Google Groups

Serious vulnerability in Minify


Steve Clay Jul 23, 2013 2:00 PM
Posted in group: Minify support
OVERVIEW
========

On some systems running Minify, an attacker may be able to reveal the contents of
arbitrary files. You are strongly advised to follow the instructions below to manually
patch your system, and upgrade to Minify 2.1.7 when possible.


AFFECTED VERSIONS
-----------------

All versions within 2.x are likely affected, and all can be patched via the instructions
below.


PATCH INSTRUCTIONS
------------------

Open /min/index.php. A comment block begins on line 2.

Insert a line break so that the comment begins on line 3.

Copy and paste the following code onto line 2:

     if (isset($_GET['f'])) {
         $_GET['f'] = str_replace("\x00", '', (string)$_GET['f']);
     }

Save the file.


DETAILS
-------

On some PHP systems, file system functions accept parameters containing null bytes
("\x00"), but do not handle them correctly. See:
http://www.php.net/manual/en/security.filesystem.nullbytes.php

An attacker may be able to use Minify to reveal the contents of any file PHP has access to
within the document root, including sensitive configuration files.

Thanks to Matt Mecham for reporting this vulnerability.


MINIFY 2.1.7
------------

You are strongly encouraged to upgrade to Minify 2.1.7, available at these URLS:

* http://code.google.com/p/minify/downloads/detail?name=minify-2.1.7.zip
* https://github.com/mrclay/minify/archive/2.1.7.zip

For further support, email min...@googlegroups.com.


Steve Clay
--
http://www.mrclay.org/