phpreactor-1.2.7pl1 released

Dave Bullock has provided a fix for security issues in phpreactor-1.2.7.
An issue was brought to our attention by Ahmet Sapri.

1. The $go variable in the forums code was not stripped of HTML
characters, making the code vulnerable to Cross Site Scripting (CSS)
attacks. It should be noted that $go is a transient variable, i.e.
it is only used to carry information between page views and is not stored
in a database. The only way the problem could be exploited was by
crafting a special link and then clicking on it. The fix removes the
vulnerability.

2. We removed <img> from the default $allowed_tags in the
forums code for obvious cross-site-scripting reasons. We recommend that you do
not allow <img> unless you are operating in a closed and secure
environment.
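As an added illustration (not phpreactor's own code), the following PHP mirrors the two layers the pl1 release relies on: a tag allowlist for forum comment markup, a plain strip_tags() on the transient $go value, and output encoding when a value is echoed back into a page. The function names and sample inputs are assumptions made for this example.

```php
<?php
// Added example, not part of phpreactor. Function and sample names are
// assumptions for illustration only.

// The 1.2.7pl1 default allowlist, with <img> removed.
$allowedtags = "<b>,<i>,<font>";

// Forum comment text: keep only the allowlisted tags. strip_tags() looks
// for "<tag>" tokens in its second argument, so the commas are dropped
// to keep the allowlist in the form it expects.
function clean_comment($text, $allowedtags)
{
    $allow = str_replace(',', '', $allowedtags);
    return strip_tags($text, $allow);
}

// $go only names the page to show next; it never needs markup, so no
// allowlist is passed and every tag is removed.
function clean_go($go)
{
    return strip_tags($go);
}

// Second layer: whatever survives filtering is rendered as text, not
// markup, when echoed into a page. strip_tags() removes tags but leaves
// attributes on allowed tags and does not touch quotes or bare '<',
// so encoding at output time is still required for values like $go.
function render_text($value)
{
    return htmlspecialchars($value, ENT_QUOTES);
}

// Constructed sample inputs.
$comment = 'Hi <b>all</b>, see <img src="x.gif"> and <script>x()</script>';
$go      = 'forum<script>x()</script>';

// Comment keeps <b>; <img> and <script> tags are dropped (their inner
// text is kept, which is why output encoding still matters).
echo clean_comment($comment, $allowedtags), "\n";

// $go is reduced to plain text and then encoded for the page.
echo render_text(clean_go($go)), "\n";
```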

diff -ur phpreactor-1.2.7/ phpreactor-1.2.7pl1/
Only in phpreactor-1.2.7/: changes-1.2.7
Only in phpreactor-1.2.7pl1/: changes-1.2.7pl1
diff -ur phpreactor-1.2.7/conf/bbs.conf.php phpreactor-1.2.7pl1/conf/bbs.conf.php
— phpreactor-1.2.7/conf/bbs.conf.php Wed Feb 28 12:59:00 2001
+++ phpreactor-1.2.7pl1/conf/bbs.conf.php Fri May 24 16:13:50 2002
@@ -22,10 +22,8 @@
//what directory are the icons for the forums stored in
$icondir = $reactorcore.” /img/” ;//relative to document root, include trailing /
-//what HTML tags will you allow your users to use.
-//note: I do not recommend allowing <br> or <p> as newlines are converted to
-//<br> tags in the comments.
-$allowedtags = ” <b> ,<i> ,<font> ,<img> ” ;
+/** WARNING: allowing tags like <img> , <iframe> and other may open your
* site to XSS (Cross Site Scripting) attacks. Only use those tags when
* you have a trusted user base or are running in a closed environment,
* eg. an intranet.
*/
+$allowedtags = ” <b> ,<i> ,<font> ” ;

// THE MAXIMUM NUMBER OF RECORDS YOU WANT TO DISPLAY ON ANY PAGE VIEW
//this is already specified in global.inc.php but you can change it here
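Review bot: the four `*` / `*/` lines that follow `+/** WARNING: allowing tags like <img> , <iframe> and other may open your` carry no `+` prefix, so the patch as shown would not apply cleanly to bbs.conf.php; if that is a paste artifact, regenerate the diff, otherwise prefix those lines. The removed comment also carried advice that the replacement drops: `//note: I do not recommend allowing <br> or <p> as newlines are converted to` / `//<br> tags in the comments.` That note still applies to the new `<b> ,<i> ,<font>` default and should be kept alongside the XSS warning.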
diff -ur phpreactor-1.2.7/inc/global.inc.php phpreactor-1.2.7pl1/inc/global.inc.php
— phpreactor-1.2.7/inc/global.inc.php Wed Feb 28 12:59:00 2001
+++ phpreactor-1.2.7pl1/inc/global.inc.php Fri May 24 16:15:12 2002
@@ -40,6 +40,11 @@
$boardname = $tmp_array[count($tmp_array) - 2];

/*
+* Strip the nasties from $go … preventing XSS attacks
+*/
+$go = strip_tags($go);
+
+/*
* the mailfrom() function allows you to set the ” Return-Path:” header when using
* sendmail. This bounces messages to the sender. done by using sendmail -f
*/
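Review bot: the new `$go = strip_tags($go);` is slotted between the existing `/*` opener and the mailfrom() comment body, so the patch takes over the old opener for the new comment and adds a fresh `/*` at the end; it reads more cleanly as a self-contained `/* ... */` block placed above the untouched mailfrom() comment. The comment `* Strip the nasties from $go … preventing XSS attacks` should also say what $go holds (the page name carried between views) and that strip_tags() only removes tags, so the value still needs htmlspecialchars() at the point where it is echoed into a page.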
