Naprawa DST i BBCode'ów

[DawPi]

IP.Board 2.3.4 Security Enhancements and DST Bug Fix

We are releasing a minor security update to address issues recently reported regarding areas of IP.Board 2.3.4. These security issues are rather low priority and the impact is minimal due to other security features in the software. We would like to thank the users and administrators of criticalsecurity.net for their help in identifying the issues and testing the patches.

Issue

Nesting custom bbcode in an improper fashion can result in the final HTML result of the bbcode being broken, and subsequently unwanted HTML injected into the tag. If used in specific fashions, a person could inject javascript event handlers into the final result. Additionally, we have added an "allowscriptaccess" parameter to flash movies parsed in IPB to prevent flash movies and avatars from having javascript access. These issues are mitigated due to the use of httpOnly cookies in IP.Board which limits the direct impact.

Additionally, we have patched a recent bug with the automated DST checking in IPB that has surfaced since the recent DST changeover.

Patching Your IP.Board

The IP.Board 2.3.4 download in the client area has already been updated with the required changes. If you download IP.Board after the date of this announcement your installation will be up to date.

Changed Files

Download the zip file below which includes only the changed files for this update. Simply upload and overwrite the old files.

http://forums.invisionpower.com/index.php?...st&id=16364

-----------------------------------------------------------------

DODATEK BY DawPi

Nie wdając się w tłumaczenie czasem jest tak, że przy 'padzie' bbcode można dostać wynikowo kod HTML co nie zawsze jest dobrym objawem. Dlatego, że ktoś może wstrzyknąć kod javascript w ostateczny wynik/rezultat/zapytanie. Dlatego też dodano parametr allowscriptaccess do plików flash, które są parsowane w IPB w celu weryfikacji źródła i nie dopuszczenia do dostępu poprzez avatary lub owe pliki flash w których można umieścić kod javscript.

Ogólnie rzecz biorąc - patch poprawia bezpieczeństwo forum

Przy okazji dodano fixa do do mechanizmu sprawdzania DST w IP.Board.

Manual zmian:

Otwórz plik: jscripts/ipb_global.js

Znajdź:

	var thisoffset = tzo + dst;

Zamień na:

	var thisoffset = tzo - dst;

Zapisz i wyślij.

Otwórz plik: sources/ipsclass.php

		$html = preg_replace( "/javascript/i" , "javascript", $html );
	$html = preg_replace( "/alert/i"	  , "alert"		  , $html );

Dodaj poniżej:

		$html = preg_replace( "/behavior/i"   , "behavior"		  , $html );
	$html = preg_replace( "/e((\/\*.*?\*\/)*)x((\/\*.*?\*\/)*)p((\/\*.*?\*\/)*)r((\/\*.*?\*\/)*)e((\/\*.*?\*\/)*)s((\/\*.*?\*\/)*)s((\/\*.*?\*\/)*)i((\/\*.*?\*\/)*)o((\/\*.*?\*\/)*)n/i" , "exp​ression"	 , $html );
	$html = preg_replace( "/e((\\\|\)*)x((\\\|\)*)p((\\\|\)*)r((\\\|\)*)e((\\\|\)*)s((\\\|\)*)s((\\\|\)*)i((\\\|\)*)o((\\\|\)*)n/i" 	  , "exp​ression"	 	  , $html );
	$html = preg_replace( "/m((\\\|\)*)o((\\\|\)*)z((\\\|\)*)\-((\\\|\)*)b((\\\|\)*)i((\\\|\)*)n((\\\|\)*)d((\\\|\)*)i((\\\|\)*)n((\\\|\)*)g/i" 	  , "moz-​binding"	 	  , $html );

Znajdź:

		$html = preg_replace( "/onmouseover/i", "onmouseover"	, $html );
	$html = preg_replace( "/onclick/i"	, "onclick"		, $html );
	$html = preg_replace( "/onload/i"	 , "onload"		 , $html );
	$html = preg_replace( "/onsubmit/i"   , "onsubmit"	   , $html );

i usuń.

Znajdź:

		$html = preg_replace( "/<body/i"	  , "<body"			, $html );
	$html = preg_replace( "/<html/i"	  , "<html"			, $html );
	$html = preg_replace( "/document\./i" , "document."	  , $html );

Dodaj poniżej:

		$html = preg_replace( "/window\./i"   , "window."	  , $html );

	$event_handlers	= array( 'mouseover', 'mouseout', 'mouseup', 'mousemove', 'mousedown', 'mouseenter', 'mouseleave', 'mousewheel',
							 'contextmenu', 'click', 'dblclick', 'load', 'unload', 'submit', 'blur', 'focus', 'resize', 'scroll',
							 'change', 'reset', 'select', 'selectionchange', 'selectstart', 'start', 'stop', 'keydown', 'keyup',
							 'keypress', 'abort', 'error', 'dragdrop', 'move', 'moveend', 'movestart', 'activate', 'afterprint',
							 'afterupdate', 'beforeactivate', 'beforecopy', 'beforecut', 'beforedeactivate', 'beforeeditfocus',
							 'beforepaste', 'beforeprint', 'beforeunload', 'begin', 'bounce', 'cellchange', 'controlselect',
							 'copy', 'cut', 'paste', 'dataavailable', 'datasetchanged', 'datasetcomplete', 'deactivate', 'drag',
							 'dragend', 'dragleave', 'dragenter', 'dragover', 'drop', 'end', 'errorupdate', 'filterchange', 'finish',
							 'focusin', 'focusout', 'help', 'layoutcomplete', 'losecapture', 'mediacomplete', 'mediaerror', 'outofsync',
							 'pause', 'propertychange', 'progress', 'readystatechange', 'repeat', 'resizeend', 'resizestart', 'resume',
							 'reverse', 'rowsenter', 'rowexit', 'rowdelete', 'rowinserted', 'seek', 'syncrestored', 'timeerror',
							 'trackchange', 'urlflip',
							);

	$html = preg_replace( "/on(" . implode( '|', $event_handlers ) . ")/i", "on\\1"	, $html );

Znajdź:

				return "<object classid=\"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000\" width='{$this_dims[0]}' height='{$this_dims[1]}'>
					<param name='movie' value='{$member_avatar}'><param name='play' value='true'>
					<param name='loop' value='true'><param name='quality' value='high'>
					<param name='wmode' value='transparent'> 
					<embed src='{$member_avatar}' width='{$this_dims[0]}' height='{$this_dims[1]}' play='true' loop='true' quality='high' wmode='transparent'></embed>
					</object>";

Zamień na:

				return "<object classid=\"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000\" width='{$this_dims[0]}' height='{$this_dims[1]}'>
					<param name='movie' value='{$member_avatar}'><param name='play' value='true'>
					<param name='loop' value='true'><param name='quality' value='high'>
					<param name='allowscriptaccess' value='never'>
					<param name='wmode' value='transparent'> 
					<embed src='{$member_avatar}' allowscriptaccess='never' width='{$this_dims[0]}' height='{$this_dims[1]}' play='true' loop='true' quality='high' wmode='transparent'></embed>
					</object>";

Znajdź:

						<param name='movie' value='{$this->vars['upload_url']}/$member_avatar'><param name='play' value='true'>
					<param name='loop' value='true'><param name='quality' value='high'>
					<param name='wmode' value='transparent'> 
					<embed src='{$this->vars['upload_url']}/$member_avatar' width='{$this_dims[0]}' height='{$this_dims[1]}' play='true' loop='true' quality='high' wmode='transparent'></embed>
					</object>";

Zamień na:

				return "<object classid=\"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000\" width='{$this_dims[0]}' height='{$this_dims[1]}'>
					<param name='movie' value='{$this->vars['upload_url']}/$member_avatar'><param name='play' value='true'>
					<param name='loop' value='true'><param name='quality' value='high'>
					<param name='wmode' value='transparent'> 
					<param name='allowscriptaccess' value='never'>
					<embed src='{$this->vars['upload_url']}/$member_avatar' allowscriptaccess='never' width='{$this_dims[0]}' height='{$this_dims[1]}' play='true' loop='true' quality='high' wmode='transparent'></embed>
					</object>";

Znajdź:

			$member['_has_photo']	 = 0;

Dodaj poniżej:

			$member['pp_thumb_photo'] = '';

Znajdź:

		$member['member_joined']   = $this->compiled_templates[ $skin_file ]->member_joined( $this->get_date( $member['joined'], 'JOINED' ) );

Dodaj powyżej:

		$member['location']		   = $this->txt_wordwrap( $member['location'], 25 );

Zapisz i wyślij.

Otwórz plik: sources/classes/bbcode/class_bbcode_core.php

Znajdź:

					while (preg_match_all( "#(\[".$preg_tag."=(?:"|&\#39;|\"|\')?(.+?)(?:"|&\#39;|\"|\')?\])((?R)|.*?)(\[/".$preg_tag."\])#si", $t, $match ))

Zamień na:

					while (preg_match_all( "#(\[".$preg_tag."=(?:\"|\')?(.+?)(?:\"|\')?\])((?R)|.*?)(\[/".$preg_tag."\])#si", $t, $match ))

Znajdź:

							$match[ $_content ][$i] = preg_replace( '#(style)=#is', "$1=", $match[ $_content ][$i] );	
						$match[ $_option ][$i] = preg_replace( '#(style)=#is', "$1=", $match[ $_option ][$i] );

Zamień na:

							//$match[ $_content ][$i] = preg_replace( '#(style)=#is', "$1=", $match[ $_content ][$i] );	
						//$match[ $_option ][$i] = preg_replace( '#(style)=#is', "$1=", $match[ $_option ][$i] );

Znajdź:

							$tmp = str_replace( '{option}' , $match[ $_option  ][$i], $tmp );
						$tmp = str_replace( '{content}', $match[ $_content ][$i], $tmp );

Zamień na:

							$tmp = str_replace( '{option}' , $this->ipsclass->xss_html_clean( $match[ $_option  ][$i] ), $tmp );
						$tmp = str_replace( '{content}', $this->ipsclass->xss_html_clean( $match[ $_content ][$i] ), $tmp );

Znajdź:

		//-----------------------------------------
	// Is the img extension allowed to be posted?
	//-----------------------------------------

Dodaj powyżej:

		$url = str_replace( '&', '&', $url );

Znajdź:

		return "<!--Flash $width+$height+$url--><OBJECT CLASSID='clsid:D27CDB6E-AE6D-11cf-96B8-444553540000' WIDTH=$width HEIGHT=$height><PARAM NAME=MOVIE VALUE=$url><PARAM NAME=PLAY VALUE=TRUE><PARAM NAME=LOOP VALUE=TRUE><PARAM NAME=QUALITY VALUE=HIGH><EMBED SRC=$url WIDTH=$width HEIGHT=$height PLAY=TRUE LOOP=TRUE QUALITY=HIGH></EMBED></OBJECT><!--End Flash-->";

Zamień na:

		return "<!--Flash $width+$height+$url--><OBJECT CLASSID='clsid:D27CDB6E-AE6D-11cf-96B8-444553540000' WIDTH='$width' HEIGHT='$height'><PARAM NAME='MOVIE' VALUE='$url'><PARAM NAME='PLAY' VALUE='TRUE'><PARAM NAME='LOOP' VALUE='TRUE'><PARAM NAME='QUALITY' VALUE='HIGH'><PARAM NAME='allowscriptaccess' VALUE='never'><EMBED AllowScriptAccess='never' SRC='$url' WIDTH='$width' HEIGHT='$height' PLAY='TRUE' LOOP='TRUE' QUALITY='HIGH'></EMBED></OBJECT><!--End Flash-->";

Zapisz i wyślij.

Pozdrawiam,

DawPi