Security Advisory [05/03/2006]
Description: An unchecked argument allows improper file inclusion. Coupled with EXIF data, this allows remote execution of commands.
Date of Discovery: 05/02/2006
Affected Versions: 2.0.0, 2.0.1
Affected Files: ./help/index.php, ./help/mini.php
Unaffected Versions: 1.x.x, 2.0.2
Severity: High
Discovered by: rgod
Recommended method of repair:
(1) Upgrade to X7 Chat 2.0.3
OR
(2) In ./help/index.php and ./help/mini.php
Find:
if(!isset($_GET['help_file']) || !@is_file("./{$_GET['help_file']}")){
Replace with:
if(!isset($_GET['help_file']) || !@is_file("./{$_GET['help_file']}") || eregi("[\\/]","{$_GET['help_file']}")){
In ./sources/usercp.php
Find:
if($error == ""){
$body = $txt[188];
$db->DoQuery("UPDATE {$prefix}users SET email='$email',avatar='$_POST[avatar]',name='$_POST[rname]',location='$_POST[location]',hobbies='$_POST[hobbies]',bio='$_POST[bio]',gender='$_POST[gender]' WHERE username='$x7s->username'");
}else{
$body = "<div align=\"center\">".$error."<Br><Br><a href=\"./index.php?act=user_cp&cp_page=profile\">$txt[77]</a></div>";
}
Add above:
if(!preg_match("#^http://#",$_POST['avatar']))
$_POST['avatar'] = "http://".$_POST['avatar'];
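The following is an added example, not code from this advisory or from X7 Chat, showing a stricter form of the two repairs above. The function names (resolve_help_file, validate_avatar_url, demo) and the sample inputs are assumptions constructed for the example; the help directory is a throwaway temporary directory. It also avoids eregi(), which was deprecated in PHP 5.3 and removed in PHP 7.0, in favour of preg_match().

```php
<?php
// Added example (not from the advisory or from X7 Chat): a stricter form of
// the two repairs above. The help directory and demo inputs are constructed.
declare(strict_types=1);

// Resolve a requested help page to a file inside $helpDir, or return null.
// The advisory's patch only rejects names containing a slash; this version
// also canonicalises the path with realpath() and confirms the result is
// still inside the help directory, so symlinks are covered as well.
function resolve_help_file(string $helpDir, ?string $requested): ?string
{
    if ($requested === null || $requested === '') {
        return null;
    }
    // Help pages are flat file names: any path separator or NUL byte is rejected.
    if (preg_match('#[\\\\/\x00]#', $requested) === 1) {
        return null;
    }
    $base = realpath($helpDir);
    $candidate = realpath($helpDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $candidate === false) {
        return null;
    }
    // The canonical path must begin with the canonical help directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0 || !is_file($candidate)) {
        return null;
    }
    return $candidate;
}

// The advisory's patch prepends "http://" to any avatar value lacking it.
// Rejecting anything that is not already an absolute http(s) URL with a host
// is clearer: a local path or other scheme is never silently "repaired".
function validate_avatar_url(string $avatar): ?string
{
    $parts = parse_url($avatar);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $avatar;
}

// Demo on constructed inputs: a throwaway help directory holding one page.
function demo(): array
{
    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'x7help_' . bin2hex(random_bytes(4));
    mkdir($dir);
    file_put_contents($dir . DIRECTORY_SEPARATOR . 'faq.html', '<p>constructed help page</p>');

    $help = [];
    foreach (['faq.html', '../index.php', '..\\config.php', "faq.html\0.txt", 'missing.html'] as $name) {
        $label = str_replace("\0", '\0', $name);
        $help[$label] = resolve_help_file($dir, $name) !== null ? 'served' : 'rejected';
    }
    $avatars = [];
    foreach (['http://example.com/me.png', 'https://example.com/me.png',
              'example.com/me.png', './avatars/me.jpg', 'ftp://example.com/me.png'] as $url) {
        $avatars[$url] = validate_avatar_url($url) !== null ? 'accepted' : 'rejected';
    }

    unlink($dir . DIRECTORY_SEPARATOR . 'faq.html');
    rmdir($dir);
    return ['help_file' => $help, 'avatar' => $avatars];
}

print_r(demo());
```

Run with `php example.php`: only faq.html is served, and only the two http(s) avatar URLs are accepted. The containment check on the canonical path is the part the advisory's slash filter lacks; keeping both checks means a request is refused before realpath() is ever asked to resolve it.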