Nuke Cops :: View topic - Offsite avatar vulnerability

Prophet
Posted: Fri Dec 16, 2005 12:20 pm

Here is a patch for the offsite avatar vulnerability.

First, create a backup of your original modules/Your_Account/index.php file.

Then, locate the function avatarlinksave in modules/Your_Account/index.php, around line 1525 (clean version 7.8).

Replace the entire avatarlinksave function with the following code ...

Code:
function avatarlinksave($avatar) {
    global $user_prefix, $db, $module_name, $user, $cookie;
    if (is_user($user)) {
        getusrinfo($user);
        cookiedecode($user);
        include("header.php");
        title("Avatar Selection Successful!");
        OpenTable();
        nav();
        CloseTable();
        OpenTable();
        $avatar = $avatar;
        // Prepend the scheme when the submitted link does not start with http://
        if (!preg_match("#^http:\/\/#i", $avatar)) {
            $avatar = "http://" . $avatar;
        }
        // Accept only http:// links ending in .gif, .jpg or .png; the eregi() checks
        // reject links that contain php, js or cgi preceded by any character
        if (preg_match("#^(http:\/\/[a-z0-9\-]+?\.([a-z0-9\-]+\.)*[a-z]+\/.*?\.(gif|jpg|png)$)#is", $avatar) && !eregi(".php",$avatar) && !eregi(".js",$avatar) && !eregi(".cgi",$avatar)) {
            $db->sql_query("UPDATE ".$user_prefix."_users SET user_avatar='$avatar', user_avatar_type='2' WHERE username='$cookie[1]'");
            echo "<center><font class=\"content\">Avatar for ".$cookie[1]." Saved!</center></font><br><br>";
            if (ereg("(http)", $avatar)) {
                echo "<center>Your New Avatar:<br><br><IMG alt=\"\" src=\"$avatar\"><br><br>[ <a href=\"modules.php?name=$module_name&op=edituser\">Back to Profile</a> | <a href=\"modules.php?name=$module_name\">Done</a> ]<br><br></center>";
            } elseif ($avatar) {
                echo "<center>Your New Avatar:<br><br><IMG alt=\"\" src=\"modules/Forums/images/avatars/$avatar\"><br><br>[ <a href=\"modules.php?name=$module_name&op=edituser\">Back to Profile</a> | <a href=\"modules.php?name=$module_name\">Done</a> ]<br><br></center>";
            }
        } else {
            echo "<b>Error:</b> Wrong avatar format! Avatars can only be gif, jpg, or png format.";
        }
        CloseTable();
        include("footer.php");
    }
}


Save and upload. :D

_________________
- Prophet
Get the Last Visit module (and others modules I designed) from my website! FREE! http://jasonlau.biz

http://DotCom.Name

Evaders99
Posted: Fri Dec 16, 2005 6:38 pm

I'm going to validate this and add to it - good job.

This line wasn't needed though. :)
Code:

$avatar = $avatar;


And I'm not sure what this check is supposed to do
Code:

if (ereg("(http)", $avatar)) {

Because you already add http:// if it's missing, that check should always be valid.

Next, the function needs to check that remote avatars are allowed.

_________________
Helping those that help themselves
Read FIRST or DIE!

"Fighting is terrible, but not as terrible as losing the will to fight."
Star Wars Rebellion Network - Need Help? Evaders Squadron Coding

Evaders99
Posted: Fri Dec 16, 2005 6:59 pm

Your Account Avatar Validation Fix

Your Account does no validation of the avatar remote links and the avatar gallery selection. Nor does it even check that these avatars are allowed to be saved, per the configuration of the Forums. This may allow SQL injection and other nasty things.
(Avatar uploading itself is controlled by the Forums files, which I assume have proper validation.)

Issue and original fix credit to Prophet

MOD-FRIENDLY VERSION

IN modules/Your_Account/index.php

FIND

Code:

function avatarsave($avatar, $category) {
   global $user_prefix, $db, $module_name, $user, $cookie;
   if (is_user($user)) {


REPLACE WITH

Code:

function avatarsave($avatar, $category) {
   global $user_prefix, $db, $module_name, $user, $cookie, $prefix;
   $sql = "SELECT * FROM ".$prefix."_bbconfig WHERE config_name = 'allow_avatar_local'";
   $result = $db->sql_query($sql);
   if ($row = $db->sql_fetchrow($result))
   {
      $allow_avatar_local = $row['config_value'];
   }
    else { $allow_avatar_local = 0; }
   if (is_user($user) AND $allow_avatar_local) {



FIND

Code:

      $newavatar=$category."/".$avatar;


REPLACE WITH

Code:

       $category = stripslashes(check_html($category,"nohtml"));
      if(preg_match('/(\.gif$|\.png$|\.jpg|\.jpeg)$/is', $avatar) AND file_exists("modules/Forums/images/avatars/$category/$avatar"))
      {
      $newavatar = $category."/".$avatar;


FIND

Code:

      CloseTable();
      include("footer.php");


REPLACE WITH

Code:

      } else {
       echo "<center><b>Error:</b> Wrong avatar format! Avatars can only be gif, jpg, or png format.<br />"._GOBACK."</center>";
      }
      CloseTable();
      include("footer.php");



FIND

Code:

function avatarlinksave($avatar) {
   global $user_prefix, $db, $module_name, $user, $cookie;
   if (is_user($user)) {


REPLACE WITH

Code:

function avatarlinksave($avatar) {
   global $user_prefix, $db, $module_name, $user, $cookie, $prefix;
   $sql = "SELECT * FROM ".$prefix."_bbconfig WHERE config_name = 'allow_avatar_remote'";
   $result = $db->sql_query($sql);
   if ($row = $db->sql_fetchrow($result))
   {
      $allow_avatar_remote = $row['config_value'];
   }
    else { $allow_avatar_remote = 0; }
   if (is_user($user) AND $allow_avatar_remote) {



FIND

Code:

      CloseTable();
      OpenTable();


REPLACE WITH

Code:

      CloseTable();
      OpenTable();
      if( !preg_match("#^http:\/\/#i", $avatar) ){
      $avatar = "http://" . $avatar;}
      if(preg_match("#^(http:\/\/[a-z0-9\-]+?\.([a-z0-9\-]+\.)*[a-z]+\/.*?\.(gif|jpg|png)$)#is", $avatar) && !eregi(".php",$avatar) && !eregi(".js",$avatar) && !eregi(".cgi",$avatar)){



FIND

Code:

      CloseTable();
      include("footer.php");


REPLACE WITH
Code:

      } else {
       echo "<center><b>Error:</b> Wrong avatar format! Avatars can only be gif, jpg, or png format.<br />"._GOBACK."</center>";
      }
      CloseTable();
      include("footer.php");

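The link check in the fixes above restricts the scheme and the file extension but not the characters in between, and the accepted value is then placed in a quoted SQL string and an img src attribute. The following PHP is an added example, not code from this thread or from PHP-Nuke: `thread_check`, `strict_avatar_url`, `avatar_img` and the sample links are constructed for illustration, and accepting https as well as http is an assumption.

```php
<?php
// Added example, not PHP-Nuke code. Function names and sample links are constructed.

// The acceptance test from the avatarlinksave fix in this thread. eregi() was
// removed in PHP 7, so its three checks are written with preg_match() here.
function thread_check(string $url): bool
{
    return preg_match("#^(http:\/\/[a-z0-9\-]+?\.([a-z0-9\-]+\.)*[a-z]+\/.*?\.(gif|jpg|png)$)#is", $url)
        && !preg_match('/.php/i', $url) && !preg_match('/.js/i', $url) && !preg_match('/.cgi/i', $url);
}

// Stricter check: returns the link when acceptable, null otherwise.
function strict_avatar_url(string $url): ?string
{
    // Printable ASCII only, minus characters that can end a quoted SQL string or HTML attribute.
    if ($url === '' || strlen($url) > 255 || preg_match('/[^\x21-\x7e]|["\'<>`\\\\]/', $url)) {
        return null;
    }
    // Exactly scheme, host and path: no port, credentials, query or fragment.
    $p = parse_url($url);
    if (!is_array($p) || count($p) !== 3 || !isset($p['scheme'], $p['host'], $p['path'])) {
        return null;
    }
    $ok = in_array(strtolower($p['scheme']), ['http', 'https'], true)
        && preg_match('/^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$/iD', $p['host'])
        && preg_match('#^(/[a-z0-9_-][a-z0-9._-]*)+\.(gif|jpg|png)$#iD', $p['path']);
    return $ok ? $url : null;
}

// Encode again at output, so a value stored before the check existed cannot close the src attribute.
function avatar_img(string $url): string
{
    return '<img alt="" src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">';
}

$samples = [
    'http://img.example.org/avatars/me.png',
    "http://img.example.org/it's.gif",
    'http://img.example.org/a"b.png',
    "http://img.example.org/me.png\n",
    'http://img.example.org/me.png?size=1.png',
];
foreach ($samples as $s) {
    printf("%-46s thread=%-6s strict=%s\n", json_encode($s, JSON_UNESCAPED_SLASHES),
        thread_check($s) ? 'accept' : 'reject', strict_avatar_url($s) ? 'accept' : 'reject');
}
echo avatar_img($samples[0]), "\n";
```

The value written to the database still needs the database layer's own escaping or a bound parameter; the character restriction is a second line of defence, not a replacement for it.
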
Evaders99
Posted: Fri Dec 16, 2005 10:18 pm

If you have problems figuring out what to change, here's the visual version now that my ViewCVS is back up

http://evaders.swrebellion.com/modules.php?name=NukeWrap&page=cvsrepos/modules/Your_Account/index.php?only_with_tag=phpNuke76

Compare 1.4 and 1.3 - it will show you colored text of exactly where to put the code.

For the advanced user, you can use the CVS to compare to your current file and use diff as necessary

(Did I also mention you could download the modified file directly as well? No editing needed on your part.)

JoAnne
Posted: Sat Dec 17, 2005 8:11 am

Thank You Prophet and Evaders99!! 8) :D

JoAnne ~
United Sound of Music
REEL SOUND of MUSIC

tinfoil
Posted: Sun Dec 18, 2005 4:22 am

You mention clean 7.8. Is 7.8.3.1 vulnerable as well?

_________________
Tinfoil.Music - Digital Media & Music News

Prophet
Posted: Sun Dec 18, 2005 6:02 am

Any version of PHP-Nuke which allows the user to link to an offsite avatar via Your_Account module is vulnerable.
The best way to prevent an attack through the avatar linking is to simply disable the feature. However, since Your_Account module does not even check to see if the feature is enabled or disabled by the Admin, I still recommend patching the file.
The patch will not protect from every possible kind of attack because it only checks the link ... the data itself is not validated.
So, presently the only real fix is this ...
Find and replace the entire avatarlinksave function with ...
Code:
function avatarlinksave($avatar) {
    include("header.php");
    title("Disabled!");
    OpenTable();
    nav();
    CloseTable();
    OpenTable();
    echo "Error: This feature is disabled!";
    CloseTable();
    include("footer.php");
}


That's in modules/Your_Account/index.php

tinfoil
Posted: Sun Dec 18, 2005 6:31 am

Great, thanks for the info!

Evaders99
Posted: Sun Dec 18, 2005 9:23 pm

My code does indeed check whether it is allowed - per the configuration in your Forums. If that is not working, please verify it and tell me how I can duplicate it

You are correct that there are remote image problems. But that is not a specific phpNuke issue. Any site that allows remote links may have problems.

If there is a specific hack people are using, then please message them to me

Prophet
Posted: Sun Dec 18, 2005 9:33 pm

Evaders99 wrote:
My code does indeed check whether it is allowed - per the configuration in your Forums.


Oh, I meant without any kind of patch Your_Account module does not check to see if the feature is enabled by the admin. I know you patched that.

Prophet
Posted: Mon Dec 19, 2005 2:43 pm

I noticed a similar vulnerability in Your_Account edithome. :?

Here's a fix ...

In modules/Your_Account/index.php

Find: (in the savehome function)
Code:
$ublock = FixQuotes($ublock);


Replace with:
Code:
$allowedTags='<a><br><b><h1><h2><h3><h4><i>' .
             '<li><ol><ul><p><strong><table>' .
             '<tr><td><th><u><ul>';
$ublock = strip_tags($ublock, $allowedTags);
$ublock = FixQuotes($ublock);


:D That takes care of that.

Evaders99
Posted: Tue Dec 20, 2005 9:06 pm

Wouldn't we rather do
Code:

$ublock = FixQuotes(check_html($ublock,""));

That will use whatever is defined in the AllowedHTML in config.php

Prophet
Posted: Tue Dec 20, 2005 9:51 pm

That'll work if it'll work for all versions. :D

Evaders99
Posted: Tue Dec 20, 2005 11:37 pm

More or less every version we need :)
7.9 would use the filter function for that

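For the savehome fix discussed above: strip_tags() with an allowlist removes disallowed tags but keeps every attribute on the tags it lets through, so a tag allowlist usually needs an attribute pass as well. The following PHP is an added example, not code from this thread or from PHP-Nuke; `clean_block` and the sample input are constructed, and keeping only an http(s) href on links is an assumed policy.

```php
<?php
// Added example, not PHP-Nuke code. clean_block() and the sample input are constructed.

// Tag allowlist copied from the savehome fix in this thread.
$allowedTags = '<a><br><b><h1><h2><h3><h4><i><li><ol><ul><p><strong><table><tr><td><th><u>';

// strip_tags() removes tags outside the allowlist but leaves every attribute
// on the tags it keeps. This second pass drops all attributes except an
// http(s) href on <a>.
function clean_block(string $html, string $allowedTags): string
{
    $html = strip_tags($html, $allowedTags);
    if (trim($html) === '') {
        return '';
    }
    $previous = libxml_use_internal_errors(true);   // tolerate sloppy markup
    $doc = new DOMDocument();
    // The <div> wrapper cannot clash with user markup: div is not in the allowlist.
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $wrap = $doc->getElementsByTagName('div')->item(0);
    foreach ($wrap->getElementsByTagName('*') as $el) {
        // Snapshot the attribute list; it changes as attributes are removed.
        foreach (iterator_to_array($el->attributes, false) as $attr) {
            $isSafeHref = $el->nodeName === 'a' && $attr->nodeName === 'href'
                && preg_match('#^https?://#i', $attr->nodeValue);
            if (!$isSafeHref) {
                $el->removeAttribute($attr->nodeName);
            }
        }
    }
    $out = '';
    foreach ($wrap->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed input: attributes that should go, one link that should stay.
$input = '<p onmouseover="constructed()">About <b>me</b></p>'
       . '<a href="http://example.org/" style="color:red">home</a><script>x</script>';

echo "strip_tags only: ", strip_tags($input, $allowedTags), "\n";
echo "clean_block:     ", clean_block($input, $allowedTags), "\n";
```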