workaround? for imei vulnerability

[cpguser]

There has been a suggestion posted by Dariusz Kolasinski in bugtraq regarding vuln. discovered by imei addmimistrator

...change...

[SNIP]
$file = str_replace('//','',str_replace('..','',$_GET['file']));
[/SNIP]

to:

[SNIP]
$file = str_replace('..','',$_GET['file']);
[/SNIP]

Is this viable? Should we apply this workaround?

[Joachim Müller]

you already asked this, and I moved your posting to a dev-only zone for discussion, leaving a redirector thread that told you exactly that. Once we have looked into the issue, we'll post a fix. Don't keep on posting the same question again. Comment out the whole line if you're afraid as suggested by Nibbler on the dev-only thread:

I'd recommend commenting out the section involved until someone comes up with a way to clean it properly.

Code Select Expand


/*
if (isset($_GET['file'])) {
    // Scrub: Remove '..' and leftover '//' from filename
    $file = str_replace('//','',str_replace('..','',$_GET['file']));
    $path = './plugins/'.$file.'.php';

    // Don't include the codebase and credits files
    if ($file != 'codebase' && $file != 'configuration' && file_exists($path)) {

        // Include the code from the plugin
        include_once($path);
        $file = true;
    } else {
        $file = false;
    }
}
*/


[cpguser]

Don't keep on posting the same question again.

It is really not the same question. is it? First post was to inform you in case you were not aware. That post was moved to a board which I don't have access to hence there was no way I could have seen Nibbler's suggestion.

[Joachim Müller]

as I suggested: Nibbler's code is a quick'n dirty fix, not a final one. We're looking for a final fix as soon as possible and will announce it publicly.

[Joachim Müller]

http://forum.coppermine-gallery.net/index.php?topic=30655.0