Author: 80vul-B
Team: http://www.80vul.com
I. Analysis
File include/common.inc.php:
$magic_quotes_gpc = get_magic_quotes_gpc();
@extract(daddslashes($_COOKIE));
@extract(daddslashes($_POST));
@extract(daddslashes($_GET));
// Variable overwrite: every request key becomes a global variable, so $_SERVER itself can be overwritten here
if(!$magic_quotes_gpc) {
    $_FILES = daddslashes($_FILES);
}
.....
if(getenv('HTTP_CLIENT_IP') && strcasecmp(getenv('HTTP_CLIENT_IP'), 'unknown')) {
    $onlineip = getenv('HTTP_CLIENT_IP');
} elseif(getenv('HTTP_X_FORWARDED_FOR') && strcasecmp(getenv('HTTP_X_FORWARDED_FOR'), 'unknown')) {
    $onlineip = getenv('HTTP_X_FORWARDED_FOR');
} elseif(getenv('REMOTE_ADDR') && strcasecmp(getenv('REMOTE_ADDR'), 'unknown')) {
    $onlineip = getenv('REMOTE_ADDR');
} elseif(isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], 'unknown')) {
    $onlineip = $_SERVER['REMOTE_ADDR'];
}
// Determine the client IP: getenv() is tried first, and only if that yields nothing is $_SERVER consulted.
preg_match("/[\d\.]{7,15}/", $onlineip, $onlineipmatches);
// Note that the third argument $onlineipmatches is not initialised before the call, and the return value of
// preg_match() is never checked. Under certain conditions the regular expression is therefore bypassed and
// an attacker-supplied $onlineipmatches is used. For the detailed analysis of preg_match() see [PCH-002]: http://www.80vul.com/pch/
$onlineip = $onlineipmatches[0] ? $onlineipmatches[0] : 'unknown';
unset($onlineipmatches);
Under IIS getenv() returns nothing for these variables, so execution falls through to the $_SERVER branch, and $_SERVER has just been overwritten through extract(). If $_SERVER['REMOTE_ADDR'] is submitted as an array (as in the PoC below), preg_match("/[\d\.]{7,15}/", $onlineip, $onlineipmatches) fails on its subject argument instead of matching: it returns without touching $onlineipmatches, so the $onlineipmatches[] we submitted in the request survives and becomes $onlineip.
II. Exploitation
POC:
// IIS environment
index.php?_SERVER[REMOTE_ADDR][]=1&onlineipmatches[]=80vul
III. Patch [fix]
As shown above, the vulnerability requires several conditions:
1. An IIS environment, so that getenv() yields nothing and the $_SERVER branch is reached.
2. The ability to overwrite the $_SERVER variable.
3. The preg_match() result variable is not initialised (and the return value is not checked).
A patch therefore has to remove condition 2 or condition 3. Discuz! 5.5.0 and later remove condition 2, overwriting $_SERVER, and so avoid this vulnerability:
foreach(array('_COOKIE', '_POST', '_GET') as $_request) {
    foreach($$_request as $_key => $_value) {
        $_key{0} != '_' && $$_key = daddslashes($_value);
    }
}
// $_key{0} != '_': keys whose first character is an underscore are never imported, so $_SERVER and the other superglobals can no longer be overwritten from the request :)
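The following is an added example, not Discuz! code, that ties the analysis, the PoC and the fix together in one runnable script. It emulates the $onlineip logic on the IIS path (getenv() yields nothing, so $_SERVER is used). Rather than reproducing the global extract() overwrite, it passes the attacker-controlled values in directly: the PoC's _SERVER[REMOTE_ADDR][]=1 makes the preg_match() subject an array, and onlineipmatches[]=80vul pre-seeds the result variable. The function names, the constructed request array and the 203.0.113.9 sample address are assumptions for the demonstration; daddslashes() is omitted from the import filter because it is not part of the point being shown.

```php
<?php
// Added example (not Discuz! code): the $onlineip resolution of
// include/common.inc.php as vulnerable and hardened functions, plus the
// 5.5-style import filter. Attacker-controlled values are passed in instead
// of being imported through extract(), so the script runs anywhere.

// Vulnerable: mirrors the original three lines. $onlineipmatches arrives
// pre-seeded (extract() imported it from the request) and the return value
// of preg_match() is never checked.
function vulnerable_onlineip($onlineip, $onlineipmatches) {
    try {
        // When REMOTE_ADDR was submitted as []=1 the subject is an array:
        // PHP 5/7 emit a warning and return NULL, PHP 8 throws TypeError.
        // In every case $onlineipmatches is left exactly as it came in.
        @preg_match("/[\d\.]{7,15}/", $onlineip, $onlineipmatches);
    } catch (TypeError $e) {
        // PHP 8 path: same outcome, $onlineipmatches untouched
    }
    return !empty($onlineipmatches[0]) ? $onlineipmatches[0] : 'unknown';
}

// Hardened: only the REMOTE_ADDR string set by the web server is used,
// the result variable is initialised, the return value is checked, and the
// loose [\d\.]{7,15} pattern is backed by a real IPv4 check.
function hardened_onlineip(array $server) {
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    if (!is_string($remote)) {
        return 'unknown';                      // an array here means tampering
    }
    $onlineipmatches = array();                // condition 3: initialise
    if (preg_match('/^[\d\.]{7,15}$/', $remote, $onlineipmatches) !== 1) {
        return 'unknown';                      // condition 3: check the result
    }
    // "1.2.3.4.5.6" satisfies the regex but is not an address
    return filter_var($onlineipmatches[0], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false
        ? $onlineipmatches[0] : 'unknown';
}

// The Discuz! 5.5 filter from section III as a function: keys beginning
// with '_' (including _SERVER) are never imported, which removes condition 2.
// (daddslashes() is left out here; it does not affect the filtering.)
function safe_import(array $request) {
    $vars = array();
    foreach ($request as $key => $value) {
        if (substr((string) $key, 0, 1) !== '_') {
            $vars[$key] = $value;
        }
    }
    return $vars;
}

// Constructed request equal to the PoC:
// index.php?_SERVER[REMOTE_ADDR][]=1&onlineipmatches[]=80vul
$get = array(
    '_SERVER'         => array('REMOTE_ADDR' => array('1')),
    'onlineipmatches' => array('80vul'),
);

// After an unfiltered extract(): $_SERVER['REMOTE_ADDR'] is an array and
// $onlineipmatches is pre-seeded, so preg_match() bails and the attacker's
// string becomes the "client IP".
echo vulnerable_onlineip($get['_SERVER']['REMOTE_ADDR'], $get['onlineipmatches']), "\n";
// With a genuine string address the same code is fine: preg_match() matches
// and rewrites $onlineipmatches, discarding the pre-seeded value.
echo vulnerable_onlineip('203.0.113.9', $get['onlineipmatches']), "\n";

// With the 5.5 filter the _SERVER key never reaches extract() ...
$imported = safe_import($get);
var_dump(array_key_exists('_SERVER', $imported));
// ... and the hardened resolver rejects tampered or malformed values anyway.
echo hardened_onlineip(array('REMOTE_ADDR' => array('1'))), "\n";
echo hardened_onlineip(array('REMOTE_ADDR' => '1.2.3.4.5.6')), "\n";
echo hardened_onlineip(array('REMOTE_ADDR' => '203.0.113.9')), "\n";
```

Run it with `php` on the command line: the first vulnerable call returns the attacker's string, the second the real address, the import filter drops the _SERVER key, and hardened_onlineip() returns 'unknown' for the array and the malformed dotted string while accepting the genuine address. Note that the Discuz! fix on this page only removes condition 2; the hardened function also removes condition 3 by initialising $onlineipmatches and checking the preg_match() return value, so it stays safe even if some other path hands it a pre-seeded result variable.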