Bugtraq: Re: Arbitrary code execution in eping plugin

[exon <exon () home se>]

oliver () codersquad de wrote:
> Hello,
>
> the problem is in function eping_validaddr() in functions.php where the host is checked if it is valid as the name 
> says...
> But the only check is to see if it is a valid ip adress for eping, here is the code:
>
> --------------8<-----------------------------------------8<-------------------------------------
> function eping_validaddr($eping_hosttocheck)
> {
> If 
> (ereg("(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)",
>  $eping_hosttocheck))
>    {
>        return true;
>    }
>    else
>    {
>        return false;
>    }
> --------------8<-----------------------------------------8<-------------------------------------
>
> I am sorry but I am a coder and my eyes are bleeding when looking at stuff like that so here is my suggestion for 
> replaceing the if-statement:
> if(preg_match("/^[0-9]{2,3}?\.[0-9]{1,3}?\.[0-9]{1,3}?\.[0-9]{1,3}?$/", $eping_hosttocheck))
Your suggestion would block 1.1.1.1 which is a valid IP, while letting 
through 999.999.999.999 which isn't. It's a bad regex for finding valid 
IP's.
Implementing an inet_aton()-like function would be several orders of 
magnitude faster than a preg_match() and several times more accurate.
> So only IP-Adresses are allowed and no kind of code injection is possible.
>
> And everyone who thinks 'will he ever stop writeing?' will be disappointed:
> The same vulnerability also exists in the eTrace modul from E107. It looks like the same Author of the ePing modul.
> The only difference is the you have to search for 'etrace' instead of 'eping' in the files
>
> Greetings from Germany
> Oliver