<=1.4.3, 1.5 beta 1 Multiple Vulnerabilities


Mr. Knightmare
03-04-2006, 08:48 AM
Sorry for not contacting you before, or not even in a non-public way, but I haven't found any e-mail for this. So here it goes:

Multiple High Risk Vulnerabilities on Pixel Post v1.4.3 and 1.5 beta1 and probably lower versions too.

Advisory:

http://www.neosecurityteam.net/index.php?action=advisories&id=19

Please feel free to contact me at: mr.knightmarex [at] gmail [dot] com

Regards,
Mr. Knightmare

se.nsuo.us
03-06-2006, 05:24 AM
If I were a dev I would be a bit cross at not being contacted before public disclosure - I am sure you are aware of the code of ethics about sec flaws - give the vendor enough time to release a patch before disclosure!!

I find the excuse "haven't found any e-mail" a bit lame....

Anyway - don't bother too much about my comments - I just hang here when I have time to waste ;)

GeoS
03-06-2006, 08:05 AM
We (the dev team) have contacted Mr. Knightmare.

Some of this info isn't really sec holes, and some of them are not present in 1.5 BETA1, which we have suggested installing since the time it went public.
1.5 RC1 will be patched completely for all known holes.

PS: The email address is in the code of /index.php, so it's a poor story that there was no info about how to contact us.

se.nsuo.us
03-06-2006, 09:04 AM
I know you must have done it already - just to be sure search every file for lines like

$var = $_GET['var'];
$var = $_POST['var'];
$var = $_COOKIE['var'];

and put validating functions around the super-globals or cast the super-global into an expected type...

Mr. Knightmare
03-07-2006, 07:12 PM
Sure! I did it on purpose! Is that what you wanna hear?

If I had wanted to do you harm, I would have had much better ways of doing it.

It's ok, I recognize it wasn't too good to publish it, but I really didn't see the email in the src code (Too much beer! Or too much time without sleeping), so that was the only way I could figure out to contact you.

If you wanna protect from XSS, there is a good built-in PHP function that protects from this kind of attack:

www.php.net/htmlspecialchars

And if you wanna allow certain tags, I don't recommend doing it with strip_tags($var, '<allowed tags>') as it doesn't check the validity of those allowed tags, and I can also inject code in those tags.

So, probably the best would be to apply htmlspecialchars() and then search for exact <b> and such tags, and replace them with valid ones to print them. But be aware also of tags not being closed and so on; they wouldn't be a security issue, but they can disfigure the layout.

You can protect from SQL Injections by using the addslashes() or mysql_real_escape_string() functions.

But you should check whether the server doesn't already do it automatically, by checking with the magic_quotes_gpc() function.

And I would also limit the filetypes that can be uploaded from admin area.

You probably know all this, but well...

Regards,
Mr. Knightmare
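The four pieces of advice in the post above (escape at output time, don't trust strip_tags() with an allow-list, escape SQL exactly once after checking magic quotes, restrict upload extensions) in working PHP. This is an added example, not code from Pixelpost or from the poster; the function names html_out, html_allow_bold, sql_quote and upload_allowed, the sample comment strings and the MySQL credentials are my own. It assumes a PHP 5-era server with the mysql extension: the function the post calls magic_quotes_gpc() is really get_magic_quotes_gpc(), and both it and the mysql_* functions are gone from current PHP, where prepared statements replace escaping altogether.

```php
<?php
// Added example (not Pixelpost code). Function names are my own choices.

// 1. XSS: escape untrusted data at the point where it is printed into HTML,
//    never "once on the way in", so the stored value stays intact.
function html_out($value)
{
    return htmlspecialchars($value, ENT_QUOTES);
}

// 2. Why strip_tags($var, '<b>') is not enough: an allowed tag keeps all of
//    its attributes, so an event handler inside <b ...> survives untouched.
function strip_tags_keeps_attributes($value)
{
    return strip_tags($value, '<b>');
}

// 3. Allow-list approach from the post: escape everything, then turn only the
//    exact strings <b> and </b> back into real tags. A <b> that carries
//    attributes does not match the exact form, so it stays escaped (the
//    stray </b> it leaves behind is ignored by browsers). An unclosed <b>
//    is closed so a truncated comment cannot bold the rest of the page.
function html_allow_bold($value)
{
    $safe = htmlspecialchars($value, ENT_QUOTES);
    $safe = str_replace(array('&lt;b&gt;', '&lt;/b&gt;'), array('<b>', '</b>'), $safe);
    $open  = substr_count($safe, '<b>');
    $close = substr_count($safe, '</b>');
    if ($open > $close) {
        $safe .= str_repeat('</b>', $open - $close);
    }
    return $safe;
}

// 4. SQL: undo magic_quotes_gpc if the server applied it, then escape exactly
//    once for the live connection. Escaping twice corrupts stored data;
//    escaping zero times lets the quote through.
function sql_quote($value, $link)
{
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return "'" . mysql_real_escape_string($value, $link) . "'";
}

// 5. Uploads: accept only the image extensions the gallery serves, decided
//    from the file name on the server side, not from the MIME type the
//    browser claims.
function upload_allowed($filename)
{
    $allowed = array('jpg', 'jpeg', 'gif', 'png');
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return in_array($ext, $allowed, true);
}

// Constructed sample inputs (not real requests):
$attack    = '<b onmouseover="alert(1)">hi</b><script>alert(2)</script>';
$truncated = 'some <b>bold text';

echo strip_tags_keeps_attributes($attack), "\n";  // the onmouseover handler survives
echo html_allow_bold($attack), "\n";              // both tags stay inert
echo html_allow_bold($truncated), "\n";           // gets its closing </b>
echo html_out($attack), "\n";                     // everything inert

var_dump(upload_allowed('photo.jpg'));   // true
var_dump(upload_allowed('shell.php'));   // false
var_dump(upload_allowed('shell.php.jpg')); // true by extension alone: keep the
                                           // web server from executing uploads too

// Assumed credentials and table name, for illustration only.
$link = mysql_connect('localhost', 'user', 'pass');
$id   = "1' OR '1'='1";
$sql  = "SELECT * FROM comments WHERE id = " . sql_quote($id, $link);
echo $sql, "\n";   // the quote inside $id is now backslash-escaped
```

The upload check is deliberately extension-only, as the post suggests; a practitioner would pair it with a server rule that never executes files from the upload directory, because a double extension or a server mapping quirk can still turn an "image" into a script.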

Cba
03-08-2006, 09:23 PM
Hello,

I changed the PHP to make it more secure.
I don't know if it is enough, but here is the code:

1) First create a file 'requesttool.php' into the directory include

2) Copy/Paste this function

<?php

// Escapes every top-level GET and POST value for HTML output.
// Note: this only handles scalar values; an array value (field[]=x)
// passed to htmlspecialchars() raises a warning and becomes null.
function secure()
{
$get_array_keys = array_keys($_GET);

// Bug fix: the original loop counted $post_array_keys (undefined here),
// so the GET loop never ran and $_GET was left untouched.
for ($g = 0; $g < count($get_array_keys); $g++)
{
$_GET[$get_array_keys[$g]] = htmlspecialchars($_GET[$get_array_keys[$g]], ENT_QUOTES);
}

$post_array_keys = array_keys($_POST);

for ($g = 0; $g < count($post_array_keys); $g++)
{
$_POST[$post_array_keys[$g]] = htmlspecialchars($_POST[$post_array_keys[$g]], ENT_QUOTES);
}

}

?>

3) Edit index.php at the root and after this include :

// includes
require("includes/pixelpost.php");
require("includes/markdown.php");
require("includes/functions.php");
require("includes/exifer1_5/exif.php");

Write this :
require("includes/requesttool.php"); // same file name as created in step 1

secure();


Do you think this is right or not?

Mr. Knightmare
03-08-2006, 10:01 PM
I don't think it's a good idea.

First of all, you are still vulnerable to SQL Injection attacks.

That script doesn't secure arrays sent by post or get data. And also it doesn't secure incoming data from cookies or server variables like USER_AGENT.

And there are also times when you don't want to apply htmlspecialchars() because you don't need it, or you need the data just as it is. You should apply htmlspecialchars() every time you need to print data that comes from the user.

The function would be good to implement, but with addslashes() and applying it to arrays also.

Regards,
Mr. Knightmare
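The secure() function from the previous post reworked along the lines of the reply above: it walks nested arrays instead of skipping them, covers cookies, escapes for SQL only (addslashes() after undoing magic quotes, as the reply suggests), and leaves HTML escaping to the moment of output. This is an added example, not Pixelpost code or the poster's; the names sql_escape_deep and secure_request and the sample request values are my own, and like the rest of the thread it assumes PHP 5-era behaviour (get_magic_quotes_gpc() no longer exists in current PHP, where bound parameters make blanket escaping unnecessary).

```php
<?php
// Added example (not Pixelpost code). Function names are my own choices.

// Recursively normalise quoting for SQL. Array values (tags[]=a&tags[]=b,
// option[name]=x) are walked instead of being handed to addslashes(), which
// would only warn and return null for an array.
function sql_escape_deep($value)
{
    if (is_array($value)) {
        return array_map('sql_escape_deep', $value); // keys are preserved
    }
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value); // undo the server's quoting first
    }
    return addslashes($value);
}

// Covers all three request sources that magic_quotes_gpc would cover.
function secure_request()
{
    $_GET    = sql_escape_deep($_GET);
    $_POST   = sql_escape_deep($_POST);
    $_COOKIE = sql_escape_deep($_COOKIE);
    // $_SERVER['HTTP_USER_AGENT'] and HTTP_REFERER are attacker-controlled
    // as well; escape them where they are written to the database rather
    // than here, because other code may need to compare them verbatim.
}

// Constructed sample request for a stand-alone run (not real traffic):
$_GET = array(
    'id'   => "1' OR '1'='1",
    'tags' => array('<b>a</b>', "o'neil"),
);
$_COOKIE = array('lang' => "en'; DROP TABLE x; --");

secure_request();

var_dump($_GET['id']);        // quote is now backslash-escaped
var_dump($_GET['tags']);      // nested values escaped too, keys intact
var_dump($_COOKIE['lang']);   // cookies covered as well

// Output side: the HTML step happens here, at print time, so the value can
// still be used unescaped elsewhere (RSS, e-mail, re-editing in a form).
echo htmlspecialchars($_GET['tags'][0], ENT_QUOTES), "\n"; // <b> shown literally
```

addslashes() is not aware of the connection's character set, so when a live MySQL link is available mysql_real_escape_string($value, $link) is the better choice for the leaf case; the recursion around it stays the same.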

Cba
03-09-2006, 07:53 AM
Hi,
Thanks Mr. Knightmare.

I am going to check on Google whether I can find a better way of doing that, and implement what you talked about.