really dangerous bug!!!! to Charter

[zaartix]

Plz, give me you'r email, i'll send you link to danger bug

[zaartix]

or better send email to me on zaartix @no-spam@ yandex.ru

[zaartix]

result of this bug - anyone can view content of any file.
for example this is a part of your http://www.phpdig.net/forum/sendmessage.php file:
<?php
include("//hide\\");
header("HTTP/1.1 301 Moved Permanently");
header("Location: http://www.phpdig.net/forum/");
exit();
/*======================================================================*\
|| #################################################################### ||
|| # vBulletin 3.0.3 - Licence Number L*1*2*6*

in this code i've hide full path and license number

[Charter]

Argh, noooooooooo...

In search.php find:

PHP Code:

extract(phpdigHttpVars(
     array('query_string'=>'string',
           'refine'=>'integer',
           'refine_url'=>'string',
           'site'=>'string', // set to integer later
           'limite'=>'integer',
           'option'=>'string',
           'lim_start'=>'integer',
           'browse'=>'integer',
           'path'=>'string'
           )
     )); 


And replace with:

PHP Code:

extract(phpdigHttpVars(
     array('query_string'=>'string',
           'refine'=>'integer',
           'refine_url'=>'string',
           'site'=>'string', // set to integer later
           'limite'=>'integer',
           'option'=>'string',
           'lim_start'=>'integer',
           'browse'=>'integer',
           'path'=>'string'
           )
     ),EXTR_SKIP); 


Special thanks to zaartix for finding this! Watch this thread for updates!

[zaartix]

no problems, man

[ZoRaC]

Charter,
I've taken my phpDig down, so please send out a new mail when the bug is completly fixed and a fix is ready for download.

Thanks!

[Charter]

http://www.phpdig.net/forum/showthread.php?t=1608

[tomas]

hi charter,

maybe you forgot these lines setting the "EXTR_SKIP" flag:

admin/spider.php:
extract(phpdigGetSiteFromUrl($id_connect,trim($url),$linksper,$linksper_fla g,$limit,$limit_flag,$usetable));
extract(phpdigTempFile($url_indexing,$result_test_http,$relative_script_pat h.'/admin/temp/'));

admin/update.php:
extract($a_result);
extract($num_result);
extract($this_exclude);

libs/function_phpdig_form.php:
extract($result);



kind regards
tomas

[Charter]

Not every extract without the EXTR_SKIP is a problem.

[tomas]

hi charter,

ok - the problem occurs only in arrays.

for those who do not want to upgrade - is anything done with changing the
flag to EXTR_SKIP?

would you email me a partly pattern to search in apache-logs for a possible hack?

please delete the forum entries with the links to members sites using phpdig because this would be the crackers-dream - getting a list where to have all this fun (knowing this my link-entry was phpdig-website ;-)


thanx
tomas

[Charter]

The problem occurred for another reason, but that's all, no details. People need to upgrade or face possible exploits. To search your logs, just check for anyone accessing your important files. For example, grep on config.php and other important files and review the output for suspicious requests. You will know it if you see it. Also check for any file starting with a string of numbers, that file being writable or in a writable location. If you find such a file and it is not your content, review the file, then delete the file and again check your logs for any requests to the file. As for the PhpDig link entry set via the vB control panel, only admins or mods can see it.