Security Related bug in mx_errordocs v1.0.0

Author: markus [Administrator]
Posted: Tue Dec 28, 2004 9:47 am    Post subject: Security Related bug in mx_errordocs v1.0.0

All users of mx_errordocs v1.0.0 are encouraged to apply the following modification:

Code:
#
# ---[ OPEN ]----------
#
modules/mx_errordocs/admin/admin_errordocs_log.php
#
# ---[ FIND ]----------
#
   'REQUEST_URI'   => $log_data[$i]['request_uri'],
   'HTTP_REFERER'   => $log_data[$i]['http_referer'],
#
# ---[ REPLACE WITH ]----------
#
   'REQUEST_URI'   => htmlspecialchars($log_data[$i]['request_uri']),
   'HTTP_REFERER'   => htmlspecialchars($log_data[$i]['http_referer']),
#
# ---[ SAVE ]----------
#

It is just to prevent possible HTML injection coming from the HTTP request itself, stored in the database.

 
 
_________________
http://www.phpmix.org
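The following is an added illustration, not code from mx_errordocs or phpMiX: it shows why the stored REQUEST_URI and HTTP_REFERER values must be escaped when the admin log view renders them. The log rows are constructed test data standing in for what the module's table would return; the hostile request line is hypothetical. The "vulnerable" function mirrors the behaviour of the unpatched template assignment, the "fixed" one the htmlspecialchars() wrapping the post prescribes.

```php
<?php
// Added example (not mx_errordocs code): shows why the admin log view must
// HTML-escape request data that was stored verbatim in the database.
// The rows below are constructed; real rows come from the errordocs log table.

declare(strict_types=1);

// Constructed log rows. request_uri and http_referer are attacker-controlled:
// anyone who requests a non-existent page gets their request line and
// Referer header stored exactly as sent.
$log_data = [
    [
        'request_uri'  => '/missing-page.html',
        'http_referer' => 'http://www.example.com/links.html',
    ],
    [
        // Hypothetical hostile request: the 404 handler logs it unchanged,
        // so the payload fires when an administrator opens the log page.
        'request_uri'  => '/x"><script>alert(document.cookie)</script>',
        'http_referer' => 'http://evil.example/<img src=x onerror=alert(1)>',
    ],
];

// Before the fix: raw values interpolated into the admin page markup.
function render_row_vulnerable(array $row): string
{
    return '<tr><td>' . $row['request_uri'] . '</td><td>'
         . $row['http_referer'] . '</td></tr>';
}

// After the fix: every attacker-controlled value is escaped at output time.
// ENT_QUOTES also escapes single quotes, which matters if a template ever
// places the value inside a single-quoted attribute; ENT_SUBSTITUTE keeps
// invalid UTF-8 from making htmlspecialchars() return an empty string.
function render_row_fixed(array $row): string
{
    $uri = htmlspecialchars($row['request_uri'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $ref = htmlspecialchars($row['http_referer'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<tr><td>' . $uri . '</td><td>' . $ref . '</td></tr>';
}

// Check used below: after removing our own <tr>/<td> wrapper, no '<' from
// user data may survive in the rendered cell.
function contains_raw_tag(string $html_row): bool
{
    $inner = preg_replace('#</?t[rd]>#', '', $html_row);
    return strpos($inner, '<') !== false;
}

foreach ($log_data as $i => $row) {
    $vuln  = render_row_vulnerable($row);
    $fixed = render_row_fixed($row);
    printf("row %d vulnerable: %s\n   raw tag from user data: %s\n",
        $i, $vuln, contains_raw_tag($vuln) ? 'yes' : 'no');
    printf("row %d fixed:      %s\n   raw tag from user data: %s\n",
        $i, $fixed, contains_raw_tag($fixed) ? 'yes' : 'no');
}
```

Escaping at output, in the view that builds the HTML, is the right place for this: the database should keep the request exactly as received so that the log stays useful as evidence, and the same stored value may later be rendered in a different context.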

Author: markus [Administrator]
Posted: Tue Dec 28, 2004 10:38 am    Post subject: Re: Security Related bug in mx_errordocs v1.0.0

Please, also apply the following change:

Code:
#
# ---[ OPEN ]----------
#
modules/mx_errordocs/includes/common.php
#
# ---[ FIND ]----------
#
   if( getenv('HTTP_X_FORWARDED_FOR') != '' )
   {
      if ( preg_match("/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/", getenv('HTTP_X_FORWARDED_FOR'), $ip_list) )
      {
         $private_ip = array('/^0\./', '/^127\.0\.0\.1/', '/^192\.168\..*/', '/^172\.16\..*/', '/^10.\.*/', '/^224.\.*/', '/^240.\.*/');
         $client_ip = preg_replace($private_ip, $client_ip, $ip_list[1]);
      }
   }
#
# ---[ REPLACE WITH ]----------
#
   Removed: HTTP_X_FORWARDED_FOR stuff...
#
# ---[ SAVE ]----------
#

To simplify error tracking, the same IP retrieval method as the one introduced by phpBB 2.0.8 should also be applied here.

 
 
_________________
http://www.phpmix.org
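As an added example (not mx_errordocs or phpBB code), the following shows the problem with the removed HTTP_X_FORWARDED_FOR handling and one safe way to record the client address. The first function paraphrases the behaviour the post removes; the second treats REMOTE_ADDR as authoritative and only consults X-Forwarded-For when the TCP peer is a proxy the site operator controls. The `$_SERVER` arrays, the address values and the `$trusted_proxies` list are constructed for the demonstration.

```php
<?php
// Added example (not mx_errordocs or phpBB code): why HTTP_X_FORWARDED_FOR
// must not be trusted for the logged client address, and a safer alternative.
// The $server arrays below are constructed stand-ins for $_SERVER.

declare(strict_types=1);

// Behaviour the post removes (paraphrased): take the first IPv4 address found
// in X-Forwarded-For whenever the header is present. The header is written by
// the client, so the requester picks the address that lands in the error log.
function client_ip_trusting_xff(array $server): string
{
    $ip  = $server['REMOTE_ADDR'];
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff !== '' && preg_match('/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/', $xff, $m)) {
        $ip = $m[1];
    }
    return $ip;
}

// Safer variant: REMOTE_ADDR is the address the TCP connection actually came
// from, so it is the default. X-Forwarded-For is consulted only when the peer
// is in the (hypothetical) $trusted_proxies list, and then only the rightmost
// entry is used, because that is the one our proxy appended; everything to
// its left was supplied by the client and may be forged. filter_var() keeps
// non-address garbage out of the log.
function client_ip_safe(array $server, array $trusted_proxies = []): string
{
    $peer = $server['REMOTE_ADDR'];
    if (!in_array($peer, $trusted_proxies, true)) {
        return $peer;
    }
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '') {
        return $peer;
    }
    $hops      = array_map('trim', explode(',', $xff));
    $candidate = end($hops);
    return filter_var($candidate, FILTER_VALIDATE_IP) !== false ? $candidate : $peer;
}

// Constructed scenarios.
$direct_spoof = [
    'REMOTE_ADDR'          => '203.0.113.7',   // the real client
    'HTTP_X_FORWARDED_FOR' => '198.51.100.1',  // header chosen by that client
];
$behind_proxy = [
    'REMOTE_ADDR'          => '10.0.0.2',      // our own reverse proxy
    'HTTP_X_FORWARDED_FOR' => '198.51.100.1, 203.0.113.7',
];
$trusted = ['10.0.0.2'];

printf("direct request, trusting XFF: %s\n", client_ip_trusting_xff($direct_spoof));
printf("direct request, safe:         %s\n", client_ip_safe($direct_spoof, $trusted));
printf("behind trusted proxy, safe:   %s\n", client_ip_safe($behind_proxy, $trusted));
```

With the header trusted unconditionally, the first scenario logs whatever the requester put in X-Forwarded-For, which defeats the purpose of the error log (tracing who triggered the errors) and lets an attacker frame another address. Dropping the header entirely, as the post does, gives the same result as the safe variant for a server that is not behind a proxy; the proxy-aware branch is only needed when the web server genuinely sits behind one.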