Security problems - Path traversal attack and XSS attack
Submitted by Sparviero on Sat, 2008-08-02 13:38.
Modifying the PHP code, I've found different security problems.
1) Path traversal attack
In the Upload manager it's possible to escape from the Photos dir using multiple "../" strings. To protect your album you must add a check like this into setup.php:

if($var2=="chdir"){
    // reject any directory name containing ".." before changing into it
    if (preg_match("/\.\./", $p_dir)) $p_dir = "";
    ...
}
if($var2=="mkdir"){
    // same check before creating a directory
    if (preg_match("/\.\./", $p_dir)) $p_dir = "";
    ...
}
if($var2=="rmdir"){
    // same check before removing a directory
    if (preg_match("/\.\./", $p_dir)) $p_dir = "";
    ...
}
2) XSS attack (client side attack)
In the search input box you can insert malicious code (like JS).
For example, try to insert <script>alert(document.location)</script>
and you'll see the script will be executed.
To solve this problem, you must sanitize the search_text string using the htmlspecialchars (or htmlentities) function, changing

value="<?=$search_text;?>"/>

into

value="<?= htmlspecialchars($search_text) ?>"/>

in ALL album.tpl.php and imageview.tpl.php files.
You must also modify the menu code...

<table width="100%" class="menu">
...
<? foreach( $dir_path as $num => $dir ) {
    // escape the directory name and link before they are echoed into the menu
    $dir['name'] = htmlspecialchars($dir['name']);
    $dir['link'] = htmlspecialchars($dir['link']);
?>
<b> :: </b>
...

That's all (for now).
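The two fixes in the post above, written out as a pair of reusable helpers. This is an added example, not PHPAlbum's own code or Sparviero's patch; the function names, the $photosDir root and the demo directory names are assumptions. The path check goes further than the ".." pattern match: it canonicalises the requested directory with realpath and accepts it only if it stays inside the album root, which also covers symlinks and already-normalised variants.

```php
<?php
// Added example (not PHPAlbum's code). Names and paths here are assumptions.
declare(strict_types=1);

/**
 * Resolve a user-supplied subdirectory ($p_dir, e.g. from the chdir/rmdir
 * actions) against the album root. Returns the canonical absolute path, or
 * null when the request must be rejected.
 */
function resolveAlbumDir(string $photosDir, string $p_dir): ?string
{
    $root = realpath($photosDir);
    if ($root === false) {
        return null;                       // album root itself is missing
    }
    // Cheap pre-check, same idea as the post: no NUL bytes, no ".." anywhere.
    if (strpos($p_dir, "\0") !== false || strpos($p_dir, '..') !== false) {
        return null;
    }
    $candidate = realpath($root . DIRECTORY_SEPARATOR . $p_dir);
    if ($candidate === false) {
        return null;                       // does not exist (or not reachable)
    }
    // Authoritative check: the canonical path is the root or lies inside it.
    if ($candidate !== $root
        && strpos($candidate, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

/**
 * Name for a directory to be created (mkdir): a single path component made of
 * a conservative character set, so separators and ".." are impossible.
 */
function isSafeNewDirName(string $name): bool
{
    return preg_match('/^[A-Za-z0-9_\-]{1,64}$/', $name) === 1;
}

/** Escape untrusted text for an HTML attribute or text node (the XSS fix). */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Self-check with constructed inputs when run from the CLI.
if (PHP_SAPI === 'cli') {
    $photos = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'phpalbum_demo_photos';
    @mkdir($photos . DIRECTORY_SEPARATOR . 'holiday', 0700, true);

    var_dump(resolveAlbumDir($photos, 'holiday'));         // accepted
    var_dump(resolveAlbumDir($photos, '../../etc'));       // rejected
    var_dump(resolveAlbumDir($photos, 'holiday/../..'));   // rejected
    var_dump(isSafeNewDirName('summer_2008'));
    var_dump(isSafeNewDirName('../evil'));

    // Output context: the payload from the post comes back as inert text.
    $search_text = '<script>alert(document.location)</script>';
    echo 'value="', h($search_text), '"', PHP_EOL;
}
```

In the templates the only change needed is to wrap every echoed untrusted value in h(), exactly where the post shows htmlspecialchars($search_text); passing ENT_QUOTES matters because the value sits inside a double-quoted attribute, and the plain htmlspecialchars default (no ENT_QUOTES on older PHP) leaves single quotes alone.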

Is this something we are to
Is this something we are to edit ourselves???
Security issues like this worry me. I love the album software, but don't want to risk everything on my server for it.
I wonder why the author of PHPAlbum has not responded to the original post.
You don't need an answer
You don't need an answer from the author: in my post you find the problem and the solution, so apply my "patch".
Hi Sparviero, I do not think
Hi Sparviero,
I do not think the point 1) is critical, as it only works if you have an FTP password for that site, and if you have this, you can do the same with any FTP-Client, so there is no need for any other checks.
The point 2) is indeed critical and will be fixed now, hope I can release a new bugfix today.
@shcick: I know it is bad, but I did not have the time for this project last few months, and I am sorry for that.
Patrik
About 1st point, most
Right, but I prefer to add a security level embedded into the PHP code: a few months ago I found an ISP that gave me an FTP account usable only on localhost for my PHP code.
In that case, unfortunately, the account was not chrooted.
For the same reasons, I prefer to add the path check and the extension check so people can't upload "strange" files like .sh, .php, etc.
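The extension check mentioned above, as an added example rather than code from PHPAlbum or from this thread; function names and the allow-list are assumptions. It is an allow-list (only known image types pass), it ignores the client-supplied base name when choosing the stored file name, and it confirms with getimagesize that the content really is an image, since a file called photo.jpg can contain anything.

```php
<?php
// Added example (not PHPAlbum's code). Function names are assumptions.
declare(strict_types=1);

/**
 * Decide whether an uploaded file may be stored in the album.
 * $clientName is $_FILES['f']['name'], $tmpPath is $_FILES['f']['tmp_name'].
 */
function isAllowedImageUpload(string $clientName, string $tmpPath): bool
{
    // Allow-list: extension => MIME type that getimagesize must report.
    static $allowed = [
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
        'gif'  => 'image/gif',
    ];
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return false;              // .php, .sh, .phtml, no extension, ...
    }
    // Name is untrusted; the bytes must parse as the image type claimed.
    $info = @getimagesize($tmpPath);
    return $info !== false && $info['mime'] === $allowed[$ext];
}

/**
 * Stored name: random base name plus the (already validated) extension, so a
 * client name like "shell.php.jpg" never reaches the filesystem verbatim.
 */
function storedName(string $clientName): string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(8)) . '.' . $ext;
}

// Self-check with a constructed file when run from the CLI.
if (PHP_SAPI === 'cli') {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    // Smallest valid GIF (1x1 pixel), written from a base64 literal.
    file_put_contents($tmp, base64_decode('R0lGODlhAQABAIAAAAAAAP///ywAAAAAAQABAAACAUwAOw=='));

    var_dump(isAllowedImageUpload('cat.gif', $tmp));          // true
    var_dump(isAllowedImageUpload('cat.jpg', $tmp));          // false: GIF bytes, jpg name
    var_dump(isAllowedImageUpload('backdoor.php', $tmp));     // false: not in the allow-list

    file_put_contents($tmp, "<?php echo 'not an image'; ?>");
    var_dump(isAllowedImageUpload('photo.png', $tmp));        // false: content is not an image

    echo storedName('shell.php.jpg'), PHP_EOL;
    unlink($tmp);
}
```

Call isAllowedImageUpload before move_uploaded_file and use storedName for the destination; keep the upload directory itself outside the web root or served with script execution disabled, so an allow-list mistake is a content problem rather than code execution.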