4images Forum & Community
Welcome, Guest. Please login or register.
Did you miss your activation email?
November 20, 2018, 11:08:03 PM

Login with username, password and session length
Search:     Advanced search
4images is now on facebook. Click here and become a fan!
Togle to toolbar
Translate this page with =>
Translate this page >
* Home Help Search Login Register
 
+  4images Forum & Community
|-+  4images Help / Hilfe
| |-+  Bug Fixes & Patches
| | |-+  [1.7 / 1.7.1] Security fix in search.php and register.php
0 Members and 1 Guest are viewing this topic. « previous next »
Pages: [1] 2 3 4 » »» Print
Author Topic: [1.7 / 1.7.1] Security fix in search.php and register.php  (Read 147605 times)
V@no
If you don't tell me what to do, I won't tell you where you should go :)
Administrator
4images Guru
*****
Offline Offline

Posts: 17849

Thank You
-Given: 47
-Receive: 577

mmm PHP...


View Profile WWW
« on: December 27, 2005, 10:19:37 AM »

This is an important security fix.
Это очень важная заплатка для опасной дыры в скрипте

Step 1

In search.php any variables or other code that is located below copyright notice
В search.php всё что находится ниже копирайта (который заканьчиватся этой строкой):
1
*************************************************************************/
and above
и выше:
1
$main_template = 'search';


must be moved below
должно быть перенесено ниже:
1
include(ROOT_PATH.'global.php');

In default 4images, the block that must be moved is:
В свежей 4images кусок кода который должен быть перемещён выглядит так:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
if (isset($HTTP_POST_VARS['show_result']) || isset($HTTP_GET_VARS['show_result'])) {
  $show_result = 1;
}
else {
  $show_result = 0;
}

if (isset($HTTP_POST_VARS['search_keywords']) || isset($HTTP_GET_VARS['search_keywords'])) {
  $search_keywords = (isset($HTTP_POST_VARS['search_keywords'])) ? trim($HTTP_POST_VARS['search_keywords']) : urldecode(trim($HTTP_GET_VARS['search_keywords']));
  if ($search_keywords != "") {
    $show_result = 1;
  }
}
else {
  $search_keywords = "";
}
$org_search_keywords = $search_keywords;

if (isset($HTTP_POST_VARS['search_user']) || isset($HTTP_GET_VARS['search_user'])) {
  $search_user = (isset($HTTP_POST_VARS['search_user'])) ? trim($HTTP_POST_VARS['search_user']) : urldecode(trim($HTTP_GET_VARS['search_user']));
  if ($search_user != "") {
    $show_result = 1;
  }
}
else {
  $search_user = "";
}
$org_search_user = $search_user;

if (isset($HTTP_POST_VARS['search_terms'])) {
  $search_terms = (trim($HTTP_POST_VARS['search_terms']) == "all") ? 1 : 0;
}
else {
  $search_terms = 0;
}

if (isset($HTTP_POST_VARS['search_fields'])) {
  $search_fields = trim($HTTP_POST_VARS['search_fields']);
}
else {
  $search_fields = "all";
}

$search_cat = (isset($HTTP_POST_VARS['cat_id']) ) ? intval($HTTP_POST_VARS['cat_id']) : 0;

if (isset($HTTP_POST_VARS['search_new_images']) || isset($HTTP_GET_VARS['search_new_images'])) {
  $search_new_images = 1;
  $show_result = 1;
}
else {
  $search_new_images = 0;
}



Step 2

In register.php find:
В register.php найдите:
1
2
3
4
      if ($site_db->not_empty($sql)) {
        $msg .= (($msg != "") ? "<br />" : "").$lang['username_exists'];
        $error = 1;
      }

Insert below:
Добавьте ниже:
1
2
3
4
5
      elseif (preg_match("#[<>]#", $user_name))
      {
        $msg .= (($msg != "") ? "<br />" : "").$lang['username_bad_characters'];
        $error = 1;
      }


Then in lang/<your language>/main.php at the end, above closing ?> insert:
Затем в lang/<ваш языковой пакет>/main.php в самый конец файла, выше закрывающей ?> добавьте:
1
$lang['username_bad_characters'] = "Username contains not allowed character(s)";


Step 3

In global.php find:
В global.php найдите:
1
2
3
//-----------------------------------------------------
//--- Start DB ----------------------------------------
//-----------------------------------------------------

Insert above:
Добавьте выше:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
if (isset($HTTP_POST_VARS['show_result']) || isset($HTTP_GET_VARS['show_result'])) {
  $show_result = 1;
}
else {
  $show_result = 0;
}

if (isset($HTTP_POST_VARS['search_keywords']) || isset($HTTP_GET_VARS['search_keywords'])) {
  $search_keywords = (isset($HTTP_POST_VARS['search_keywords'])) ? trim($HTTP_POST_VARS['search_keywords']) : urldecode(trim($HTTP_GET_VARS['search_keywords']));
  if ($search_keywords != "") {
    $show_result = 1;
  }
}
else {
  $search_keywords = "";
}

if (isset($HTTP_POST_VARS['search_user']) || isset($HTTP_GET_VARS['search_user'])) {
  $search_user = (isset($HTTP_POST_VARS['search_user'])) ? trim($HTTP_POST_VARS['search_user']) : urldecode(trim($HTTP_GET_VARS['search_user']));
  if ($search_user != "") {
    $show_result = 1;
  }
}
else {
  $search_user = "";
}

if (isset($HTTP_POST_VARS['search_new_images']) || isset($HTTP_GET_VARS['search_new_images'])) {
  $search_new_images = 1;
  $show_result = 1;
}
else {
  $search_new_images = 0;
}

If you wish, you can remove this block of code from search.php to increase perfomance (very insignificaly).
Если вы хотите, то можете удалить такой-же блок кода из search.php, но это не обязательно.



In the attachment below you can find already modifyed default search.php, register.php and global.php
Вы можете загрузить исправленные search.php, register.php и global.php из приложеного архива.

* search_register_global_v1.7.1.zip (10.35 KB - downloaded 760 times.)
* search_register_global_v1.7.zip (10.15 KB - downloaded 725 times.)
« Last Edit: April 04, 2006, 01:41:53 AM by V@no » Logged

Your first three "must do" before you ask a question:
Please do not PM me asking for help unless you've been specifically asked to do so. Such PMs will be deleted without answer. (forum rule #6)
Extension for Firefox/Thunderbird: Master Password+    Back/Forward History Tweaks (restartless)    Cookies Manager+    Fit Images (restartless for Thunderbird)
piet
Pre-Newbie

Offline Offline

Posts: 3

Thank You
-Given: 0
-Receive: 0


View Profile
« Reply #1 on: December 27, 2005, 02:28:52 PM »

Thank you very much!
Logged
TheOracle
Hero Member
*****
Offline Offline

Posts: 875

Thank You
-Given: 0
-Receive: 3


View Profile
« Reply #2 on: December 27, 2005, 03:07:20 PM »

Actually, I don't get this ...

why would :

Quote  [Expand]

$main_template = 'search';


need to be moved below the global.php line ?

All 4images's PHP files (on the root path - even the index.php file) has the $main_template string on top of the GET_CACHES line ...
Logged
V@no
If you don't tell me what to do, I won't tell you where you should go :)
Administrator
4images Guru
*****
Offline Offline

Posts: 17849

Thank You
-Given: 47
-Receive: 577

mmm PHP...


View Profile WWW
« Reply #3 on: December 27, 2005, 03:14:42 PM »

That is why my earlier suggestion was "Re-read three times, reply ones" Wink

There is nothing says about moving that line...it says "the code above it"
Logged

Your first three "must do" before you ask a question:
Please do not PM me asking for help unless you've been specifically asked to do so. Such PMs will be deleted without answer. (forum rule #6)
Extension for Firefox/Thunderbird: Master Password+    Back/Forward History Tweaks (restartless)    Cookies Manager+    Fit Images (restartless for Thunderbird)
Eagle Eye
Full Member
***
Offline Offline

Posts: 191

Thank You
-Given: 2
-Receive: 0


View Profile
« Reply #4 on: December 27, 2005, 05:43:40 PM »

Thanks  Very Happy
Logged
ivan
4images Moderator
4images Guru
*****
Offline Offline

Posts: 2279

Thank You
-Given: 4
-Receive: 31


View Profile WWW
« Reply #5 on: December 27, 2005, 07:36:32 PM »

hallo zusammen,
leider ist es hier ein bisschen kompliziert geschrieben...

habe ich es richtig verstanden dass dies so kommt

vorher:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
<?php
/**************************************************************************
 *                                                                        *
 *    4images - A Web Based Image Gallery Management System               *
 *    ----------------------------------------------------------------    *
 *                                                                        *
 *             File: search.php                                           *
 *        Copyright: (C) 2002 Jan Sorgalla                                *
 *            Email: jan@4homepages.de                                    *
 *              Web: http://www.4homepages.de                             *
 *    Scriptversion: 1.7.1                                                *
 *                                                                        *
 *    Never released without support from: Nicky (http://www.nicky.net)   *
 *                                                                        *
 **************************************************************************
 *                                                                        *
 *    Dieses Script ist KEINE Freeware. Bitte lesen Sie die Lizenz-       *
 *    bedingungen (Lizenz.txt) für weitere Informationen.                 *
 *    ---------------------------------------------------------------     *
 *    This script is NOT freeware! Please read the Copyright Notice       *
 *    (Licence.txt) for further information.                              *
 *                                                                        *
 *************************************************************************/

if (isset($HTTP_POST_VARS['show_result']) || isset($HTTP_GET_VARS['show_result'])) {
  
$show_result 1;
}
else {
  
$show_result 0;
}

if (isset(
$HTTP_POST_VARS['search_keywords']) || isset($HTTP_GET_VARS['search_keywords'])) {
  
$search_keywords = (isset($HTTP_POST_VARS['search_keywords'])) ? trim($HTTP_POST_VARS['search_keywords']) : urldecode(trim($HTTP_GET_VARS['search_keywords']));
  if (
$search_keywords != "") {
    
$show_result 1;
  }
}
else {
  
$search_keywords "";
}
$org_search_keywords $search_keywords;

if (isset(
$HTTP_POST_VARS['search_user']) || isset($HTTP_GET_VARS['search_user'])) {
  
$search_user = (isset($HTTP_POST_VARS['search_user'])) ? trim($HTTP_POST_VARS['search_user']) : urldecode(trim($HTTP_GET_VARS['search_user']));
  if (
$search_user != "") {
    
$show_result 1;
  }
}
else {
  
$search_user "";
}
$org_search_user $search_user;

if (isset(
$HTTP_POST_VARS['search_terms'])) {
  
$search_terms = (trim($HTTP_POST_VARS['search_terms']) == "all") ? 0;
}
else {
  
$search_terms 0;
}

if (isset(
$HTTP_POST_VARS['search_fields'])) {
  
$search_fields trim($HTTP_POST_VARS['search_fields']);
}
else {
  
$search_fields "all";
}

$search_cat = (isset($HTTP_POST_VARS['cat_id']) ) ? intval($HTTP_POST_VARS['cat_id']) : 0;

if (isset(
$HTTP_POST_VARS['search_new_images']) || isset($HTTP_GET_VARS['search_new_images'])) {
  
$search_new_images 1;
  
$show_result 1;
}
else {
  
$search_new_images 0;
}

$main_template 'search';

define('GET_CACHES'1);
define('ROOT_PATH''./');
include(
ROOT_PATH.'global.php');
require(
ROOT_PATH.'includes/sessions.php');
$user_access get_permission();
include(
ROOT_PATH.'includes/search_utils.php');

nachher

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
<?php
/**************************************************************************
 *                                                                        *
 *    4images - A Web Based Image Gallery Management System               *
 *    ----------------------------------------------------------------    *
 *                                                                        *
 *             File: search.php                                           *
 *        Copyright: (C) 2002 Jan Sorgalla                                *
 *            Email: jan@4homepages.de                                    *
 *              Web: http://www.4homepages.de                             *
 *    Scriptversion: 1.7.1                                                *
 *                                                                        *
 *    Never released without support from: Nicky (http://www.nicky.net)   *
 *                                                                        *
 **************************************************************************
 *                                                                        *
 *    Dieses Script ist KEINE Freeware. Bitte lesen Sie die Lizenz-       *
 *    bedingungen (Lizenz.txt) für weitere Informationen.                 *
 *    ---------------------------------------------------------------     *
 *    This script is NOT freeware! Please read the Copyright Notice       *
 *    (Licence.txt) for further information.                              *
 *                                                                        *
 *************************************************************************/

$main_template 'search';

define('GET_CACHES'1);
define('ROOT_PATH''./');
include(
ROOT_PATH.'global.php');
require(
ROOT_PATH.'includes/sessions.php');
$user_access get_permission();
include(
ROOT_PATH.'includes/search_utils.php');

if (isset(
$HTTP_POST_VARS['show_result']) || isset($HTTP_GET_VARS['show_result'])) {
  
$show_result 1;
}
else {
  
$show_result 0;
}

if (isset(
$HTTP_POST_VARS['search_keywords']) || isset($HTTP_GET_VARS['search_keywords'])) {
  
$search_keywords = (isset($HTTP_POST_VARS['search_keywords'])) ? trim($HTTP_POST_VARS['search_keywords']) : urldecode(trim($HTTP_GET_VARS['search_keywords']));
  if (
$search_keywords != "") {
    
$show_result 1;
  }
}
else {
  
$search_keywords "";
}
$org_search_keywords $search_keywords;

if (isset(
$HTTP_POST_VARS['search_user']) || isset($HTTP_GET_VARS['search_user'])) {
  
$search_user = (isset($HTTP_POST_VARS['search_user'])) ? trim($HTTP_POST_VARS['search_user']) : urldecode(trim($HTTP_GET_VARS['search_user']));
  if (
$search_user != "") {
    
$show_result 1;
  }
}
else {
  
$search_user "";
}
$org_search_user $search_user;

if (isset(
$HTTP_POST_VARS['search_terms'])) {
  
$search_terms = (trim($HTTP_POST_VARS['search_terms']) == "all") ? 0;
}
else {
  
$search_terms 0;
}

if (isset(
$HTTP_POST_VARS['search_fields'])) {
  
$search_fields trim($HTTP_POST_VARS['search_fields']);
}
else {
  
$search_fields "all";
}

$search_cat = (isset($HTTP_POST_VARS['cat_id']) ) ? intval($HTTP_POST_VARS['cat_id']) : 0;

if (isset(
$HTTP_POST_VARS['search_new_images']) || isset($HTTP_GET_VARS['search_new_images'])) {
  
$search_new_images 1;
  
$show_result 1;
}
else {
  
$search_new_images 0;
}


hat jemand schon erfahrung mit der register.php, leider kann man danach immer noch mit #123 anmelden
gemäss vanos anweisungen müsste dies so klappen (bad_charactere)

Logged

greetings / grüsse
ivan

Facebook Fan Page | Follow Twitter

Blog: Reisen Blog
Bilder Gallery: Bilder Gallery
Acidgod
4images Moderator
4images Guru
*****
Offline Offline

Posts: 2420

Thank You
-Given: 0
-Receive: 2

It's me?


View Profile WWW
« Reply #6 on: December 27, 2005, 07:46:49 PM »

Also Du hast es richtig gemacht... Vielleicht hätte V@no es so schreiben sollen... (o:

move the code between

1
*************************************************************************/

and

1
$main_template = 'search';

below this Line:

1
include(ROOT_PATH.'global.php');
Logged

ivan
4images Moderator
4images Guru
*****
Offline Offline

Posts: 2279

Thank You
-Given: 4
-Receive: 31


View Profile WWW
« Reply #7 on: December 27, 2005, 07:51:05 PM »

gut, ich habe schon gesehen dass dieser teil mitten im script war, dann war dies
der fehler oder die lücke  Laughing

habe die register.php bearbeitet aber so wie er schreibt sollte man danach z.b
#ivan nicht mehr nehmen können.

leider funktioniert dies bei mir nicht
wieso?

Logged

greetings / grüsse
ivan

Facebook Fan Page | Follow Twitter

Blog: Reisen Blog
Bilder Gallery: Bilder Gallery
torment
Pre-Newbie

Offline Offline

Posts: 5

Thank You
-Given: 0
-Receive: 0


View Profile
« Reply #8 on: December 28, 2005, 09:26:34 AM »

das selbe problem habe ich auch...

nach diesem fix konnte man nicht als #username# registieren konnen. aber das funktioniert bei mir auch nicht.
Logged
ivan
4images Moderator
4images Guru
*****
Offline Offline

Posts: 2279

Thank You
-Given: 4
-Receive: 31


View Profile WWW
« Reply #9 on: December 28, 2005, 11:02:17 AM »

hello vano,

Unfortunately, he functions did not step 2 with register.php (username special characters)
apparently with other user also not. use 4images 1.7.1

I can still provide following user:

#ivan
Logged

greetings / grüsse
ivan

Facebook Fan Page | Follow Twitter

Blog: Reisen Blog
Bilder Gallery: Bilder Gallery
V@no
If you don't tell me what to do, I won't tell you where you should go :)
Administrator
4images Guru
*****
Offline Offline

Posts: 17849

Thank You
-Given: 47
-Receive: 577

mmm PHP...


View Profile WWW
« Reply #10 on: December 28, 2005, 02:47:47 PM »

mmm...it was not ment restrict all "special" characters, but only < and >
Logged

Your first three "must do" before you ask a question:
Please do not PM me asking for help unless you've been specifically asked to do so. Such PMs will be deleted without answer. (forum rule #6)
Extension for Firefox/Thunderbird: Master Password+    Back/Forward History Tweaks (restartless)    Cookies Manager+    Fit Images (restartless for Thunderbird)
ivan
4images Moderator
4images Guru
*****
Offline Offline

Posts: 2279

Thank You
-Given: 4
-Receive: 31


View Profile WWW
« Reply #11 on: December 28, 2005, 02:56:59 PM »

hello vano,


elseif (preg_match("#[<>]#", $user_name))

that is not the special characters (bold)??



Logged

greetings / grüsse
ivan

Facebook Fan Page | Follow Twitter

Blog: Reisen Blog
Bilder Gallery: Bilder Gallery
V@no
If you don't tell me what to do, I won't tell you where you should go :)
Administrator
4images Guru
*****
Offline Offline

Posts: 17849

Thank You
-Given: 47
-Receive: 577

mmm PHP...


View Profile WWW
« Reply #12 on: December 28, 2005, 03:05:04 PM »

no, it calls "Regular expression" (aka REGEX) http://php.net/manual/function.preg-match.php
The pattern search only < and > in the name, nothing else.
Logged

Your first three "must do" before you ask a question:
Please do not PM me asking for help unless you've been specifically asked to do so. Such PMs will be deleted without answer. (forum rule #6)
Extension for Firefox/Thunderbird: Master Password+    Back/Forward History Tweaks (restartless)    Cookies Manager+    Fit Images (restartless for Thunderbird)
ivan
4images Moderator
4images Guru
*****
Offline Offline

Posts: 2279

Thank You
-Given: 4
-Receive: 31


View Profile WWW
« Reply #13 on: December 28, 2005, 03:09:50 PM »

okay vano thanks..
Logged

greetings / grüsse
ivan

Facebook Fan Page | Follow Twitter

Blog: Reisen Blog
Bilder Gallery: Bilder Gallery
RoadDogg
Sr. Member
****
Offline Offline

Posts: 488

Thank You
-Given: 1
-Receive: 1


View Profile WWW
« Reply #14 on: December 29, 2005, 11:21:18 AM »

Thanks for the fix, V@no!
Logged

For support requests please don´t forget link to your Gallery/to phpinfo.php
1
2
3
<?
phpinfo()
?>
safe_mode must turned OFF
Please check Error Messages
Pages: [1] 2 3 4 » »» Print 
« previous next »
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF | SMF © 2015, Simple Machines Valid XHTML 1.0! Valid CSS!
Page created in 0.16 seconds with 19 queries.