Changed the definition of $headerfile from uniqid(time()) to tempnam("/tmp", "sno")
Also changed all instances of
This is to allow PHP to provide the temporary directory name for us, instead of hard coding it to /tmp
This is done with the tempnam function
I've set it up so that it by default tries /tmp as its temp directory but will use something else if it can't (for example in Windows). I've set it to prefix its temporary file with the letters sno (for snoopy)
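An added example (not Snoopy's own code) of the tempnam() pattern these commit messages describe: a name built with uniqid(time()) only encodes the clock, while tempnam() creates the file itself with owner-only permissions and falls back to the system temp directory when /tmp is unavailable. The helper name make_header_file and the sample header text are assumptions made for illustration.

```php
<?php
// Added example, not Snoopy's code. make_header_file() is a hypothetical helper.

/**
 * Create a private temporary file, preferring $preferredDir.
 * tempnam() creates the file itself with mode 0600, so another local user
 * cannot pre-create or symlink the name between naming and opening, which
 * is the risk with a guessable name such as uniqid(time()).
 */
function make_header_file(string $preferredDir = "/tmp", string $prefix = "sno"): string
{
    // @ hides the notice PHP 7.1+ raises when it falls back to the system
    // temp directory (for example on Windows, where /tmp does not exist).
    $path = @tempnam($preferredDir, $prefix);
    if ($path === false) {
        throw new RuntimeException("could not create temporary file");
    }
    return $path;
}

// Old-style name: the prefix is the current time, and the 13 characters
// uniqid() appends are 8 hex digits of seconds plus 5 of microseconds.
$old  = uniqid(time());
$secs = hexdec(substr($old, -13, 8));
printf("uniqid name %s decodes to %s\n", $old, gmdate("c", $secs));

// New-style name: chosen and created by tempnam().
$headerfile = make_header_file();
try {
    // Constructed sample data standing in for headers a fetch would dump.
    file_put_contents($headerfile, "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n");

    clearstatcache();
    printf("path:   %s\n", $headerfile);
    printf("prefix: %s\n", substr(basename($headerfile), 0, 3));
    printf("mode:   %04o\n", fileperms($headerfile) & 0777);
    printf("lines:  %d\n", count(file($headerfile)));
} finally {
    // tempnam() leaves the file on disk; the caller has to remove it.
    unlink($headerfile);
}
```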
…ction under the submit functions. When submitting (POST) if a redirect is encountered, it is assumed to also be a POST.
This fix allows for a redirect from a POST to lead to a page that should be pulled with a GET
… _expandlinks function.
I tried to decode which regex was causing this but was
unable to, so I just added an additional regex to remove the
trailing slash from the URI before the page is concatenated
onto the end of it.
My new regex is:
$match = preg_replace("|/$|","",$match);
This isn't elegant but it works. If anyone wants to
determine which of the 6 other regexes being run is causing
the double slashes, I'd be happy to fix it and take out my
additional line of code.
Meta redirect regex inaccurate
The original regex was expecting 1 or more whitespaces between the semicolon and the URL in the http refresh. This is not always the case.
The new line expects 0 or more whitespaces between the semicolon and the URL
Root relative links are treated as relative
Snoopy is treating root relative links as relative.
When a page at domain.com/foo/bar/page1.htm has a link
like /foo/bar/page2.htm then Snoopy returns the link to
page 2 as: domain.com/foo/bar/foo/bar/page2.htm instead
$URI = $this->lastredirectaddr;
into the fetchlinks, submitlinks and submitext functions to properly expandlinks after a redirect.
Also modified the documentation at the beginning of the file indicating which functions use expandlinks
…s in the https curl request weren't being checked for double quotes (the URI was, but not the headers).
Here's the description of the exploit from SEC.
SEC-CONSULT Security Advisory < 2005xxxx-0 >
title: Snoopy Remote Code Execution Vulnerability
program: Snoopy PHP Webclient
vulnerable version: 1.2 and earlier
by: D. Fabian / SEC-CONSULT / www.sec-consult.com
Snoopy is a PHP class that simulates a web browser. It automates the
task of retrieving web page content and posting forms, for example.
Snoopy is used by various RSS parsers, which are in turn used in a
whole bunch of applications like weblogs, content management systems,
and many more.
Whenever an SSL protected webpage is requested with one of the many
Snoopy API calls, it calls the function _httpsrequest which takes
the URL as argument. This function in turn calls the PHP-function
exec with unchecked user-input. Using a specially crafted URL, an
attacker can supply arbitrary commands that are executed on the web
server with privileges of the web user.
While the vulnerability can not be exploited using the Snoopy class
file itself, there may exist implementations which hand unchecked
URLs from users to snoopy.
proof of concept:
Consider the following code on a webserver: