New Security Bug Fix 13 March 2007 - Posted (18776 Views)
HuwR
Forum Admin
HuwR
Posts: 20611
20611
this fix relates to http://secunia.com/advisories/24358/

in pop_profile.asp look for the following lines of code

parts = split(rs("M_MSN"),"@")

in a clean pop_profile this will be on line 334 and again on line 609
replace that line with the line below.
parts = split(ChkString(rs("M_MSN"), "display"),"@")

Alternatively you can just disable the MSN messanger link from the admin options<
 Sort direction, for dates DESC means newest first  
 Page size 
Posted
wildfiction
Junior Member
wildfiction
Posts: 167
167
Thanks Huw!
I wanted to check to see if anybody had attempted to exploit this on any of my fora and so I ran the following SQL query:
select MEMBER_ID, M_MSN from FORUM_MEMBERS where M_MSN != '';
and then browsed the M_MSN field for script.
Was I looking in the right place? i.e. Is that where the script would have been placed?<
Posted
HuwR
Forum Admin
HuwR
Posts: 20611
20611
yes, that is the correct field to look in<
Posted
Stefano Angaran
Starting Member
Stefano Angaran
Posts: 1
1
Hi,
I founded this vulnerability and your solution doesn't really work, I could exploit it on my test site with no problems at all.
The single quotes are the real problem, using "display" only replaces double quotes and "plus" signs.
Bye

P.S.: also the vulnerability is found in pop_messengers.asp<
Last edited by Stefano Angaran on 14 March 2007, 20:08
Posted
HuwR
Forum Admin
HuwR
Posts: 20611
20611
Originally posted by Stefano Angaran
Hi,
I founded this vulnerability and your solution doesn't really work, I could exploit it on my test site with no problems at all.
The single quotes are the real problem, using "display" only replaces double quotes and "plus" signs.
Bye

P.S.: also the vulnerability is found in pop_messengers.asp
perhaps in future you could follow the guidlines of secunia and inform us the developers of your findings rather than being a twat and making a public report about it.<
Posted
HuwR
Forum Admin
HuwR
Posts: 20611
20611
I would advise users to disable MSN until we post a full fix.<
Posted
ruirib
Snitz Forums Admin
ruirib
Posts: 26364
26364
The fix to this issue is to ensure that any data inserted into the MSN field is a valid email value. As such, here are the changes needed to properly validate the input to the MSN field.
1. register.asp
At approximately line#293, where you now have
Code:

                if strMSN = "1" and trim(Request.Form("MSN")) <> "" then
		   if EmailField(Request.Form("MSN")) = 0 then 
			Err_Msg = Err_Msg & "<li>You Must enter a valid MSN Messenger Username</li>"
		    end if
		end if


Replace it by

Code:

         if strMSN = "1" and trim(Request.Form("MSN")) <> "" then

            set regEx = New RegExp
	    regEx.Global = true
            regEx.IgnoreCase = true
	    regEx.Pattern =  "^[A-Z0-9._%-]+@(?:[A-Z0-9-]+\.)+[A-Z]{2,4}$"
	    retVal = regEx.Test(Request.Form("MSN"))
	    If Not retVal Then
	       Err_Msg = Err_Msg & "<li>You Must enter a valid MSN Messenger Username</li>"
	    end if
	end if


2. Pop_profile.asp
Approximately at line# 1065 and line# 1386 (line# already including the first change), where you now have
Code:

             if strMSN = "1" and trim(Request.Form("MSN")) <> "" then
		if EmailField(Request.Form("MSN")) = 0 then 
		   Err_Msg = Err_Msg & "<li>You Must enter a valid MSN Messenger Username</li>"
		end if
	     end if
replace it by
Code:

          if strMSN = "1" and trim(Request.Form("MSN")) <> "" then

            set regEx = New RegExp
	    regEx.Global = true
            regEx.IgnoreCase = true
	    regEx.Pattern =  "^[A-Z0-9._%-]+@(?:[A-Z0-9-]+\.)+[A-Z]{2,4}$"

	    retVal = regEx.Test(Request.Form("MSN"))
	    If Not retVal Then
		Err_Msg = Err_Msg & "<li>You Must enter a valid MSN Messenger Username</li>"
	    end if
	end if
<
Snitz 3.4 Readme | Like the support? Support Snitz too
Posted
ruirib
Snitz Forums Admin
ruirib
Posts: 26364
26364
I've updated the regular expression used to validate the email, because it was failing in some situations. Also, as this one is more simple and is only including upper case letters, regEx.IgnoreCase = true was also added.
This expression will work in almost all common cases, but it will fail in some cases. I had to replace it because the expression I got from my regular expressions source failed where I didn't expect it to. This one was found here. You will also find at the same URL a very, very long expression that will work in every possible case. Use it if you want to.<
Snitz 3.4 Readme | Like the support? Support Snitz too
 
You Must enter a message