Astaran
Finished-[6.3-6.4-6.5] Input validation mod (Security fix) 1.1.1
04/20/05 12:33 PM Attachment (147 downloads)
Mod Name / Version: Input validation mod (Security fix) 1.1.1
Description: You all probably noticed that several vulnerabilities have been found in ubb.threads over the last months/weeks. Some of them have been fixed by Infopop, but that's only the tip of the iceberg.
There's no proper input validation in ubb.threads, which leaves the door wide open for SQL injections. Additionally, the output of ubb.threads isn't escaped properly either. This can be used by "hackers" to start XSS (cross-site scripting) attacks.
Both types of attacks can be used to compromise your boards, either to damage them or to gain unauthorized access.
During a security audit of ubb.threads, I found more than 10 vulnerabilities.
Infopop is aware of this problem and will "take care" of it in the next release. As this will take at least "some weeks", I created a modification that will prevent most of these attacks.
Note that all current installations of ubb.threads are vulnerable at the moment and that some exploits have already been published to security mailing lists (last one yesterday).
If the modification detects a possible attack, an error message is displayed and the attack is logged to a logfile.
Working Under: UBB.Threads 6.3-6.4-6.5
Mod Status: Finished
Any pre-requisites:
Author(s): Astaran
Date: 04/20/05
Credits:
Files Altered: ubbt.inc.php
New Files: Validate.php
Database Altered: no
Info/Instructions: Note that there are three versions of this modification (depending on the ubb.threads version you're using).
Just follow the instructions in instructions.txt.
More experienced users can enhance this class to also validate variables that are used in installed hacks/modifications. See the readme.txt for details.
Disclaimer: Please backup every file that you intend to modify.
If the modification modifies the database, it's a good idea to backup your database before doing so.
Note: If you modify your UBB.Threads code, you may be giving up your right for "official" support from Infopop. If you need official support, you'll need to restore unmodified files.
Edited by Astaran (05/11/05 05:17 PM)
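A minimal sketch of the approach the post describes (check each request variable against an allow-list rule, show an error and log the attempt), added here as an example; it is not the code of the mod's Validate.php. The class name, parameter names, patterns and log path are assumptions made for illustration.

```php
<?php
// Added illustration, NOT the mod's Validate.php; names and rules are hypothetical.
final class RequestValidator
{
    private $rules;   // parameter name => anchored regex the value must match
    private $logFile; // path of the attack log
    public function __construct(array $rules, string $logFile)
    {
        $this->rules = $rules;
        $this->logFile = $logFile;
    }
    /** Register a rule for a variable used by another installed modification. */
    public function addRule(string $name, string $pattern): void
    {
        $this->rules[$name] = $pattern;
    }
    /** Returns validated values; logs and throws on the first violation. */
    public function validate(array $input, string $remoteAddr): array
    {
        $clean = [];
        foreach ($input as $name => $value) {
            if (!isset($this->rules[$name])) {
                continue; // unknown parameters are dropped, never passed on
            }
            if (!is_string($value) || preg_match($this->rules[$name], $value) !== 1) {
                $this->log($remoteAddr, (string) $name, $value);
                throw new InvalidArgumentException("Invalid value for parameter '$name'");
            }
            $clean[$name] = $value;
        }
        return $clean;
    }
    private function log(string $remoteAddr, string $name, $value): void
    {
        // JSON-encode the value so CR/LF in it cannot forge extra log lines.
        $line = sprintf("%s %s param=%s value=%s\n", date('c'), $remoteAddr, $name, json_encode($value));
        file_put_contents($this->logFile, $line, FILE_APPEND | LOCK_EX);
    }
}

// Constructed sample request: one valid numeric id, one tampered keyword.
$rules = ['Number' => '/\A[0-9]{1,10}\z/', 'Board' => '/\A[A-Za-z0-9_]{1,32}\z/'];
$v = new RequestValidator($rules, sys_get_temp_dir() . '/validate-demo.log');
try {
    $v->validate(['Number' => '42', 'Board' => "UBB1' OR '1'='1"], '192.0.2.10');
} catch (InvalidArgumentException $e) {
    // Escape on output as well, so the error page cannot itself carry markup.
    echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8'), "\n";
}
```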