Fixed (was Re: [Imc-tech] Patch EMERGENCY!)
Arun Bhalla
bhalla at uiuc.edu
Mon Oct 25 15:33:04 CDT 2004
Sascha Meinrath writes:
> On Mon, 25 Oct 2004, Ryan Kaldari wrote:
>
> > http://www.dadaimc.org/support.php?section=xss
>
> can someone get on this ASAP -- two more IMC sites were _just_ hacked
> (arkansas and colorado) -- we _will_ get hacked if we don't implement this
> change immediately.
>
> --sascha
Okay, I think I fixed it. I had to patch it manually since it seemed
that we were using a different version of dada than both Ryan's and
the latest (whatever spud was displaying). Rather than cutting and
pasting the code at the link above, I tried to follow the spirit of
the patch. I won't certify that our install of dada is now safe from
the XSS exploit, but I think at least the classes I patched should be.
I applied the attached patch (also located at imsahp:/var/www/dada-arun.patch).
***I did not apply the patch to any other dada trees which may be on imsahp.
It may or may not work for those.***
If there's been some other manual editing of imc_classes on imsahp, CVS might
have been helpful for tracking that. But we've had this discussion before.
Also, if a rollback needs to be done, I have a backup of the imc_classes tree
at imsahp:/var/www/ucimc-20041025.tar.gz
Arun
-------------- next part --------------
--- imc_classes/imc_FunctionLibrary.inc 2004-10-25 14:09:28.000000000 -0500
+++ imc_classes/imc_FunctionLibrary.inc.new 2004-10-25 14:25:24.000000000 -0500
@@ -626,10 +626,13 @@
$stripsearch = array("'<head[^>]*?>.*?</head>'si", // Strip out javascript
"'<!DOCTYPE[^>]*?>'si", // Strip out doctype
"'<script[^>]*?>.*?</script>'si", // Strip out javascript
+ "'<iframe[^>]*?>.*?</iframe>'si", // Strip out iframes (ill-formed)
+ "'<iframe[^>]*?>'si", // Strip out iframes (well-formed)
"'<meta[^>]*?>'si", // Strip out meta tags
"'<form[^>]*?>.*?</form>'si", // Strip out forms
"'<object[^>]*?>.*?</object>'si", // Strip out objects
"'<embed[^>]*?>.*?</embed>'si", // Strip out embeds
+ "'<applet[^>]*?>.*?</applet>'si", // Strip out applets
"'</?body[^>]*?>'i", // Strip out body tags
"'</?html>'i", // Strip out html tag
);
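Review bot: The two iframe comments on the added lines are swapped: `'<iframe[^>]*?>.*?</iframe>'si` matches an element together with its closing tag (the well-formed case), while `'<iframe[^>]*?>'si` catches a lone opening tag (the unclosed case); the comments should read `// Strip out iframes (well-formed)` and `// Strip out iframes (unclosed)` respectively. More broadly, this list only removes whole elements by tag name; attributes on tags that survive are left for other code to handle, so this deny-list should not be relied on as the sole sanitizer — an allow-list of permitted tags and attributes is the robust form. The function that applies $stripsearch starts and ends outside the hunk.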
@@ -720,8 +723,10 @@
"#exec"=>"itriedtohackthis",
"<meta"=>"<meta",
"<script"=>"<script",
+ "<iframe"=>"<iframe",
"<form"=>"<form",
"<object"=>"<object",
+ "<applet"=>"<applet",
"<embed"=>"<embed"
);
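Review bot: As rendered here the added entries `"<iframe"=>"<iframe"` and `"<applet"=>"<applet"` map each string to itself, which would be a no-op; presumably the replacement value was an entity-escaped form (e.g. `&lt;iframe`) that the archive decoded on display, but the applied file should be checked to confirm. The neighbouring existing entries show the same shape, so this is likely a display artifact rather than a defect in the patch. Whether the lookup that consumes this array is case-insensitive cannot be seen from the hunk; a plain string match keyed on lowercase tag names would not cover mixed-case spellings, so confirm the consumer uses a case-insensitive replacement. The same two entries are added in the next hunk at @@ -734 for the other branch of the if/else.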
} else {
@@ -734,8 +739,10 @@
"#exec"=>"itriedtohackthis",
"<meta"=>"<meta",
"<script"=>"<script",
+ "<iframe"=>"<iframe",
"<form"=>"<form",
"<object"=>"<object",
+ "<applet"=>"<applet",
"<embed"=>"<embed"
);
}
--- imc_classes/imc_Article.inc 2004-04-16 11:45:27.000000000 -0500
+++ imc_classes/imc_Article.inc.new 2004-10-25 14:38:49.000000000 -0500
@@ -314,19 +314,19 @@
$editdate = new Date(time());
$this->set_edit_datetime($editdate);
}
- if (isset($form_section)) $this->set_section($form_section);
- if (isset($form_language)) $this->set_language($form_language);
+ if (isset($form_section)) $this->set_section(cleantext($form_section));
+ if (isset($form_language)) $this->set_language(cleantext($form_language));
if (isset($form_category_ids)) $this->set_category_ids($form_category_ids);
- if (isset($form_author)) $this->set_author($form_author);
- if (isset($form_contact_email)) $this->set_contact_email($form_contact_email);
- if (isset($form_contact_phone)) $this->set_contact_phone($form_contact_phone);
- if (isset($form_contact_address)) $this->set_contact_address($form_contact_address);
+ if (isset($form_author)) $this->set_author(cleantext($form_author));
+ if (isset($form_contact_email)) $this->set_contact_email(cleantext($form_contact_email));
+ if (isset($form_contact_phone)) $this->set_contact_phone(cleantext($form_contact_phone));
+ if (isset($form_contact_address)) $this->set_contact_address(cleantext($form_contact_address));
if (isset($form_heading)) $this->set_heading(cleantext($form_heading,$this->language));
if (isset($form_mime_type)) $this->set_mime_type($form_mime_type);
if (isset($form_summary)) $this->set_summary(cleantext($form_summary,$this->language));
//if (isset($form_body)) $this->set_body($form_body);
if (isset($form_body)) $this->set_body(cleantext($form_body,$this->language));
- if (isset($form_parentid)) $this->set_parentid($form_parentid);
+ if (isset($form_parentid) && is_numeric($form_parentid)) $this->set_parentid($form_parentid);
if (isset($form_media)) $this->set_media($form_media);
if (isset($form_submitted)) $this->set_submitted($form_submitted);
if (isset($form_displayable)) $this->set_displayable($form_displayable);
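Review bot: The new guard `is_numeric($form_parentid)` is looser than an id field needs: is_numeric also accepts decimals, exponent notation and leading whitespace, so values such as `1e3` or `2.5` still reach set_parentid. If parent ids are integer keys, `ctype_digit((string)$form_parentid)` or a `(int)$form_parentid` cast pins the value down; the same guard is added in imc_Media (@@ -344) and imc_OtherPress (@@ -115). Separately, `cleantext($form_contact_email)` only strips markup and is not address validation, so a format check before set_contact_email would be worth adding. `$form_category_ids`, `$form_mime_type` and `$form_media` are still passed through untouched, and the enclosing method starts and ends outside the hunk.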
--- imc_classes/imc_Media.inc 2004-05-29 11:08:57.000000000 -0500
+++ imc_classes/imc_Media.inc.new 2004-10-25 14:40:50.000000000 -0500
@@ -325,7 +325,7 @@
global $g_path;
if (!empty($_POST)) extract($_POST, EXTR_OVERWRITE);
if (isset($form_category_ids)) $this->set_category_ids($form_category_ids);
- if (isset($form_artist)) $this->set_artist($form_artist);
+ if (isset($form_artist)) $this->set_artist(cleantext($form_artist));
if ($year && $month && $day) {
$thedate = new Date();
$thedate->set_from_mysql_date("$year-$month-$day");
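Review bot: `extract($_POST, EXTR_OVERWRITE)` runs one line after `global $g_path;`, so a posted field named `g_path` replaces the configured path for the rest of this method; `extract($_POST, EXTR_SKIP)` (which leaves already-defined variables untouched) or reading the needed `$_POST` keys explicitly would close this. The date assembled on the next lines, `"$year-$month-$day"`, is built from form values with no validation; `checkdate((int)$month, (int)$day, (int)$year)` before set_from_mysql_date would reject malformed input. The method begins before and continues past this hunk.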
@@ -344,7 +344,7 @@
if (isset($form_width)) $this->set_width($form_width);
if (isset($form_duration)) $this->set_duration($form_duration);
if (isset($form_mime_type)) $this->set_mime_type($form_mime_type);
- if (isset($form_parentid)) $this->set_parentid($form_parentid);
+ if (isset($form_parentid) && is_numeric($form_parentid)) $this->set_parentid($form_parentid);
if (isset($form_metafile)) $this->set_metafile($form_metafile);
if (isset($form_related_url1)) $this->set_related_url1(normalizeURL($form_related_url1));
if (isset($form_license)) {
--- imc_classes/imc_User.inc 2004-01-03 18:03:55.000000000 -0600
+++ imc_classes/imc_User.inc.new 2004-10-25 14:43:11.000000000 -0500
@@ -176,17 +176,17 @@
$this->set_password(md5($form_password));
$this->set_pw_method('MD5');
}
- if (isset($form_firstname)) $this->set_firstname($form_firstname);
- if (isset($form_lastname)) $this->set_lastname($form_lastname);
+ if (isset($form_firstname)) $this->set_firstname(cleantext($form_firstname));
+ if (isset($form_lastname)) $this->set_lastname(cleantext($form_lastname));
if (isset($form_level)) {
$this->set_level($form_level);
} else {
$this->set_level('User');
}
if (isset($form_groupid)) $this->set_groupid($form_groupid);
- if (isset($form_phone)) $this->set_phone($form_phone);
- if (isset($form_address)) $this->set_address($form_address);
- if (isset($form_email)) $this->set_email($form_email);
+ if (isset($form_phone)) $this->set_phone(cleantext($form_phone));
+ if (isset($form_address)) $this->set_address(cleantext($form_address));
+ if (isset($form_email)) $this->set_email(cleantext($form_email));
if (isset($form_language)) $this->set_language($form_language);
if (isset($form_unilingual_features)) $this->set_unilingual_features($form_unilingual_features);
if (isset($form_unilingual_newswire)) $this->set_unilingual_newswire($form_unilingual_newswire);
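Review bot: The added cleantext calls cover the free-text fields, but `set_level($form_level)` and `set_groupid($form_groupid)` in the same block still take whatever the form posts; if this method is reachable from a self-service account form, the caller must be the one restricting who may set level, and that check is outside the hunk. `cleantext($form_email)` strips markup but does not validate the address, so a format check would be a useful companion. The context line `md5($form_password)` stores an unsalted MD5 digest; not part of this change, but worth a follow-up toward a salted, slower hashing scheme. The enclosing method starts and ends outside the hunk.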
--- mods/otherpress/imc_classes/imc_OtherPress.inc.old 2004-10-25 14:44:35.000000000 -0500
+++ mods/otherpress/imc_classes/imc_OtherPress.inc 2004-10-25 14:46:47.000000000 -0500
@@ -115,14 +115,14 @@
function read_args() {
$this->read_object_args();
if (!empty($_POST)) extract($_POST);
- if (isset($form_section)) $this->set_section($form_section);
- if (isset($form_parentid)) $this->set_parentid($form_parentid);
+ if (isset($form_section)) $this->set_section(cleantext($form_section));
+ if (isset($form_parentid) && is_numeric($form_parentid)) $this->set_parentid($form_parentid);
if (isset($form_category_ids)) $this->set_category_ids($form_category_ids);
- if (isset($form_author)) $this->set_author($form_author);
- if (isset($form_heading)) $this->set_heading($form_heading);
- if (isset($form_summary)) $this->set_summary($form_summary);
- if (isset($form_organization)) $this->set_organization($form_organization);
- if (isset($form_link)) $this->set_link($form_link);
+ if (isset($form_author)) $this->set_author(cleantext($form_author));
+ if (isset($form_heading)) $this->set_heading(cleantext($form_heading));
+ if (isset($form_summary)) $this->set_summary(cleantext($form_summary));
+ if (isset($form_organization)) $this->set_organization(cleantext($form_organization));
+ if (isset($form_link)) $this->set_link(normalizeURL(cleantext($form_link)));
}
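Review bot: cleantext is called here without the language argument that imc_Article passes for its text fields (`cleantext($form_heading,$this->language)`), so if cleantext's behaviour depends on language, heading and summary in OtherPress are processed differently from articles; pass `$this->language` if this class carries one, otherwise a short comment explaining why not would help. `extract($_POST)` with the default overwrite mode imports every posted key into the method's scope; since read_args only uses the form_* names this is lower impact than the imc_Media case, but it is the same pattern and explicit `$_POST` reads would remove it. read_args is complete within this hunk, and `$form_category_ids` is the one field still passed through raw.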