Author Topic: commentary exploit -> section can be altered  (Read 2844 times)

Nightborn

  • Administrator
  • Sr. Member
  • *****
  • Posts: 320
  • Karma: +20/-0
    • Shinobilegends
commentary exploit -> section can be altered
« on: August 15, 2008, 09:42:29 pm »
An exploit has been demonstrated by somebody on my server (and another server) by a "proof of concept" attack.

here is the patch you need to prevent people from posting in any section they want:

diff commentary.php ../../core/lib/commentar
84,91c84
<                       else {
<                               //here we have the request to add a comment with content... check if the section is right, else somebody tries to inject somewhere else ;)
<                               if (rawurldecode(httpget('section'))!=$section) {
<                                       output("`\$Please post in the section you should!");
<                               } else {
<                                       injectcommentary($section, $talkline, $comment, $schema);
<                               }
<                       }
---
>                       else injectcommentary($section, $talkline, $comment, $schema);
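Review bot: the check on the `if (rawurldecode(httpget('section'))!=$section)` line decodes twice if `httpget()` hands back the raw `$_GET` value, which PHP has already URL-decoded when it parsed the query string; a section name that contains a literal `%` sequence would then be decoded a second time and rejected even though the post is legitimate. Compare `httpget('section')` directly, and use `!==` rather than `!=` so PHP's loose string-to-number coercion cannot make two different section names compare equal. It would also be worth logging the rejected attempt next to the `output("`\$Please post in the section you should!")` message, since this branch is exactly the event an admin wants to see when someone is tampering with the comment form.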
556c549
<       $req = comscroll_sanitize($REQUEST_URI)."&comment=1&section=".rawurlencode($section);
---
>       $req = comscroll_sanitize($REQUEST_URI)."&comment=1";
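Review bot: the `"&section=".rawurlencode($section)` appended here is the value the new check in the first hunk compares against, so if `comscroll_sanitize($REQUEST_URI)` can still carry a `section` parameter of its own, the request ends up with two `section` values and the check sees whichever one PHP keeps last. Strip any existing `section=` from the sanitized URI before appending, and make sure every other place that builds the comment-form URL adds the parameter as well, otherwise legitimate posts from those pages will land in the rejection branch.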
It should be fixed, but it won't be easy and it won't be fast. If you want
to help - wonderful. But keep in mind that it will take months of wading
through the ugliest code we have in the tree. If you've got a weak stomach -
stay out. I've been there and it's not a nice place.

   - Al Viro