Old Guy’s Scripts

Support Forums

Author Topic: Talkback 2.2.8 fixes the remote file exploit vulnerability  (Read 6628 times)
Old Guy
« on: December 24, 2007, 05:36:02 PM »

Here is the new version that fixes the remote file exploit: http://www.scripts.oldguy.us/talkback/talkback2.2.8.zip

If your talkback version is older than 2.2.8 go to the download page and download the latest version.

If you are using the Apache web server you should also add the following line to your .htaccess file if your php default for register_globals is "on".
Code:
php_flag register_globals off

I did not implement the fix that was in the post "Draft fix to TalkBack". Instead I added an "if (!is_file..." statement wherever an "include $variable_name" statement occurs in a script. See comments.php, line 93 for an example.

I also added a check in common-functions.php setupLanguage() so there is no need for a check when "include $language_file" follows a call to setupLanguage().

Files changed have a modified date of 12/24/07. If you wish you can double check my work by doing a find "include $" in all files. Every include $name statement should have an exploit check statement before it. Example:

Code:
if (!is_file($config['preview_panel_tpl'])) die('Unable to process the request (3)');
include $config['preview_panel_tpl'];

Exception: an "include $language_file" statement which follows a "$language_file = setupLanguage();" statement does not need to be checked for an exploit because it is done in setupLanguage().
« Last Edit: February 22, 2008, 10:31:10 AM by Old Guy »

Richard (aka Old Guy) - Portland, Oregon
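The pattern described in this post, shown as an added illustration that is not TalkBack's own code: the unguarded include beside the 2.2.8 is_file() guard, plus a stricter directory-bound variant that goes beyond the post's check. $config, $language_file and the "(3)" error tag mirror the post; the function names and the template and language directories are assumed.

```php
<?php
// Added example; not TalkBack's own code. Function names and directory
// layout are assumed for illustration.

// Before 2.2.8: with register_globals=on, a request parameter named "config"
// populates $config before this runs, so the include path is attacker-chosen.
function renderPreviewUnguarded(array $config) {
    include $config['preview_panel_tpl'];
}

// The 2.2.8 pattern. is_file() is false for http://, ftp:// and other remote
// wrappers and for missing paths, so remote file inclusion is blocked.
function renderPreviewGuarded(array $config) {
    if (!is_file($config['preview_panel_tpl'])) die('Unable to process the request (3)');
    include $config['preview_panel_tpl'];
}

// Stricter than the post's check (goes beyond the page): any existing local
// file passes is_file(), so also require the resolved path to sit under the
// expected template directory. Returns the canonical path or false.
function resolveTemplate($path, $tplDir) {
    $real = realpath($path);
    $base = realpath($tplDir);
    if ($real === false || $base === false || !is_file($real)) {
        return false;
    }
    // Compare with a trailing separator so "/tpl" does not match "/tpl-evil".
    return strpos($real, $base . DIRECTORY_SEPARATOR) === 0 ? $real : false;
}

// The setupLanguage() idea: validate once, return a safe path, and the
// "include $language_file" that follows needs no second check.
function setupLanguageSafe($lang, $langDir) {
    // Only a short lowercase code such as "en" or "pt-br" is accepted.
    if (!preg_match('/^[a-z]{2}(-[a-z]{2})?$/', $lang)) {
        $lang = 'en';
    }
    $file = resolveTemplate($langDir . '/' . $lang . '.php', $langDir);
    if ($file === false) die('Unable to process the request (language)');
    return $file;
}

// Usage with assumed names (works on PHP 5 as well):
// $lang = isset($_GET['lang']) ? $_GET['lang'] : 'en';
// $language_file = setupLanguageSafe($lang, dirname(__FILE__) . '/lang');
// include $language_file;
```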
knbrown
« Reply #1 on: December 24, 2007, 07:10:20 PM »

My host (Geocities) won't let me have a .htaccess file.  If I can't set register_globals to "off", will I still be vulnerable?
Old Guy
« Reply #2 on: December 24, 2007, 07:53:22 PM »

Quote
If I can't set register_globals to "off", will I still be vulnerable?

No. It's just extra insurance in case I missed an include or add one in the future and forget to also do the exploit check. If I did the fix correctly you'll be okay.

lthj75
« Reply #3 on: December 24, 2007, 09:19:29 PM »

Quote
No. It's just extra insurance in case I missed an include or add one in the future and forget to also do the exploit check. If I did the fix correctly you'll be okay.


Thanks for the great news. Question.....is there a way to implement the new version and still have the old comments from the original version? As you can tell I'm not technical....but I know the comments are stored in a DB - so I'm hoping it's seamless.

HAPPY HOLIDAYS and hope you're feeling better!
Old Guy
« Reply #4 on: December 24, 2007, 10:15:08 PM »

Quote
is there a way to implement the new version and still have the old comments from the original version?

http://www.scripts.oldguy.us/talkback/demo/doc/upgrade2.2.html

Zoe
« Reply #5 on: December 25, 2007, 04:58:36 AM »

I followed the instructions regarding 'Upload install/info.php to your web root directory. Browse to it (www.yoursite.com/info.php). Do a find on “register_globals”. If it does not say “Off” in the Local Values column, do the following. ' 

When I check, my register_globals says "ON".

I edited my htaccess. It now reads:

# -FrontPage-

php_flag register_globals off


AuthUserFile /home/mysite/public_html/blahblah/_vti_pvt/service.pwd
AuthGroupFile /home/mysite/public_html/blahblah/_vti_pvt/service.grp

<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>

AuthName blahblah
IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*

Is this OK?  Can I go ahead with the installation?

Zoe
« Last Edit: December 25, 2007, 05:01:57 AM by Zoe »
Zoe
« Reply #6 on: December 25, 2007, 05:16:36 AM »

Well, obviously that wasn't a good idea.

When I added the line php_flag register_globals off

I got a 500 Internal Server Error


lthj75
« Reply #7 on: December 25, 2007, 11:35:47 AM »

Quote
I followed the instructions regarding 'Upload install/info.php to your web root directory. Browse to it (www.yoursite.com/info.php). Do a find on “register_globals”.
Zoe - where did you see these instructions?  I used the link above that Old Guy posted and it worked fine....what process are you following?
lthj75
« Reply #8 on: December 25, 2007, 11:39:26 AM »


Thanks Old Guy - missed that! 
Old Guy
« Reply #9 on: December 25, 2007, 01:20:48 PM »

Zoe,

Strange...don't know why it didn't work. Maybe your host is configured to disallow php config changes via .htaccess?

Turning register_globals off is just extra insurance. So just go ahead and install 2.2.8.

Ian
« Reply #10 on: December 27, 2007, 01:05:17 PM »

Nevermind.. got it to work.
« Last Edit: December 27, 2007, 01:20:02 PM by Ian »
marianov
« Reply #11 on: January 24, 2008, 05:08:09 AM »

Hello,

I'm a webmaster from Italy and I have had Talkback installed on some of my customers' websites for 9 months. I have now updated all the sites to version 2.2.8 and have also added to .htaccess the line that sets register_globals to "off". This morning I found an e-mail from my hosting provider (Ixwebhosting) saying that the directory where Talkback is installed has been disabled because the scripts inside the file ...\comments-display-tpl.php are vulnerable to cross site scripting attacks. I have replied to this mail asking for more exact information about the problem, and I'm waiting for an answer, but the strange thing is that on the same hosting provider and on the same package (Linux Hosting) I have another website with the same Talkback 2.2.8 and they are saying nothing about this one. They said that I have to "rewrite" the file or cancel it, which means uninstalling Talkback. Meanwhile, while I'm waiting for the hosting provider to answer my request for more information on what the problem is for them, could you suggest something I can do to solve this problem if you already know the potential issue? Thank you in advance for your reply and your help. I'm really disappointed by this and I hope I don't have to uninstall Talkback from these sites.
Mariano Vitale
Rome, Italy 
P.S.: Sorry for my bad English
Old Guy
« Reply #12 on: January 24, 2008, 10:25:08 AM »

Your English is very good.

I need to know exactly what in the script makes it vulnerable to cross site scripting (XSS). So your provider must supply the details of why they think it is vulnerable.

FYI, if you want to know more about XSS see: http://en.wikipedia.org/wiki/Cross-site_scripting. And do a web search on: cross site scripting.
