Network Security Vuln-Dev

SMF fgets off-by-one issue and filter size evasion

Subject: SMF fgets off-by-one issue and filter size evasion
Date: 25 Oct 2006 19:47:31 -0000


Author: Jose Carlos Norte
Discovered by: Jose Carlos Norte
Risk: Medium
Type: DoS
Version: ALL

1. Introduction

Simple Machines Forum is a popular, scalable, free bulletin board system written
in PHP over a MySQL database. The URL of the project:

http://www.simplemachines.org/


2. The problem

SMF can allow users to have a remote avatar; this avatar is shown in the
topics where the user sends messages.

The problem is in the way SMF checks the remote avatar to test whether its size
is in a valid range.

From Sources/Subs.php (1578 to 1069):

function url_image_size($url)
{
        // Get the host to pester...
        preg_match('~^\w+://(.+?)/(.*)$~', $url, $match);

        // Can't figure it out, just try the image size.
        if ($url == '' || $url == 'http://' || $url == 'https://')
                return false;
        elseif (!isset($match[1]))
                return @getimagesize($url);

        // Try to connect to the server... give it one full second.
        // (The 1 second only bounds the connect; nothing bounds the later read.)
        $temp = 0;
        $fp = @fsockopen($match[1], 80, $temp, $temp, 1);

        // Successful?  Continue...
        if ($fp != false)
        {
                // Send the HEAD request.
                fwrite($fp, 'HEAD /' . $match[2] . ' HTTP/1.1' . "\r\n" . 'Connection: close' . "\r\n" . 'Host: ' . $match[1] . "\r\n\r\n");
                // Read in the HTTP/1.1 or whatever.
                // fgets($fp, 11) returns at most 10 bytes ("HTTP/1.1 2"), so the
                // last character is the first digit of the status code. This call
                // blocks for as long as the remote server stays silent.
                $test = substr(fgets($fp, 11), -1);
                fclose($fp);

                // See if it returned a 404/403 or something.
                // Any 1xx/2xx/3xx status sends the full URL to getimagesize().
                if ($test < 4)
                        return @getimagesize($url);
        }

        // Didn't work.
        return false;
}

A modified remote server can send false values in response to HEAD requests, and a
999999999999x9999999999 will bypass the filter.
Additionally, if the server does not send any response to HEAD requests, the PHP
script will block in fgets until PHP kills it
on time_limit; the result is that any topic where the malicious user sends a
message becomes unreadable for all users.

3. Solution

Change the function to:

function url_image_size($url)
{
        return false;
}

and don't try to check the size of remote images!

I was unable to contact the SMF developer team, again.
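The two failure modes described in section 2 (a server that lies in its response, and a server that never answers the HEAD request) can both be closed without giving up the size check. The function below is an added illustration for this advisory and is not SMF's code or the author's patch. Assumed names and values: safe_url_image_size(), read_ok(), the AVATAR_MAX_BYTES / AVATAR_MAX_DIM / AVATAR_TIMEOUT limits, PHP 5.4 or later for getimagesizefromstring(), and a caller that still compares the returned dimensions against its own allowed range, as the original filter does.

```php
<?php
// Added illustration for the advisory above; not SMF's code.
// Assumed names: safe_url_image_size(), read_ok(), AVATAR_MAX_*, AVATAR_TIMEOUT.
define('AVATAR_MAX_BYTES', 64 * 1024); // assumed cap on body bytes read
define('AVATAR_MAX_DIM', 4096);        // assumed cap on a sane declared width/height
define('AVATAR_TIMEOUT', 2);           // assumed connect and per-read timeout, seconds

// Returns array($width, $height) for a plausible remote image, false otherwise.
function safe_url_image_size($url)
{
        $parts = @parse_url($url);
        if ($parts === false || !isset($parts['scheme']) || !isset($parts['host']))
                return false;
        // fsockopen() to port 80 speaks plain HTTP only; any other scheme
        // (https, ftp, file, php, data) must never fall through to a
        // getimagesize($url) on an attacker-chosen URL.
        if (strtolower($parts['scheme']) !== 'http')
                return false;

        $host = $parts['host'];
        $port = isset($parts['port']) ? (int) $parts['port'] : 80;
        $path = (isset($parts['path']) && $parts['path'] !== '') ? $parts['path'] : '/';
        if (isset($parts['query']))
                $path .= '?' . $parts['query'];

        // The fsockopen() timeout only bounds the connect; stream_set_timeout()
        // bounds every later read, so a server that accepts and then stays
        // silent cannot park the script in fgets() until max_execution_time.
        $errno = 0; $errstr = '';
        $fp = @fsockopen($host, $port, $errno, $errstr, AVATAR_TIMEOUT);
        if ($fp === false)
                return false;
        stream_set_timeout($fp, AVATAR_TIMEOUT);

        // One bounded GET instead of HEAD + getimagesize($url). HTTP/1.0 means
        // no chunked encoding, and PHP never opens the URL on its own.
        fwrite($fp, 'GET ' . $path . ' HTTP/1.0' . "\r\n" . 'Host: ' . $host . "\r\n" . 'Connection: close' . "\r\n\r\n");

        // Parse the whole status line instead of trusting whatever single
        // character lands in position 10 of a fixed-width fgets().
        $status = fgets($fp, 256);
        if (!read_ok($fp, $status) || !preg_match('~^HTTP/1\.[01] (\d{3})~', $status, $m) || (int) $m[1] !== 200)
        {
                fclose($fp);
                return false;
        }

        // Skip response headers, with a cap on both count and line length.
        $headers_done = false;
        for ($i = 0; $i < 64; $i++)
        {
                $line = fgets($fp, 8192);
                if (!read_ok($fp, $line))
                        break;
                if ($line === "\r\n" || $line === "\n")
                {
                        $headers_done = true;
                        break;
                }
        }
        if (!$headers_done)
        {
                fclose($fp);
                return false;
        }

        // Read only a prefix of the body: image dimensions live in the first
        // bytes, so a multi-gigabyte "avatar" costs at most AVATAR_MAX_BYTES.
        $data = '';
        while (strlen($data) < AVATAR_MAX_BYTES)
        {
                $chunk = fread($fp, min(8192, AVATAR_MAX_BYTES - strlen($data)));
                if ($chunk === false || $chunk === '')
                        break;
                $data .= $chunk;
                $meta = stream_get_meta_data($fp);
                if ($meta['timed_out'])
                        break;
        }
        fclose($fp);

        // Parse the bytes we actually hold rather than anything the server claimed.
        $size = @getimagesizefromstring($data);
        if ($size === false)
                return false;
        list($width, $height) = $size;
        // Reject absurd declared dimensions (999999999999x9999999999) here,
        // before the caller's range check ever sees them.
        if ($width < 1 || $height < 1 || $width > AVATAR_MAX_DIM || $height > AVATAR_MAX_DIM)
                return false;
        return array($width, $height);
}

// True if fgets() returned a line and the read did not hit the stream timeout.
function read_ok($fp, $line)
{
        if ($line === false)
                return false;
        $meta = stream_get_meta_data($fp);
        return empty($meta['timed_out']);
}
```

Two caveats for anyone adapting this: getimagesizefromstring() on a 64 KiB prefix will reject a JPEG whose SOF marker sits behind a very large EXIF block (the function then simply returns false, which is the safe direction), and the host name is still resolved and connected to as given, so a deployment that must not reach internal addresses should also check the resolved IP against private ranges before calling fsockopen().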
