1.1 --- a/config.php Sat Jul 02 16:20:04 2005 +0000
1.2 +++ b/config.php Sun Mar 05 09:04:20 2006 +0000
1.3 @@ -33,7 +33,7 @@
1.4 // | on configuration. |
1.5 // +---------------------------------------------------------------------------+
1.6 //
1.7 -// $Id: config.php,v 1.110.2.2 2004/10/07 19:44:13 dhaun Exp $
1.8 +// $Id: config.php,v 1.110.2.3 2006/03/05 09:04:19 dhaun Exp $
1.9
1.10 // When setting up Geeklog for the first time, you need to make sure the
1.11 // settings in the following 3 sections are correct:
1.12 @@ -592,7 +592,7 @@
1.13 define('LB',"\n");
1.14 }
1.15 if (!defined ('VERSION')) {
1.16 - define('VERSION', '1.3.9sr2');
1.17 + define('VERSION', '1.3.9sr5');
1.18 }
1.19
1.20 $_STATES = array(
2.1 --- a/public_html/docs/history Sat Jul 02 16:20:04 2005 +0000
2.2 +++ b/public_html/docs/history Sun Mar 05 09:04:20 2006 +0000
2.3 @@ -1,5 +1,43 @@
2.4 GeekLog History/Changes:
2.5
2.6 +Mar 5, 2006 (1.3.9sr5)
2.7 +-----------
2.8 +
2.9 +This release addresses the following security issues:
2.10 +
2.11 +- Konstantin Dyakoff found an old bug in the session handling that would allow
2.12 + anyone to log in as any user.
2.13 +- James Bercegay of GulfTech Security Research reported several issues with
2.14 + Geeklog's cookie handling that made it vulnerable to SQL injections, arbitrary
2.15 + file access, and even injection and execution of arbitrary code.
2.16 +- Prevent execution of PHP code in "normal" blocks
2.17 +
2.18 +Please note that Geeklog 1.3.9 is not officially supported any more. We are
2.19 +only releasing this update due to the severity of these security issues.
2.20 +
2.21 +
2.22 +Jul 3, 2005 (1.3.9sr4)
2.23 +-----------
2.24 +
2.25 +This release addresses the following security issue:
2.26 +
2.27 +Stefan Esser found an SQL injection that can, under certain circumstances,
2.28 +be exploited to extract user data such as the user's password hash.
2.29 +
2.30 +
2.31 +Dec 31, 2004 (1.3.9sr3)
2.32 +------------
2.33 +
2.34 +This release addresses 2 security issues:
2.35 +
2.36 +1. It was possible to submit stories anonymously even if anonymous submissions
2.37 + were turned off in config.php (reported by Barry Wong).
2.38 + These stories still ended up in the submission queue, though, unless you
2.39 + disabled it in config.php.
2.40 +2. Some of the parameters in link and event submissions weren't filtered,
2.41 + leaving them open to potential SQL injections.
2.42 +
2.43 +
2.44 Oct 8, 2004 (1.3.9sr2)
2.45 -----------
2.46
3.1 --- a/public_html/lib-common.php Sat Jul 02 16:20:04 2005 +0000
3.2 +++ b/public_html/lib-common.php Sun Mar 05 09:04:20 2006 +0000
3.3 @@ -33,7 +33,7 @@
3.4 // | |
3.5 // +---------------------------------------------------------------------------+
3.6 //
3.7 -// $Id: lib-common.php,v 1.301.2.3 2005/07/02 16:20:04 dhaun Exp $
3.8 +// $Id: lib-common.php,v 1.301.2.4 2006/03/05 09:04:20 dhaun Exp $
3.9
3.10 // Prevent PHP from reporting uninitialized variables
3.11 error_reporting( E_ERROR | E_WARNING | E_PARSE | E_COMPILE_ERROR );
3.12 @@ -223,20 +223,28 @@
3.13 // way if user logged in and set theme and then logged out we would still know
3.14 // which theme to show them.
3.15
3.16 -if( !empty( $HTTP_POST_VARS['usetheme'] ) && is_dir( $_CONF['path_themes']
3.17 - . $HTTP_POST_VARS['usetheme'] ))
3.18 +$usetheme = '';
3.19 +if( isset( $HTTP_POST_VARS['usetheme'] ))
3.20 {
3.21 - $_CONF['theme'] = $HTTP_POST_VARS['usetheme'];
3.22 + $usetheme = preg_replace( '/[^a-zA-Z0-9\-_\.]/', '', $HTTP_POST_VARS['usetheme'] );
3.23 + $usetheme = str_replace( '..', '', $usetheme );
3.24 +}
3.25 +if( !empty( $usetheme ) && is_dir( $_CONF['path_themes'] . $usetheme ))
3.26 +{
3.27 + $_CONF['theme'] = $usetheme;
3.28 $_CONF['path_layout'] = $_CONF['path_themes'] . $_CONF['theme'] . '/';
3.29 $_CONF['layout_url'] = $_CONF['site_url'] . '/layout/' . $_CONF['theme'];
3.30 }
3.31 else if( $_CONF['allow_user_themes'] == 1 )
3.32 {
3.33 - if( isset( $HTTP_COOKIE_VARS[$_CONF['cookie_theme']]) && empty($_USER['theme'] ))
3.34 - {
3.35 - if( is_dir( $_CONF['path_themes'] . $HTTP_COOKIE_VARS[$_CONF['cookie_theme']] ))
3.36 + if( isset( $HTTP_COOKIE_VARS[$_CONF['cookie_theme']] ) && empty( $_USER['theme'] ))
3.37 + {
3.38 + $theme = preg_replace( '/[^a-zA-Z0-9\-_\.]/', '',
3.39 + $HTTP_COOKIE_VARS[$_CONF['cookie_theme']] );
3.40 + $theme = str_replace( '..', '', $theme );
3.41 + if( is_dir( $_CONF['path_themes'] . $theme ))
3.42 {
3.43 - $_USER['theme'] = $HTTP_COOKIE_VARS[$_CONF['cookie_theme']];
3.44 + $_USER['theme'] = $theme;
3.45 }
3.46 }
3.47
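Review bot: The whitelist plus `str_replace( '..', '', ... )` still lets a name consisting only of dots through: `.` stays `.`, and `...` reduces to `.`, so `is_dir( $_CONF['path_themes'] . '.' )` is true whenever the themes directory exists (assuming `path_themes` ends in a slash, as the `path_layout` assignment suggests), and `$_CONF['theme']` becomes `.` with `path_layout` pointing at the themes root rather than a theme. Rejecting names that begin with a dot closes this: `if( !empty( $usetheme ) && ( substr( $usetheme, 0, 1 ) != '.' ) && is_dir( $_CONF['path_themes'] . $usetheme ))`, with the same guard on the cookie branch before `is_dir( $_CONF['path_themes'] . $theme )`. The two sanitising sequences are character-for-character identical; a small helper would keep them from drifting apart. The `else if` block continues past the end of the hunk.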
3.48 @@ -268,12 +276,14 @@
3.49
3.50 // Similarly set language
3.51
3.52 -if( isset( $HTTP_COOKIE_VARS[$_CONF['cookie_language']]) && empty( $_USER['language'] ))
3.53 +if( isset( $HTTP_COOKIE_VARS[$_CONF['cookie_language']] ) && empty( $_USER['language'] ))
3.54 {
3.55 - if( is_file( $_CONF['path_language'] . $HTTP_COOKIE_VARS[$_CONF['cookie_language']] . '.php' ))
3.56 - {
3.57 - $_USER['language'] = $HTTP_COOKIE_VARS[$_CONF['cookie_language']];
3.58 - $_CONF['language'] = $HTTP_COOKIE_VARS[$_CONF['cookie_language']];
3.59 + $language = preg_replace( '/[^a-z0-9\-_]/', '',
3.60 + $HTTP_COOKIE_VARS[$_CONF['cookie_language']] );
3.61 + if( is_file( $_CONF['path_language'] . $language . '.php' ))
3.62 + {
3.63 + $_USER['language'] = $language;
3.64 + $_CONF['language'] = $language;
3.65 }
3.66 }
3.67 else if( !empty( $_USER['language'] ))
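Review bot: After the `preg_replace` the value in `$language` can be the empty string (a cookie containing no characters from `[a-z0-9\-_]`), and the next line then tests `is_file( $_CONF['path_language'] . '.php' )` instead of rejecting the value; add `!empty( $language ) &&` in front of the `is_file` call. The character class also differs from the theme whitelist two hunks up in that it drops upper-case letters, so a cookie of `English` silently becomes `nglish` — stripping characters rewrites invalid input into a different plausible name; if every language file is lower-case this is harmless, otherwise matching with `preg_match()` and rejecting on mismatch is the clearer contract. The `else if( !empty( $_USER['language'] ))` branch continues outside the hunk.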
3.68 @@ -3536,6 +3546,7 @@
3.69 if( !empty( $A['content'] ) && !$U['noboxes'] )
3.70 {
3.71 $blockcontent = stripslashes( $A['content'] );
3.72 + $blockcontent = str_replace( array( '<?', '?>' ), '', $blockcontent );
3.73
3.74 // Hack: If the block content starts with a '<' assume it
3.75 // contains HTML and do not call nl2br() which would only add
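Review bot: The added `str_replace( array( '<?', '?>' ), '', $blockcontent )` is a single pass and therefore not a fixed point: deleting a marker can leave a freshly formed marker behind (the four characters `<<??` come out as `<?`), so the line does not guarantee the markers are gone. Escaping instead of deleting is both idempotent and keeps the author's text readable: `$blockcontent = str_replace( array( '<?', '?>' ), array( '&lt;?', '?&gt;' ), $blockcontent );`. This only matters if block content later reaches `eval()` somewhere outside this hunk; the more robust fix is for only blocks explicitly typed as PHP blocks to be evaluated at all, which is not visible here. The enclosing function starts and ends outside the hunk.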
3.76 @@ -5353,7 +5364,7 @@
3.77 if( $isnumeric )
3.78 {
3.79 // Note: PHP's is_numeric() accepts values like 4e4 as numeric
3.80 - if( !is_numeric( $p ) || ( preg_match( '/^([0-9]+)$/', $p ) == 0 ))
3.81 + if( !is_numeric( $p ) || ( preg_match( '/^-?\d+$/', $p ) == 0 ))
3.82 {
3.83 $p = 0;
3.84 }
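Review bot: The new pattern `/^-?\d+$/` relies on `$`, which without the `D` modifier also matches before a trailing newline; the `is_numeric()` test in front of it currently catches such values, but the regex should stand on its own: `preg_match( '/^-?\d+$/D', $p )`. Accepting a leading minus is a behavioural change for every caller of the numeric mode — the new callers in users.php and lib-sessions.php guard with `$userid > 1`, but older callers may assume a non-negative result, so this deserves a sentence in the function's header comment, which is outside the hunk. The accepted value is also handed back as a string; `$p = (int) $p;` in this branch would give callers a single type to reason about. The enclosing function begins and ends outside the hunk.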
4.1 --- a/public_html/users.php Sat Jul 02 16:20:04 2005 +0000
4.2 +++ b/public_html/users.php Sun Mar 05 09:04:20 2006 +0000
4.3 @@ -32,7 +32,7 @@
4.4 // | |
4.5 // +---------------------------------------------------------------------------+
4.6 //
4.7 -// $Id: users.php,v 1.77.2.1 2004/05/31 10:43:43 dhaun Exp $
4.8 +// $Id: users.php,v 1.77.2.2 2006/03/05 09:04:20 dhaun Exp $
4.9
4.10 /**
4.11 * This file handles user authentication
4.12 @@ -687,8 +687,12 @@
4.13 setcookie ($_CONF['cookie_session'], '', time() - 10000,
4.14 $_CONF['cookie_path'], $_CONF['cookiedomain'],
4.15 $_CONF['cookiesecure']);
4.16 - setcookie ($_CONF['cookie_name'], '', time() - 10000, $_CONF['cookie_path'],
4.17 - $_CONF['cookiedomain'], $_CONF['cookiesecure']);
4.18 + setcookie ($_CONF['cookie_password'], '', time() - 10000,
4.19 + $_CONF['cookie_path'], $_CONF['cookiedomain'],
4.20 + $_CONF['cookiesecure']);
4.21 + setcookie ($_CONF['cookie_name'], '', time() - 10000,
4.22 + $_CONF['cookie_path'], $_CONF['cookiedomain'],
4.23 + $_CONF['cookiesecure']);
4.24 $display = COM_refresh($_CONF['site_url'] . '/index.php?msg=8');
4.25 break;
4.26
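Review bot: Expiring the three cookies only clears them in the browser; if the `case` these lines belong to (its start is outside the hunk) does not also delete the server-side session row, the session id stays valid for anyone who captured it until it times out, so it is worth confirming that the session is removed before the `setcookie()` calls. The three calls differ only in the cookie name; iterating over `array( $_CONF['cookie_session'], $_CONF['cookie_password'], $_CONF['cookie_name'] )` would keep them in step the next time the cookie parameters change.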
4.27 @@ -873,12 +877,12 @@
4.28 if (empty ($userid) || ($userid == 'deleted')) {
4.29 unset ($userid);
4.30 } else {
4.31 - if ($VERBOSE) {
4.32 - COM_errorLog('NOW trying to set permanent cookie',1);
4.33 - COM_errorLog('Got '.$userid.' from perm cookie in users.php',1);
4.34 - }
4.35 - if ($userid) {
4.36 - $user_logged_in = 1;
4.37 + $userid = COM_applyFilter ($userid, true);
4.38 + if ($userid > 1) {
4.39 + if ($VERBOSE) {
4.40 + COM_errorLog('NOW trying to set permanent cookie',1);
4.41 + COM_errorLog('Got '.$userid.' from perm cookie in users.php',1);
4.42 + }
4.43 // Create new session
4.44 $userdata = SESS_getUserDataFromId($userid);
4.45 $_USER = $userdata;
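Review bot: `$userid > 1` encodes an assumption as a bare literal (presumably that uid 0 and uid 1 are reserved/anonymous accounts), here and in the matching checks in lib-sessions.php; a named constant or a comment such as `// uids 0 and 1 must never become a logged-in session` would record the intent. The block opened by `if ($userid > 1)` continues past the end of the hunk, and the comparison of the permanent password cookie against the stored hash is not visible in it — if that comparison happens before the `if (empty ($userid) || ...)` line, it operates on the raw cookie value while the session is created from the filtered one, and it would be safer to filter first and compare the same value.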
5.1 --- a/system/lib-sessions.php Sat Jul 02 16:20:04 2005 +0000
5.2 +++ b/system/lib-sessions.php Sun Mar 05 09:04:20 2006 +0000
5.3 @@ -30,7 +30,7 @@
5.4 // | |
5.5 // +---------------------------------------------------------------------------+
5.6 //
5.7 -// $Id: lib-sessions.php,v 1.28 2004/02/14 13:04:10 dhaun Exp $
5.8 +// $Id: lib-sessions.php,v 1.28.2.1 2006/03/05 09:04:20 dhaun Exp $
5.9
5.10 /**
5.11 * This is the session management library for Geeklog. Some of this code was
5.12 @@ -95,7 +95,7 @@
5.13 // an array of the users info and setup the theme.
5.14
5.15 if (isset($HTTP_COOKIE_VARS[$_CONF['cookie_session']])) {
5.16 - $sessid = $HTTP_COOKIE_VARS[$_CONF['cookie_session']];
5.17 + $sessid = COM_applyFilter ($HTTP_COOKIE_VARS[$_CONF['cookie_session']]);
5.18 if ($_SESS_VERBOSE) {
5.19 COM_errorLog("got $sessid as the session id from lib-sessions.php",1);
5.20 }
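Review bot: `COM_applyFilter()` is called here without the numeric flag, so `$sessid` only receives the generic filter, unlike `$userid` in the hunks below; if session ids are generated as numbers (`SESS_newSession()` is not in this diff, so this is an assumption to confirm), `COM_applyFilter ($HTTP_COOKIE_VARS[$_CONF['cookie_session']], true)` would reject anything non-numeric up front. What the generic filter does to a value that is presumably interpolated into a query later is outside this hunk and worth checking at the `SESS_getUserIdFromSession()` call site.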
5.21 @@ -120,21 +120,25 @@
5.22 // Session probably expired, now check permanent cookie
5.23 if (isset($HTTP_COOKIE_VARS[$_CONF['cookie_name']])) {
5.24 $userid = $HTTP_COOKIE_VARS[$_CONF['cookie_name']];
5.25 - if (empty ($userid) || !is_numeric ($userid)) {
5.26 + if (empty ($userid) || ($userid == 'deleted')) {
5.27 unset ($userid);
5.28 } else {
5.29 - $cookie_password = $HTTP_COOKIE_VARS[$_CONF['cookie_password']];
5.30 - $userpass = DB_getItem($_TABLES['users'],'passwd',"uid = $userid");
5.31 + $userid = COM_applyFilter ($userid, true);
5.32 + $cookie_password = '';
5.33 + $userpass = '';
5.34 + if ($userid > 1) {
5.35 + $cookie_password = $HTTP_COOKIE_VARS[$_CONF['cookie_password']];
5.36 + $userpass = DB_getItem ($_TABLES['users'], 'passwd',
5.37 + "uid = $userid");
5.38 + }
5.39 if (empty ($cookie_password) || ($cookie_password <> $userpass)) {
5.40 //User may have modified their UID in cookie, ignore them
5.41 - } else {
5.42 - if ($userid) {
5.43 - $user_logged_in = 1;
5.44 - $sessid = SESS_newSession($userid, $REMOTE_ADDR, $_CONF['session_cookie_timeout'], $_CONF['cookie_ip']);
5.45 - SESS_setSessionCookie($sessid, $_CONF['session_cookie_timeout'], $_CONF['cookie_session'], $_CONF['cookie_path'], $_CONF['cookiedomain'], $_CONF['cookiesecure']);
5.46 - $userdata = SESS_getUserDataFromId($userid);
5.47 - $_USER = $userdata;
5.48 - }
5.49 + } else if ($userid > 1) {
5.50 + $user_logged_in = 1;
5.51 + $sessid = SESS_newSession($userid, $REMOTE_ADDR, $_CONF['session_cookie_timeout'], $_CONF['cookie_ip']);
5.52 + SESS_setSessionCookie($sessid, $_CONF['session_cookie_timeout'], $_CONF['cookie_session'], $_CONF['cookie_path'], $_CONF['cookiedomain'], $_CONF['cookiesecure']);
5.53 + $userdata = SESS_getUserDataFromId($userid);
5.54 + $_USER = $userdata;
5.55 }
5.56 }
5.57 }
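Review bot: The credential test the new code funnels into, `($cookie_password <> $userpass)`, is a loose comparison that compares two numeric-looking strings by numeric value, and `$cookie_password` is taken from the cookie unfiltered; `if (empty ($cookie_password) || ($cookie_password !== $userpass))` keeps the comparison strict, and the same line recurs in the next hunk (`@@ -154,23 +158,27 @@`). The branch that wins that test is empty apart from a comment, with the real work in the `else if ($userid > 1)`; inverting it to `if (!empty ($cookie_password) && ($cookie_password === $userpass) && ($userid > 1)) {` removes the empty branch. The surrounding block that this `if (isset($HTTP_COOKIE_VARS[$_CONF['cookie_name']]))` sits in starts outside the hunk.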
5.58 @@ -154,23 +158,27 @@
5.59 }
5.60
5.61 $userid = $HTTP_COOKIE_VARS[$_CONF['cookie_name']];
5.62 - if (!is_numeric ($userid)) {
5.63 + if (empty ($userid) || ($userid == 'deleted')) {
5.64 unset ($userid);
5.65 } else {
5.66 - $userpass = DB_getItem($_TABLES['users'],'passwd',"uid = $userid");
5.67 - $cookie_password = $HTTP_COOKIE_VARS[$_CONF['cookie_password']];
5.68 + $userid = COM_applyFilter ($userid, true);
5.69 + $cookie_password = '';
5.70 + $userpass = '';
5.71 + if ($userid > 1) {
5.72 + $userpass = DB_getItem ($_TABLES['users'], 'passwd',
5.73 + "uid = $userid");
5.74 + $cookie_password = $HTTP_COOKIE_VARS[$_CONF['cookie_password']];
5.75 + }
5.76 if (empty ($cookie_password) || ($cookie_password <> $userpass)) {
5.77 // User could have modified UID in cookie, don't do shit
5.78 - } else {
5.79 - if ($userid) {
5.80 - $user_logged_in = 1;
5.81 + } else if ($userid > 1) {
5.82 + $user_logged_in = 1;
5.83
5.84 - // Create new session and write cookie
5.85 - $sessid = SESS_newSession($userid, $REMOTE_ADDR, $_CONF['session_cookie_timeout'], $_CONF['cookie_ip']);
5.86 - SESS_setSessionCookie($sessid, $_CONF['session_cookie_timeout'], $_CONF['cookie_session'], $_CONF['cookie_path'], $_CONF['cookiedomain'], $_CONF['cookiesecure']);
5.87 - $userdata = SESS_getUserDataFromId($userid);
5.88 - $_USER = $userdata;
5.89 - }
5.90 + // Create new session and write cookie
5.91 + $sessid = SESS_newSession($userid, $REMOTE_ADDR, $_CONF['session_cookie_timeout'], $_CONF['cookie_ip']);
5.92 + SESS_setSessionCookie($sessid, $_CONF['session_cookie_timeout'], $_CONF['cookie_session'], $_CONF['cookie_path'], $_CONF['cookiedomain'], $_CONF['cookiesecure']);
5.93 + $userdata = SESS_getUserDataFromId($userid);
5.94 + $_USER = $userdata;
5.95 }
5.96 }
5.97 }
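Review bot: From `$userid = COM_applyFilter ($userid, true);` down to `$_USER = $userdata;` this is a line-for-line copy of the block in the preceding hunk, differing only in the order of the `$userpass` and `$cookie_password` assignments; a single helper that takes the two cookie values and returns the validated uid (or 0) would give both call sites one place to fix. The comment in the empty branch, `// User could have modified UID in cookie, don't do shit`, should say what the code does: `// UID or password cookie does not match the stored password, ignore the cookies`. The block this code sits in begins outside the hunk.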
5.98 @@ -359,11 +367,7 @@
5.99 }
5.100
5.101 if (!$row) {
5.102 - if (isset($HTTP_COOKIE_VARS[$_CONF['cookie_name']])) {
5.103 - return $HTTP_COOKIE_VARS[$_CONF['cookie_name']];
5.104 - } else {
5.105 - return 0;
5.106 - }
5.107 + return 0;
5.108 } else {
5.109 return $row['uid'];
5.110 }
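Review bot: The function now returns 0 whenever no session row matches, and the fallback to the uid cookie is gone; its header comment is outside the hunk and, if it still describes that fallback, should be updated to say `// Returns the uid for the session, or 0 when no session row matches; the permanent uid cookie is deliberately not consulted here`. Callers that previously received a cookie-supplied uid now get 0, which the `$userid > 1` guards in the other hunks handle, but any other caller of this function is outside the diff and worth a quick check.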