1 Mar 15, 2011 06:50    

Hi,

A vulnerability was discovered in b2evolution 4.0.3. For details please email me. As per our policy we will disclose this vulnerability in a public advisory 14 days after this notification.

Thanks,

John Leitch
john@autosectools.com

AutoSec Tools Vulnerability Researcher
http://www.autosectools.com/

2 Mar 15, 2011 12:26

Just for the record: has that vulnerability been fixed in 4.0.4?

3 Mar 15, 2011 15:15

We do not even know whether that's a real vulnerability or spam or whatever.

4 Mar 15, 2011 15:47

A vulnerability was discovered in b2evolution 4.0.3. For details please email me. As per our policy we will disclose this vulnerability in a public advisory 14 days after this notification.

Sounds like blackmail...

"Meet me at the DVD kiosk on 11th Ave or we WILL leak the compromising pictures to the press."

:lol:

5 Mar 15, 2011 19:08

gstlt wrote:

Just for the record: has that vulnerability been fixed in 4.0.4?

Given the subtlety of the bug my guess would be no, but I cannot be sure without testing.

BushLeagueCritic wrote:

A vulnerability was discovered in b2evolution 4.0.3. For details please email me. As per our policy we will disclose this vulnerability in a public advisory 14 days after this notification.

Sounds like blackmail...

"Meet me at the DVD kiosk on 11th Ave or we WILL leak the compromising pictures to the press."

:lol:

There is no "or" in my post; vulnerabilities are disclosed after the allotted time period regardless of circumstances.

Again, I will disclose details over a more private medium.

6 Mar 15, 2011 19:58

Convince me you're NOT trying to sell an AutoSec Tools "Seal of Approval."

7 Mar 15, 2011 20:04

John Leitch wrote:

Again, I will disclose details over a more private medium.

Feel free to email me details yabs@mydomains.tld ( mydomain happens to be innervisions.org.uk ;) )

I'll forward your email to francois if appropriate

¥

9 Mar 16, 2011 01:39

Ah yeah, I wouldn't have minded the 14 days to fix it cleanly...

Working on a quick & dirty fix...

10 Mar 16, 2011 02:04

This issue is very real (in case anyone has a doubt). Autosec qualifies the threat level as:
Threat Level............Moderate (2/5)

Here is a quick fix you can apply right away if you are concerned:

In the file /blogs/inc/_core/_param.funcs.php go to line 2004 and replace the first few lines of function balance_tags() like this:


function balance_tags( $text )
{
	$tagstack = array();
	$stacksize = 0;
	$tagqueue = '';
	$newtext = '';

	# b2 bug fix for comments - in case you REALLY meant to type '< !--'
	$text = str_replace('< !--', '<    !--', $text);

	# b2 bug fix for LOVE <3 (and other situations with '<' before a number) as well as <?
	$text = preg_replace('#<([0-9?]{1})#', '&lt;$1', $text);

	while( preg_match('~<(\s*/?\w+)\s*(.*?)/?>~s', $text, $regex) )
	{

This quick fix is designed to detect the <? combination the same way it was already detecting <?

This solves the given exploit demo. I am not sure it fixes everything that would be similar. Still working on this.

11 Mar 16, 2011 02:23

The following is a more generic fix:


function balance_tags( $text )
{
	$tagstack = array();
	$stacksize = 0;
	$tagqueue = '';
	$newtext = '';

	# b2 bug fix for comments - in case you REALLY meant to type '< !--'
	$text = str_replace('< !--', '<    !--', $text);

	// escape any < that does not look like a tag, i-e: that is not followed by a letter like in <a> or a / like in </a>:
	// (also not escaping comments like <!-- )
	$text = preg_replace('#<([^a-z/!]{1})#i', '&lt;$1', $text);

	while( preg_match('~<(\s*/?\w+)\s*(.*?)/?>~s', $text, $regex) )
	{

If you have an opinion on which is better, please let me know.
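
A side-by-side run of the two patches posted above (the quick fix in post 10 and the generic fix in post 11) on constructed inputs, added here as an illustration and not code from this thread or from b2evolution. It ports only the two preg_replace() lines and the preceding str_replace() to Python's re module (the patterns behave the same in PCRE and Python for these inputs) and leaves out the rest of balance_tags(); the sample strings are made up for the demonstration.

```python
import re

# Constructed sample inputs (not taken from the thread or the advisory).
SAMPLES = [
    "<3",                   # "LOVE <3": the case the original code already escaped
    "<?php",                # '<' followed by '?', the case post 10's patch adds
    "<1>",                  # '<' followed by a digit
    "<a href='x'>ok</a>",   # a real tag pair: must survive both patches
    "<!-- c -->",           # an HTML comment: must survive both patches
    "< !-- c -->",          # the '< !--' form that the str_replace() line rewrites
    "<$x",                  # '<' followed by a non-letter, non-digit character
    "< b>",                 # '<' followed by whitespace, then a tag name
    "<=",                   # a bare comparison operator
    "a < b",                # '<' used as text
]


def quick_fix(text):
    """Post 10's narrow patch: escape '<' only when a digit or '?' follows."""
    text = text.replace('< !--', '<    !--')
    return re.sub(r'<([0-9?])', r'&lt;\1', text)


def generic_fix(text):
    """Post 11's broader patch: escape '<' unless a letter, '/' or '!' follows
    (case-insensitive, so '<A>' is kept as a tag just like '<a>')."""
    text = text.replace('< !--', '<    !--')
    return re.sub(r'<([^a-z/!])', r'&lt;\1', text, flags=re.IGNORECASE)


def compare(samples=SAMPLES):
    """Return (input, quick_fix output, generic_fix output) for each sample."""
    return [(s, quick_fix(s), generic_fix(s)) for s in samples]


def differs(samples=SAMPLES):
    """Return the samples on which the two patches produce different output."""
    return [s for s in samples if quick_fix(s) != generic_fix(s)]


if __name__ == "__main__":
    for original, quick, generic in compare():
        print(f"{original!r:24} quick={quick!r:28} generic={generic!r}")
    print("differ:", differs())
```

Both patches neutralize the `<3`, `<?` and `<1>` forms and leave `<a>`, `</a>` and `<!--` alone. They part ways on `<$x`, `<=`, a spaced `<` in running text and `< b>`: the generic fix escapes all of these, the quick fix none of them. The `< b>` case is worth noting when weighing the two: the loop regex that follows in balance_tags(), `<(\s*/?\w+)`, accepts whitespace between `<` and the tag name, so the generic fix escapes some input that the loop would otherwise have treated as a tag; the thread does not discuss whether that matters.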

13 Mar 16, 2011 16:11

I think that use of htmlentities() would be simpler than preg_replace. Wouldn't it?

EDIT: b2evolution 4.0.4 is also vulnerable

14 Mar 17, 2011 15:06

gstlt wrote:

I think that use of htmlentities() would be simpler than preg_replace. Wouldn't it?

htmlentities() escapes all tags, but that's not what we want to do.

15 May 15, 2011 18:48

Is this threat issue fixed in 4.0.5, I assume?

16 Jun 11, 2011 22:12

For your information: yes, this vulnerability has been fixed in b2evolution 4.0.5. We recommend that you upgrade immediately.
