b2evolution 4.0.3 Vulnerability

started by on Mar 15, 2011 – Last touched: Nov 21, 2012

Mar 15, 2011 06:50    

Hi,

A vulnerability was discovered in b2evolution 4.0.3. For details please email me. As per our policy we will disclose this vulnerability in a public advisory 14 days after this notification.

Thanks,

John Leitch
john@autosectools.com

AutoSec Tools Vulnerability Researcher
http://www.autosectools.com/

Mar 15, 2011 12:26

Just for the record: Has that vulnerability been fixed in 4.0.4?

Mar 15, 2011 15:15

We do not even know whether that's a real vulnerability or spam or whatever.

Mar 15, 2011 15:47

A vulnerability was discovered in b2evolution 4.0.3. For details please email me. As per our policy we will disclose this vulnerability in a public advisory 14 days after this notification.

Sounds like blackmail...

"Meet me at the DVD kiosk on 11th Ave or we WILL leak the compromising pictures to the press."

:lol:

Mar 15, 2011 19:08

gstlt wrote:

Just for the record: Has that vulnerability been fixed in 4.0.4?

Given the subtlety of the bug my guess would be no, but I cannot be sure without testing.

BushLeagueCritic wrote:

A vulnerability was discovered in b2evolution 4.0.3. For details please email me. As per our policy we will disclose this vulnerability in a public advisory 14 days after this notification.

Sounds like blackmail...

"Meet me at the DVD kiosk on 11th Ave or we WILL leak the compromising pictures to the press."

:lol:

There is no "or" in my post; vulnerabilities are disclosed after the allotted time period regardless of circumstances.

Again, I will disclose details over a more private medium.

Mar 15, 2011 19:58

Convince me you're NOT trying to sell an AutoSec Tools "Seal of Approval."

Mar 15, 2011 20:04

John Leitch wrote:

Again, I will disclose details over a more private medium.

Feel free to email me details yabs@mydomains.tld ( mydomain happens to be innervisions.org.uk ;) )

I'll forward your email to francois if appropriate

¥

Mar 16, 2011 01:39

Ah yeah, I wouldn't have minded the 14 days to fix it cleanly...

Working on a quick & dirty fix...

Mar 16, 2011 02:04

This issue is very real (in case anyone has a doubt). Autosec qualifies the threat level as:
Threat Level............Moderate (2/5)

Here is a quick fix you can apply right away if you are concerned:

In the file /blogs/inc/_core/_param.funcs.php go to line 2004 and replace the first few lines of function balance_tags() like this:

Code

function balance_tags( $text )
{
  $tagstack = array();
  $stacksize = 0;
  $tagqueue = '';
  $newtext = '';
 
  # b2 bug fix for comments - in case you REALLY meant to type '< !--'
  $text = str_replace('< !--', '<    !--', $text);
 
  # b2 bug fix for LOVE <3 (and other situations with '<' before a number) as well as <?
  $text = preg_replace('#<([0-9?]{1})#', '&lt;$1', $text);
 
  while( preg_match('~<(\s*/?\w+)\s*(.*?)/?>~s', $text, $regex) )
  {

This quick fix is designed to detect the <? combination the same way it was already detecting <?

This solves the given exploit demo. I am not sure it fixes everything that would be similar. Still working on this.

Mar 16, 2011 02:23

The following is a more generic fix:

Code

function balance_tags( $text )
{
  $tagstack = array();
  $stacksize = 0;
  $tagqueue = '';
  $newtext = '';
 
  # b2 bug fix for comments - in case you REALLY meant to type '< !--'
  $text = str_replace('< !--', '<    !--', $text);
 
  // escape any < that does not look like a tag, i-e: that is not followed by a letter like in <a> or a / like in </a>:
  // (also not escaping comments like <!-- )
  $text = preg_replace('#<([^a-z/!]{1})#i', '&lt;$1', $text);
 
  while( preg_match('~<(\s*/?\w+)\s*(.*?)/?>~s', $text, $regex) )
  {

If you have an opinion on which is better, please let me know.

Mar 16, 2011 16:11

I think that use of htmlentities would be simpler than preg_replace. Wouldn't it?

EDIT: b2evolution 4.0.4 is also vulnerable

Mar 17, 2011 15:06

gstlt wrote:

I think that use of htmlentities would be simpler than preg_replace. Wouldn't it?

htmlentities() escapes all tags, but that's not what we want to do.
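To make the difference between the two proposed fixes and the htmlentities() suggestion concrete, here is an added example that is not b2evolution's code and was not posted by anyone in this thread. It mirrors the two PCRE patterns from the 02:04 (quick fix) and 02:23 (generic fix) posts in Python's re module, puts an escape-everything function beside them (html.escape standing in for PHP's htmlentities()), and runs all three over a few constructed inputs. The leading str_replace() for '< !--' is left out; only the regex step is compared. Function names and sample strings are my own.

```python
import html
import re

# Quick fix (02:04 post): only a '<' followed by a digit or '?' is escaped.
QUICK_FIX = re.compile(r'<([0-9?]{1})')

# Generic fix (02:23 post): any '<' NOT followed by a letter, '/' or '!' is escaped,
# so real tags (<a>, </a>) and comments (<!--) survive, everything else is neutralised.
GENERIC_FIX = re.compile(r'<([^a-z/!]{1})', re.IGNORECASE)


def escape_stray_lt_quick(text: str) -> str:
    """Python equivalent of preg_replace('#<([0-9?]{1})#', '&lt;$1', $text)."""
    return QUICK_FIX.sub(r'&lt;\1', text)


def escape_stray_lt_generic(text: str) -> str:
    """Python equivalent of preg_replace('#<([^a-z/!]{1})#i', '&lt;$1', $text)."""
    return GENERIC_FIX.sub(r'&lt;\1', text)


def escape_everything(text: str) -> str:
    """What an htmlentities()-style approach does: every '<' and '>' is escaped,
    legitimate markup included. html.escape is the stand-in here (quotes left alone)."""
    return html.escape(text, quote=False)


# Constructed sample inputs (not taken from the advisory or the thread).
SAMPLES = [
    "I <3 b2evolution",          # the '<3' case the original b2 code already handled
    "<?php echo 1; ?>",          # '<?' case both fixes target
    "a < b",                     # stray '<' before a space: only the generic fix escapes it
    "<%= x %>",                  # stray '<' before a symbol: only the generic fix escapes it
    '<a href="x">link</a>',      # a real tag: both fixes keep it, escape-everything destroys it
    "<!-- note -->",             # a comment: both fixes keep it
]


def compare(text: str) -> dict:
    """Run one input through all three strategies and return the results by name."""
    return {
        "quick": escape_stray_lt_quick(text),
        "generic": escape_stray_lt_generic(text),
        "escape_all": escape_everything(text),
    }


def tags_preserved(strategy, text: str) -> bool:
    """True if the strategy left the input untouched (i.e. treated it as legitimate markup)."""
    return strategy(text) == text


if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample))
        for name, result in compare(sample).items():
            print(f"   {name:>10}: {result!r}")
```

The run shows why the thread settled where it did: the quick fix leaves `a < b` and `<%= x %>` untouched, so those stray `<` characters still reach the tag-balancing loop, while the generic fix escapes every `<` that does not start something tag-like. The escape-everything column is the answer to the htmlentities() question: it also rewrites `<a href="x">link</a>`, which is exactly the markup balance_tags() is supposed to keep.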

May 15, 2011 18:48

Is this threat issue fixed in 4.0.5, I assume?

Jun 11, 2011 22:12

For your information: Yes, this vulnerability has been fixed in b2evolution 4.0.5. We recommend that you upgrade immediately.
