Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: tobozo tagada (tobozoiol.ie)
Date: Tue May 15 2001 - 06:46:13 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

                                      sAvAte inc.
                                Serial Savate System

    <[( advisory )]>---------------------------------------<[(

    Program: PHPSLASH
    Homepage: http://www.phpslash.org
    Author Contacted: 15/apr/2001
    Answer: 16/apr/2001 (ajayrockrock)
    Patch : 16/apr/2001
    Version tested: 0.6.1
    Found by : tobozo

    - Problem description:

    Url block type can access the filesystem when a path
    specified by the administrator.

    The method used in Block_render_url.class does not
    if the $url variable contains a valid url scheme.

    No parsing is really done to check integrity of the url
    scheme, neither the content of the url and file name.

    - Impact:

    If a path to a file is specified (ex : /etc/passwd), the
    file will be read and its content stored in the cache
    exactly as if it was a remote file on a given url.

    - Exploit:

    Login as admin with GOD permissions
    Access the BLOCKS admin section
    (blockAdmin.php3) and
    create a new block with the following information :

    Title : notTrusted
    Type : url
    Site Location : whatever
    Source URL : ./config.php3
    Expire Length : 0
    Owned by section : home
    Data : (empty)
    Order number : whatever

    It will display the content of the config.php3 as text in
    the block of the main page.

    It might become an issue if blockAdmin.php3 gives
    add/edit/remove permission to some users that are
    supposed to access the filesystem.

    Fix :

    Replace the function parse() in the
    Block_render_url.class tu
    use parse_url() and a regex before sending $url to
    the file()

      function parse($block_info) {

        $url = $block_info["source_url"];

        /* check for url structure before opening it (you
    don't want
          /etc/passwd to be validated here -- tobozo -- */
        $urlParts = parse_url($url);

        if( (empty($urlParts)) or (!$urlParts) ) {
          $this->output = "Block_render_url.class:: Parse
    error reading


        $scheme = $urlParts[scheme];
        $HostName = $urlParts[host];

        if(empty($scheme)) {
          $this->output = "Block_render_url.class:: Missing
    protocol declaration

          $this->output = "Block_render_url.class:: No
    hostname in [$url]";

        if (!eregi("^(ht|f)tp",$scheme)) {
          $this->output = "Block_render_url.class:: No
    http:// or ftp:// in


        /* have to silence 'implode' and 'file' because you
    don't want
        the errors showing up on the main page */
        $ary = file($url);
        $size = count($ary);

        $string = implode("",$ary);

        if (strlen($string) < 1) {
          $this->output = "Block_render_url.class: $url
    contained no data.";
        for ($i = 0 ; $i < $size ; $i++) {
          $output .= $ary[$i];
        $this->output = $output;

    - Workaround :

    1) check for all possible protocols
    2) check for url content (host)

    - Code:
    Tested on http://assassine.org (successfully)

    - Contact us:


    - Greetings:

    The phpSlash Team, Gard, Jericho, madteam