[geeklog-devel] Re: [geeklog-security] profiles.php

Vincent Furia vmf at abtech.org
Mon Oct 27 13:41:19 EST 2003


I've attached a fix to profiles.php that corrects all the errors posted 
below.  I've patched my changes on top of cvs latest, so it should be 
able to be placed right on top of the current profiles.php.  The only 
other thing that needs to be taken care of is error messages for 
incorrect permissions to send the email and the speed limit check.  For 
the time being I've just placed in COM_refresh, as the error message 
will require changes to the language files...  The changes made were 
primarily to the contactemail and mailstory functions.

Enjoy,
Vinny

Dwight Trumbower wrote:

> So when are you going to announce this to Full disclosure? :) :)
>
>
> At 10:32 AM 10/16/2003, you wrote:
>
>> Versions: All 1.3.x versions (at least back to 1.3.5)
>>
>> Allows the attacker (anonymous or registered) to send emails to users 
>> regardless of their allow email account setting and regardless of 
>> site settings allowing anonymous users to use the email utility (i.e. 
>> $_CONF['loginrequired'] or $_CONF['emailuserloginrequired']).
>>
>> Also there is no speed limit for sending emails in this way.  While 
>> fixing these problems, I'd also recommend all emails going to the 
>> site admin (uid = 2) be allowed for website contact purposes.
>>
>> This could, theoretically, be used to spam all of a site's users.
>>
>> The problem is in profiles.php, the contactemail function is called 
>> without checking (either within the function or before the function 
>> is called) the $_CONF variables or the preferences of the user being 
>> emailed.  These are only checked when creating the email form.  The 
>> exploit simply bypasses using the form by doing a HTTP POST to profiles.php.
>>
>> This seems to me to be a pretty minor bug as no personal information 
>> is at risk and there is no opportunity to promote an attacker's 
>> rights.  I do think a fix should be released with 1.3.9.  I'll code 
>> up a fix if you'd like, it should be very straightforward.
>>
>> -Vinny
>>
>> Example Exploit:
>> > telnet site_url 80
>>
>> POST /profiles.php HTTP/1.1
>> Host: site_url
>> Content-Type: application/x-www-form-urlencoded
>> Content-Length: 98
>>
>> author=Hacker&authoremail=hack%40hack.org&subject=Testing&message=Testing+2+4+6&what=contact&uid=2 
>> _______________________________________________
>> geeklog-security mailing list
>> geeklog-security at lists.geeklog.net
>> http://lists.geeklog.net/listinfo/geeklog-security
>>
>>
>>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist8.pair.net/pipermail/geeklog-devel/attachments/20031027/19191124/attachment.html>
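The bug reported in the thread is a classic one: the authorization checks (site config, the target user's "allow email" preference, the speed limit) live in the code that renders the email form, so a client that skips the form and POSTs straight to profiles.php is never checked. The following is an added example, not Geeklog's own code or Vinny's patch: a small Python model of the "contact" action with the unchecked handler beside a hardened one that repeats every check on the submit path. The config keys mirror $_CONF['loginrequired'] and $_CONF['emailuserloginrequired']; the user table, the speed-limit store, the 45-second limit, the admin (uid 2) exception from the report's recommendation, and the field names taken from the posted exploit body are all assumptions made for the example.

```python
"""Model of a profile "contact" handler: the unchecked version beside the
hardened one.  Added example; not Geeklog's profiles.php.  Config keys
mirror $_CONF['loginrequired'] / $_CONF['emailuserloginrequired']; the
user table, speed-limit store and send behaviour are constructed here."""
from urllib.parse import parse_qs

# Constructed user table.  'emailfromuser' is the per-user "allow other
# users to email me" preference; uid 2 is the site admin, as in Geeklog.
USERS = {
    2: {"username": "Admin", "email": "admin@example.org", "emailfromuser": 0},
    5: {"username": "Alice", "email": "alice@example.org", "emailfromuser": 0},
    7: {"username": "Bob",   "email": "bob@example.org",   "emailfromuser": 1},
}
SITE_ADMIN_UID = 2          # always reachable for site-contact purposes (assumed)
SPEEDLIMIT_SECONDS = 45     # assumed value; Geeklog's real limit is configurable
_last_send = {}             # constructed speed-limit store: remote_addr -> time

# The exact POST body from the report (the only non-constructed input here).
EXPLOIT_BODY = ("author=Hacker&authoremail=hack%40hack.org&subject=Testing"
                "&message=Testing+2+4+6&what=contact&uid=2")


def _parse(post):
    """Flatten the urlencoded body to single values; returns None on a bad uid."""
    form = {k: v[0] for k, v in parse_qs(post).items()}
    try:
        form["uid"] = int(form.get("uid", ""))
    except ValueError:
        return None
    return form


def vulnerable_contact(post, cfg, current_uid):
    """The reported bug: the submit path trusts that the form page already
    enforced cfg and the target's preference, so it only checks the uid."""
    form = _parse(post)
    if form is None or form.get("what") != "contact":
        return (False, "bad request")
    if form["uid"] not in USERS:
        return (False, "no such user")
    return (True, "sent")          # a real handler would call the mailer here


def contact(post, cfg, current_uid, remote_addr, now):
    """Hardened handler: every check the form page made is repeated here,
    because the form is not a trust boundary.  Returns (sent, reason)."""
    form = _parse(post)
    if form is None or form.get("what") != "contact":
        return (False, "bad request")
    target = USERS.get(form["uid"])
    if target is None:
        return (False, "no such user")
    # Site policy: anonymous users may be barred from the site or from mailing.
    anonymous = current_uid is None
    if anonymous and (cfg["loginrequired"] or cfg["emailuserloginrequired"]):
        return (False, "login required")
    # Recipient's own preference, with the admin kept reachable (assumed policy).
    if form["uid"] != SITE_ADMIN_UID and not target["emailfromuser"]:
        return (False, "user does not accept email")
    # Speed limit per source address, checked before anything is sent.
    last = _last_send.get(remote_addr)
    if last is not None and now - last < SPEEDLIMIT_SECONDS:
        return (False, "speed limit")
    for field in ("author", "authoremail", "subject", "message"):
        if not form.get(field, "").strip():
            return (False, "missing field")
    _last_send[remote_addr] = now
    return (True, "sent")


if __name__ == "__main__":
    strict = {"loginrequired": 0, "emailuserloginrequired": 1}
    print(vulnerable_contact(EXPLOIT_BODY, strict, None))   # (True, 'sent')
    print(contact(EXPLOIT_BODY, strict, None, "10.0.0.1", 1000.0))  # login required
```

The point of the comparison is the trust boundary: the form page is just a convenience for browsers, and anything it checked must be checked again where the side effect (the mail) actually happens. The hardened handler also rejects the speed-limited retry before touching the mailer, so a scripted loop over uids gets refused rather than throttled after the fact.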

