
Security Advisory: LFI exploit in SourceBans 1.4.*


jsifuentes
New Member
Join Date: Dec 2014
12-02-2014, 19:09   Security Advisory: LFI exploit in SourceBans 1.4.*
#1

Hi everyone,

I recently discovered an LFI exploit in SourceBans 1.4.* in the Demos functionality. I reported this to GameConnect a few days ago, but haven't received much of an update.

Basically, the vulnerability allows for any authorized user of your SourceBans system to download any file on the server, within permissions of the web server, through the demos module.

I wrote up a walkthrough of the exploit as an attacker on my personal website here. I also provided a patch near the bottom.

If you don't... want to patch it, here's some advice:

I would highly suggest being careful with any SourceBans passwords. If any are compromised and have access to add or edit bans, they can exploit this fairly easily.

If you allow remote connections to your database, play it safe and whitelist only the IPs that should connect remotely. When I say they can download any files within permissions, that means config.php too.

Thanks.

Last edited by jsifuentes; 12-02-2014 at 19:10.
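
A containment check of the kind that stops a download handler from serving files outside its own directory, as an added example that is not part of the original post or of SourceBans. `resolve_demo_path()` and the directory layout are hypothetical, and the code assumes demos live in one directory on a POSIX host and are looked up by a stored file name.

```php
<?php
// Added example with hypothetical names; not SourceBans code.
// Assumption: demos sit in one directory and are looked up by a stored name.

/** Return the absolute path of a demo inside $demoDir, or null if unsafe. */
function resolve_demo_path(string $demoDir, string $storedName): ?string
{
    // Reject empty names, NUL bytes and anything containing a separator.
    if ($storedName === '' || strpos($storedName, "\0") !== false) {
        return null;
    }
    if ($storedName !== basename($storedName) || strpos($storedName, '\\') !== false) {
        return null;
    }
    $base = realpath($demoDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves ".." and symlinks; it fails for a missing file.
    $full = realpath($base . DIRECTORY_SEPARATOR . $storedName);
    if ($full === false || !is_file($full)) {
        return null;
    }
    // Containment check against the canonical demo directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

// Constructed demonstration in a throwaway directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'sb_example_' . bin2hex(random_bytes(4));
mkdir($root . '/demos', 0700, true);
file_put_contents($root . '/config.php', "<?php // constructed placeholder\n");
file_put_contents($root . '/demos/abc123.dem', 'constructed demo bytes');
symlink($root . '/config.php', $root . '/demos/link.dem'); // symlink pointing outside

$names = ['abc123.dem', '../config.php', $root . '/config.php', 'link.dem', '..'];
foreach ($names as $name) {
    $path = resolve_demo_path($root . '/demos', $name);
    printf("%-40s %s\n", $name, $path === null ? 'rejected' : 'served');
}
```

Applying the same check when the file name is first stored, and not only when it is served, keeps a bad value from reaching the database at all.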
Phaiz
AlliedModders Donor
Join Date: Feb 2014
Location: USA
12-02-2014, 21:08   Re: Security Advisory: LFI exploit in SourceBans 1.4.*
#2

Don't take this the wrong way, and not that I think AM is full of hackers, and not that I don't appreciate you finding an issue, but wouldn't this have been better left private so that the sb devs could release an update without making the issue largely public?
Sarabveer
Veteran Member
Join Date: Feb 2014
12-02-2014, 21:39   Re: Security Advisory: LFI exploit in SourceBans 1.4.*
#3

Quote:
Originally Posted by Phaiz View Post
Don't take this the wrong way, and not that I think AM is full of hackers, and not that I don't appreciate you finding an issue, but wouldn't this have been better left private so that the sb devs could release an update without making the issue largely public?
I agree, now the hackers can use it. Normally, they post the exploit after it has been fixed. I advise that you blank the first post for now, and people should use SSL on their SB. It sounds stupid, but there is a company called StartSSL which gives out free SSL certs, or use CloudFlare's Flexible Option, since I see SSL as the only way to bypass this issue!

See, I use SSL: https://www.v33r.cf

EDIT: I am releasing SourceBans 1.4.13 to the public with this fix!

Last edited by Sarabveer; 12-02-2014 at 21:52.
Sarabveer
Veteran Member
Join Date: Feb 2014
12-02-2014, 22:09   Re: Security Advisory: LFI exploit in SourceBans 1.4.*
#4

Quote:
Originally Posted by Sarabveer View Post
SourceBans 1.4.13 has been released.

Changes:
Quote:
(02/12/14): Version 1.4.13
-----------------------
01. ! Fixed LFI EXPLOIT //Thanks jsifuentes
02. ? Optimized and updated IpToCountry.csv
OK, your fix has been added to my fork!

Last edited by Sarabveer; 12-02-2014 at 22:10.
dotexe
Senior Member
Join Date: Aug 2013
12-02-2014, 22:33   Re: Security Advisory: LFI exploit in SourceBans 1.4.*
#5

Can you post the code that we have to replace? My line 1753 is "$reason,"
jsifuentes
New Member
Join Date: Dec 2014
12-02-2014, 22:36   Re: Security Advisory: LFI exploit in SourceBans 1.4.*
#6

Quote:
Originally Posted by dotexe View Post
Can you post the code that we have to replace? My line 1753 is "$reason,"
Try looking at 1758.

The code you need to replace is
Code:
	if($dname && $dfile)
asherkin
SourceMod Developer
Join Date: Aug 2009
Location: OnGameFrame()
12-02-2014, 22:46   Re: Security Advisory: LFI exploit in SourceBans 1.4.*
#7

Throwing responsible disclosure right out the top floor window I see.

EDIT: To all the people reporting this thread, and those thinking of doing so, it's absolutely pointless (and actually harmful) to remove this now.

Last edited by asherkin; 12-02-2014 at 22:50.
Sarabveer
Veteran Member
Join Date: Feb 2014
12-02-2014, 23:09   Re: Security Advisory: LFI exploit in SourceBans 1.4.*
#8

Quote:
Originally Posted by asherkin View Post
Throwing responsible disclosure right out the top floor window I see.

EDIT: To all the people reporting this thread, and those thinking of doing so, it's absolutely pointless (and actually harmful) to remove this now.
It would be pointless since I have already included the fix in my fork.
Sarabveer
Veteran Member
Join Date: Feb 2014
12-02-2014, 23:22   Re: Security Advisory: LFI exploit in SourceBans 1.4.*
#9

Hey, also, can you change "It affects SourceBans 1.4.*" to "It affects SourceBans 1.4-1.4.12"

EDIT: Thanks

Last edited by Sarabveer; 12-03-2014 at 14:32.
friagram
Veteran Member
Join Date: Sep 2012
Location: Silicon Valley
12-06-2014, 16:30   Re: Security Advisory: LFI exploit in SourceBans 1.4.*
#10



AFAIK there was no way to even disable demos, so I just did like
chmod
along with
ALTER TABLE `sourcebans`.`sb_demos`
ENGINE = BLACKHOLE ;

Also helps setting protests and to that engine.
__________________
Profile - Plugins
Add me on steam if you are seeking sp/map/model commissions.

Last edited by friagram; 12-06-2014 at 16:34.