A vulnerability in WB ?

[mylesk42]

Hi,
I've just read this topic about WB 281 : http://www.htbridge.ch/advisory/multiple_path_disclosure_in_websitebaker.html

Regards

[pcwacht]

Hmm missing startline wich checks if user is logged in

Code:

// Must include code to stop this file being access directly
if(defined('WB_PATH') == false) { exit("Cannot access this file directly"); }

in these files:
http://[host]/modules/code/add.php
http://[host]/modules/code/delete.php
http://[host]/modules/code/modify.php
http://[host]/modules/code/view.php
http://[host]/modules/form/add.php
http://[host]/modules/form/delete.php

 
There might be more files wich lacks this simple check!


John

[mylesk42]

Well, seems so serious and must be updated soon ?
Regards

[DarkViper]

must of are already fixed for the next packet of 2.8.2

[mylesk42]

Yes, very good. But is there a quick fix (files to be modified) to resolve the problem while waiting for the new release ?
Regards

[DarkViper]

see the previous post from John.
insert that line only at top of the files. It will fix 99%.

[PurpleEdge]

http://www.htbridge.ch/advisory/multiple_sql_injections_in_websitebaker.html

[fischstäbchenbrenner]

Simple question:
if WB_PATH is not defined, then also TABLE_PREFIX, page_id, section_id is not defined.

So what can one do with this?

[DarkViper]

Simple question:
if WB_PATH is not defined, then also TABLE_PREFIX, page_id, section_id is not defined.
So what can one do with this?

HTB22929: Multiple Path disclosure:::
a remote user can identify the real physical path on the server. The risk is low, but it's a good, helpful information for a professional attacker.

HTB22928: Multiple SQL Injections:::
very dangerously. a remote user can modify / destroy your whole database.

but don't worry. most of this was fixed some month ago in WB2.8.1 and all in WB2.8.2

[NorHei]

Simple question:
if WB_PATH is not defined, then also TABLE_PREFIX, page_id, section_id is not defined.
So what can one do with this?

You can do something like this:

Code:

if (strstr(__FILE__,$_SERVER['PHP_SELF']) == $_SERVER['PHP_SELF'])
{header("HTTP/1.1 301 Moved Permanently"); header("Location: http://$_SERVER[SERVER_NAME]"); die();}

If you dont like the redirect , you can simply exit() or die().

[instantflorian]

Hi,

@DarkViper: in which revision it was fixed?

@norhei:
Your Code:

Code:

if (strstr(__FILE__,$_SERVER['PHP_SELF']) == $_SERVER['PHP_SELF'])
{header("HTTP/1.1 301 Moved Permanently"); header("Location: http://$_SERVER[SERVER_NAME]"); die();}

Is this a patch? Where should the code lines be added?

@moderator: I think this topic should be moved to the security announcement section of this forum.

BR
-instantflorian.

[NorHei]

You can use it instead of :

// Must include code to stop this file being access directly
if(defined('WB_PATH') == false) { exit("Cannot access this file directly");

Its independent from  any WB defined constants or variables.