[1.7.2] Security fix for global.php

[V@no]

If you downloaded 4images v1.7.2 before 25-04-2006 you should apply this fix!
If you downloaded it after that date, then you should not worry about it, the download package already conteins this fix.

Step 1

In global.php
find:

Code:  [Select]  [Expand]  [Hide line numbers]

1 2 3 4 5 6 7 8 9 10 11 12 13

/* $val = str_replace("\r\n", "\n", $val); $val = str_replace("\r",   "\n", $val); $val = strtr($val, $search2, $replace2);       $val = str_replace("\r", '', $val);  // \r === \x0D */ /* do {         $oldval = $val;         $val = preg_replace('#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>#i', "", $val);       } while ($oldval != $val); */

Replace with:

Code:  [Select]  [Expand]  [Hide line numbers]

1 2 3 4 5 6 7 8 9

$val = str_replace("\r\n", "\n", $val);       $val = str_replace("\r",   "\n", $val);       $val = strtr($val, $search2, $replace2);       $val = str_replace("\r", '', $val);  // \r === \x0D       do {         $oldval = $val;         $val = preg_replace('#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>#i', "", $val);       } while ($oldval != $val);

Or you can download 4images package from this page and replace global.php from that package.

Step 2

And in case someone already used this hole on your site, you should find and delete any user who has < and > tags in their name (well, atleast these who has <script or other HTML tags) (personaly I would not feel bad even perm ban for that)
For that go to ACP (Admin Control Panel) -> Edit users -> in the "Userame conteins" field enter: < and click "Find"
Repeat search for >

[EDIT]
For these who cant find the code above, you probably have something like this instead:

Code:  [Select]  [Expand]  [Hide line numbers]

1 2 3 4

$val = str_replace("\r\n", "\n", $val);       $val = str_replace("\r",   "\n", $val);       $val = strtr($val, $search2, $replace2);       $val = str_replace("\r", '', $val);  // \r === \x0D

(note, there is no /* and */ around that block of code!
So, replace this block with the code above.

[qwertz]

thank you, for your update-info! 

andreas

[devilsoulblack]

thanks

[konradin]

This passage is not in my global.php!

In my global.php only I can find this:

Code:  [Select]  [Expand]  [Hide line numbers]

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21

$search2 =       "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x0B\x0C\x0E\x0F\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F";   $replace2 = //str_repeat("\r", strlen($search2));       "\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D";   foreach ($array as $key => $val) {     if (is_array($val)) {       $val = clean_array($val);     } else {       $val = preg_replace($search, $replace, $val);       $val = str_replace("\r\n", "\n", $val);       $val = str_replace("\r",   "\n", $val);       $val = strtr($val, $search2, $replace2);       $val = str_replace("\r", '', $val);  // \r === \x0D     }     $array[$key] = $val;   }   return $array;

What do I have to do,
Thanks and bye

[egyptsons]

Done
Thanks V@no

[mentally]

i also cant find this in global.php

[izzy]

This passage is not in my global.php!

In my global.php only I can find this:

Just to confirm I have the same global.php as konradin. The file is dated 08/03/06 6:19pm.

The thread heading is related to register.php which I take as being an error.

[boywonder]

I think the post title needs to be changed as its confusing. It should be global.php that needs changing not register.php.

I have the same problem as the message by "konradin" above.

Thanks.

[NCochise]

I've searched my global.php also and cannot find the code string shown above.

Does this mean those of us who cannot find it do not have the security breech?

Or is this just another one of those fixes that might be a fix until somebody finds out it didn't really fix what it was intended to fix, but instead was really an unfix for something else already fixed, but not fixed any more, because this fix is not really a fix at all, but a fixation of the mind?

When you get this figured out, gimme a call cuz I'm fixin' to logout of this security fix topic and fixin' to get somethin' to eat... if wife was kind enough to fix din din already.


Fix ya later!

[caballonegro]

Ist eine Änderung denn auch notwendig wenn 4images bei registrierungen auf die Userdatenbank von phpbb zugreift?

danke u. gruß

[Optimum]

Same here, can't find either piece (the old and the new) of the code in global or register.
Guess it doesn't need fixing then..

Thx,
Mat

[Michael]

Hallo, was ist mit den älteren versionen 1.7 / 1.7.1  ??

[Fat Bastard]

I would like to know too!

[Jan]

This passage is not in my global.php!

In my global.php only I can find this:

Code:  [Select]  [Expand]  [Hide line numbers]

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21

$search2 =  "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x0B\x0C\x0E\x0F\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F";  $replace2 = //str_repeat("\r", strlen($search2));  "\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D";  foreach ($array as $key => $val) {  if (is_array($val)) {  $val = clean_array($val);  } else {  $val = preg_replace($search, $replace, $val);  $val = str_replace("\r\n", "\n", $val);  $val = str_replace("\r", "\n", $val);  $val = strtr($val, $search2, $replace2);  $val = str_replace("\r", '', $val); // \r === \x0D  }  $array[$key] = $val;  }  return $array;

What do I have to do,
Thanks and bye

Add:

Code:  [Select]  [Expand]  [Hide line numbers]

1 2 3 4

do {         $oldval = $val;         $val = preg_replace('#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>#i', "", $val);       } while ($oldval != $val);

after

Code:  [Select]  [Expand]  [Hide line numbers]

1	$val = str_replace("\r", '', $val); // \r === \x0D

[mawenzi]

Hallo, was ist mit den älteren versionen 1.7 / 1.7.1  ??

Eine 4images-Installation Version 1.7 mit allen "Security Fixes" enthält nicht dieses "Security Hole" !

An 4images installation version 1.7 with all "security fixes" does not contain this "security hole"!