Serious security issue with Minify

Discussion in 'Security and Legal' started by djbaxter, Jul 26, 2013.

  1. djbaxter

    djbaxter Regular Member

    Posted by Alfa1 at http://www.vbulletin.org/forum/showthread.php?t=202843&goto=newpost

    Here is the message that has just been posted:
    ***************
    There is a serious security issue with minify: https://groups.google.com/forum/#!msg/minify/cpN-ncKPFZE/kwYVpLMkfDwJ

    OVERVIEW
    ========

    On some systems running Minify, an attacker may be able to reveal the contents of arbitrary files. You are strongly advised to follow the instructions below to manually patch your system, and upgrade to Minify 2.1.7 when possible.

    PATCH INSTRUCTIONS
    ------------------

    Open /min/index.php. A comment block begins on line 2.

    Insert a line break so that the comment begins on line 3.

    Copy and paste the following code onto line 2:

    if (isset($_GET['f'])) {
        // strip any null bytes from the "f" parameter before Minify passes it to file system functions
        $_GET['f'] = str_replace("\x00", '', (string)$_GET['f']);
    }

    Save the file.


    DETAILS
    -------

    On some PHP systems, file system functions accept parameters containing null bytes ("\x00"), but do not handle them correctly. See: http://www.php.net/manual/en/security.filesystem.nullbytes.php

    An attacker may be able to use Minify to reveal the contents of any file PHP has access to within the document root, including sensitive configuration files.

    Thanks to Matt Mecham for reporting this vulnerability.


    MINIFY 2.1.7
    ------------

    You are strongly encouraged to upgrade to Minify 2.1.7, available at these URLS:

    * http://code.google.com/p/minify/downloads/detail?name=minify-2.1.7.zip
    * https://github.com/mrclay/minify/archive/2.1.7.zip

    For further support, email [email protected].
     
    Big al, pixelek and Brandon like this.
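    An added example (not Minify's own code and not part of the advisory above) of a stricter gate for Minify's comma-separated "f" parameter: it refuses a request carrying a null byte outright instead of stripping it, and uses realpath() to keep every requested file inside an assumed base directory. The function name, the base-directory layout and the temporary files are constructed for this demonstration.

```php
<?php
// Added example, not Minify's code. Validates the "f" query parameter the
// way a defender would want: reject null bytes rather than silently strip
// them, and confine every resolved path to $baseDir (an assumed layout).

function minify_safe_file_list(string $f, string $baseDir): array
{
    // A null byte never belongs in a legitimate path; rejecting (and logging)
    // the request is safer than repairing it and serving the result.
    if (strpos($f, "\x00") !== false) {
        throw new InvalidArgumentException('null byte in f parameter');
    }

    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('base directory does not exist');
    }

    $allowed = [];
    foreach (explode(',', $f) as $rel) {
        $rel = trim($rel);
        // Only serve the file types Minify is meant to combine.
        if (!preg_match('/\.(js|css)$/i', $rel)) {
            throw new InvalidArgumentException("unsupported file type: $rel");
        }
        $path = realpath($base . DIRECTORY_SEPARATOR . $rel);
        // realpath() resolves "..", so a path that escapes $base is caught here
        // however it was spelled; a non-existent file resolves to false.
        if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
            throw new InvalidArgumentException("file outside base dir: $rel");
        }
        $allowed[] = $path;
    }
    return $allowed;
}

// Constructed demonstration inputs: a temporary directory with two assets.
$dir = sys_get_temp_dir() . '/minify_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/a.js", 'var a = 1;');
file_put_contents("$dir/b.css", 'body{}');

print_r(minify_safe_file_list('a.js,b.css', $dir));   // two absolute paths
foreach (["a.js\x00.txt", '../outside.js', 'a.js,b.txt'] as $bad) {
    try {
        minify_safe_file_list($bad, $dir);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

    The first call returns the two real files; each of the three bad inputs is rejected with a reason, which is also the point at which a deployment would log the request.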
  2. pixelek

    pixelek Regular Member

    Will do an upgrade soon - hope not too late for an attacker....
    Thanks for warning.
  3. Brandon

    Brandon Regular Member

    So vBulletin is taking security tips from IPB now?
  4. s.molinari

    s.molinari Regular Member

    Why do you say that? This issue or the report has nothing to do with vBulletin directly.

    Scott
  5. Brandon

    Brandon Regular Member

    It was posted on vb.org, and it looks like it was reported by IPB.
  6. s.molinari

    s.molinari Regular Member

    Yeah, exactly. Since it was reported on vB.org, it has nothing to do with vBulletin directly.

    Scott
  7. Brandon

    Brandon Regular Member

    Um.. other than it was reported on a vBulletin mod.. but I guess you are correct.
  8. Mark.B

    Mark.B Regular Member

    Thread necromancy......
  9. djbaxter

    djbaxter Regular Member

    Well the OP was dated last July...