SMFfgetsoff.txt

Posted Oct 27, 2006
Authored by Jose Carlos Norte

Simple Machines Forum (SMF) suffers from a vulnerability that allows a malicious user to render any topic unreadable by sending false information to the avatar size checking function.

tags | advisory
MD5 | 32f7dd77481c9e56509d5055540463e6


SMF fgets off-by-one issue and filter size evasion

Author: Jose Carlos Norte
Discovered by: Jose Carlos Norte
Risk: Medium
Type: DoS
Version: ALL

1. Introduction

Simple Machines Forum is a popular, scalable, free bulletin board system written in PHP over a MySQL database. The URL of the project:

http://www.simplemachines.org/


2. The problem

SMF allows users to have a remote avatar, which is shown in the topics where the user posts messages.

The problem is that SMF fetches the remote avatar to test whether its size is in a valid range.

From Sources/Subs.php (1578 to 1069):

function url_image_size($url)
{
    // Get the host to pester...
    preg_match('~^\w+://(.+?)/(.*)$~', $url, $match);

    // Can't figure it out, just try the image size.
    if ($url == '' || $url == 'http://' || $url == 'https://')
        return false;
    elseif (!isset($match[1]))
        return @getimagesize($url);

    // Try to connect to the server... give it one full second.
    // (The one-second limit applies to the connect only, not to the reads that follow.)
    $temp = 0;
    $fp = @fsockopen($match[1], 80, $temp, $temp, 1);

    // Successful? Continue...
    if ($fp != false)
    {
        // Send the HEAD request.
        fwrite($fp, 'HEAD /' . $match[2] . ' HTTP/1.1' . "\r\n" . 'Connection: close' . "\r\n" . 'Host: ' . $match[1] . "\r\n\r\n");
        // Read in the HTTP/1.1 or whatever.
        // No read timeout is set: a server that never answers keeps the script blocked here.
        $test = substr(fgets($fp, 11), -1);
        fclose($fp);

        // See if it returned a 404/403 or something.
        // Only the first digit of the status is checked; the dimensions getimagesize() returns are not.
        if ($test < 4)
            return @getimagesize($url);
    }

    // Didn't work.
    return false;
}

A modified remote server can send false values in response to the HEAD request, and a size of 999999999999x9999999999 will bypass the filter.
Additionally, if the server does not respond to HEAD requests at all, the PHP script blocks in fgets() until PHP kills it
on the time limit. The result is that any topic where the malicious user has posted a message becomes unreadable for all users.

3. Solution

Change the function to:

function url_image_size($url)
{
    return false;
}

and don't try to check the size of remote images!
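If the check must stay rather than be disabled, the two failure modes above (a server that never answers the HEAD request, and a server that reports absurd dimensions) can be bounded. This is an added example, not SMF's code or the advisory author's; MAX_IMAGE_DIM, REMOTE_TIMEOUT_SECONDS and the function name url_image_size_bounded are assumptions, and only plain http URLs are probed.

```php
// Added example, not SMF's code: a bounded replacement for url_image_size().
// MAX_IMAGE_DIM, REMOTE_TIMEOUT_SECONDS and the function name are assumptions.
define('MAX_IMAGE_DIM', 2048);        // hypothetical cap on width and height
define('REMOTE_TIMEOUT_SECONDS', 2);  // bounds the connect, the reads and getimagesize()

function url_image_size_bounded($url)
{
    // Only plain http URLs are probed; anything else is not checked at all.
    if (!preg_match('~^http://([^/:]+)(?::(\d+))?/(.*)$~i', $url, $match))
        return false;
    $host = $match[1];
    $port = ($match[2] !== '') ? (int) $match[2] : 80;

    $errno = 0; $errstr = '';
    $fp = @fsockopen($host, $port, $errno, $errstr, REMOTE_TIMEOUT_SECONDS);
    if ($fp === false)
        return false;

    // The fsockopen() timeout covers the connect only. Without a read timeout a
    // server that accepts the connection and never answers holds fgets() forever.
    stream_set_timeout($fp, REMOTE_TIMEOUT_SECONDS);

    fwrite($fp, 'HEAD /' . $match[3] . " HTTP/1.1\r\nHost: " . $host . "\r\nConnection: close\r\n\r\n");
    $status_line = fgets($fp, 256);
    $meta = stream_get_meta_data($fp);
    fclose($fp);

    // A timed-out or empty read is a failure, not a pass.
    if ($status_line === false || $meta['timed_out'])
        return false;

    // Parse the whole status code instead of one character at a fixed offset.
    if (!preg_match('~^HTTP/1\.[01] (\d{3})~', $status_line, $st) || (int) $st[1] >= 400)
        return false;

    // getimagesize() fetches the URL itself through the http wrapper, whose
    // socket waits are governed by default_socket_timeout (60 s by default).
    ini_set('default_socket_timeout', (string) REMOTE_TIMEOUT_SECONDS);
    $size = @getimagesize($url);
    if ($size === false)
        return false;

    // The dimensions come from a server the poster controls; refuse absurd values
    // such as the 999999999999x9999999999 case instead of passing them through.
    if ($size[0] < 1 || $size[1] < 1 || $size[0] > MAX_IMAGE_DIM || $size[1] > MAX_IMAGE_DIM)
        return false;
    return $size;
}
```

Even with these bounds, a caller should treat the returned size as untrusted display advice and never let it drive allocation or layout without its own limits.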

I was unable to contact the SMF developer team, again.
