Re: sitex multiple vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: sitex multiple vulnerabilities
From: Lostmon@xxxxxxxxx
Date: 14 Apr 2007 18:34:24 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Hello !

Original 
article:http://lostmon.blogspot.com/2007/04/posible-patch-for-sitex.html
vendor url: http://sitex.bjsintay.com/

osvdb id:33158,33159,33160,33161
http://archives.neohapsis.com/archives/bugtraq/2007-02/0477.html
http://www.securityfocus.com/archive/1/archive/1/461305/100/0/threaded
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1234

after study this vulns i found a simple posible patch :

some others params are afected like albumid upon submit to albun.php
username box upon submision to login.php , and multiple others params. 

the most of those flaws could be solve by a simple patch for "emergency" before 
the vendor 
release a update or a patch 

open includes/functions.php

arround line 12-13 we have this code

// - = - = - = - = - = - = - = - = -
// GLOBAL CODE
// - = - = - = - = - = - = - = - = - 

// Convert post, get, and server variables for shorthand use and
// register globals compatibility

if (!empty($_POST))     foreach ($_POST as $k => $v)    $$k = $v;
if (!empty($_GET))              foreach ($_GET as $k => $v)     $$k = $v;
if (!empty($_SERVER))   foreach ($_SERVER as $k => $v)  $$k = $v;
if (!empty($_COOKIE))   foreach ($_COOKIE as $k => $v)  $$k = $v;
if (!empty($_SESSION))  foreach ($_SESSION as $k => $v) $$k = $v;

// Prevent PHP include vulnerability, initialize important vars, will be 
over-written
#################################################################


you can change for this other :

################################################################
// stop XSS  function to mitigate the posible XSS flaws
//use StopXSS(param or function)

function StopXSS($text){

$text = preg_replace("/(\<script)(.*?)(script>)/si", "", "$text");
$text = strip_tags($text);
$text = str_replace(array("'","\"",">","<","\\"), "", $text);
return $text;

}

// - = - = - = - = - = - = - = - = -
// GLOBAL CODE
// - = - = - = - = - = - = - = - = - 

// Convert post, get, and server variables for shorthand use and
// register globals compatibility

if (!empty($_POST))     foreach ($_POST as $k => $v)    $$k = StopXSS($v);
if (!empty($_GET))              foreach ($_GET as $k => $v)     $$k = 
StopXSS($v);
if (!empty($_SERVER))   foreach ($_SERVER as $k => $v)  $$k = StopXSS($v);
if (!empty($_COOKIE))   foreach ($_COOKIE as $k => $v)  $$k = StopXSS($v);
if (!empty($_SESSION))  foreach ($_SESSION as $k => $v) $$k = StopXSS($v);

// Prevent PHP include vulnerability, initialize important vars, will be 
over-written

#####################################################################

and the most of xss flaws now are solved :D

Thnx for your time !!!

Thnx to OSVDB !!!

-- 
atentamente:
Lostmon (lostmon@xxxxxxxxx)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Prev by Date: Pixaria Gallery 1.0 (class.Smarty.php) Remote File Include Vulnerability
Next by Date: Re: Maian Gallery v1.0
Previous by thread: sitex multiple vulnerabilities
Next by thread: Call for Paper - SyScan'07
Index(es):
- Date
- Thread