
Ticket #488 (fixed bug)

Vulnerabilities caused by get_remote_addr()

  • Created: 2011-09-06 16:01:28
  • Reported by: Franz
  • Assigned to: Reines
  • Milestone: 1.4.7
  • Component: security
  • Priority: highest

Reported by Romain B.

If FORUM_BEHIND_REVERSE_PROXY is defined (luckily, this is a rare case), the return value of get_remote_addr() is not properly escaped, as the value of $_SERVER['HTTP_X_FORWARDED_FOR'] is used directly.

This leads to SQL injection vulnerabilities in include/functions.php, post.php (multiple) and register.php (multiple).

The same problem causes an XSS vulnerability in admin_bans.php.

Also, full path disclosure:

Romain wrote:

The "Full Path Disclosure" is an information leak; some vulnerabilities require the WEBROOT of the web application to build an exploitation. For example, as part of a SQL injection with the function "LOAD_FILE()" of MySQL [2], it is necessary to have the full path name of the file to access it.

You can fix this by checking that the variable is not an array before passing it as a parameter to a function not treating this type of data, or by hiding the errors, which can be done by adding the "E_WARNING" constant when using error_reporting() in /include/common.php.
error_reporting(E_ALL ^ (E_NOTICE | E_WARNING));

For more details see the completed vulnerability report, which was mailed to devs@fluxbb.org.
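To make the root cause concrete, here is an added example (not FluxBB's own code, and not the fix that shipped in 1.4.7): a reconstruction of the pattern the ticket describes next to a hardened replacement. The function bodies, the `$trusted_proxies` parameter and the demo values are assumptions; only the constant and function names come from the ticket.

```php
<?php
// Added example: the "unsafe" body is an assumed reconstruction of the pattern
// reported above, not a copy of FluxBB's get_remote_addr().
define('FORUM_BEHIND_REVERSE_PROXY', true);

// Shape of the bug: whatever the client put in X-Forwarded-For is returned
// verbatim and later lands in SQL (post.php, register.php) and HTML (admin_bans.php).
function get_remote_addr_unsafe()
{
    if (defined('FORUM_BEHIND_REVERSE_PROXY') && isset($_SERVER['HTTP_X_FORWARDED_FOR']))
        return $_SERVER['HTTP_X_FORWARDED_FOR']; // attacker-controlled string
    return $_SERVER['REMOTE_ADDR'];
}

// Hardened: only a syntactically valid IP address can be returned, and the
// header is consulted only when the request really came from a trusted proxy.
function get_remote_addr_safe(array $trusted_proxies = array('127.0.0.1'))
{
    $addr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';

    if (defined('FORUM_BEHIND_REVERSE_PROXY') && FORUM_BEHIND_REVERSE_PROXY
        && in_array($addr, $trusted_proxies, true)
        && isset($_SERVER['HTTP_X_FORWARDED_FOR'])
        && is_string($_SERVER['HTTP_X_FORWARDED_FOR']))
    {
        // X-Forwarded-For is "client, proxy1, proxy2, ..."; each proxy appends
        // the peer it saw, so the rightmost entry not belonging to one of our
        // own proxies is the only one we can attribute to the trusted hop.
        $hops = array_map('trim', explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']));
        for ($i = count($hops) - 1; $i >= 0; $i--)
        {
            if (in_array($hops[$i], $trusted_proxies, true))
                continue;
            if (filter_var($hops[$i], FILTER_VALIDATE_IP) !== false)
                return $hops[$i];
            break; // not an IP at all: ignore the header, use the socket address
        }
    }
    return $addr;
}

// Constructed demo request (stand-in for a real one behind a proxy at 127.0.0.1).
$_SERVER['REMOTE_ADDR'] = '127.0.0.1';
$_SERVER['HTTP_X_FORWARDED_FOR'] = '10.0.0.5, 127.0.0.1';
var_dump(get_remote_addr_safe());   // string(8) "10.0.0.5"

$_SERVER['HTTP_X_FORWARDED_FOR'] = 'not an ip address, 127.0.0.1';
var_dump(get_remote_addr_unsafe()); // the raw header, passed straight through
var_dump(get_remote_addr_safe());   // string(9) "127.0.0.1"
```

Validating the value to an IP removes the injection surface this ticket reports, but it is defence in depth only: the address should still be escaped or bound as a parameter at the SQL layer and HTML-escaped before it is printed in admin_bans.php.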

History

Reines 2011-09-13 19:37:34

  • Status changed from open to fixed.

Franz 2011-09-13 22:21:01

Public now?

Franz 2012-11-11 22:35:29

  • Visibility set to public.