Icon bug. [message #13937]
Sat, 01 November 2003 05:49
Xodnizel
Messages: 73 Registered: May 2003
Karma: 0
Member
Simple solution is to disable icons if the posted icon string contains "..".
It may be possible to access images on other sites if the site hosting the fudforum has some sort of redirection script set up.
Edit:
(Removed disruptive icon example).
[Updated on: Sat, 01 November 2003 19:47]
Re: Icon bug. [message #13952 is a reply to message #13938]
Sat, 01 November 2003 19:01
Ilia
Messages: 13241 Registered: January 2002
Karma: 0
Senior Member Administrator Core Developer
Xodnizel wrote on Sat, 01 November 2003 00:55 | There also appears to be an HTML-insertion vulnerability here. Now what?
|
Where?
FUDforum Core Developer
Re: SQL buggy. [message #13953 is a reply to message #13945]
Sat, 01 November 2003 19:05
Ilia
Messages: 13241 Registered: January 2002
Karma: 0
Senior Member Administrator Core Developer
Xodnizel wrote on Sat, 01 November 2003 12:35 | In 2.5.3RC3, at least, there is a *sql insertion bug in the merge thread (and probably split thread, as well) feature.
The problem is in the handling of the sel_th[] form element.
I don't know if it's exploitable or not, but you'd need to be a moderator (or an admin, but that's sort of pointless then) to see the bug.
|
Addressed. Mind you, even if you were to inject some stuff into MySQL, nothing would happen. And like you said, you'd need to be a privileged user already.
FUDforum Core Developer
Re: Icon bug. [message #13957 is a reply to message #13937]
Sat, 01 November 2003 19:14
Ilia
Messages: 13241 Registered: January 2002
Karma: 0
Senior Member Administrator Core Developer
ok, icon validation is now in place.
FUDforum Core Developer
Re: SQL buggy. [message #13961 is a reply to message #13947]
Sat, 01 November 2003 20:07
Ilia
Messages: 13241 Registered: January 2002
Karma: 0
Senior Member Administrator Core Developer
Xodnizel wrote on Sat, 01 November 2003 13:19 | Another SQL injection vulnerability in the upload feature:
If you upload a file as an attachment, save the page, and manipulate the value of the "file_array" element (make a new array, serialize, base 64 encode), you can insert an unescaped statement at the end of another SQL statement.
Example file_array element setting:
YToxOntpOjI1O3M6MTI6IjE7KTAwJ2wnbCcoIiI7fQ==
Will should cause an error to be entered in the fudforum error log, which you can see to verify the problem exists.
|
I've added additional checks, but the problem is actually less serious: only the key value is used; the value is not used in SQL.
FUDforum Core Developer
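
The reply above says only the keys of file_array reach SQL. One way to enforce that on a client-supplied field, shown as an added example that is not FUDforum's own code: it assumes PHP 7.1 or later and that the keys are positive integer attachment ids; the function name, table name and column name are hypothetical.

```php
<?php
// Added example, not FUDforum code. Assumption: file_array maps positive
// integer attachment ids (keys) to values that are never placed in SQL.

/**
 * Decode a client-supplied file_array field and return its integer keys.
 * Returns null unless the field is a serialized array with integer keys only.
 */
function attachment_ids_from_file_array(string $field): ?array
{
    // Strict mode rejects characters outside the base64 alphabet.
    $raw = base64_decode($field, true);
    if ($raw === false) {
        return null;
    }
    // allowed_classes => false: never instantiate objects from client data.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return null;
    }
    $ids = [];
    foreach (array_keys($data) as $key) {
        // PHP keeps canonical decimal keys as int; any other key is a string.
        if (!is_int($key) || $key < 1) {
            return null;
        }
        $ids[] = $key;
    }
    return $ids;
}

// Value quoted in the thread: integer key 25 with a string value that
// carries quote characters. Only the key is returned; the value is dropped.
$posted = 'YToxOntpOjI1O3M6MTI6IjE7KTAwJ2wnbCcoIiI7fQ==';
$ids = attachment_ids_from_file_array($posted);
if ($ids !== null && $ids !== []) {
    // Hypothetical table and column names; the list holds integers only.
    echo 'SELECT id FROM attachments WHERE id IN (' . implode(',', $ids) . ")\n";
}

// Constructed sample: a key that is not a plain integer is refused outright.
$tampered = base64_encode(serialize(["25'" => 'x']));
var_dump(attachment_ids_from_file_array($tampered));
```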
Re: Icon bug. [message #13965 is a reply to message #13964]
Sat, 01 November 2003 20:59
Ilia
Messages: 13241 Registered: January 2002
Karma: 0
Senior Member Administrator Core Developer
That should no longer be possible given the recent changes I've made.
FUDforum Core Developer