[Security] MKPortal M1.1 Rc1 vulnerabilities and patches


4 replies to this topic

#1 visiblesoul

  • Administrators
  • 551 posts
  • Location:Earth
  • Texas

Posted 25 April 2006 - 12:45 AM

1. MKPortal Multiboard XSS vulnerability in pmpopup.php
2. MKPGallery mime type vulnerability
3. Blog Template Javascript Filtering Vulnerability

-----------------------------------------
1. MKPortal Multiboard XSS vulnerability in pmpopup.php

There is an XSS vulnerability in the MKPortal PM popup functions. All versions of the MKPortal Multiboard (M0.2 - M1.1Rc1) are affected.

As a temporary measure you can remove pmpopup.php from your server and comment out this line in mkportal/include/functions.php (function header)...

//$pmk_js .= $mklib_board->popup_pm($this->lang['popm1'], $this->lang['popm2'], $this->lang['popm3'], $this->lang['popm4']);
This will disable PM popups in the Portal and will neutralize this XSS vulnerability. Hopefully there will be an official patch very soon.

Quote

Advisory ID : FrSIRT/ADV-2006-1485
CVE ID : GENERIC-MAP-NOMATCH
Rated as : Low Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-04-24

Technical Description

Multiple vulnerabilities have been identified in MKPortal, which may be exploited by attackers to execute arbitrary scripting code. These flaws are due to input validation errors in the "include/pmpopup.php" script that does not validate the "u1", "m1", "m2", "m3", and "m4" parameters, which could be exploited by attackers to cause arbitrary scripting code to be executed by the user's browser in the security context of an affected Web site.

Affected Products

MKPortal version 1.0 and prior
MKPortal version 1.1 RC1 and prior

Solution

The FrSIRT is not aware of any official supplied patch for this issue.

References

http://www.frsirt.co...ories/2006/1485
http://www.nukedx.com/?viewdoc=26

Credits

Vulnerabilities reported by Mustafa Can Bjorn

ChangeLog

2006-04-24 : Initial release


(from http://www.frsirt.co...ries/2006/1485)



Please note that I offer free support on this forum in my free time. Depending on how much work I have backlogged it may take me a week or more to answer questions. I am not ignoring you. I answer everyone but please be patient. Thanks.

Disclaimer: All forum posts, including code examples, on this forum are offered for free in the hope that they will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Use code examples at your own risk.

"If at first you don't succeed, keep on suckin' til you do succeed." -Curly Howard
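The advisory above says only that u1 and m1..m4 reach the page unvalidated. The following is an added example, not MKPortal's pmpopup.php and not visiblesoul's patch: a popup page that keeps reading those five parameters from the query string but encodes each one for the context it lands in (HTML text, HTML attribute, JavaScript string) and only follows a u1 that sits under the site's own forum. The page layout, the forum base URL and the inbox fallback path are assumptions. It needs PHP 7.1 or later with mbstring.

```php
<?php
// Added example (not MKPortal code): context-aware encoding for a pmpopup-style page.
// Layout, $forum_base and the inbox fallback are assumptions, not the real script's values.

/** Accept a redirect target only if it lies under our own forum; otherwise use $fallback. */
function safe_forum_url(string $candidate, string $forum_base, string $fallback): string
{
    $candidate = trim($candidate);
    $base = rtrim($forum_base, '/') . '/';
    // The trailing slash in the prefix keeps "http://example.test/forum.evil.com/" and other
    // hosts out; control characters and whitespace have no place in a URL we will emit.
    if (stripos($candidate, $base) !== 0 || preg_match('/[\x00-\x20\x7f]/', $candidate)) {
        return $fallback;
    }
    return $candidate;
}

/** Encode for a JavaScript string literal inside an inline <script> block. */
function js_string(string $s): string
{
    // json_encode yields a quoted literal; the HEX flags also escape < > & ' " so the
    // value can never close the surrounding <script> element or an attribute.
    $enc = json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE);
    return $enc === false ? '""' : $enc;   // invalid UTF-8: emit an empty literal, not false
}

/** Encode for HTML element content or a double-quoted attribute value. */
function html_text(string $s): string
{
    // ENT_SUBSTITUTE keeps invalid UTF-8 from turning the whole string into ''.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build the popup page from the raw query parameters ($_GET in a real request). */
function render_pm_popup(array $get, string $forum_base): string
{
    $inbox = rtrim($forum_base, '/') . '/index.php?action=pm';   // assumed inbox URL
    $m = [];
    foreach (['m1', 'm2', 'm3', 'm4'] as $k) {
        $v = $get[$k] ?? '';
        // m1[]=x arrives as an array; treat anything that is not a string as empty,
        // and cap the length: a popup caption has no use for kilobytes of text.
        $m[$k] = is_string($v) ? mb_substr($v, 0, 200, 'UTF-8') : '';
    }
    $u1raw = $get['u1'] ?? '';
    $u1 = safe_forum_url(is_string($u1raw) ? $u1raw : '', $forum_base, $inbox);

    return '<!DOCTYPE html><html><head><meta charset="utf-8"><title>'
        . html_text($m['m1']) . '</title></head><body>'
        . '<p>' . html_text($m['m2']) . '</p>'
        . '<p><a href="' . html_text($u1) . '">' . html_text($m['m3']) . '</a></p>'
        . '<script>var pmTarget = ' . js_string($u1) . ';'
        . 'function openPm() { window.opener.location.href = pmTarget; window.close(); }</script>'
        . '<p><button type="button" onclick="openPm()">' . html_text($m['m4']) . '</button></p>'
        . '</body></html>';
}

/** The shape the advisory describes, for contrast. Illustrative only; not the original source. */
function render_pm_popup_unsafe(array $get): string
{
    return '<title>' . $get['m1'] . '</title><a href="' . $get['u1'] . '">' . $get['m3'] . '</a>';
}

if (PHP_SAPI === 'cli') {
    // Constructed request, not a captured one.
    $attack = [
        'm1' => '</title><script>alert(document.cookie)</script>',
        'm2' => 'You have a new message',
        'm3' => 'Read it',
        'm4' => 'Open',
        'u1' => 'javascript:alert(document.cookie)',
    ];
    echo render_pm_popup_unsafe($attack), "\n\n";
    echo render_pm_popup($attack, 'http://example.test/forum'), "\n";
}
```

Run on the command line, the first echo prints the payload intact inside the title and href; the second prints it as entity-encoded text, and the link and the JavaScript variable both point at the inbox fallback because the javascript: URL fails the prefix check. The prefix test is deliberately strict: if the forum is ever served from a second hostname, the fallback fires, which is the right direction to fail in. Dropping the parameters altogether, as the temporary patch below does, is simpler still when the values are available server-side.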

#2 visiblesoul

Posted 25 April 2006 - 12:46 AM

Here is my temporary patch for pmpopup.php. I am sure Meo will have a better way of doing this but this is working for me and it does eliminate the XSS vulnerability while preserving the PM Popup functions. This is not an official patch.

For M1.1Rc1:

Step 1.
FIND in mkportal/include/pmpopup.php
$m1 = str_replace("%20", " ", $_GET['m1']);
$m2 = str_replace("%20", " ", $_GET['m2']);
$m3 = str_replace("%20", " ", $_GET['m3']);
$m4 = str_replace("%20", " ", $_GET['m4']);
$u1 = $_GET['u1'];
REPLACE WITH:
/*
$m1 = str_replace("%20", " ", $_GET['m1']);
$m2 = str_replace("%20", " ", $_GET['m2']);
$m3 = str_replace("%20", " ", $_GET['m3']);
$m4 = str_replace("%20", " ", $_GET['m4']);
$u1 = $_GET['u1'];
*/

/* Begin temp patch by visiblesoul */
/* Nothing is read from the query string any more: the popup text comes from
   the language file and the link target from the board configuration. */
define('IN_MKP', 1);
define('IN_PMPOP', 1);

$MK_PATH = "../../";
require $MK_PATH."mkportal/conf_mk.php";

global $DB, $mklib, $mkportals;

switch ($MK_BOARD) {
	case 'IPB':
		$driverf = "IPB/ipb_driverf.php";
		$board_functions = "IPB/ipb_board_functions.php";
		break;
	case 'PHPBB':
		$driverf = "PHPBB/php_driverf.php";
		$board_functions = "PHPBB/php_board_functions.php";
		break;
	case 'VB':
		$driverf = "VB/vb_driverf.php";
		$board_functions = "VB/vb_board_functions.php";
		break;
	case 'IPB13':
		$driverf = "IPB13/ipb13_driverf.php";
		$board_functions = "IPB13/ipb13_board_functions.php";
		break;
	default:
		$driverf = "SMF/smf_driverf.php";
		$board_functions = "SMF/smf_board_functions.php";
		break;
}

require $MK_PATH."mkportal/include/$driverf";
require $MK_PATH."mkportal/include/functions.php";
require $MK_PATH."mkportal/include/$board_functions";

switch ($MK_BOARD) {
	case 'IPB':
		$u1 = "$mklib->siteurl/$mklib->forumpath/index.php?act=Msg";
		break;
	case 'PHPBB':
		$u1 = "$mklib->siteurl/$mklib->forumpath/privmsg.php?folder=inbox";
		break;
	case 'VB':
		$u1 = "$mklib->siteurl/$mklib->forumpath/private.php";
		break;
	case 'IPB13':
		$u1 = "$mklib->siteurl/$mklib->forumpath/index.php?act=Msg";
		break;
	default:
		$u1 = "$mklib->siteurl/$mklib->forumpath/index.php?action=pm";
		break;
}

$m1 = $mklib->lang['popm1'];
$m2 = $mklib->lang['popm2'];
$m3 = $mklib->lang['popm3'];
$m4 = $mklib->lang['popm4'];
/* End temp patch by visiblesoul */
Step 2. (vBulletin only)
FIND in mkportal/include/VB/vb_driverf.php
require $MK_PATH."mkportal/conf_mk.php";
ADD ABOVE:
if (defined('IN_PMPOP')) {
	chdir('mkportal/include');
}



#3 visiblesoul

Posted 25 April 2006 - 12:47 AM

For <= M1.0

Step 1.
FIND in mkportal/include/pmpopup.php
$m1 = str_replace("%20", " ", $_GET['m1']);
$m2 = str_replace("%20", " ", $_GET['m2']);
$m3 = str_replace("%20", " ", $_GET['m3']);
$m4 = str_replace("%20", " ", $_GET['m4']);
$u1 = $_GET['u1'];
REPLACE WITH:
/*
$m1 = str_replace("%20", " ", $_GET['m1']);
$m2 = str_replace("%20", " ", $_GET['m2']);
$m3 = str_replace("%20", " ", $_GET['m3']);
$m4 = str_replace("%20", " ", $_GET['m4']);
$u1 = $_GET['u1'];
*/

/* Begin temp patch by visiblesoul */
/* Nothing is read from the query string any more: the popup text comes from
   the language file and the link target from the board configuration. */
define('IN_MKP', 1);
define('IN_PMPOP', 1);

$MK_PATH = "../../";
require $MK_PATH."mkportal/conf_mk.php";

global $DB, $mklib, $mkportals;

switch ($MK_BOARD) {
	case 'IPB':
		$driverf = "ipb_driverf.php";
		$board_functions = "ipb_board_functions.php";
		break;
	case 'PHPBB':
		$driverf = "php_driverf.php";
		$board_functions = "php_board_functions.php";
		break;
	case 'VB':
		$driverf = "vb_driverf.php";
		$board_functions = "vb_board_functions.php";
		break;
	case 'IPB13':
		$driverf = "ipb13_driverf.php";
		$board_functions = "ipb13_board_functions.php";
		break;
	default:
		$driverf = "smf_driverf.php";
		$board_functions = "smf_board_functions.php";
		break;
}

require $MK_PATH."mkportal/include/$driverf";
require $MK_PATH."mkportal/include/functions.php";
require $MK_PATH."mkportal/include/$board_functions";

switch ($MK_BOARD) {
	case 'IPB':
		$u1 = "$mklib->siteurl/$mklib->forumpath/index.php?act=Msg";
		break;
	case 'PHPBB':
		$u1 = "$mklib->siteurl/$mklib->forumpath/privmsg.php?folder=inbox";
		break;
	case 'VB':
		$u1 = "$mklib->siteurl/$mklib->forumpath/private.php";
		break;
	case 'IPB13':
		$u1 = "$mklib->siteurl/$mklib->forumpath/index.php?act=Msg";
		break;
	default:
		$u1 = "$mklib->siteurl/$mklib->forumpath/index.php?action=pm";
		break;
}

$m1 = $mklib->lang['popm1'];
$m2 = $mklib->lang['popm2'];
$m3 = $mklib->lang['popm3'];
$m4 = $mklib->lang['popm4'];
/* End temp patch by visiblesoul */
Step 2. (vBulletin only)
FIND in mkportal/include/vb_driverf.php
require $MK_PATH."mkportal/conf_mk.php";
ADD ABOVE:
if (defined('IN_PMPOP')) {
	chdir('mkportal/include');
}



#4 visiblesoul

Posted 04 May 2006 - 12:05 PM

2. MKPGallery mime type vulnerability
Note: This is not an official patch.


original post by Mark...
http://www.mkportal....ead.php?t=13487


There is an issue in the gallery module. A user is able to create a text document with HTML inside it, then rename it to a valid file type. Once it is uploaded it is possible for it to be executed.

Here is the solution. I am sure meo, visible or neur can do this better but it was a quick job.

Open:
/mkportal/modules/gallery/index.php

Find:
$file = $_FILES['FILE_UPLOAD']['tmp_name'];
$file_name = $_FILES['FILE_UPLOAD']['name'];
$file_type = $_FILES['FILE_UPLOAD']['type'];
$peso = $_FILES['FILE_UPLOAD']['size']; 
}
Add After:
/* Read the whole temporary upload and reject it if it contains anything that
   looks like markup or script (a text file renamed to .gif, for example).
   file_get_contents() replaces the fopen/fread pair, which overwrote the file
   handle with the file's contents and then passed that string to fclose(). */
$check = (string) @file_get_contents($file);
$bad_patterns = array(
	'/html/i',
	'/javascript/i',
	'/about/i',
	'/vbscript/i',
	'/alert/i',
	'/onmouseover/i',
	'/onclick/i',
	'/onload/i',
	'/onsubmit/i',
	'#script(.+?)/script#is',
	'/<\?php/i',	/* the ? must be escaped, or the pattern matches "php" anywhere */
);
foreach ($bad_patterns as $pattern) {
	if (preg_match($pattern, $check)) {
		$message = "Sorry this file is not valid";
		$mklib->error_page($message);
		exit;
	}
}
Regards,

Mark


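Mark's patch above looks for suspicious words in the uploaded bytes. An added example, not MKPortal code and not Mark's patch, of the other way round: decode the upload as an image and accept it only if it really is one and its extension matches the detected type, then store it under a name the server chooses. The allowed types, the 2 MB cap and the helper names are assumptions. PHP 7.1 or later; GD is optional.

```php
<?php
// Added example (not MKPortal code): validate an upload by what it decodes as,
// not by what the client calls it. Allowed types and size cap are assumptions.

const ALLOWED_IMAGE_TYPES = [
    IMAGETYPE_GIF  => ['gif'],
    IMAGETYPE_JPEG => ['jpg', 'jpeg'],
    IMAGETYPE_PNG  => ['png'],
];

/**
 * $bytes is the content of $_FILES[...]['tmp_name'], $client_name is $_FILES[...]['name'].
 * Returns [accepted (bool), reason or detected MIME type (string), stored name (?string)].
 */
function validate_image_upload(string $bytes, string $client_name, int $max_bytes = 2097152): array
{
    if ($bytes === '' || strlen($bytes) > $max_bytes) {
        return [false, 'empty or oversized upload', null];
    }
    $ext = strtolower(pathinfo($client_name, PATHINFO_EXTENSION));

    // getimagesizefromstring() returns false unless the bytes carry a real image
    // header; the client-supplied $_FILES[...]['type'] is never consulted.
    $info = @getimagesizefromstring($bytes);
    if ($info === false || !isset(ALLOWED_IMAGE_TYPES[$info[2]])) {
        return [false, 'not a GIF, JPEG or PNG', null];
    }
    $type = $info[2];
    if (!in_array($ext, ALLOWED_IMAGE_TYPES[$type], true)) {
        return [false, 'extension does not match the image content', null];
    }
    // Store under a random name with the canonical extension for the detected
    // type; the client's file name never reaches the filesystem.
    $stored = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$type][0];
    return [true, image_type_to_mime_type($type), $stored];
}

/**
 * Optional second layer: re-encode through GD so that bytes appended after a
 * valid image (an HTML polyglot) are dropped. Returns null when GD is missing
 * or the image does not decode.
 */
function reencode_image(string $bytes, int $type): ?string
{
    if (!function_exists('imagecreatefromstring')) {
        return null;
    }
    $im = @imagecreatefromstring($bytes);
    if ($im === false) {
        return null;
    }
    ob_start();
    switch ($type) {
        case IMAGETYPE_GIF:
            imagegif($im);
            break;
        case IMAGETYPE_PNG:
            imagepng($im);
            break;
        default:
            imagejpeg($im, null, 85);
            break;
    }
    imagedestroy($im);
    $out = ob_get_clean();
    return $out === false ? null : $out;
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs: a 1x1 transparent GIF, and an HTML file renamed to .gif.
    $real_gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
    $fake_gif = '<html><body><script>alert(document.cookie)</script></body></html>';
    var_dump(validate_image_upload($real_gif, 'photo.gif'));
    var_dump(validate_image_upload($fake_gif, 'photo.gif'));
    var_dump(validate_image_upload($real_gif, 'photo.php'));   // right bytes, wrong extension
}
```

The header check alone is not the whole story: a genuine GIF with HTML appended after the image data still passes getimagesizefromstring(), which is what reencode_image() is for. Independently of either check, the gallery should serve uploads with the detected Content-Type, an X-Content-Type-Options: nosniff header, and from a directory where the web server does not execute PHP.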

#5 visiblesoul

Posted 08 May 2006 - 03:11 PM

3. Blog Template Javascript Filtering Vulnerability


The blog module does not filter HTML and JavaScript correctly. This could allow a user to insert malicious code in a blog template.

Reported here...
http://www.mkportal....ead.php?p=56097

Patch by Meo:

REPLACE the entire "function clean_template" in /mkportal/modules/blog/index.php with this modified function...
function clean_template ($t="") {

		$t = str_replace( "&#", "", $t );
		$t = str_replace( ">", "&gt;", $t );   // "&gt;" and "&lt;" restored here: the forum rendered them as bare brackets, which made these two lines no-ops
		$t = str_replace( "<", "&lt;", $t );
		$t = str_replace( "<?", "", $t );
		$t = str_replace( "?", "", $t );
		// "is" rather than "ies": the /e modifier does nothing for an empty replacement and is unsupported from PHP 7 on
		while( preg_match( "#script(.+?)/script#is", $t ) ) {
				$t = preg_replace( "#script(.+?)/script#is", "", $t );
		}
		$t = preg_replace( "/javascript/i",  "", $t );
		$t = preg_replace( "/about/i",       "", $t );
		$t = preg_replace( "/vbscript/i",    "", $t );
		$t = preg_replace( "/alert/i",       "", $t );
		$t = preg_replace( "/onmouseover/i", "", $t );
		$t = preg_replace( "/onclick/i",     "", $t );
		$t = preg_replace( "/onload/i",      "", $t );
		$t = preg_replace( "/onsubmit/i",    "", $t );

		return $t;
	}



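The patch above works by removing known-bad words from the template. The following is an added example, not MKPortal code and not Meo's patch: an allow-list sanitizer that parses the template as HTML, keeps only listed tags and attributes, and checks href/src schemes after entity decoding, with a stand-alone copy of the keyword-stripping idea beside it so the two behaviours can be compared on the same input. Which tags and attributes a template may keep is an assumption, as is treating {placeholder} tokens as plain text; keyword_blacklist() mirrors only the preg_replace lines of the patch, not its bracket and entity replacements. PHP 7.1 or later with ext/dom.

```php
<?php
// Added example (not MKPortal code): allow-list template sanitizer vs. keyword blacklist.
// The tag/attribute list is an assumption.

const TEMPLATE_ALLOWED = [
    'div' => ['class'], 'span' => ['class'], 'p' => ['class'],
    'b' => [], 'i' => [], 'u' => [], 'br' => [], 'hr' => [],
    'h1' => [], 'h2' => [], 'h3' => [],
    'ul' => [], 'ol' => [], 'li' => [],
    'table' => ['class'], 'tr' => [], 'td' => ['class'], 'th' => ['class'],
    'a' => ['href', 'title'], 'img' => ['src', 'alt', 'width', 'height'],
];

/** http(s) URLs or plain relative paths only; no javascript:, data:, vbscript:, about: ... */
function safe_url(string $url): bool
{
    $u = trim($url);
    return preg_match('#^https?://#i', $u) === 1
        || ($u !== '' && strpos($u, ':') === false && strpos($u, '//') !== 0);
}

/** Drop disallowed elements with their contents; strip disallowed or unsafe attributes. */
function scrub(DOMNode $node): void
{
    // Copy the child list first: removing nodes while iterating the live list skips siblings.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!isset(TEMPLATE_ALLOWED[$tag])) {
                $node->removeChild($child);   // script, style, iframe, object, form, ...
                continue;
            }
            foreach (iterator_to_array($child->attributes, false) as $attr) {
                $name = strtolower($attr->name);
                // $attr->value is already entity-decoded, so "&#106;avascript:" is seen as "javascript:"
                $keep = in_array($name, TEMPLATE_ALLOWED[$tag], true)
                    && (($name !== 'href' && $name !== 'src') || safe_url($attr->value));
                if (!$keep) {
                    $child->removeAttribute($attr->name);
                }
            }
            scrub($child);
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child);       // comments and <?php ... ?> processing instructions
        }
    }
}

function sanitize_template(string $html): string
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);  // tolerate sloppy markup quietly
    $doc->loadHTML('<!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body>'
        . $html . '</body></html>');
    libxml_use_internal_errors($prev);
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    scrub($body);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);       // text is re-emitted with entities encoded
    }
    return $out;
}

/** The keyword-stripping idea on its own, for contrast. */
function keyword_blacklist(string $t): string
{
    foreach (['javascript', 'about', 'vbscript', 'alert', 'onmouseover', 'onclick', 'onload', 'onsubmit'] as $word) {
        $t = preg_replace('/' . $word . '/i', '', $t);
    }
    return $t;
}

if (PHP_SAPI === 'cli') {
    // Constructed template, not one taken from a real MKPortal blog.
    $tpl = '<div class="blog"><h1>{blog_title}</h1>'
         . '<img src="x" onerror="alert(1)">'
         . '<a href="&#106;avascript:alert(1)">link</a>'
         . '<?php system("id"); ?><script>alert(1)</script>'
         . '<p>{blog_body}</p></div>';
    echo sanitize_template($tpl), "\n";
    // A single pass over each word turns "oncliconclickck" back into "onclick",
    // and "onerror" is not in the list at all.
    echo keyword_blacklist('<img src=x oncliconclickck=alert(1) onerror=alert(1)>'), "\n";
}
```

On the constructed template the sanitizer keeps the div, h1, img (without onerror), the link text (without its href) and the paragraph, and drops the PHP tag and the script element entirely; the placeholders survive as text. The second line shows why word lists are hard to get right: the output still carries an onclick and an onerror handler. An allow-list parser does not need to know the name of every event attribute, because anything it has not been told about is removed.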




