
1 Aug 27, 2005 12:13    

Hello,

Please read http://forums.b2evolution.net//viewtopic.php?p=24630 first.

Now, a simple fix:

Open conf/_admin.php and find:


$fileupload_allowedtypes = ' jpg gif png ';

after that add the following:


/**
 * Accepted file mime types, you can add to that list if you want.
 *
 * Note: add a space before and after each file type.
 * Example: $fileupload_allowedmimes = ' image/gif image/jpeg image/png image/psd image/bmp image/tiff image/jp2 image/iff image/vnd.wap.wbmp image/xbm application/octet-stream application/x-shockwave-flash ';
 * Specify only binary mime types here.
 */
$fileupload_allowedmimes = ' image/gif image/jpg image/jpeg image/png ';

Now open admin/b2upload.php and find the following:


if (strlen($imgalt)) {
	$pathtofile = $fileupload_realpath."/".$imgalt;
	$img1 = $HTTP_POST_VARS['img1'];
} else {
	$pathtofile = $fileupload_realpath."/".$img1_name;
	$img1 = $HTTP_POST_FILES['img1']['tmp_name'];
}

replace it with the following:


if (strlen($imgalt)) {
	$pathtofile = $fileupload_realpath."/".$imgalt;
	$img1 = $HTTP_POST_VARS['img1'];
} else {
	$pathtofile = $fileupload_realpath."/".$img1_name;
	$img1 = $HTTP_POST_FILES['img1']['tmp_name'];

	// check if file was really uploaded
	if (is_uploaded_file($img1) == false) {
		die("This is not uploaded file.");
	}
	// check for file size
	if (filesize($img1) > $fileupload_maxk*1024) {
		die("File max size exceeded.");
	}

	////////// mime check hack - start
	// validate mime type of file
	if (!extension_loaded('mime_magic')) {
		// actually, we should not allow any uploads if we cannot determine the mime type,
		// but leave this empty for now
		# die("Cannot determine mime type of file, no mime extension loaded.");
	}
	$mimetype = mime_content_type($img1);
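	// literal, space-delimited match against the allowed list (no regex, no partial matches)
	$mimetype = strtolower(trim($mimetype));
	if ($mimetype == '' || strpos(strtolower($fileupload_allowedmimes), ' '.$mimetype.' ') === false) {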
		die(sprintf( T_('File %s: type %s is not allowed.'), $img1_name, $mimetype));
	}
	////////// mime check hack - end
}

The only requirement is that the mime_magic extension be loaded.
If you don't have this module installed and have a multi-user blog, then be prepared for your admin password for the blog, and some others, to be stolen :D

If you are going to upload only image files and don't have the mime_magic extension loaded, then you can do the following instead of the previous:

Open conf/_admin.php and find:


$fileupload_allowedtypes = ' jpg gif png ';

after that add the following:


/**
 * Valid image type extensions recognized by GetImageSize function.
 * Don't remove any ext from this array.
 * Order of the extensions should be exactly the same as returned by the GetImageSize function.
 */
$image_valid_exts = array("gif", "jpg", "png", "swf", "psd", "bmp", "tiff", "tiff", "jpc", "jp2", "jpx", "jb2", "swc", "iff", "wbmp", "xbm");

Set this array to exactly the same image extensions, in the same order, as processed by the GetImageSize function.

Now open admin/b2upload.php and find the following:


if (strlen($imgalt)) {
	$pathtofile = $fileupload_realpath."/".$imgalt;
	$img1 = $HTTP_POST_VARS['img1'];
} else {
	$pathtofile = $fileupload_realpath."/".$img1_name;
	$img1 = $HTTP_POST_FILES['img1']['tmp_name'];
}

replace it with the following:


if (strlen($imgalt)) {
	$pathtofile = $fileupload_realpath."/".$imgalt;
	$img1 = $HTTP_POST_VARS['img1'];
} else {
	$pathtofile = $fileupload_realpath."/".$img1_name;
	$img1 = $HTTP_POST_FILES['img1']['tmp_name'];

	// check if file was really uploaded
	if (is_uploaded_file($img1) == false) {
		die("This is not uploaded file.");
	}
	// check for file size
	if (filesize($img1) > $fileupload_maxk*1024) {
		die("File max size exceeded.");
	}

	////////// image upload check - start
	if (($img_info = @GetImageSize($img1)) == false) {
		die("File type is not allowed.");
	}
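	// map the type index returned by GetImageSize to an extension; unknown indexes are rejected
	$img_ext = isset($image_valid_exts[$img_info[2] - 1]) ? $image_valid_exts[$img_info[2] - 1] : '';
	// literal, space-delimited match against the allowed list (no regex, no partial matches)
	if ($img_ext == '' || strpos(strtolower($fileupload_allowedtypes), ' '.$img_ext.' ') === false) {
		die(sprintf( T_('File %s: type %s is not allowed.'), $img1_name, $img_ext));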
	}
	////////// image upload check - end
}

In both versions I have added a check for file size and a check that the file was really uploaded from the post; I don't know why these checks were not in the original code.

I have tested these on PHP 4.3.4, Apache 2.0.50, WinXP.
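
A present-day equivalent of the MIME check above, as an added example that is not part of the original post or of b2evolution: it uses PHP's fileinfo extension (which took over from mime_magic in later PHP versions), compares the detected type as an exact token against the space-delimited list, and rejects the file when no detector is available. The function name check_upload_type() and the two sample files are constructed for illustration.

```php
<?php
// Added example, not b2evolution code. check_upload_type() and the sample
// files below are constructed for illustration.

/** Space-delimited allowlist in the same style as conf/_admin.php. */
$fileupload_allowedmimes = ' image/gif image/jpeg image/png ';

/**
 * Returns the detected MIME type if it is on the allowlist, or false.
 * Fails closed when the type cannot be determined.
 */
function check_upload_type($tmp_path, $allowed_mimes)
{
    if (!extension_loaded('fileinfo')) {
        return false; // no detector available: reject rather than guess
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = strtolower(trim((string) $finfo->file($tmp_path)));
    if ($mime === '') {
        return false;
    }
    // Exact token comparison: no regex, no substring matching.
    $allowed = preg_split('/\s+/', strtolower(trim($allowed_mimes)));
    return in_array($mime, $allowed, true) ? $mime : false;
}

// Constructed sample inputs: a minimal GIF header, and text content that
// arrives under an image file name. The client-supplied name is never
// consulted; only the bytes decide.
$samples = array(
    'photo.gif'  => "GIF89a\x01\x00\x01\x00\x00\x00\x00;",
    'avatar.gif' => "<?php echo 'not an image'; ?>\n",
);

foreach ($samples as $client_name => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    $mime = check_upload_type($tmp, $fileupload_allowedmimes);
    printf("%-11s => %s\n", $client_name, $mime === false ? 'rejected' : "accepted as $mime");
    unlink($tmp);
}
```

In a real upload handler the is_uploaded_file() and file size checks from the post still run before this one; they are left out here only because the sample files are created locally.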

