Gossamer Forum

Post deleted by ELB

Post deleted by ELB
Re: Major Security Hole (fix incl)
Ok, I've been waiting around for someone to respond to this, but it doesn't look like it's going to happen, so I'll just go right ahead and ask:

Exactly how is this achieved? I tried a few things on my DB... no results...

Don't get me wrong, I'm not asking so I can go around and wreak havoc on every web server running DBMan, I'm asking because it doesn't exactly seem like there are too many people concerned about this.

I mean, only 50 views? and No replies?

The code reads:
$regexp_func[$field] = eval "sub { m/$tmpreg/o }";

Now my perl knowledge isn't great, but the way I see it, as long as we don't evaluate the string (add an 'e' modifier) we're fine...

I could be wrong, I probably am... But could someone please verify this? Because it isn't exactly like people are jumping around to spread the word, and if any possible security bug should be squished, it's this one.

- Mark

Astro-Boy!!
http://www.zip.com.au/~astroboy/
Re: Major Security Hole (fix incl)
I don't know enough about this to say anything, which is why I didn't say anything.

JPD
http://www.jpdeni.com/dbman/
I probably shouldn't, but here's a hint
Code:
"sub { m/$tmpreg/o }"
is the same thing as
Code:
"sub { m/" . $tmpreg . "/o }"
and nothing says that $tmpreg must be a regular expression.


Re: I probably shouldn't, but here's a hint
Oh my gosh! It works!

After a fair bit of trial and error, I managed to write a test.txt file to the system. So system commands are possible!

If Alex doesn't already know, he should certainly be told for future releases. It has a couple of restrictions, but it's still a very nasty bug!

Well spotted ol' chap

- Mark

Astro-Boy!!
http://www.zip.com.au/~astroboy/
Re: Major Security Hole (fix incl)
In Reply To:
Any user in the world can run any command on your web server if you use DBMan. To fix this hole, replace the line

$regexp_func[$field] = eval "sub { m/$tmpreg/o }";

with

$regexp_func[$field] = sub { m/$tmpreg/o };

in the file db.cgi.
This is in fact quite distressing and I'm very surprised that Alex hasn't jumped in with any input?



easy does it
Re: Major Security Hole (fix incl)
Thanks for the bug fix... I am going to refer Links users to this thread, since the same code is used in the db.pl file, which is accessed via the admin.cgi script.

Regards,

Eliot Lee
Re: Major Security Hole (fix incl)
Hi,

I used your Fix, and replaced the line, but something weird happened:

With your line in place - $regexp_func[$field] = sub { m/$tmpreg/o }; - if I make a search using more than one field (example: name AND address), the database keeps returning 0 matches; if I only use one field, it works...

With the original line in place the problem goes away...

Gustavo Melo

Re: Major Security Hole (fix incl)
In Reply To:
I used your Fix, and replaced the line, but something weird happened:
When I applied the fix, the browse_alpha MOD I am using broke as well. I hope that, per Alex's announcement about forthcoming security fixes and such in the new release of DBMan and DBMAN SQL, this is addressed - especially for those MODs that are inherently based upon regexes.


easy does it
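The breakage Gustavo and easy does it describe comes from the /o modifier, not from dropping the eval: Perl compiles a /o pattern once per op, and a single sub { m/$tmpreg/o } body is one op, so every closure built from it reuses whichever field's term was compiled first. The script below is an added example written for this thread, not DBMan's own code. It builds the per-field search closures three ways (the original eval-string form, the one-line replacement quoted above, and a qr//-based version that compiles a separate regex per field) and runs them over a constructed two-field record with one constructed search term per field. The names original_style, quickfix_style, safe_style and run_search are mine, and the "all searched fields must match" rule in run_search is an assumption drawn from Gustavo's report of 0 matches.

```perl
#!/usr/bin/perl
# Added example, not DBMan's code. Builds the per-field search closures
# discussed in this thread three ways and shows how each one behaves.
use strict;
use warnings;

# Constructed sample data: one record with two fields (name, address) and
# one search term per field, as a two-field search form would submit them.
my @record = ('Mark Astro', '12 Zip Street');
my %terms  = (0 => 'Astro', 1 => 'Zip');

# 1. The original db.cgi construction. The term is interpolated into a
#    string that is then compiled as Perl source, so any character in the
#    term that ends the m// literal changes the program text rather than
#    the pattern. On failure eval returns undef and leaves the error in $@.
sub original_style {
    my ($tmpreg) = @_;
    return eval "sub { m/$tmpreg/o }";
}

# 2. The one-line replacement posted above. The term is no longer compiled
#    as code, but /o caches the pattern per op, and one sub {} body is one
#    op, so every closure returned here reuses the first term compiled.
sub quickfix_style {
    my ($tmpreg) = @_;
    return sub { m/$tmpreg/o };
}

# 3. Compile the term with qr// into its own regex object per field. The
#    term is parsed as a pattern and never as Perl source; a malformed
#    pattern (unbalanced parenthesis, or an embedded (?{ }) block, which
#    Perl refuses in a runtime-interpolated pattern) is caught by eval {}
#    so the CGI reports a bad search term instead of dying.
sub safe_style {
    my ($tmpreg) = @_;
    my $re = eval { qr/$tmpreg/ } or return undef;
    return sub { $_ =~ $re };
}

# Build one closure per field with the given constructor, then count how
# many fields of the record match their own term. Assumption (from
# Gustavo's report): DBMan needs every searched field to match, so fewer
# than 2 hits here means the record is reported as "0 matches".
sub run_search {
    my ($builder) = @_;
    my @regexp_func;
    for my $field (sort { $a <=> $b } keys %terms) {
        $regexp_func[$field] = $builder->($terms{$field});
    }
    my $hits = 0;
    for my $field (0 .. $#record) {
        next unless $regexp_func[$field];
        local $_ = $record[$field];
        $hits++ if $regexp_func[$field]->();
    }
    return $hits;
}

printf "original: %d of 2 fields matched\n", run_search(\&original_style);
printf "quickfix: %d of 2 fields matched\n", run_search(\&quickfix_style);
printf "safe:     %d of 2 fields matched\n", run_search(\&safe_style);

# A harmless slash in the term shows the difference in kind: for the
# eval-string form it terminates the m// literal and the sub does not
# compile; for qr// it is just one more character of the pattern.
my $term = 'a/b';
if (original_style($term)) {
    print "original: '$term' compiled as code\n";
} else {
    print "original: '$term' did not compile: $@";
}
print "safe:     '$term' ", (safe_style($term) ? "compiled as a pattern\n" : "rejected: $@");
```

Run it with a stock perl. The original form matches both fields because each eval creates a distinct sub with its own m// op; the quick fix matches only the field whose term was compiled first, which is exactly the multi-field failure reported above; the qr// version matches both fields and never hands the search term to the Perl compiler. If a MOD such as browse_alpha builds its own closures the same way, the same qr//-per-field change applies there.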
oops, sorry. fix for my fix is forthcoming
I didn't have a database on which I could test my fix, sorry.