Quote
Vulnerability description:
Input passed to the "show" parameter in "index.php" isn't properly verified before it is used to include files. This can be exploited to include arbitrary files from local resources or to view files from local resource.
http://pridels.blogspot.com/2005/11/php-do...local-file.html
FIND in index.php:
    if (!empty($_REQUEST["show"])) {
        $module = stripslashes($_REQUEST["show"]);
        require_once($content_dir.$module.'.php');
        $title = $application_name.': '.$$module->title;
    }
    else {
        $title = $application_name;
    }
REPLACE WITH:
    if (!empty($_REQUEST["show"])) {
        // filter: accept only letters, digits, underscore and hyphen,
        // so "show" cannot carry path separators or dots into the include
        if (preg_match('/^[0-9a-z_-]+$/i', $_REQUEST["show"])) {
            $module = stripslashes($_REQUEST["show"]);
            require_once($content_dir.$module.'.php');
            $title = $application_name.': '.$$module->title;
        }
        else {
            $err_msgs[] = '<b>Error: No suitable input data.</b>';
        }
    }
    else {
        $title = $application_name;
    }
FIND in index.php:
    if ($type == "static") {
        $file = fopen($output_dir.$_REQUEST["show"].'.html','w');
        if (!fwrite($file, $page)) {
            print('Error writing to '.$output_dir.$_REQUEST["show"].'.html');
        }
        fclose($file);
    }
REPLACE WITH:
    if ($type == "static") {
        // filter: same allowlist as above, applied before "show" is used
        // to build the name of the file that gets written
        if (preg_match('/^[0-9a-z_-]+$/i', $_REQUEST["show"])) {
            $file = fopen($output_dir.$_REQUEST["show"].'.html','w');
            if (!fwrite($file, $page)) {
                print('Error writing to '.$output_dir.$_REQUEST["show"].'.html');
            }
            fclose($file);
        }
    }
It may also be good to turn off error reporting at the top of index.php:
    ini_set('display_errors', 0);
-=DKC=-
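
The allowlist filter from the post above, run against constructed inputs, as an added example that is not part of the original post or of the application's own code; the function names and sample values are assumptions. It goes one step beyond the post by comparing the posted pattern with a variant that adds PCRE's D modifier, because "$" on its own also matches just before a trailing newline.

```php
<?php
// Added example: function names and sample inputs are hypothetical.

// The pattern exactly as posted in the fix above.
function show_is_valid_posted(string $show): bool {
    return preg_match('/^[0-9a-z_-]+$/i', $show) === 1;
}

// Same allowlist with the D (dollar-end-only) modifier, so "$" matches
// only at the very end of the string and a trailing newline is rejected.
function show_is_valid_strict(string $show): bool {
    return preg_match('/^[0-9a-z_-]+$/iD', $show) === 1;
}

// Constructed inputs: two legitimate module names, then values that
// must never reach require_once() or fopen().
$samples = [
    'news',              // plain module name
    'user_list-2',       // underscore, hyphen and digit are allowed
    '../../etc/passwd',  // directory traversal
    '/etc/passwd',       // absolute path
    'news.php',          // dot is not in the allowlist
    "news\0",            // embedded NUL byte
    "news\n",            // trailing newline: the edge case for "$"
    '',                  // empty value
];

foreach ($samples as $show) {
    printf(
        "%-24s posted=%-6s strict=%s\n",
        json_encode($show, JSON_UNESCAPED_SLASHES),
        show_is_valid_posted($show) ? 'pass' : 'reject',
        show_is_valid_strict($show) ? 'pass' : 'reject'
    );
}
```

Both patterns reject the traversal, absolute-path, dot, NUL and empty inputs; they differ only on the value ending in a newline, which the posted pattern accepts and the D variant rejects.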














