Security vulnerability in 2.3.6pl2, small bugfix

    The template issue:
    ./acp/template.php, find (line 358):

    Source code

    if ($file == ".." || $file == "." || is_dir("$templatefolder/$file")) continue;

    replace with:

    Source code

    if ($file == ".." || $file == "." || is_dir("$templatefolder/$file") || substr($file, -4) == ".php") continue;

    The avatar issue:
    ./acp/avatar.php, find (line 241):

    Source code

    if ($file == ".." || $file == "." || !strstr($file, ".")) continue;

    replace with:

    Source code

    if ($file == ".." || $file == "." || !strstr($file, ".") || substr($file, -4) == ".php") continue;


    Here is something more, so that config.inc.php cannot be included via phpinclude.

    ./global.php:
    find (line 47):

    Source code

    $db = &new db($sqlhost, $sqluser, $sqlpassword, $sqldb, $phpversion);


    insert after it:

    Source code

    // Prevent bad people to do hacking attacks
    unset($sqlhost, $sqluser, $sqlpassword, $sqldb);


    find (line 196 ff.):

    Source code

    $phpinclude = wbb_trim($tpl->get("phpinclude"));
    if ($phpinclude != '') {
        $phpinclude = str_replace('\\"', '"', $phpinclude);
        $phpinclude = str_replace('\\\\', '\\', $phpinclude);
        eval($phpinclude);
    }


    replace with:

    Source code

    $phpinclude = wbb_trim($tpl->get("phpinclude"));
    if ($phpinclude != '') {
        $phpinclude = str_replace('\\"', '"', $phpinclude);
        $phpinclude = str_replace('\\\\', '\\', $phpinclude);
        $pat1 = "/c(.*)o(.*)n(.*)f(.*)i(.*)g(.*)\.(.*)i(.*)n(.*)c(.*)\.(.*)p(.*)h(.*)p(.*)/";
        $pat2 = "/o(.*)p(.*)e(.*)n(.*)d(.*)i(.*)r(.*)\((.*)\)/";
        $pat3 = "/r(.*)e(.*)a(.*)d(.*)d(.*)i(.*)r(.*)\((.*)\)/";
        $pat4 = "/d(.*)i(.*)r(.*)\((.*)\)/";
        $pat5 = "/s(.*)c(.*)a(.*)n(.*)d(.*)i(.*)r(.*)\((.*)\)/";
        if(preg_match($pat1, $phpinclude) != 0 || preg_match($pat4, $phpinclude) != 0 || preg_match($pat5, $phpinclude) != 0 || (preg_match($pat2, $phpinclude) != 0 && preg_match($pat3, $phpinclude) != 0))
            $phpinclude = "echo 'HACKVERSUCH!';";
        eval($phpinclude);
    }


    ./acp/global.php
    find (line 51):

    Source code

    $db = &new db($sqlhost, $sqluser, $sqlpassword, $sqldb, $phpversion);


    insert after it:

    Source code

    // Prevent bad people to do hacking attacks
    // Don't unset $sqldb as it's necessary for dumping db and executing queries
    unset($sqlhost, $sqluser, $sqlpassword);


    Source: Woltlab Support Board
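
An added example (not part of the original post or of wBB) that runs the five patterns from the global.php replacement over constructed one-line snippets and prints which patterns match and whether the patched condition would swap the code for the HACKVERSUCH echo. The helper names matched_patterns and is_blocked and all sample snippets are assumptions made for illustration.

```php
<?php
// Added example, not wBB code. The five patterns are copied from the
// global.php replacement above; helper names and samples are constructed.
const PATTERNS = [
    'pat1' => "/c(.*)o(.*)n(.*)f(.*)i(.*)g(.*)\.(.*)i(.*)n(.*)c(.*)\.(.*)p(.*)h(.*)p(.*)/",
    'pat2' => "/o(.*)p(.*)e(.*)n(.*)d(.*)i(.*)r(.*)\((.*)\)/",
    'pat3' => "/r(.*)e(.*)a(.*)d(.*)d(.*)i(.*)r(.*)\((.*)\)/",
    'pat4' => "/d(.*)i(.*)r(.*)\((.*)\)/",
    'pat5' => "/s(.*)c(.*)a(.*)n(.*)d(.*)i(.*)r(.*)\((.*)\)/",
];

// Return the names of all patterns that match $code.
function matched_patterns(string $code): array
{
    $hits = [];
    foreach (PATTERNS as $name => $regex) {
        if (preg_match($regex, $code) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Same decision as the patched condition:
// pat1 || pat4 || pat5 || (pat2 && pat3).
function is_blocked(array $hits): bool
{
    $hit = array_flip($hits);
    return isset($hit['pat1']) || isset($hit['pat4']) || isset($hit['pat5'])
        || (isset($hit['pat2']) && isset($hit['pat3']));
}

// Constructed phpinclude contents, one line per sample.
$samples = [
    'require "config.inc.php";',            // the file the patch protects
    '$h = opendir("."); $f = readdir($h);', // directory listing
    '$headline = strtoupper($boardtitle);', // harmless template helper
    '$year = date("Y");',                   // harmless, matches nothing
];

foreach ($samples as $code) {
    $hits = matched_patterns($code);
    printf("%-8s %-15s %s\n",
        is_blocked($hits) ? 'BLOCKED' : 'allowed',
        $hits ? implode(',', $hits) : '-',
        $code);
}
```

Any text matched by pat5, or by pat2 and pat3 together, contains d, i, r, ( and ) in that order, so pat4 already decides those cases; the same breadth is why the harmless strtoupper line is replaced as well.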