Serious security issue with Minify

Discussion in 'Security and Legal' started by djbaxter, Jul 26, 2013.

  1. djbaxter

    djbaxter Regular Member

    Posted by Alfa1 at http://www.vbulletin.org/forum/showthread.php?t=202843&goto=newpost

    Here is the message that has just been posted:
    ***************
    There is a serious security issue with minify: https://groups.google.com/forum/#!msg/minify/cpN-ncKPFZE/kwYVpLMkfDwJ

    OVERVIEW
    ========

    On some systems running Minify, an attacker may be able to reveal the contents of arbitrary files. You are strongly advised to follow the instructions below to manually patch your system, and upgrade to Minify 2.1.7 when possible.

    PATCH INSTRUCTIONS
    ------------------

    Open /min/index.php. A comment block begins on line 2.

    Insert a line break so that the comment begins on line 3.

    Copy and paste the following code onto line 2:

    if (isset($_GET['f'])) {
        // Strip null bytes from the requested file list before it reaches any filesystem call
        $_GET['f'] = str_replace("\x00", '', (string)$_GET['f']);
    }

    Save the file.


    DETAILS
    -------

    On some PHP systems, file system functions accept parameters containing null bytes ("\x00"), but do not handle them correctly. See: http://www.php.net/manual/en/security.filesystem.nullbytes.php

    An attacker may be able to use Minify to reveal the contents of any file PHP has access to within the document root, including sensitive configuration files.

    Thanks to Matt Mecham for reporting this vulnerability.


    MINIFY 2.1.7
    ------------

    You are strongly encouraged to upgrade to Minify 2.1.7, available at these URLs:

    * http://code.google.com/p/minify/downloads/detail?name=minify-2.1.7.zip
    * https://github.com/mrclay/minify/archive/2.1.7.zip

    For further support, email [email protected].
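As an added example (not Minify's own code and not part of the quoted advisory), a PHP resolver for the comma-separated `f` parameter that rejects null bytes outright instead of stripping them, and also confines every requested file to the document root and to the .js/.css extensions Minify serves; the function name and variable names are assumptions for illustration.

```php
<?php
// Added example, not Minify's own code: a hardened resolver for the
// comma-separated "f" parameter. validateMinifyFiles and $docRoot are
// names assumed for illustration.
declare(strict_types=1);
// Returns resolved absolute paths, or throws on any invalid entry.
function validateMinifyFiles(string $f, string $docRoot): array
{
    // A null byte has no legitimate place in a path: reject the request
    // instead of quietly stripping the byte as the hotfix does.
    if (strpos($f, "\0") !== false) {
        throw new InvalidArgumentException('null byte in file list');
    }
    $realRoot = realpath($docRoot);
    if ($realRoot === false) {
        throw new RuntimeException('document root does not exist');
    }
    $resolved = [];
    foreach (explode(',', $f) as $entry) {
        // Relative path of safe characters, no "..", ending in .js or .css.
        if (strpos($entry, '..') !== false
            || !preg_match('#^[A-Za-z0-9_./-]+\.(js|css)$#', $entry)) {
            throw new InvalidArgumentException("bad entry: $entry");
        }
        // realpath() canonicalises symlinks and "." segments; the file must
        // exist and still sit inside the document root afterwards.
        $real = realpath($realRoot . DIRECTORY_SEPARATOR . $entry);
        if ($real === false || strpos($real, $realRoot . DIRECTORY_SEPARATOR) !== 0) {
            throw new InvalidArgumentException("outside document root: $entry");
        }
        $resolved[] = $real;
    }
    return $resolved;
}

// Demo on constructed inputs against a temporary document root.
$root = sys_get_temp_dir() . '/minify_demo_' . getmypid();
mkdir("$root/js", 0700, true);
file_put_contents("$root/js/app.js", "console.log('hi');");
foreach (['js/app.js', "js/app.js\0.css", '../config.php', 'js/app.php'] as $input) {
    try {
        validateMinifyFiles($input, $root);
        echo 'accepted: ' . addcslashes($input, "\0") . "\n";
    } catch (Exception $e) {
        echo 'rejected: ' . addcslashes($input, "\0") . ' (' . $e->getMessage() . ")\n";
    }
}
unlink("$root/js/app.js"); rmdir("$root/js"); rmdir($root);
```

Rejecting rather than stripping keeps the request in your error logs, which is the signal a defender wants when someone is probing the `f` parameter.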
  2. pixelek

    pixelek Regular Member

    Will do an upgrade soon - hope not too late for an attacker....
    Thanks for the warning.
  3. Brandon

    Brandon Regular Member

    So vBulletin is taking security tips from IPB now?
  4. s.molinari

    s.molinari Regular Member

    Why do you say that? This issue or the report has nothing to do with vBulletin directly.

    Scott
  5. Brandon

    Brandon Regular Member

    It was posted on vb.org, and it looks like it was reported by IPB.
  6. s.molinari

    s.molinari Regular Member

    Yeah, exactly. Since it was reported on vB.org, it has nothing to do with vBulletin directly.

    Scott
  7. Brandon

    Brandon Regular Member

    Um... other than it was reported on a vBulletin mod... but I guess you are correct.
  8. Mark.B

    Mark.B Regular Member

    Thread necromancy......
  9. djbaxter

    djbaxter Regular Member

    Well the OP was dated last July...