
two loagic bugs in latest product #78

Closed
cL0und opened this issue Aug 7, 2017 · 7 comments

cL0und commented Aug 7, 2017

Hello Developers, I have found two logic bugs in your product, which may cause some problems.

I hope this helps you.
The first point:
at register.php line 53:

```php
if (!User::isSame($_POST['pass1'], $_POST['pass1']))
```

Here, you use the same password for testing.

The second point:
at register.php line 53:

```php
User::isExist($_POST['userid'])
```

Let's follow up this function.
User.class.php line 222:

```php
public static function isExist($user, $except='') { if ($except != '') { $id = Typo::cleanX(Typo::strip($except)); ......
```
Let's follow up Typo::strip.
Typo.class.php line 101:

```php
public static function strip($text, $tags = '', $invert = false)
{
    preg_match_all('/<(.+?)[\s]*\/?[\s]*>/si', trim($tags), $tags);
    $tags = array_unique($tags[1]);

    if (is_array($tags) and count($tags) > 0) {
        if ($invert == false) {
            /*return preg_replace('@<(?!(?:'. implode('|', $tags) .')\b)(\w+)\b.*?>.*?</\1>@si', '', $text); */
            $text = preg_replace('@<(?!(?:'.implode('|', $tags).')\b)(\w+)\b.*?>@si', '', $text);
            $text = preg_replace('@</(?!(?:'.implode('|', $tags).')\b)(\w+)\b.*?>@si', '', $text);
        .......
```

We can see that the regular expressions here strip out anything in angle brackets.
For example, if the username is `admin<script>`, then the function will return `admin`.
But in the end, the data is not checked for the same name before entering the database.
So it will cause a large problem: we can block any member's account if we know his username.
Why? Because in login.php line 6, `$c != 1`, because there are two users called admin.

That's what I want to say. If I haven't made it clear, please contact me.

Register the same user, named "root":
pic

We can see there are two identical users, except for the group:
pic2

Admin "root" cannot log in!!!
pic3
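To make the two points above concrete, here is an added, self-contained PHP sketch that is not GeniXCMS code and does not reproduce its real User or Typo classes. It reconstructs the flow the report describes (point 1: the confirmation check compares `pass1` with itself; point 2: the duplicate check runs on the raw username while a stripped username is what gets stored) next to a corrected flow, using an in-memory array as a stand-in for the users table. Function names such as `strip_tags_like`, `register_vulnerable`, `register_fixed` and `login`, and the constructed usernames and passwords, are all assumptions made for the example.

```php
<?php
// Added example (not GeniXCMS code). Models the check-then-sanitise ordering bug
// from point 2 and the pass1/pass1 comparison from point 1 against a corrected
// registration flow. The "database" is an in-memory array; all data is constructed.
declare(strict_types=1);

/** Stand-in for Typo::strip: drops <tag ...> and </tag>, keeps the text between. */
function strip_tags_like(string $text): string
{
    $text = preg_replace('@<(\w+)\b.*?>@si', '', $text);
    return preg_replace('@</(\w+)\b.*?>@si', '', $text);
}

/** Counts rows with this userid, the way login.php counts before requiring $c == 1. */
function count_users(array $db, string $userid): int
{
    $c = 0;
    foreach ($db as $row) {
        if ($row['userid'] === $userid) {
            $c++;
        }
    }
    return $c;
}

/** Vulnerable flow: existence check on the raw input, tags stripped only afterwards. */
function register_vulnerable(array &$db, string $userid, string $pass1, string $pass2): bool
{
    if ($pass1 !== $pass1) {                 // point 1: field compared with itself, never fails
        return false;
    }
    if (count_users($db, $userid) > 0) {     // point 2: looks for "root<script>", not "root"
        return false;
    }
    $db[] = ['userid' => strip_tags_like($userid),   // stored value collapses to "root"
             'hash'   => password_hash($pass1, PASSWORD_DEFAULT)];
    return true;
}

/** Corrected flow: compare the confirmation field, normalise first, then check uniqueness. */
function register_fixed(array &$db, string $userid, string $pass1, string $pass2): bool
{
    if ($pass1 !== $pass2) {                 // point 1 fixed: pass1 against pass2
        return false;
    }
    $clean = strip_tags_like($userid);
    if ($clean === '' || $clean !== $userid) {   // reject input that sanitisation would alter
        return false;
    }
    if (count_users($db, $clean) > 0) {      // point 2 fixed: uniqueness checked on stored value
        return false;
    }
    // A UNIQUE constraint on the userid column would back this check up at the database.
    $db[] = ['userid' => $clean, 'hash' => password_hash($pass1, PASSWORD_DEFAULT)];
    return true;
}

/** Login as the report describes for login.php: exactly one matching row, then verify. */
function login(array $db, string $userid, string $pass): bool
{
    if (count_users($db, $userid) != 1) {
        return false;                        // two "root" rows: the real admin is locked out
    }
    foreach ($db as $row) {
        if ($row['userid'] === $userid) {
            return password_verify($pass, $row['hash']);
        }
    }
    return false;
}

// Demonstration on a constructed users table.
$db = [];
register_vulnerable($db, 'root', 'correct horse', 'correct horse');
var_dump(login($db, 'root', 'correct horse'));                       // admin can log in
register_vulnerable($db, 'root<script>', 'whatever', 'mismatch');    // accepted despite mismatch
var_dump(login($db, 'root', 'correct horse'));                       // second "root" row blocks login

$db2 = [];
register_fixed($db2, 'root', 'correct horse', 'correct horse');
var_dump(register_fixed($db2, 'root<script>', 'whatever', 'whatever'));  // rejected: altered by strip
var_dump(register_fixed($db2, 'root', 'x', 'x'));                        // rejected: duplicate
var_dump(login($db2, 'root', 'correct horse'));                          // admin still logs in
```

Run with `php example.php`: the first table ends up with two `root` rows, so the legitimate admin's login fails exactly as the screenshots describe, while the corrected flow refuses both the tag-bearing name and the plain duplicate. The design choice of rejecting any username that sanitisation would change (rather than silently storing the stripped form) is what keeps the value checked for uniqueness identical to the value written to the table.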

@semplon
Owner

semplon commented Aug 26, 2017

Thank you for bringing up this issue. I will do the fix in the next update.

Sorry for the late reply, my laptop was stolen and all of my data was lost.

once again, thank you.

@semplon
Owner

semplon commented Sep 4, 2017

I've already checked the script. Point 1 is not a bug; it is just to check whether the inputted passwords are the same or not.

And for the second point, I got this as an issue and will commit the fix.

For a CVE, please request a CVE ID at https://cve.mitre.org/cve/request_id.html

semplon pushed a commit that referenced this issue Sep 5, 2017
major update version 1.1.0
#72 bugfix
#76 bugfix
#78 bugfix
improving more securities and add more GneeX theme features
@semplon semplon closed this as completed Sep 5, 2017
@cL0und
Author

cL0und commented Sep 8, 2017 via email

@andre-checkmarx

> I've already checked the script. Point 1 is not a bug; it is just to check whether the inputted passwords are the same or not.

Good morning!
I think you have misread the code. The following line uses the same POST argument twice:

```php
if (!User::isSame($_POST['pass1'], $_POST['pass1'])) {
```

So you're effectively doing `p1 == p1` instead of `p1 == p2`.

@semplon
Owner

semplon commented Jul 28, 2020

@andre-checkmarx Ah, you are right. I will take a look and fix it.
It's been so long without an update since I am trying to migrate to Bootstrap 4.

@andre-checkmarx

Awesome, glad I could help!
Also, do you have a way we can contact you privately, to discuss other vulnerabilities?

@semplon
Owner

semplon commented Jul 29, 2020

Yes, you can contact me on Telegram at @metalgenix.
