Snitz Forums 2000
Snitz Forums 2000
Home | Profile | Register | Active Topics | Members | Search | FAQ
 All Forums
 Announcements
 Announcements: Security Related Bug Fixes
 New Security Bug Fix 13 March 2007

Note: You must be registered in order to post a reply.
To register, click here. Registration is FREE!
Before posting, make sure you have read this topic!

Screensize:
UserName:
Password:
Format Mode:
Format: BoldItalicizedUnderlineStrikethrough Align LeftCenteredAlign Right Horizontal Rule Insert HyperlinkInsert EmailInsert Image Insert CodeInsert QuoteInsert List
   
Message:

* HTML is OFF
* Forum Code is ON
Smilies
Smile [:)] Big Smile [:D] Cool [8D] Blush [:I]
Tongue [:P] Evil [):] Wink [;)] Clown [:o)]
Black Eye [B)] Eight Ball [8] Frown [:(] Shy [8)]
Shocked [:0] Angry [:(!] Dead [xx(] Sleepy [|)]
Kisses [:X] Approve [^] Disapprove [V] Question [?]

 
Check here to subscribe to this topic.
   

T O P I C    R E V I E W
HuwR Posted - 13 March 2007 : 07:52:36
this fix relates to http://secunia.com/advisories/24358/

in pop_profile.asp look for the following lines of code

parts = split(rs("M_MSN"),"@")

in a clean pop_profile this will be on line 334 and again on line 609
replace that line with the line below.

parts = split(ChkString(rs("M_MSN"), "display"),"@")

Alternatively you can just disable the MSN messanger link from the admin options<
8   L A T E S T    R E P L I E S    (Newest First)
ruirib Posted - 19 March 2007 : 12:47:20
I've updated the regular expression used to validate the email, because it was failing in some situations. Also, as this one is more simple and is only including upper case letters, regEx.IgnoreCase = true was also added.

This expression will work in almost all common cases, but it will fail in some cases. I had to replace it because the expression I got from my regular expressions source failed where I didn't expect it to. This one was found here. You will also find at the same URL a very, very long expression that will work in every possible case. Use it if you want to.<
ruirib Posted - 15 March 2007 : 20:45:17
The fix to this issue is to ensure that any data inserted into the MSN field is a valid email value. As such, here are the changes needed to properly validate the input to the MSN field.

1. register.asp

At approximately line#293, where you now have

                if strMSN = "1" and trim(Request.Form("MSN")) <> "" then
		   if EmailField(Request.Form("MSN")) = 0 then 
			Err_Msg = Err_Msg & "<li>You Must enter a valid MSN Messenger Username</li>"
		    end if
		end if



Replace it by


         if strMSN = "1" and trim(Request.Form("MSN")) <> "" then

            set regEx = New RegExp
	    regEx.Global = true
            regEx.IgnoreCase = true
	    regEx.Pattern =  "^[A-Z0-9._%-]+@(?:[A-Z0-9-]+\.)+[A-Z]{2,4}$"
	    retVal = regEx.Test(Request.Form("MSN"))
	    If Not retVal Then
	       Err_Msg = Err_Msg & "<li>You Must enter a valid MSN Messenger Username</li>"
	    end if
	end if



2. Pop_profile.asp

Approximately at line# 1065 and line# 1386 (line# already including the first change), where you now have

             if strMSN = "1" and trim(Request.Form("MSN")) <> "" then
		if EmailField(Request.Form("MSN")) = 0 then 
		   Err_Msg = Err_Msg & "<li>You Must enter a valid MSN Messenger Username</li>"
		end if
	     end if

replace it by

          if strMSN = "1" and trim(Request.Form("MSN")) <> "" then

            set regEx = New RegExp
	    regEx.Global = true
            regEx.IgnoreCase = true
	    regEx.Pattern =  "^[A-Z0-9._%-]+@(?:[A-Z0-9-]+\.)+[A-Z]{2,4}$"

	    retVal = regEx.Test(Request.Form("MSN"))
	    If Not retVal Then
		Err_Msg = Err_Msg & "<li>You Must enter a valid MSN Messenger Username</li>"
	    end if
	end if

<
HuwR Posted - 15 March 2007 : 05:03:43
I would advise users to disable MSN until we post a full fix.<
HuwR Posted - 15 March 2007 : 04:02:37
quote:
Originally posted by Stefano Angaran

Hi,
I founded this vulnerability and your solution doesn't really work, I could exploit it on my test site with no problems at all.

The single quotes are the real problem, using "display" only replaces double quotes and "plus" signs.

Bye

P.S.: also the vulnerability is found in pop_messengers.asp

perhaps in future you could follow the guidlines of secunia and inform us the developers of your findings rather than being a twat and making a public report about it.<
SiSL Posted - 14 March 2007 : 22:35:39
Hmm, hard to put replace(x,"'","''") thing?<
Stefano Angaran Posted - 14 March 2007 : 20:06:29
Hi,
I founded this vulnerability and your solution doesn't really work, I could exploit it on my test site with no problems at all.

The single quotes are the real problem, using "display" only replaces double quotes and "plus" signs.

Bye

P.S.: also the vulnerability is found in pop_messengers.asp<
HuwR Posted - 13 March 2007 : 10:30:40
yes, that is the correct field to look in<
wildfiction Posted - 13 March 2007 : 10:09:52
Thanks Huw!

I wanted to check to see if anybody had attempted to exploit this on any of my fora and so I ran the following SQL query:
select MEMBER_ID, M_MSN from FORUM_MEMBERS where M_MSN != '';
and then browsed the M_MSN field for script.

Was I looking in the right place? i.e. Is that where the script would have been placed?<

Snitz Forums 2000 © 2000-2021 Snitz™ Communications Go To Top Of Page
This page was generated in 0.07 seconds. Powered By: Snitz Forums 2000 Version 3.4.07