Обновление безопасности в IP.Board 3.0.5 и 2.3.6
Исправление безопасности (XSS) в ББ-кодах.
Файлы для исправления в аттачменте, первый для 3.0.5 версии, второй для 2.3.6.
Для ручного исправления:
3.0.5
В файле admin/sources/classes/bbcode/core.php найти:
Заменить на:
[spoil]
Для 2.3.6
В файле sources\classes\bbcode\class_bbcode_core.php
Найти:
[spoil]
Добавить после:
[spoil]
После установки исправления обязательно сделайте перестроение сообщений/подписей/личных сообщений через админ-центр форума.
Исправление безопасности (XSS) в ББ-кодах.
Файлы для исправления в аттачменте, первый для 3.0.5 версии, второй для 2.3.6.
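Для ручного исправления (код ниже приведён в том виде, в каком его отобразил форум: в ряде строк искомый текст и замена совпадают, то есть HTML-сущности, по-видимому, были раскодированы при выводе, поэтому сверяйте результат с файлами из аттачмента):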
3.0.5
В файле admin/sources/classes/bbcode/core.php найти:
[/spoil]/**
* Check against XSS
*
* @access public
* @param string Original string
* @param boolean Fix script HTML tags
* @return string "Cleaned" text
*/
public function checkXss( $txt='', $fixScript=false )
{
// Pre-fix body that the 3.0.5 instructions say to locate. It rewrites a fixed list of risky
// substrings in $txt and returns the result; there is no per-tag handling in this version.
//-----------------------------------------
// Opening script tags...
// Check for spaces and new lines...
//-----------------------------------------
if ( $fixScript )
{
// Collapses whitespace placed between "<", an optional "/", and the letters of "script".
// NOTE(review): as rendered the replacement is a literal "<script" / "</script"; the shipped
// file presumably uses an entity-encoded "<" here - confirm against the attached file.
$txt = preg_replace( "#<(\s+?)?s(\s+?)?c(\s+?)?r(\s+?)?i(\s+?)?p(\s+?)?t#is" , "<script" , $txt );
$txt = preg_replace( "#<(\s+?)?/(\s+?)?s(\s+?)?c(\s+?)?r(\s+?)?i(\s+?)?p(\s+?)?t#is", "</script", $txt );
}
//-----------------------------------------
// Here we can do some generic checking for XSS
// This should not be considered fool proof, though can provide
// a centralized point for maintenance and checking
//-----------------------------------------
// Denylist rewriting only: treat it as defence in depth, not as a replacement for escaping
// output for the context it is written into.
// NOTE(review): in the str_ireplace() calls below, and in the "javascript" replacement, the
// search text and the replacement are identical as rendered, which makes them no-ops. The page
// has most likely decoded HTML entities that the real replacements contain - do not copy these
// lines from the page; take them from the attached file.
$txt = preg_replace( "/(j)avascript/i" , "\\1avascript", $txt );
//$txt = str_ireplace( "alert" , "alert" , $txt );
$txt = str_ireplace( "behavior" , "behavior" , $txt );
// Breaks up "expression" when the letters are separated by /* ... */ comments.
$txt = preg_replace( "/(e)((\/\*.*?\*\/)*)x((\/\*.*?\*\/)*)p((\/\*.*?\*\/)*)r((\/\*.*?\*\/)*)e((\/\*.*?\*\/)*)s((\/\*.*?\*\/)*)s((\/\*.*?\*\/)*)i((\/\*.*?\*\/)*)o((\/\*.*?\*\/)*)n/is" , "\\1xp<b></b>ression" , $txt );
// Same idea for "expression" and "moz-binding" with backslashes between the letters.
// NOTE(review): as rendered, the second alternative in each "(\\\|\)*" group is "\)", which
// escapes the closing parenthesis and leaves the pattern unbalanced; the shipped file
// presumably has an entity for a backslash there - confirm before using this text.
$txt = preg_replace( "/(e)((\\\|\)*)x((\\\|\)*)p((\\\|\)*)r((\\\|\)*)e((\\\|\)*)s((\\\|\)*)s((\\\|\)*)i((\\\|\)*)o((\\\|\)*)n/is" , "\\1xp<b></b>ression" , $txt );
$txt = preg_replace( "/m((\\\|\)*)o((\\\|\)*)z((\\\|\)*)\-((\\\|\)*)b((\\\|\)*)i((\\\|\)*)n((\\\|\)*)d((\\\|\)*)i((\\\|\)*)n((\\\|\)*)g/is" , "moz-<b></b>binding" , $txt );
$txt = str_ireplace( "about:" , "about:" , $txt );
$txt = str_ireplace( "<body" , "<body" , $txt );
$txt = str_ireplace( "<html" , "<html" , $txt );
$txt = str_ireplace( "document." , "document." , $txt );
$txt = str_ireplace( "window." , "window." , $txt );
// Names of DOM event handlers, without the "on" prefix; the loop below prepends it.
$event_handlers = array( 'mouseover', 'mouseout', 'mouseup', 'mousemove', 'mousedown', 'mouseenter', 'mouseleave', 'mousewheel',
'contextmenu', 'click', 'dblclick', 'load', 'unload', 'submit', 'blur', 'focus', 'resize', 'scroll',
'change', 'reset', 'select', 'selectionchange', 'selectstart', 'start', 'stop', 'keydown', 'keyup',
'keypress', 'abort', 'error', 'dragdrop', 'move', 'moveend', 'movestart', 'activate', 'afterprint',
'afterupdate', 'beforeactivate', 'beforecopy', 'beforecut', 'beforedeactivate', 'beforeeditfocus',
'beforepaste', 'beforeprint', 'beforeunload', 'begin', 'bounce', 'cellchange', 'controlselect',
'copy', 'cut', 'paste', 'dataavailable', 'datasetchanged', 'datasetcomplete', 'deactivate', 'drag',
'dragend', 'dragleave', 'dragenter', 'dragover', 'drop', 'end', 'errorupdate', 'filterchange', 'finish',
'focusin', 'focusout', 'help', 'layoutcomplete', 'losecapture', 'mediacomplete', 'mediaerror', 'outofsync',
'pause', 'propertychange', 'progress', 'readystatechange', 'repeat', 'resizeend', 'resizestart', 'resume',
'reverse', 'rowsenter', 'rowexit', 'rowdelete', 'rowinserted', 'seek', 'syncrestored', 'timeerror',
'trackchange', 'urlflip',
);
foreach( $event_handlers as $handler )
{
// NOTE(review): search and replacement are both 'on' . $handler as rendered (a no-op);
// presumably one side carried an entity in the shipped file - confirm.
$txt = str_ireplace( 'on' . $handler, 'on' . $handler, $txt );
}
return $txt;
}
Заменить на:
[spoil]
[/spoil]/**
* Check against XSS
*
* @access public
* @param string Original string
* @param boolean Fix script HTML tags
* @return string "Cleaned" text
*/
public function checkXss( $txt='', $fixScript=false, $tag='' )
{
// Patched version: adds the optional third parameter $tag (default ''), the name of the BBCode
// tag whose value is being checked. With the default the switch below is skipped, so existing
// two-argument calls still run only the generic checks.
//-----------------------------------------
// Opening script tags...
// Check for spaces and new lines...
//-----------------------------------------
if ( $fixScript )
{
// Collapses whitespace placed between "<", an optional "/", and the letters of "script".
// NOTE(review): as rendered the replacement is a literal "<script" / "</script"; the shipped
// file presumably uses an entity-encoded "<" here - confirm against the attached file.
$txt = preg_replace( "#<(\s+?)?s(\s+?)?c(\s+?)?r(\s+?)?i(\s+?)?p(\s+?)?t#is" , "<script" , $txt );
$txt = preg_replace( "#<(\s+?)?/(\s+?)?s(\s+?)?c(\s+?)?r(\s+?)?i(\s+?)?p(\s+?)?t#is", "</script", $txt );
}
// Per-tag tightening added by this fix. The case labels are lowercase string literals;
// presumably callers pass the tag name in lowercase - verify against the call sites.
if ( $tag )
{
switch ($tag)
{
case 'entry':
case 'blog':
case 'topic':
case 'post':
// These tags take an id: line breaks and <br> variants are stripped, then intval() forces
// the value to an integer, so non-numeric input becomes 0. $txt is an int from here until
// the next string function converts it back.
// NOTE(review): "<br>" is listed twice as rendered; one entry was presumably an
// entity-encoded form in the shipped file - confirm.
$txt = intval( str_ireplace( array( "\n", "\r", "<br>", "<br />", "<br>" ), "", $txt ) );
break;
case 'acronym':
// Splits "style=" (also when backslashes sit between the letters) into "st yle=" and
// removes every ':' and ';' from the value.
// NOTE(review): the "(\\\|\)*" groups look damaged by the page rendering, as in the
// patterns further down - confirm against the attached file.
$txt = preg_replace( "/s((\\\|\)*)t((\\\|\)*)y((\\\|\)*)l((\\\|\)*)e((\\\|\)*)=/is", "st yle=", $txt );
$txt = str_replace( array( ':', ';' ), '', $txt );
break;
}
}
//-----------------------------------------
// Here we can do some generic checking for XSS
// This should not be considered fool proof, though can provide
// a centralized point for maintenance and checking
//-----------------------------------------
// Denylist rewriting only: treat it as defence in depth, not as a replacement for escaping
// output for the context it is written into.
// NOTE(review): in the str_ireplace() calls below, and in the "javascript" replacement, the
// search text and the replacement are identical as rendered, which makes them no-ops. The page
// has most likely decoded HTML entities that the real replacements contain - do not copy these
// lines from the page; take them from the attached file.
$txt = preg_replace( "/(j)avascript/i" , "\\1avascript", $txt );
//$txt = str_ireplace( "alert" , "alert" , $txt );
$txt = str_ireplace( "behavior" , "behavior" , $txt );
// Breaks up "expression" when the letters are separated by /* ... */ comments.
$txt = preg_replace( "/(e)((\/\*.*?\*\/)*)x((\/\*.*?\*\/)*)p((\/\*.*?\*\/)*)r((\/\*.*?\*\/)*)e((\/\*.*?\*\/)*)s((\/\*.*?\*\/)*)s((\/\*.*?\*\/)*)i((\/\*.*?\*\/)*)o((\/\*.*?\*\/)*)n/is" , "\\1xp<b></b>ression" , $txt );
// Same idea for "expression" and "moz-binding" with backslashes between the letters.
// NOTE(review): as rendered, the second alternative in each "(\\\|\)*" group is "\)", which
// escapes the closing parenthesis and leaves the pattern unbalanced; the shipped file
// presumably has an entity for a backslash there - confirm before using this text.
$txt = preg_replace( "/(e)((\\\|\)*)x((\\\|\)*)p((\\\|\)*)r((\\\|\)*)e((\\\|\)*)s((\\\|\)*)s((\\\|\)*)i((\\\|\)*)o((\\\|\)*)n/is" , "\\1xp<b></b>ression" , $txt );
$txt = preg_replace( "/m((\\\|\)*)o((\\\|\)*)z((\\\|\)*)\-((\\\|\)*)b((\\\|\)*)i((\\\|\)*)n((\\\|\)*)d((\\\|\)*)i((\\\|\)*)n((\\\|\)*)g/is" , "moz-<b></b>binding" , $txt );
$txt = str_ireplace( "about:" , "about:" , $txt );
$txt = str_ireplace( "<body" , "<body" , $txt );
$txt = str_ireplace( "<html" , "<html" , $txt );
$txt = str_ireplace( "document." , "document." , $txt );
$txt = str_ireplace( "window." , "window." , $txt );
// Names of DOM event handlers, without the "on" prefix; the loop below prepends it.
$event_handlers = array( 'mouseover', 'mouseout', 'mouseup', 'mousemove', 'mousedown', 'mouseenter', 'mouseleave', 'mousewheel',
'contextmenu', 'click', 'dblclick', 'load', 'unload', 'submit', 'blur', 'focus', 'resize', 'scroll',
'change', 'reset', 'select', 'selectionchange', 'selectstart', 'start', 'stop', 'keydown', 'keyup',
'keypress', 'abort', 'error', 'dragdrop', 'move', 'moveend', 'movestart', 'activate', 'afterprint',
'afterupdate', 'beforeactivate', 'beforecopy', 'beforecut', 'beforedeactivate', 'beforeeditfocus',
'beforepaste', 'beforeprint', 'beforeunload', 'begin', 'bounce', 'cellchange', 'controlselect',
'copy', 'cut', 'paste', 'dataavailable', 'datasetchanged', 'datasetcomplete', 'deactivate', 'drag',
'dragend', 'dragleave', 'dragenter', 'dragover', 'drop', 'end', 'errorupdate', 'filterchange', 'finish',
'focusin', 'focusout', 'help', 'layoutcomplete', 'losecapture', 'mediacomplete', 'mediaerror', 'outofsync',
'pause', 'propertychange', 'progress', 'readystatechange', 'repeat', 'resizeend', 'resizestart', 'resume',
'reverse', 'rowsenter', 'rowexit', 'rowdelete', 'rowinserted', 'seek', 'syncrestored', 'timeerror',
'trackchange', 'urlflip',
);
foreach( $event_handlers as $handler )
{
// NOTE(review): search and replacement are both 'on' . $handler as rendered (a no-op);
// presumably one side carried an entity in the shipped file - confirm.
$txt = str_ireplace( 'on' . $handler, 'on' . $handler, $txt );
}
return $txt;
}
Для 2.3.6
В файле sources\classes\bbcode\class_bbcode_core.php
Найти:
[spoil]
[/spoil]# XSS Check: Bug ID: 980
// Existing guard that the 2.3.6 instructions use as the anchor: for the post, topic and snapback
// tags the matched option is forced to an integer, so a non-numeric option becomes 0.
// $row, $match, $_option and $i are defined outside this excerpt.
if ( $row['bbcode_tag'] == 'post' OR $row['bbcode_tag'] == 'topic' OR $row['bbcode_tag'] == 'snapback' )
{
$match[ $_option ][$i] = intval( $match[ $_option ][$i] );
}
Добавить после:
[spoil]
# XSS acronym
# Added by the 2.3.6 fix. For the acronym tag, both the matched option and the matched content
# are rewritten: "style=" (also when backslashes sit between the letters) is split into "st yle=",
# and every ':' and ';' is removed.
# $row, $match, $_option, $_content and $i are defined outside this excerpt.
# NOTE(review): as rendered, the second alternative in each "(\\\|\)*" group is "\)", which escapes
# the closing parenthesis and leaves the pattern unbalanced; the shipped file presumably has an
# entity for a backslash there - confirm against the attached file before pasting this by hand.
if ( $row['bbcode_tag'] == 'acronym' )
{
$match[ $_option ][$i] = preg_replace( "/s((\\\|\)*)t((\\\|\)*)y((\\\|\)*)l((\\\|\)*)e((\\\|\)*)=/is", "st yle=", $match[ $_option ][$i] );
$match[ $_option ][$i] = str_replace( array( ':', ';' ), '', $match[ $_option ][$i] );
$match[ $_content ][$i] = preg_replace( "/s((\\\|\)*)t((\\\|\)*)y((\\\|\)*)l((\\\|\)*)e((\\\|\)*)=/is", "st yle=", $match[ $_content ][$i] );
$match[ $_content ][$i] = str_replace( array( ':', ';' ), '', $match[ $_content ][$i] );
}
После установки исправления обязательно сделайте перестроение сообщений/подписей/личных сообщений через админ-центр форума.