About the latest two IPB vulnerabilities - Vulnerability Warning - Black Bar Safety Net

2009-12-12T00:00:00
ID MYHACK58:62200925581
Type myhack58
Reporter Anonymous
Modified 2009-12-12T00:00:00

Description

Source: 5up3rh3i's blog

Vulnerability Bulletin

  1. Local include vulnerability

The root cause is that IPB's own friendly-URL implementation does not fully filter the URL parameters it extracts (put another way, it relies too heavily on the filtering done by IPSLib::cleanGlobals and simply never filters these parameters itself). The author of the original vulnerability announcement gave a detailed code analysis for IPB 3.0.4; below we look at IPB 3.0.[0-3]. According to that analysis, the vulnerability lies mainly in the function _fUrlInit():

upload\admin\sources\base\ipsRegistry.php

private static function _fUrlInit() {
    if ( ipsRegistry::$settings['use_friendly_urls'] ) {   // default is 1
        // ......
        /* Grab FURL data... */
        if ( file_exists( IPS_CACHE_PATH . 'cache/furlCache.php' ) ) {
            require( IPS_CACHE_PATH . 'cache/furlCache.php' );
            self::$_seoTemplates = $templates;
        }
        // .....
        if ( is_array( self::$_seoTemplates ) AND count( self::$_seoTemplates ) AND IPS_IS_TASK !== TRUE AND IPS_IS_AJAX !== TRUE ) {
            $qs  = $_SERVER['QUERY_STRING'] ? $_SERVER['QUERY_STRING'] : @getenv('QUERY_STRING');
            $uri = $_SERVER['REQUEST_URI']  ? $_SERVER['REQUEST_URI']  : @getenv('REQUEST_URI');
            // The URL parameters are taken from $_SERVER['QUERY_STRING'] / @getenv('QUERY_STRING'), presumably because
            // values read through $_SERVER/getenv are not affected by magic_quotes (see "Advanced PHP application
            // vulnerability auditing techniques"); everything after the '?' is parsed directly. This is also the
            // point used by the 3.0.4 exploit.
            $_toTest = ( $qs ) ? $qs : $uri;

            foreach( self::$_seoTemplates as $key => $data ) {
                // .....
                if ( strstr( $_toTest, self::$_seoTemplates['data']['varBlock'] ) ) {
                    $_parse = substr( $_toTest, strpos( $_toTest, self::$_seoTemplates['data']['varBlock'] ) + strlen( self::$_seoTemplates['data']['varBlock'] ) );
                    // Split out the parameters. self::$_seoTemplates['data']['varBlock'], ['data']['varSep'] etc.
                    // come from the required cache/furlCache.php, e.g.:
                    //   'data' => array( 'start' => '-', 'end' => '/', 'varBlock' => '/page__', 'varSep' => '__', ...
                    $_data = explode( self::$_seoTemplates['data']['varSep'], $_parse );
                    $_c = 0;
                    foreach( $_data as $_v ) {
                        if ( ! $_c ) {
                            $k = IPSText::parseCleanKey( $_v );
                            $v = '';
                            $_c++;
                        } else {
                            // The value is stored after passing only through IPSText::parseCleanValue, which strips
                            // a few special characters used in XSS / SQL injection but does not filter "../".
                            $v  = IPSText::parseCleanValue( $_v );
                            $_c = 0;
                            $_GET[ $k ]     = $v;
                            $_POST[ $k ]    = $v;
                            $_REQUEST[ $k ] = $v;
                            $_urlBits[ $k ] = $v;
                            ipsRegistry::$request[ $k ] = $v;
                        }
                    }
                }
            }
        }
    }
}

Although $_SERVER['QUERY_STRING'] is not subject to magic_quotes in PHP 5, it is also not urldecoded, so submitting %00 does not truncate the path. We can, however, truncate using an overly long run of "/" or similar characters.
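The following stand-alone PHP is an added example, not code from the advisory or from IPB: it re-implements the "/page__key__value" splitting shown above and places a hardened variant beside it that refuses path-like values. The varBlock/varSep values copy furlCache.php; the request paths and function names are constructed for the demonstration.

```php
<?php
// Added example (not IPB's own code). Template values mirror cache/furlCache.php above.
$furl = array( 'varBlock' => '/page__', 'varSep' => '__' );

// Loose version, mirroring the original flow: pairs are split on varSep and
// every value is accepted as-is (no key or path validation).
function furlParamsLoose( $toTest, array $furl ) {
    $out = array();
    $pos = strpos( $toTest, $furl['varBlock'] );
    if ( $pos === false ) {
        return $out;
    }
    $parse = substr( $toTest, $pos + strlen( $furl['varBlock'] ) );
    $data  = explode( $furl['varSep'], $parse );
    for ( $i = 0; $i + 1 < count( $data ); $i += 2 ) {
        $out[ $data[ $i ] ] = $data[ $i + 1 ];
    }
    return $out;
}

// Hardened version: keys must be short identifiers; values may not contain
// directory separators, "..", NUL bytes, or exceed a sane length (the length
// cap also blocks the over-long-path truncation discussed above).
function furlParamsStrict( $toTest, array $furl ) {
    $out = array();
    foreach ( furlParamsLoose( $toTest, $furl ) as $k => $v ) {
        if ( ! preg_match( '/^[A-Za-z0-9_]{1,32}$/', $k ) ) {
            continue;   // drop keys that are not plain identifiers
        }
        if ( strlen( $v ) > 64 || preg_match( '#[/\\\\\x00]|\.\.#', $v ) ) {
            continue;   // drop anything that looks like a path
        }
        $out[ $k ] = $v;
    }
    return $out;
}

// Constructed inputs: a normal pagination request and one carrying a traversal value.
$benign  = '/forum/topic/12-hello/page__st__20__p__5';
$hostile = '/forum/topic/12-hello/page__st__20__tpl__../../x';

var_dump( furlParamsLoose( $benign,  $furl ) );   // both pairs kept
var_dump( furlParamsLoose( $hostile, $furl ) );   // the traversal value is kept unchanged
var_dump( furlParamsStrict( $hostile, $furl ) );  // the traversal value is dropped
```

Run with `php example.php`; the third dump shows that only the validated pair survives the strict parser.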

  2. Injection vulnerability

Yet another typical case of improper intval() use leading to a security vulnerability; for details, please refer to [PCH-001].

Both of these vulnerabilities could only be dug out with a thorough understanding of the target program's functions and processing flow...