I think you need to patch your bbcode-plugin (if you use it).
Patch is here:
http://adz.void.ru/index.php?file&id=11
Vendor was informed, but no action was made to fix it, so I did it myself.
bbcodes security bugs
-
garvinhicking
- Core Developer
- Posts: 30022
- Joined: Tue Sep 16, 2003 9:45 pm
- Location: Cologne, Germany
- Contact:
Re: bbcodes security bugs
This is so not true. The "vendor" (in that case me) was notified 15 minutes before. I posted a mail to our mailinglist, as a proof of response and told kreon that I would look into this.
A patch will be made public from us, officially. But give us more than 15 minutes, alright.
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
As I said before, this is a critical vulnerability...
F.e. - this is a cookie with admin session cached with script
Code:
serendipity[author_information]=YToyOntzOjg6InVzZXJuYW1lIjtzOjc6ImpvaG5kb2UiO3M6ODoicG
Fzc3dvcmQiO3M6Nzoiam9obmRvZSI7fQ%3D%3D;%
20phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%
22autologinid%22%3Bs%3A32%3A%
2221232f297a57a5a743894a0e4a801fc3%22%3Bs%3A6%3A%
22userid%22%3Bs%3A1%3A%222%22%3B%7D;%
20w3t_myid=2;%
20PHPSESSID=657db285fa6208ac58433c6f0051dab7
Full login data.
I can replace it in my browser to work as admin.
So, if you use bbcodes, turn it off or install patch.
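The cookie quoted above is worth taking apart, because it shows why this is more than a session-hijack. The following is an added example, not part of the thread or of Serendipity: it splits the captured Cookie header (the forum's line breaks removed, values exactly as posted), base64-decodes the serendipity value and reads the PHP-serialized arrays with a small parser written here for the purpose. The function names (parse_cookie_header, php_unserialize, decode_captured_session, exposure_findings) are this example's own.

```python
import base64
from urllib.parse import unquote

# Constructed for this example: the cookie string quoted in the post above, with the
# line breaks introduced by the forum removed. The values are the post's own sample data.
CAPTURED_COOKIE = (
    "serendipity[author_information]=YToyOntzOjg6InVzZXJuYW1lIjtzOjc6ImpvaG5kb2UiO3M6ODoicG"
    "Fzc3dvcmQiO3M6Nzoiam9obmRvZSI7fQ%3D%3D;%"
    "20phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%"
    "22autologinid%22%3Bs%3A32%3A%"
    "2221232f297a57a5a743894a0e4a801fc3%22%3Bs%3A6%3A%"
    "22userid%22%3Bs%3A1%3A%222%22%3B%7D;%"
    "20w3t_myid=2;%"
    "20PHPSESSID=657db285fa6208ac58433c6f0051dab7"
)


def parse_cookie_header(header):
    """Split a Cookie header into {name: value}. URL-decode each part only after
    splitting, so an encoded ';' (%3B) inside a value does not break the parse."""
    cookies = {}
    for part in header.split(";"):
        part = unquote(part).strip()
        if "=" in part:
            name, value = part.split("=", 1)
            cookies[name] = value
    return cookies


def php_unserialize(data):
    """Minimal reader for PHP serialize() output: arrays (a), strings (s), integers (i).
    Assumes ASCII content, so PHP's byte lengths equal character counts."""
    pos = 0

    def parse():
        nonlocal pos
        tag = data[pos]
        if tag == "i":  # i:123;
            end = data.index(";", pos)
            value = int(data[pos + 2:end])
            pos = end + 1
            return value
        if tag == "s":  # s:LEN:"...";
            colon = data.index(":", pos + 2)
            length = int(data[pos + 2:colon])
            start = colon + 2
            value = data[start:start + length]
            pos = start + length + 2
            return value
        if tag == "a":  # a:COUNT:{key;value;...}
            colon = data.index(":", pos + 2)
            count = int(data[pos + 2:colon])
            pos = colon + 2
            result = {}
            for _ in range(count):
                key = parse()
                result[key] = parse()
            pos += 1  # closing '}'
            return result
        raise ValueError("unsupported serialized type %r at offset %d" % (tag, pos))

    return parse()


def decode_captured_session(header):
    """Return the structured content of the three interesting cookies."""
    cookies = parse_cookie_header(header)
    author_raw = base64.b64decode(cookies["serendipity[author_information]"]).decode("utf-8")
    return {
        "serendipity": php_unserialize(author_raw),
        "phpbb": php_unserialize(cookies["phpbb2mysql_data"]),
        "session_id": cookies["PHPSESSID"],
    }


def exposure_findings(decoded):
    """Defender-side summary of what a leaked copy of this cookie hands over."""
    findings = []
    if "password" in decoded["serendipity"]:
        findings.append("serendipity[author_information] carries the account password; "
                        "base64 is an encoding, not encryption")
    if "autologinid" in decoded["phpbb"]:
        findings.append("phpbb2mysql_data carries a long-lived auto-login token")
    findings.append("PHPSESSID is a live session id; reusing it needs no password at all")
    return findings


if __name__ == "__main__":
    decoded = decode_captured_session(CAPTURED_COOKIE)
    print(decoded)
    for finding in exposure_findings(decoded):
        print("-", finding)
```

The point for a defender: a session cookie that only holds an opaque id can be invalidated server-side, while a cookie that embeds the credentials themselves stays valid until the password is changed, which is why this bug report warrants turning the plugin off rather than just logging out.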
-
garvinhicking
- Core Developer
- Posts: 30022
- Joined: Tue Sep 16, 2003 9:45 pm
- Location: Cologne, Germany
- Contact:
I have created a new patch which hopefully fixes the BBCodes properly, without affecting user-made HTML markup (for entries, not comments).
You can download the new version at http://www.netmirror.org/mirror/serendi ... bbcode.php or http://www.netmirror.org/mirror/serendi ... bcode.phps
I'd be happy to get some feedback and include this file in the upcoming Serendipity release.
Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
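The thread does not show what the patched plugin does internally, and Garvin's note that entry markup written by users must keep working is a trust decision the plugin has to make. What a markup converter needs regardless is shown in the added example below, which is not the plugin's PHP code and not from anyone in this thread: escape the whole input first, then reintroduce HTML only for an allowlist of BBCode tags, and let a link through only when its scheme is http or https. The function names (safe_href, bbcode_to_html) and the tag table are this example's own.

```python
import html
import re
from urllib.parse import urlparse

# Inline BBCode tags that map 1:1 onto harmless HTML elements (example allowlist).
SIMPLE_TAGS = {"b": "strong", "i": "em", "u": "u"}
# Link schemes that may appear in an href; anything else stays as literal text.
ALLOWED_SCHEMES = {"http", "https"}


def safe_href(raw_url):
    """Return an attribute-safe href, or None if the URL is not a plain http(s) link."""
    url = raw_url.strip().strip("\"'")
    if urlparse(url).scheme.lower() not in ALLOWED_SCHEMES:
        return None
    return html.escape(url, quote=True)


def bbcode_to_html(text):
    # Step 1: escape the entire input. Raw '<', '>', '"' and '&' typed by the user never
    # reach the output, so hand-written HTML is rendered literally instead of executed.
    out = html.escape(text, quote=True)

    # Step 2: reintroduce markup only for the allowlisted tags; an unclosed tag stays text.
    for tag, elem in SIMPLE_TAGS.items():
        pattern = r"\[%s\](.*?)\[/%s\]" % (tag, tag)
        out = re.sub(pattern, r"<%s>\1</%s>" % (elem, elem), out, flags=re.I | re.S)

    # Step 3: links. The URL is unescaped, scheme-checked, then escaped again for the
    # attribute context; a rejected URL leaves the whole tag visible as text.
    def named_link(match):
        href = safe_href(html.unescape(match.group(1)))
        if href is None:
            return match.group(0)
        return '<a href="%s">%s</a>' % (href, match.group(2))

    def bare_link(match):
        href = safe_href(html.unescape(match.group(1)))
        if href is None:
            return match.group(0)
        return '<a href="%s">%s</a>' % (href, match.group(1))

    out = re.sub(r"\[url=(.+?)\](.*?)\[/url\]", named_link, out, flags=re.I | re.S)
    out = re.sub(r"\[url\](.+?)\[/url\]", bare_link, out, flags=re.I | re.S)
    return out


if __name__ == "__main__":
    for sample in ("[b]bold[/b] and [i]em[/i]",
                   "<script>alert(1)</script>",
                   "[url=http://example.com/?a=1&b=2]site[/url]",
                   "[url=javascript:alert(1)]click[/url]"):
        print(repr(sample), "->", bbcode_to_html(sample))
```

The order matters: converting tags before escaping, or escaping only the text between tags, is the usual way a converter ends up emitting attacker-controlled attributes, and an allowlist of schemes is more robust than trying to blacklist spellings of "javascript:".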
Neither link gives the raw .php file
Both read it as a .php or maybe I am missing something.
-
jhermanns
- Site Admin
- Posts: 378
- Joined: Tue Apr 01, 2003 11:28 pm
- Location: Berlin, Germany
- Contact:
Re: Neither link gives the raw .php file
Lesur wrote: Both read it as a .php or maybe I am missing something.
If you are not, I am
clear as mud
Ok I guess I wasn't clear. Not the first time.
To me both links look like semi-processed php, but the .php header is missing and other information doesn't fully jive with the current event_bbcode file.
Here are the first few lines in the files:
Code:
BBCode-Formatierung erlaubt');
        break;

    case 'en':
    default:
        @define('PLUGIN_EVENT_BBCODE_NAME', 'Markup: BBCode');
        @define('PLUGIN_EVENT_BBCODE_DESC', 'Markup text using BBCode');
        @define('PLUGIN_EVENT_BBCODE_TRANSFORM', 'BBCode format allowed');
        break;
}

class serendipity_event_bbcode extends serendipity_event {
    var $title = PLUGIN_EVENT_BBCODE_NAME;

    function introspect(&$propbag) {
        global
In the words of Homer Simpson
I am so smart, I am so smart ... S..A..M..R..T ....
Right click and download works fine. Sorry for the line noise.