Security: Fix for LFI found by thongngo

Author: ajinabraham

APITester/views.py

@@ -48,7 +48,7 @@ def APIFuzzer(request):
     try:
         if request.method == 'GET':
             MD5=request.GET['md5']
-            m=re.match('[0-9a-f]{32}',MD5)
+            m=re.match('^[0-9a-f]{32}$',MD5)
             if m:
                 URLS = getListOfURLS(MD5,False)
                 if (len(URLS)) == 0:
@@ -71,7 +71,7 @@ def APIFuzzer(request):
                 return HttpResponseRedirect('/error/')
         elif request.method =="POST":
             MD5=request.POST['md5']
-            m=re.match('[0-9a-f]{32}',MD5)
+            m=re.match('^[0-9a-f]{32}$',MD5)
             if m:
                 SCOPE_URLS = [] #All DOMAINS that needs to be tested
                 SCOPE_TESTS = [] #All TESTS that needs to be executed
@@ -128,7 +128,7 @@ def StartScan(request):
     try:
         if request.method =="POST":
             MD5=request.POST['md5']
-            m=re.match('[0-9a-f]{32}',MD5)
+            m=re.match('^[0-9a-f]{32}$',MD5)
             if m:
                 #Scan Mode
                 SCAN_MODE=request.POST['scanmode']

DynamicAnalyzer/views.py

@@ -38,7 +38,7 @@ def DynamicAnalyzer(request):
             if re.findall(";|\$\(|\|\||&&",PKG) or re.findall(";|\$\(|\|\||&&",LNCH):
                 print "[ATTACK] Possible RCE"
                 return HttpResponseRedirect('/error/') 
-            m=re.match('[0-9a-f]{32}',MD5)
+            m=re.match('^[0-9a-f]{32}$',MD5)
             if m:
                 # Delete ScreenCast Cache
                 SCREEN_FILE=os.path.join(settings.SCREEN_DIR, 'screen.png')
@@ -82,7 +82,7 @@ def GetEnv(request):
             if re.findall(";|\$\(|\|\||&&",PKG) or re.findall(";|\$\(|\|\||&&",LNCH):
                 print "[ATTACK] Possible RCE"
                 return HttpResponseRedirect('/error/') 
-            m=re.match('[0-9a-f]{32}',MD5)
+            m=re.match('^[0-9a-f]{32}$',MD5)
             if m:
                 DIR=settings.BASE_DIR
                 APP_DIR=os.path.join(settings.UPLD_DIR, MD5+'/') #APP DIRECTORY
@@ -113,7 +113,7 @@ def TakeScreenShot(request):
     try:
         if request.method == 'POST':
             MD5=request.POST['md5']
-            m=re.match('[0-9a-f]{32}',MD5)
+            m=re.match('^[0-9a-f]{32}$',MD5)
             if m:
                 data = {}
                 r=random.randint(1, 1000000)
@@ -263,7 +263,7 @@ def FinalTest(request):
             if re.findall(";|\$\(|\|\||&&",PACKAGE):
                 print "[ATTACK] Possible RCE"
                 return HttpResponseRedirect('/error/') 
-            m=re.match('[0-9a-f]{32}',MD5)
+            m=re.match('^[0-9a-f]{32}$',MD5)
             if m:
                 #Stop ScreenCast Client if it is running
                 tcp_server_mode = "off"
@@ -307,7 +307,7 @@ def DumpData(request):
             data = {}
             PACKAGE=request.POST['pkg']
             MD5=request.POST['md5']
-            m=re.match('[0-9a-f]{32}',MD5)
+            m=re.match('^[0-9a-f]{32}$',MD5)
             if m:
                 if re.findall(";|\$\(|\|\||&&",PACKAGE):
                     print "[ATTACK] Possible RCE"
@@ -353,7 +353,7 @@ def ExportedActivityTester(request):
     try:
         MD5=request.POST['md5']
         PKG=request.POST['pkg']
-        m=re.match('[0-9a-f]{32}',MD5)
+        m=re.match('^[0-9a-f]{32}$',MD5)
         if m:
             if re.findall(";|\$\(|\|\||&&",PKG):
                 print "[ATTACK] Possible RCE"
@@ -410,7 +410,7 @@ def ActivityTester(request):
     try:
         MD5=request.POST['md5']
         PKG=request.POST['pkg']
-        m=re.match('[0-9a-f]{32}',MD5)
+        m=re.match('^[0-9a-f]{32}$',MD5)
         if m:
             if re.findall(";|\$\(|\|\||&&",PKG):
                 print "[ATTACK] Possible RCE"
@@ -473,7 +473,7 @@ def Report(request):
             if re.findall(";|\$\(|\|\||&&",PKG):
                 print "[ATTACK] Possible RCE"
                 return HttpResponseRedirect('/error/') 
-            m=re.match('[0-9a-f]{32}',MD5)
+            m=re.match('^[0-9a-f]{32}$',MD5)
             if m:
                 DIR=settings.BASE_DIR
                 APP_DIR=os.path.join(settings.UPLD_DIR, MD5+'/') #APP DIRECTORY
@@ -891,7 +891,7 @@ def View(request):
         fil=''
         rtyp=''
         dat=''
-        m=re.match('[0-9a-f]{32}',request.GET['md5'])
+        m=re.match('^[0-9a-f]{32}$',request.GET['md5'])
         if m:
             fil=request.GET['file']
             MD5=request.GET['md5']

MalwareAnalyzer/malwaredb/malwaredomainlist

@@ -3038,4 +3038,28 @@
 "2016/05/12_08:01","oceanviewfootmassage.com/js/BKTbCv.html","192.254.225.146","-","Compromised site, leads to Locky","Registrar Abuse Contact [email protected]","46606","0","US",
 "2016/05/12_08:36","www.airsonett.se","193.44.13.93","193-44-13-93.net.tnm.se.","pseudo darkleech on compromised site leads to Angler EK","-","3301","0","SE",
 "2016/05/12_09:49","chashmawala.com/mn3yhds","142.4.1.197","142-4-1-197.unifiedlayer.com.","Locky ransomware","-","46606","0","US",
-"2016/05/12_10:40","lojasrana.com:7080/ujh3jmd","186.202.183.138","pleskcl0243.hospedagemdesites.ws."
+"2016/05/12_10:40","lojasrana.com:7080/ujh3jmd","186.202.183.138","pleskcl0243.hospedagemdesites.ws.","Locky ransomware","-","27715","0","BR",
+"2016/05/12_10:40","scrubs.dresscool.co/zcv3hhs","107.180.25.1","ip-107-180-25-1.ip.secureserver.net.","Locky ransomware","[email protected]","26496","0","US",
+"2016/05/12_12:39","www.jobbainorge.nu/","195.74.38.95","cl-11.atm.binero.net.","pseudo darkleech on compromised site leads to Angler EK","-","41528","0","SE",
+"2016/05/12_12:39","microencapsulation.readmyweather.com/satire/pairing/58798892_pkfpfGESM","69.162.126.172","172-126-162-69.static.reverse.lstn.net.","Angler EK","Registrar Abuse Contact [email protected]","46475","0","US",
+"2016/05/12_14:22","www.autoappassionati.it/","109.233.126.14","cpanel01.infinitynet.it.","pseudo darkleech on compromised site leads to Angler EK","-","48815","0","IT",
+"2016/05/12_14:23","tannpastnevicher.themakershop.co.uk/mj/o/3557/","69.162.126.172","172-126-162-69.static.reverse.lstn.net.","Angler EK","Colyton Industrial Designs ltd / -","46475","0","US",
+"2016/05/13_13:23","www.imageprecision.com/","188.121.41.53","n1nw8shg125.shr.prod.ams1.secureserver.net.","pseudo darkleech on compromised site leads to Angler EK","-","26496","0","NL",
+"2016/05/13_13:23","arbeiderspartij.be-spry.co.uk/NTQBuUVxO/gXyyX/IobVvqD-pRXCfMd/","85.25.41.91","static-ip-85-25-41-91.inaddr.ip-pool.com.","Angler EK","H R Searle / -","8972","0","DE",
+"2016/05/15_15:23","meuble-ligansadaequabat.thepinkskip.co.uk/hoteliers/6719/66/01/511758321.html","188.165.167.255","-","Angler EK","Brian Barr / -","16276","0","FR",
+"2016/05/16_10:40","sign.cdrn70.xyz/hfziso4.html","93.190.140.154","-","gateway to Angler EK","-","49981","0","NL",
+"2016/05/16_11:15","inclination.cdrn70.xyz/brhsc4.html","93.190.140.219","s10.sheermail.com.","gateway to Angler EK","-","49981","0","NL",
+"2016/05/16_11:51","no-id.eu/987t5t7g","83.137.194.81","server6.hosting2go.nl.","trojan","NOT DISCLOSED! / -","34233","0","NL",
+"2016/05/16_11:55","press.centraljoias.com/brhsc4.html","93.190.140.219","s10.sheermail.com.","gateway to Angler EK","Registrant [email protected]","49981","0","NL",
+"2016/05/16_12:00","gutter.celebway.net/brhsc4.html","93.190.140.219","s10.sheermail.com.","gateway to Angler EK","Registrar Abuse Contact [email protected]","49981","0","NL",
+"2016/05/16_12:35","charge.cenzorate-expertize.ro/brhsc4.html","93.190.140.219","s10.sheermail.com.","gateway to Angler EK","-","49981","0","NL",
+"2016/05/16_12:40","excitable.charmedmultimedia.eu/brhsc4.html","93.190.140.219","s10.sheermail.com.","gateway to Angler EK","NOT DISCLOSED! / -","49981","0","NL",
+"2016/05/16_18:05","sunlite.com.au/j76jn5nbv","27.124.119.225","server-69-r12.ipv4.au.syrahost.com.","Locky ransomware","Wayne Hughes / Visit whois.ausregistry.com.au for Web based WhoIs","38719","0","AU",
+"2016/05/17_07:17","uwzorg.info/k76gf34g4g","89.105.197.30","mail.teurlings.biz.","Locky ransomware","MAM Teurlings / [email protected]","24875","0","NL",
+"2016/05/17_09:54","actinomorphous.excelwood.co.uk/euNsbCci/FAUk/Olvp/82749/SAitPlttYB-35817144-hgs.png","37.130.229.104","uk.server.","Angler EK","Decora Blind Systems / -","13213","0","GB",
+"2016/05/17_10:32","www.gptecno.it/","178.255.186.250","www010.avanzati.it.","pseudo darkleech on compromised site leads to Angler EK","-","42425","0","IT",
+"2016/05/17_10:32","armstrongcreekgeleedpotig.imber.me.uk/VDBGs/ftPRd/ZXyG-lBfzftj/","37.130.229.104","uk.server.","Angler EK","Nominet UK / -","13213","0","GB",
+"2016/05/17_13:34","passagegoldtravel.com/678y8h","23.229.182.198","ip-23-229-182-198.ip.secureserver.net.","Locky ransomware","-","26496","0","US",
+"2016/05/18_07:28","spreadware.com/09jhg54g","162.244.95.27","-","Locky ransomware","Registrar Abuse Contact [email protected]","53667","0","US",
+"2016/05/18_15:05","www.cafecalluna.nl/","193.239.186.142","sweb02.plinq.nl.","pseudo darkleech on compromised site leads to Angler EK","-","35224","0","NL",
+"2016/05/18_15:05","brunowtrahoque-miagola.unishadeverticalsystem.com/1331481-positivity-misdiagnosis-refrigerants-slim-twinkles-array.png","63.143.54.198","198-54-143-63.static.reverse.lstn.

StaticAnalyzer/views.py

@@ -34,7 +34,7 @@ def PDF(request):
     try:
         MD5=request.GET['md5']
         TYP=request.GET['type']
-        m=re.match('[0-9a-f]{32}',MD5)
+        m=re.match('^[0-9a-f]{32}$',MD5)
         if m:
             if (TYP=='APK' or TYP=='ANDZIP'):
                 DB=StaticAnalyzerAndroid.objects.filter(MD5=MD5)
@@ -159,7 +159,7 @@ def PDF(request):
         pass
 def Java(request):
     try:
-        m=re.match('[0-9a-f]{32}',request.GET['md5'])
+        m=re.match('^[0-9a-f]{32}$',request.GET['md5'])
         typ=request.GET['type']
         if m:
             MD5=request.GET['md5']
@@ -198,7 +198,7 @@ def Java(request):
         return HttpResponseRedirect('/error/')
 def Smali(request):
     try:
-        m=re.match('[0-9a-f]{32}',request.GET['md5'])
+        m=re.match('^[0-9a-f]{32}$',request.GET['md5'])
         if m:
             MD5=request.GET['md5']
             SRC=os.path.join(settings.UPLD_DIR, MD5+'/smali_source/')
@@ -224,7 +224,7 @@ def Smali(request):
         return HttpResponseRedirect('/error/')
 def Find(request):
     try:
-        m=re.match('[0-9a-f]{32}',request.POST['md5'])
+        m=re.match('^[0-9a-f]{32}$',request.POST['md5'])
         if m:
             MD5=request.POST['md5']
             q=request.POST['q']
@@ -265,7 +265,7 @@ def Find(request):
 def ViewSource(request):
     try:
         fil=''
-        m=re.match('[0-9a-f]{32}',request.GET['md5'])
+        m=re.match('^[0-9a-f]{32}$',request.GET['md5'])
         if m and (request.GET['file'].endswith('.java') or request.GET['file'].endswith('.smali')):
             fil=request.GET['file']
             MD5=request.GET['md5']
@@ -304,7 +304,7 @@ def ManifestView(request):
         MD5=request.GET['md5']  #MD5
         TYP=request.GET['type'] #APK or SOURCE
         BIN=request.GET['bin']
-        m=re.match('[0-9a-f]{32}',MD5)
+        m=re.match('^[0-9a-f]{32}$',MD5)
         if m and (TYP=='eclipse' or TYP=='studio' or TYP=='apk') and (BIN=='1' or BIN=='0'):
             APP_DIR=os.path.join(settings.UPLD_DIR, MD5+'/') #APP DIRECTORY
             TOOLS_DIR=os.path.join(DIR, 'StaticAnalyzer/tools/')  #TOOLS DIR
@@ -326,7 +326,7 @@ def StaticAnalyzer(request):
     try:
         #Input validation
         TYP=request.GET['type']
-        m=re.match('[0-9a-f]{32}',request.GET['checksum'])
+        m=re.match('^[0-9a-f]{32}$',request.GET['checksum'])
         if ((m) and (request.GET['name'].lower().endswith('.apk') or request.GET['name'].lower().endswith('.zip')) and ((TYP=='zip') or (TYP=='apk'))):
             DIR=settings.BASE_DIR        #BASE DIR
             APP_NAME=request.GET['name'] #APP ORGINAL NAME
@@ -1754,7 +1754,7 @@ def StaticAnalyzer_iOS(request):
         print "[INFO] iOS Static Analysis Started"
         TYP=request.GET['type']
         RESCAN= str(request.GET.get('rescan', 0))
-        m=re.match('[0-9a-f]{32}',request.GET['checksum'])
+        m=re.match('^[0-9a-f]{32}$',request.GET['checksum'])
         if ((m) and (request.GET['name'].lower().endswith('.ipa') or request.GET['name'].lower().endswith('.zip')) and ((TYP=='ipa') or (TYP=='ios'))):
             DIR=settings.BASE_DIR        #BASE DIR
             APP_NAME=request.GET['name'] #APP ORGINAL NAME
@@ -1963,7 +1963,7 @@ def ViewFile(request):
         typ=request.GET['type']
         MD5=request.GET['md5']
         mode=request.GET['mode']
-        m=re.match('[0-9a-f]{32}',MD5)
+        m=re.match('^[0-9a-f]{32}$',MD5)
         ext=fil.split('.')[-1]
         f=re.search("plist|db|sqlitedb|sqlite|txt|m",ext)
         if m and f and re.findall('xml|db|txt|m',typ) and re.findall('ios|ipa',mode):