id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc
1518	Month of PHP Security - Serious Xinha Security Hole	guest	gogo	"Hello,

the following security vulnerability in Xinha will be disclosed ALREADY ON THIS TUESDAY as part of Month of PHP Security.

The problem is that the whole way Xinha passes configuration to the plugins is insecure and broken.

The following code is supposed to be secure but is not.
{{{
function xinha_read_passed_data()
{
if(isset($_REQUEST['backend_data']) && is_array($_REQUEST['backend_data']))
{
$bk = $_REQUEST['backend_data'];
session_name($bk['session_name']);
@session_start();
if(!isset($_SESSION[$bk['key_location']])) return NULL;
if($bk['hash']         ===
function_exists('sha1') ?
sha1($_SESSION[$bk['key_location']] . $bk['data'])
: md5($_SESSION[$bk['key_location']] . $bk['data']))
{
return unserialize(ini_get('magic_quotes_gpc') ? stripslashes($bk['data']) : $bk['data']);
}
}
	   
return NULL;
} 
}}}
All an attacker needs to submit his own configuration is.

{{{
backend_data = array(
""session_name"" => ""PHPSESSID"",
""key_location"" => ""some_session_key_from_the_main_app_that_we_know_like_eg_the_copy_of_user_agent_string_or_ip_of_user..."",
""data"" => serialize( ... A NEW CONFIGURATION ... ),
""hash"" => sha1(KNOWN_SESSION_DATA . $data)
);
}}}

And the same attack is possible against the ""old method"" stored in all the config.inc.php files of all the plugins.

Therefore an attacker can simply overwrite the configuration and upload any file to any writable directory on the webserver, or just include arbitrary files/URLs......

Example of a vulnerable application is the Serendipity WebLog.

Yours,
Stefan Esser"	defect	closed	normal	0.96	Xinha Core	trunk	blocker	fixed