workaround? for imei vulnerability

Started by cpguser, April 18, 2006, 12:02:40 AM


cpguser

There has been a suggestion posted by Dariusz Kolasinski in bugtraq regarding the vuln. discovered by imei addmimistrator:

Quote
...change...

[SNIP]
$file = str_replace('//','',str_replace('..','',$_GET['file']));
[/SNIP]

to:

[SNIP]
$file = str_replace('..','',$_GET['file']);
[/SNIP]


Is this viable? Should we apply this workaround?


Joachim Müller

You already asked this, and I moved your posting to a dev-only zone for discussion, leaving a redirector thread that told you exactly that. Once we have looked into the issue, we'll post a fix. Don't keep on posting the same question again. Comment out the whole line if you're afraid, as suggested by Nibbler on the dev-only thread:
Quote from: Nibbler on April 16, 2006, 10:00:38 PM
I'd recommend commenting out the section involved until someone comes up with a way to clean it properly.


/*
if (isset($_GET['file'])) {
    // Scrub: Remove '..' and leftover '//' from filename
    $file = str_replace('//','',str_replace('..','',$_GET['file']));
    $path = './plugins/'.$file.'.php';

    // Don't include the codebase and credits files
    if ($file != 'codebase' && $file != 'configuration' && file_exists($path)) {

        // Include the code from the plugin
        include_once($path);
        $file = true;
    } else {
        $file = false;
    }
}
*/
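
Nibbler's note above asks for a way to clean the file parameter properly. One approach, shown here as an added example that is not part of this thread and not Coppermine's eventual fix, is to stop scrubbing and accept only names that match an allow-list pattern, then confirm the resolved path stays inside the plugin directory. resolve_plugin(), the temporary directory layout and the sample inputs are constructed for illustration, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example: allow-list validation of a plugin name taken from a request.
// resolve_plugin() is a hypothetical helper, not a Coppermine function.
function resolve_plugin(string $name, string $pluginDir): ?string
{
    // Accept only a bare name: letters, digits, underscore, hyphen.
    // Dots, slashes, backslashes and NUL bytes fail here, so nothing is "scrubbed".
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name) !== 1) {
        return null;
    }
    // Same exclusions as the original block.
    if (in_array($name, ['codebase', 'configuration'], true)) {
        return null;
    }
    // Resolve symlinks; realpath() returns false if the file does not exist.
    $base = realpath($pluginDir);
    $path = realpath($pluginDir . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    // The resolved file must still sit inside the plugin directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed layout: <tmp>/plugins/{sample,codebase}.php and <tmp>/secret.php
$root = sys_get_temp_dir() . '/cpg_demo_' . getmypid();
mkdir($root . '/plugins', 0700, true);
file_put_contents($root . '/plugins/sample.php', "<?php // demo plugin\n");
file_put_contents($root . '/plugins/codebase.php', "<?php // excluded name\n");
file_put_contents($root . '/secret.php', "<?php // outside the plugin dir\n");

// Constructed inputs: one valid name, then names the validator must refuse.
foreach (['sample', 'codebase', '../secret', 'sample.php', 'missing', ''] as $input) {
    $resolved = resolve_plugin($input, $root . '/plugins');
    printf("%-14s => %s\n", var_export($input, true), $resolved === null ? 'rejected' : 'accepted');
}

// Remove the constructed files again.
array_map('unlink', glob($root . '/plugins/*.php'));
unlink($root . '/secret.php');
rmdir($root . '/plugins');
rmdir($root);
```

A caller would pass only a non-null return value to include_once and treat null as "no plugin file requested".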


cpguser

Quote
Don't keep on posting the same question again.

It is really not the same question, is it? First post was to inform you in case you were not aware. That post was moved to a board which I don't have access to, hence there was no way I could have seen Nibbler's suggestion.

Joachim Müller

As I suggested: Nibbler's code is a quick'n dirty fix, not a final one. We're looking for a final fix as soon as possible and will announce it publicly.

Joachim Müller