
Is this correct and/or can it be improved? TIA!
|
|
|
| Vaughan |
Posted: 2008/10/9 17:53 Updated: 2008/10/9 17:53 |
Home away from home   Joined: 2007/12/4 From: Derbyshire/UK Posts: 1719 |
 Re: Vulnerability Summary CVE-2008-3296 if both of those are actual integer values which i think they are, then just adding intval() is enough, you don't need to use stopXSS.
StopXSS is mainly for text/alphanumeric fields etc. but don't use with fields that are HTML enabled, for that you'll need to use a different method for stopXSS otherwise it would filter out HTML in the submissions.
|
|
|
| McDonald |
Posted: 2008/10/9 18:14 Updated: 2008/10/9 18:14 |
Home away from home   Joined: 2007/12/4 From: Abyss Posts: 1545 |
 Re: Vulnerability Summary CVE-2008-3296 $init is text. It's the letter chosen from the letter-bar (something like that's on top of the WF-Links pages).
So in this case StopXSS is correct, isn't it?
$start is an integer value. It's the start value for page navigation. Will use intval() for this.
|
|
|
| Vaughan |
Posted: 2008/10/9 19:05 Updated: 2008/10/9 19:05 |
Home away from home   Joined: 2007/12/4 From: Derbyshire/UK Posts: 1719 |
 Re: Vulnerability Summary CVE-2008-3296 for $init if it's text, then yes you can use StopXSS :)
|
|
|
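Added example, not code from the thread or from ImpressCMS: the per-parameter checks discussed above (WTravel's directory allowlist for `fct`, `intval()` for `start`) written as small validators, with a one-letter pattern for `init` as a stricter alternative to StopXSS, and with results kept in an array rather than in variables named after request keys. The function names, directory names and sample requests are constructed for illustration; in admin.php the allowlist would be the `$dirlist` from `XoopsLists::getDirListAsArray($admin_dir)`.

```php
<?php
// Added example, not ImpressCMS code. Each parameter is checked against
// what it is allowed to be; results stay in an array, not in variables
// named after request keys.

// fct: must be one of the existing admin directory names (allowlist).
// Returns null when absent or not allowed.
function validate_fct($value, array $allowed)
{
    return (is_string($value) && in_array($value, $allowed, true)) ? $value : null;
}

// start: page offset, a non-negative integer; anything else becomes 0.
function validate_start($value)
{
    return is_scalar($value) ? max(0, intval($value)) : 0;
}

// init: one letter from the letter bar, or 0 (the default in letter.php).
function validate_init($value)
{
    return (is_string($value) && preg_match('/\A[A-Za-z]\z/', $value)) ? $value : 0;
}

function read_request(array $req, array $allowedFct)
{
    return array(
        'fct'   => validate_fct(isset($req['fct']) ? $req['fct'] : null, $allowedFct),
        'start' => validate_start(isset($req['start']) ? $req['start'] : 0),
        'init'  => validate_init(isset($req['init']) ? $req['init'] : 0),
    );
}

// Constructed sample data: directory names and requests are made up.
$allowedFct = array('users', 'modulesadmin', 'preferences');
$samples = array(
    array('fct' => 'users', 'start' => '20', 'init' => 'B'),          // well-formed
    array('fct' => 'users<i>', 'start' => '-5', 'init' => '<b>'),     // markup, negative offset
    array('fct' => array('users'), 'start' => 'abc', 'init' => 'AB'), // wrong types and lengths
    array(),                                                          // nothing supplied
);
foreach ($samples as $req) {
    echo json_encode(read_request($req, $allowedFct)), "\n";
}
```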