Snitz Forums 2000
 New Security Bug Fix 13 March 2007

HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 13 March 2007 : 07:52:36
this fix relates to http://secunia.com/advisories/24358/

in pop_profile.asp look for the following lines of code

parts = split(rs("M_MSN"),"@")

in a clean pop_profile this will be on line 334 and again on line 609
replace that line with the line below.

parts = split(ChkString(rs("M_MSN"), "display"),"@")

Alternatively you can just disable the MSN Messenger link from the admin options

wildfiction
Junior Member

167 Posts

Posted - 13 March 2007 : 10:09:52
Thanks Huw!

I wanted to check to see if anybody had attempted to exploit this on any of my fora and so I ran the following SQL query:
select MEMBER_ID, M_MSN from FORUM_MEMBERS where M_MSN != '';
and then browsed the M_MSN field for script.

Was I looking in the right place? i.e. Is that where the script would have been placed?

HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 13 March 2007 : 10:30:40
yes, that is the correct field to look in

Stefano Angaran
Starting Member

1 Posts

Posted - 14 March 2007 : 20:06:29
Hi,
I found this vulnerability and your solution doesn't really work, I could exploit it on my test site with no problems at all.

The single quotes are the real problem, using "display" only replaces double quotes and "plus" signs.

Bye

P.S.: also the vulnerability is found in pop_messengers.asp

Edited by - Stefano Angaran on 14 March 2007 20:08:38

SiSL
Average Member

Turkey
671 Posts

Posted - 14 March 2007 : 22:35:39
Hmm, hard to put replace(x,"'","''") thing?

HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 15 March 2007 : 04:02:37
quote:
Originally posted by Stefano Angaran

Hi,
I found this vulnerability and your solution doesn't really work, I could exploit it on my test site with no problems at all.

The single quotes are the real problem, using "display" only replaces double quotes and "plus" signs.

Bye

P.S.: also the vulnerability is found in pop_messengers.asp


Perhaps in future you could follow the guidelines of Secunia and inform us, the developers, of your findings rather than being a twat and making a public report about it.

HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 15 March 2007 : 05:03:43
I would advise users to disable MSN until we post a full fix.

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 15 March 2007 : 20:45:17
The fix to this issue is to ensure that any data inserted into the MSN field is a valid email value. As such, here are the changes needed to properly validate the input to the MSN field.

1. register.asp

At approximately line#293, where you now have

if strMSN = "1" and trim(Request.Form("MSN")) <> "" then
    if EmailField(Request.Form("MSN")) = 0 then
        Err_Msg = Err_Msg & "<li>You Must enter a valid MSN Messenger Username</li>"
    end if
end if



Replace it by


if strMSN = "1" and trim(Request.Form("MSN")) <> "" then
    ' Accept the MSN value only if the whole string matches the e-mail pattern
    set regEx = New RegExp
    regEx.Global = true
    regEx.IgnoreCase = true
    regEx.Pattern = "^[A-Z0-9._%-]+@(?:[A-Z0-9-]+\.)+[A-Z]{2,4}$"
    retVal = regEx.Test(Request.Form("MSN"))
    If Not retVal Then
        Err_Msg = Err_Msg & "<li>You Must enter a valid MSN Messenger Username</li>"
    end if
end if



2. Pop_profile.asp

Approximately at line# 1065 and line# 1386 (line# already including the first change), where you now have

if strMSN = "1" and trim(Request.Form("MSN")) <> "" then
    if EmailField(Request.Form("MSN")) = 0 then
        Err_Msg = Err_Msg & "<li>You Must enter a valid MSN Messenger Username</li>"
    end if
end if

replace it by

if strMSN = "1" and trim(Request.Form("MSN")) <> "" then
    ' Accept the MSN value only if the whole string matches the e-mail pattern
    set regEx = New RegExp
    regEx.Global = true
    regEx.IgnoreCase = true
    regEx.Pattern = "^[A-Z0-9._%-]+@(?:[A-Z0-9-]+\.)+[A-Z]{2,4}$"
    retVal = regEx.Test(Request.Form("MSN"))
    If Not retVal Then
        Err_Msg = Err_Msg & "<li>You Must enter a valid MSN Messenger Username</li>"
    end if
end if



ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 19 March 2007 : 12:47:20
I've updated the regular expression used to validate the email, because it was failing in some situations. Also, as this one is more simple and is only including upper case letters, regEx.IgnoreCase = true was also added.

This expression will work in almost all common cases, but it will fail in some cases. I had to replace it because the expression I got from my regular expressions source failed where I didn't expect it to. This one was found here. You will also find at the same URL a very, very long expression that will work in every possible case. Use it if you want to.
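An added example, not part of the thread and not Snitz code: it applies ruirib's pattern, unchanged, to stored M_MSN values of the kind wildfiction's query returns, because the validation added to register.asp and pop_profile.asp only checks new submissions and leaves rows saved earlier as they are. The sample rows, the function names and the MARKUP_CHARS list are assumptions made for the illustration; the output also shows two ordinary address shapes that the pattern turns away, which is the "will fail in some cases" mentioned in the last post.

```javascript
// Pattern copied from the thread; the i flag stands in for regEx.IgnoreCase = true.
// No g flag: in JavaScript it would make test() stateful between calls.
const MSN_PATTERN = /^[A-Z0-9._%-]+@(?:[A-Z0-9-]+\.)+[A-Z]{2,4}$/i;

// Assumed review list: characters that have no place in an address and that
// matter when a stored value is written into HTML or script on a page.
const MARKUP_CHARS = /['"<>()&;\\\s]/;

// Classify one stored M_MSN value.
function classify(value) {
  if (value === null || value === undefined || value === "") return "empty";
  if (MSN_PATTERN.test(value)) return "valid";
  // Failed validation: separate "look at this row" from "unusual but harmless".
  return MARKUP_CHARS.test(value) ? "suspicious" : "rejected";
}

// Group MEMBER_IDs by classification so the suspicious rows can be reviewed first.
function auditRows(rows) {
  const report = { empty: [], valid: [], rejected: [], suspicious: [] };
  for (const row of rows) {
    report[classify(row.M_MSN)].push(row.MEMBER_ID);
  }
  return report;
}

// Constructed sample rows (not real data), shaped like the result of
// select MEMBER_ID, M_MSN from FORUM_MEMBERS
const sampleRows = [
  { MEMBER_ID: 1, M_MSN: "alice@example.com" },
  { MEMBER_ID: 2, M_MSN: "" },
  { MEMBER_ID: 3, M_MSN: "bob+forum@example.com" },   // '+' is not in the local-part class
  { MEMBER_ID: 4, M_MSN: "carol@example.museum" },    // top-level label longer than 4 letters
  { MEMBER_ID: 5, M_MSN: "o'brien@example.com" },     // single quote
  { MEMBER_ID: 6, M_MSN: "<b>dave</b>@example.com" }, // markup characters
  { MEMBER_ID: 7, M_MSN: "erin@example.com\n" },      // trailing newline
];

console.log(auditRows(sampleRows));
```

Rows in the `suspicious` group are the ones to inspect and clear by hand; rows in `rejected` belong to members who will be asked for a different address the next time they save their profile.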