Author Topic: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php  (Read 127403 times)

0 Members and 1 Guest are viewing this topic.

Offline Jan

  • Administrator
  • 4images Guru
  • *****
  • Posts: 5.024
    • View Profile
    • 4images - Image Gallery Management System
This is an important security fix.

Open includes/sessions.php and find the following line:

Code: [Select]
$this->session_id = session_id();
replace this line with the following code:

Code: [Select]
$this->session_id = preg_replace('/[^a-z0-9]+/i', '', session_id());
« Last Edit: May 03, 2006, 11:49:16 AM by Jan »
Your first three "must do" before you ask a question:
1. Forum rules
2. FAQ
3. Search

Offline mawenzi

  • 4images Moderator
  • 4images Guru
  • *****
  • Posts: 4.500
    • View Profile
Re: [1.7.1, 1.7.2] Security fix for SQL injection in session.php
« Reply #1 on: May 03, 2006, 11:47:13 AM »
Danke für das schnelle Fix ! Und nur für  1.7.1, 1.7.2 ... nicht 1.7 ?
Your first three "must do" before you ask a question ! ( © by V@no )
- please read the Forum Rules ...
- please study the FAQ ...
- please try to Search for your answer ...

You are on search for top 4images MOD's ?
- then please search here ... Mawenzi's Top 100+ MOD List (unsorted sorted) ...

Offline DBCapricorn

  • Pre-Newbie
  • Posts: 1
    • View Profile
Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #2 on: May 04, 2006, 02:43:24 AM »
Always on it. Thanks for looking out for us. :)

Offline V@no

  • If you don't tell me what to do, I won't tell you where you should go :)
  • Global Moderator
  • 4images Guru
  • *****
  • Posts: 17.849
  • mmm PHP...
    • View Profile
    • 4images MODs Demo
Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #3 on: May 05, 2006, 02:29:21 PM »
the first one is enough ;)
Your first three "must do" before you ask a question:
Please do not PM me asking for help unless you've been specifically asked to do so. Such PMs will be deleted without answer. (forum rule #6)
Extension for Firefox/Thunderbird: Master Password+    Back/Forward History Tweaks (restartless)    Cookies Manager+    Fit Images (restartless for Thunderbird)

Offline vBFreak

  • Newbie
  • *
  • Posts: 42
    • View Profile
    • Gerrits Forum
Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #4 on: May 08, 2006, 02:13:30 AM »
Betrifft das auch die User, die die vBulletin-Integration verwenden? Ich kann in der ganzen Datei $this->session_id = session_id(); nirgends finden...

--

Are users of the vBulletin gallery integration also affected? I can't find these lines or $this->session_id = session_id(); at all...

Offline Bugfixed

  • Jr. Member
  • **
  • Posts: 96
    • View Profile
    • Lavinya
Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #5 on: May 10, 2006, 04:38:57 PM »
I'm using phpbb+4images integration system. in /galeri/includes/sesion.php "$this->session_id = session_id();" not line. please help.
<?php echo 'Hello, World!'; ?>

Offline JensF

  • Addicted member
  • ******
  • Posts: 1.028
    • View Profile
    • http://www.terraristik-galerie.de
Re: [1.7.1, 1.7.2] Security fix for SQL injection in session.php
« Reply #6 on: May 11, 2006, 12:22:06 AM »
Danke für das schnelle Fix ! Und nur für  1.7.1, 1.7.2 ... nicht 1.7 ?

Ich denke nicht, oder?? Ich jedenfalls kann den Teil nicht in meiner sessions.php finden...
Mit freundlichem Gruß
Jens Funk



-> Sorry for my bad English <-

Offline flo31083

  • Newbie
  • *
  • Posts: 14
    • View Profile
Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #7 on: May 18, 2006, 01:46:54 PM »
I have the newest version only 1 week ago ago down-loaded participates that fixed there already? or do I have to change that again now? thus was the down load updated?


sorry for ma english


in german

ich hab die neuste version erst vor 1 woche runtergeladen ist der fix da schon dabei ? oder muss ich das jetzt nochmal selbst ändern ? also würde der download aktualisiert ?

Offline kai

  • Administrator
  • Addicted member
  • *****
  • Posts: 1.418
    • View Profile
    • 4images - Image Gallery Management System
Re: [1.7.1, 1.7.2] Security fix for SQL injection in session.php
« Reply #8 on: May 18, 2006, 10:52:26 PM »
Danke für das schnelle Fix ! Und nur für  1.7.1, 1.7.2 ... nicht 1.7 ?

Exactly, this fix is only for 1.7.1 and 1.7.2, not for 1.7
Your first three "must do" before you ask a question:
1. Forum rules
2. FAQ
3. Search

Offline kai

  • Administrator
  • Addicted member
  • *****
  • Posts: 1.418
    • View Profile
    • 4images - Image Gallery Management System
Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #9 on: May 18, 2006, 11:01:10 PM »
I have the newest version only 1 week ago ago down-loaded participates that fixed there already? or do I have to change that again now? thus was the down load updated?

Yes, the fix is included in the current download (since 3rd of may 2006).
If you're not sure, search in includes/sessions.php for code Jan posted in the first post.
Your first three "must do" before you ask a question:
1. Forum rules
2. FAQ
3. Search

Offline vBFreak

  • Newbie
  • *
  • Posts: 42
    • View Profile
    • Gerrits Forum
Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #10 on: May 26, 2006, 05:23:31 PM »
I don't know why, even if I don't know if it was this bug I had spam bots in my gallery yesterday whose used a sql injection bug on my gallery to spam user comments with advertisement for porno links and so on...

As I've already said above I'm using the vBulletin integration and I can't find the line mentioned above...

what can I do?

Offline V@no

  • If you don't tell me what to do, I won't tell you where you should go :)
  • Global Moderator
  • 4images Guru
  • *****
  • Posts: 17.849
  • mmm PHP...
    • View Profile
    • 4images MODs Demo
Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #11 on: May 26, 2006, 11:40:56 PM »
I don't know why, even if I don't know if it was this bug I had spam bots in my gallery yesterday whose used a sql injection bug on my gallery to spam user comments with advertisement for porno links and so on...
and how did you get to this conclusion? do you have proof they used a hole in 4images? (not that I'm judging you ;))
Your first three "must do" before you ask a question:
Please do not PM me asking for help unless you've been specifically asked to do so. Such PMs will be deleted without answer. (forum rule #6)
Extension for Firefox/Thunderbird: Master Password+    Back/Forward History Tweaks (restartless)    Cookies Manager+    Fit Images (restartless for Thunderbird)

Offline vBFreak

  • Newbie
  • *
  • Posts: 42
    • View Profile
    • Gerrits Forum
Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #12 on: May 27, 2006, 04:29:39 AM »
I'm sure since they were not registered and if you're not registered you're unable to post comments, I've tested that.

Also as I've viewed the comments in my admin cp to delete them, some fields seemed to be empty or so, the comment overview of the picture where they had spammed looked really strange especially for these comments only, so I don't think these comments were made through the 4images gallery itself.

Offline V@no

  • If you don't tell me what to do, I won't tell you where you should go :)
  • Global Moderator
  • 4images Guru
  • *****
  • Posts: 17.849
  • mmm PHP...
    • View Profile
    • 4images MODs Demo
Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #13 on: May 27, 2006, 07:48:07 PM »
Ok, please attach your sessions.php, I'll take a look at it.
Your first three "must do" before you ask a question:
Please do not PM me asking for help unless you've been specifically asked to do so. Such PMs will be deleted without answer. (forum rule #6)
Extension for Firefox/Thunderbird: Master Password+    Back/Forward History Tweaks (restartless)    Cookies Manager+    Fit Images (restartless for Thunderbird)

Offline vBFreak

  • Newbie
  • *
  • Posts: 42
    • View Profile
    • Gerrits Forum
Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #14 on: May 27, 2006, 09:54:24 PM »
Since I don't know how to attach a file in here, I've put in the whole code of my sessions.php and replaced my vb-license number with XXXXXXXX for my own privacy.

Code: [Select]
<?php
/**************************************************************************
 *                                                                        *
 *    4images - A Web Based Image Gallery Management System               *
 *    ----------------------------------------------------------------    *
 *                                                                        *
 *             File: sessions.php                                         *
 *        Copyright: (C) 2002 Jan Sorgalla                                *
 *            Email: jan@4homepages.de                                    *
 *              Web: http://www.4homepages.de                             *
 *    Scriptversion: 1.7.2                                                *
 *    Integration to work with vBulletin 2.x by Jan                       *
 *    Modified to work with vBulletin 3.0.x by mtha                       *
 *    Modified to work with vBulletin 3.5.x by mtha                       *
 *    Never released without support from: Nicky (http://www.nicky.net)   *
 *                                                                        *
 **************************************************************************
 *                                                                        *
 *    Dieses Script ist KEINE Freeware. Bitte lesen Sie die Lizenz-       *
 *    bedingungen (Lizenz.txt) für weitere Informationen.                 *
 *    ---------------------------------------------------------------     *
 *    This script is NOT freeware! Please read the Copyright Notice       *
 *    (Licence.txt) for further information.                              *
 *                                                                        *
 *************************************************************************/
if (!defined('ROOT_PATH')) {
  die("Security violation");
}

//-----------------------------------------------------
//--- Start Configuration -----------------------------
//-----------------------------------------------------
define('USER_INTEGRATION''VBULLETIN');
define('VBLICENCE_NUMBER''XXXXXXXX'); //REPLACE XXXXXXXX with your Licence Number, usually on top of your vB files

// Set here the URL to your vBulletin forum. WITH trailing slash!
$url_app           "http://www.gerritsforum.de/";

define('SESSION_NAME''s'); // Default of vBulletin is "s".
define('COOKIE_PREFIX''bb'); //Default of vBulletin is "bb".
define('COOKIE_TIMEOUT','600'); //Set the same with your vB timeout, in second
define('ALBUM_FOLDER','/gallery/'); //Your Album Folder WITH trailing slash

// Define here the name of the template database table.
define('VB_TEMPLATE_TABLE'VB_TABLE_PREFIX.'template');

// Set her the corresponding database fields of the user table.
// If there is no corresponding field in the new user table, 
// leave the value blank. Normally no need to change.
$user_table_fields = array(
  "user_id" => "userid",
  "user_level" => "usergroupid",
  "user_name" => "username",
  "user_password" => "password",
  "user_email" => "email",
  "user_showemail" => "",
  "user_allowemails" => "",
  "user_invisible" => "",
  "user_joindate" => "joindate",
  "user_activationkey" => "",
  "user_lastaction" => "lastactivity",
  "user_location" => "",
  "user_lastvisit" => "lastvisit",
  "user_comments" => "user_album_comments",
  "user_homepage" => "homepage",
  "user_icq" => "icq"
);


// Set here different URL's to your vBulletin forum.
// Normally no need to change.
$url_register      $url_app."register.php?do=signup";
$url_lost_password $url_app."login.php?do=lostpw";
$url_control_panel $url_app."usercp.php";
$url_mailform      $url_app."sendmessage.php?do=mailmember&u={user_id}"
$url_show_profile  $url_app."member.php?u={user_id}";
$url_login         $url_app."login.php";
//$url_logout        = $url_app."login.php?do=logout&logouthash=".$user_info['logouthash'];
$clientscript_md5  $url_app."clientscript/vbulletin_md5.js";

//-----------------------------------------------------
//--- End Configuration -------------------------------
//-----------------------------------------------------

function get_user_table_field($add$user_field) {
  global $user_table_fields;
  return (!empty($user_table_fields[$user_field])) ? $add.$user_table_fields[$user_field] : "";
}

class 
Session {

  var $session_id;
  var $user_ip;
  var $user_location;
  var $current_time;
  var $session_timeout;
  var $mode "get";
  var $session_info = array();
  var $user_info = array();

  function Session() {
    global $cookietimeout;
    $this->session_timeout $cookietimeout;
    $this->user_ip $this->get_user_ip();
    $this->user_location ALBUM_FOLDER.''.$this->get_user_location();
    $this->current_time time();
    $this->demand_session();
  }

  function set_cookie_data($name$value$permanent 1) {
    $cookie_expire = ($permanent) ? $this->current_time 60 60 24 365 0;
    setcookie($name$value$cookie_expireCOOKIE_PATHCOOKIE_DOMAINCOOKIE_SECURE);
  }

  function read_cookie_data($name) {
    global $HTTP_COOKIE_VARS;
    return (isset($HTTP_COOKIE_VARS[$name])) ? $HTTP_COOKIE_VARS[$name] : 0;
  }

  function get_session_id() {
    global $HTTP_GET_VARS$HTTP_POST_VARS;
    if ($this->session_id $this->read_cookie_data(COOKIE_PREFIX."sessionhash")) {
      $this->mode "cookie";
    }
    else {
      if (isset($HTTP_GET_VARS[SESSION_NAME])) {
        $this->session_id $HTTP_GET_VARS[SESSION_NAME];
      }
      elseif (isset($HTTP_POST_VARS[SESSION_NAME])) {
        $this->session_id $HTTP_POST_VARS[SESSION_NAME];
      }
      else {
        $this->session_id false;
      }
    }
  }

  function demand_session() {
    $this->get_session_id();
    if (!$this->load_session_info()) {
      $this->delete_old_sessions();
      $user_id = ($this->read_cookie_data(COOKIE_PREFIX."userid")) ? intval($this->read_cookie_data(COOKIE_PREFIX."userid")) : GUEST;
// $user_id = ($this->read_cookie_data("userid")) ? $this->read_cookie_data("userid") : GUEST; 
     $this->start_session($user_id);
    }
    else {
      $this->user_info $this->load_user_info($this->session_info['userid']);
      $update_cutoff = ($this->user_info['user_id'] != GUEST) ? $this->current_time $this->user_info['user_lastaction'] : $this->current_time $this->session_info['lastactivity'];
      if ($update_cutoff 60) {
        $this->update_session();
        $this->delete_old_sessions();
      }
    }
  }

  function start_session($user_id GUEST$login_process 0) {
    global $site_db;
    
    $this
->user_info $this->load_user_info($user_id);
    if ($this->user_info['user_id'] != GUEST && !$login_process) {
      if ($this->read_cookie_data(COOKIE_PREFIX."password") === md5($this->user_info['user_password'].''.VBLICENCE_NUMBER)  && $this->user_info['user_level'] != USER_AWAITING) {
        $this->set_cookie_data(COOKIE_PREFIX."password"$this->user_info['user_password']);
      }
      else {
        $this->set_cookie_data(COOKIE_PREFIX."password"""0);
        $this->user_info $this->load_user_info(GUEST);
      }
    }
    $this->session_id $this->generate_session_id();
    $sql "INSERT INTO ".SESSIONS_TABLE.
            (sessionhash, userid, host, useragent, lastactivity, location, styleid) 
            VALUES 
            ('
$this->session_id', ".$this->user_info['user_id'].", '$this->user_ip', '".$_SERVER['HTTP_USER_AGENT']."', $this->current_time, '$this->user_location', '".$this->read_cookie_data(COOKIE_PREFIX."styleid")."')";
    $site_db->query($sql);
    $this->session_info['session_user_id'] = $this->user_info['user_id'];
    $this->session_info['session_lastaction'] = $this->current_time;
    $this->session_info['session_location'] = $this->user_location;
    $this->session_info['session_ip'] = $this->user_ip;

    if ($this->user_info['user_id'] != GUEST) {
      $sql "UPDATE ".USERS_TABLE.
              SET "
.get_user_table_field("""user_lastaction")." = $this->current_time 
              WHERE "
.get_user_table_field("""user_id")." = ".$this->user_info['user_id'];
      $site_db->query($sql);
    }
    $this->set_cookie_data(COOKIE_PREFIX."sessionhash"$this->session_id0);
    $this->set_cookie_data(COOKIE_PREFIX."lastvisit"$this->current_time);
    $this->set_cookie_data(COOKIE_PREFIX."userid"$this->user_info['user_id']);
    return true;
  }

  function login($user_name ""$user_password ""$auto_login 0$set_auto_login 1) {
    global $url_login;
    header("Location: $url_login");
  }

  function logout($user_id GUEST) {
    global $url_logout;
    header("Location: $url_logout");
  }

  function delete_old_sessions() {
    global $site_db;
    $expiry_time $this->current_time $this->session_timeout;
    $sql "DELETE FROM ".SESSIONS_TABLE.
            WHERE lastactivity < 
$expiry_time";
// BM: temporary take this out, assume Forum always has someone browsing 
//    $site_db->query($sql);

    $sql "SELECT sessionhash 
            FROM "
.SESSIONS_TABLE;
    $result $site_db->query($sql);
    if ($result) {
      $session_ids_sql "";
      while ($row $site_db->fetch_array($result)) {
        $session_ids_sql .= (($session_ids_sql != "") ? ", " "") . "'".$row['sessionhash']."'";
      }
    }
    if (!empty($session_ids_sql)) {
      $sql "DELETE FROM ".SESSIONVARS_TABLE.
              WHERE session_id NOT IN (
$session_ids_sql)";
      $site_db->query($sql);
    }
    return true;
  }

  function update_session() {
    global $site_db;

$sql "REPLACE INTO ".SESSIONS_TABLE."
           (sessionhash, userid, lastactivity, location, host)
           VALUES
           ('
$this->session_id', ".$this->user_info['user_id'].", $this->current_time, '$this->user_location', '$this->user_ip')";

    $site_db->query($sql);
    if ($this->user_info['user_id'] != GUEST) {
      $sql "UPDATE ".USERS_TABLE.
              SET "
.get_user_table_field("""user_lastaction")." = $this->current_time 
              WHERE "
.get_user_table_field("""user_id")." = ".$this->user_info['user_id'];
      $site_db->query($sql);
    }
    return;
  }

  function generate_session_id() {
    global $site_db;
    $sid md5(uniqid(microtime()));
    $i 0;
    while ($i == 0) {
      $sql "SELECT sessionhash 
              FROM "
.SESSIONS_TABLE.
              WHERE sessionhash = '
$sid'";
      if ($site_db->is_empty($sql)) {
        $i 1;
      }
      else {
        $i 0;
        $sid md5(uniqid(microtime()));
      }
    }
    return $sid;
  }

  function return_session_info() {
    return $this->session_info;
  }

  function return_user_info() {
    return $this->user_info;
  }
  
  
function freeze() {
    return;
  }

  function load_session_info() {
    global $site_db;
    if (!$this->session_id) {
      return false;
    }
    $this->session_info = array();
    $sql "SELECT sessionhash, lastactivity, host, userid 
            FROM "
.SESSIONS_TABLE.
            WHERE sessionhash = '
$this->session_id
            AND host = '
$this->user_ip'";
    $this->session_info $site_db->query_firstrow($sql);
    if (!isset($this->session_info['userid'])) {
      return false;
    }
    else {
      $sql "SELECT sessionvars_name, sessionvars_value 
              FROM "
.SESSIONVARS_TABLE.
              WHERE session_id = '
$this->session_id'";
      $result $site_db->query($sql);
      while ($row $site_db->fetch_array($result)) {
        $this->session_info[$row['sessionvars_name']] = $row['sessionvars_value'];
      }
      return $this->session_info;
    }
  }

  function load_user_info($user_id GUEST) {
    global $site_db$user_table_fields;

    if ($user_id != GUEST) {
      $sql "SELECT u.*, l.*
              FROM "
.USERS_TABLE." u, ".LIGHTBOXES_TABLE." l 
              WHERE "
.get_user_table_field("u.""user_id")." = $user_id AND l.user_id = ".get_user_table_field("u.""user_id");
      $user_info $site_db->query_firstrow($sql);
     if (!$user_info) {
        $sql "SELECT *
                FROM "
.USERS_TABLE."
                WHERE "
.get_user_table_field("""user_id")." = $user_id";
        $user_info $site_db->query_firstrow($sql);
  
      
if ($user_info) {
         $lightbox_id get_random_key(LIGHTBOXES_TABLE"lightbox_id");
          $sql "INSERT INTO ".LIGHTBOXES_TABLE.
                  (lightbox_id, user_id, lightbox_lastaction, lightbox_image_ids) 
                  VALUES 
                  ('
$lightbox_id', ".$user_info[$user_table_fields['user_id']].", $this->current_time, '')";
          $site_db->query($sql);
          $user_info['lightbox_lastaction'] = $this->current_time;
          $user_info['lightbox_image_ids'] = "";
        }
      }
    }
    if (empty($user_info[$user_table_fields['user_id']])) {
      $user_info = array();
      $user_info['user_id'] = GUEST;
      $user_info['user_level'] = GUEST;
      $user_info['user_lastaction'] = $this->current_time;
      $user_info['user_lastvisit'] = ($this->read_cookie_data(COOKIE_PREFIX."lastvisit")) ? $this->read_cookie_data(COOKIE_PREFIX."lastvisit") : $this->current_time;
    }
    foreach ($user_table_fields as $key => $val) {
      if (isset($user_info[$val])) {
        $user_info[$key] = $user_info[$val];
      }
      elseif (!isset($user_info[$key])) {
        $user_info[$key] = "";
      }
    }
      $user_info['logouthash'] = md5($user_info['user_id'] . $user_info['salt'] . VBLICENCE_NUMBER);
    return $user_info;
  }

  function set_session_var($var_name$value) {
    global $site_db;
    $sql "SELECT session_id 
            FROM "
.SESSIONVARS_TABLE.
            WHERE sessionvars_name = '
$var_name' AND session_id = '$this->session_id'";
    if ($site_db->is_empty($sql)) {
      $sql "INSERT INTO ".SESSIONVARS_TABLE.
              (session_id, sessionvars_name, sessionvars_value) 
              VALUES 
              ('
$this->session_id', '$var_name', '$value')";
      $site_db->query($sql);
    }
    else {
      $sql "UPDATE ".SESSIONVARS_TABLE.
              SET sessionvars_value = '
$value
              WHERE sessionvars_name = '
$var_name' AND session_id = '$this->session_id'";
      $site_db->query($sql);
    }
    $this->session_info[$var_name] = $value;
    return true;
  }

  function get_session_var($var_name) {
    global $site_db;
    if (isset($this->session_info[$var_name])) {
      return $this->session_info[$var_name];
    }
    else {
      $sql "SELECT sessionvars_value 
              FROM "
.SESSIONVARS_TABLE.
              WHERE sessionvars_name = '
$var_name' AND session_id = '$this->session_id'";
      $value $site_db->query_firstrow($sql);
      if ($value) {
        $this->session_info[$var_name] = $value['sessionvars_value'];
        return $value['sessionvars_value'];
      }
      else {
        return "";
      }
    }
  }

  function drop_session_var($var_name) {
    unset($this->session_info[$var_name]);
/*    global $site_db;
    $sql = "DELETE FROM ".SESSIONVARS_TABLE." 
            WHERE sessionvars_name = '$var_name' AND session_id = '$this->session_id'";
    return ($site_db->query($sql)) ? 1 : 0;
*/
  }

  function get_user_ip() {
    global $HTTP_SERVER_VARS$HTTP_ENV_VARS;
    $ip = (!empty($HTTP_SERVER_VARS['REMOTE_ADDR'])) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ((!empty($HTTP_ENV_VARS['REMOTE_ADDR'])) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : getenv("REMOTE_ADDR"));
    //$ip = preg_replace("/[^\.0-9]+/", "", $ip);
    return substr($ip050);
  }

  function get_user_location() {
    global $self_url;
    return (defined("IN_CP")) ? "Control Panel" preg_replace(array("/([?|&])action=[^?|&]*/""/([?|&])mode=[^?|&]*/""/([?|&])phpinfo=[^?|&]*/""/([?|&])printstats=[^?|&]*/""/[?|&]".URL_ID."=[^?|&]*/""/[?|&]l=[^?|&]*/""/[&?]+$/"), array(""""""""""""""), addslashes($self_url));
  }

  function url($url$amp "&amp;") {
    global $l;
    $dummy_array explode("#"$url);
    $url $dummy_array[0];

    if ($this->mode == "get" && strpos($url$this->session_id) === false) {
      $url .= strpos($url'?') !== false $amp "?";
      $url .= SESSION_NAME."=".$this->session_id;
    }

    if (!empty($l)) {
      $url .= strpos($url'?') !== false $amp "?";
      $url .= "l=".$l;
    }

    $url .= (isset($dummy_array[1])) ? "#".$dummy_array[1] : "";
    return $url;
  }
//end of class

//-----------------------------------------------------
//--- Start Session -----------------------------------
//-----------------------------------------------------
$optionstemp $site_db->query_firstrow("SELECT template FROM ".VB_TEMPLATE_TABLE." WHERE title='options'");
eval(
$optionstemp['template']);

define('COOKIE_NAME''');
define('COOKIE_PATH'$cookiedomain);
define('COOKIE_DOMAIN'$cookiepath);
$secure = (isset($SERVER_PORT) && $SERVER_PORT == "443") ? 0;
define('COOKIE_SECURE'$secure);

//Start Session
$site_sess = new Session();

// Get Userinfo
$session_info $site_sess->return_session_info();
$user_info $site_sess->return_user_info();

// Set USERGROUP levels
if (in_array($user_info[user_level], $admingroups)) 
{
define('ADMIN'$user_info[user_level]);
}
else 
define('ADMIN',ADMIN_DEFAULT);

if (
in_array($user_info[user_level], $usergroups)) 
{
define('USER'$user_info[user_level]);

else 
define('USER',USER_DEFAULT);

if (
in_array($user_info[user_level], $waitinggroups)) 
{
define('USER_AWAITING'$user_info[user_level]);
}
else 
define('USER_AWAITING',USER_AWAITING_DEFAULT);

//-----------------------------------------------------
//--- Get User Caches ---------------------------------
//-----------------------------------------------------
$num_total_online 0;
$num_visible_online 0;
$num_invisible_online 0;
$num_registered_online 0;
$num_guests_online 0;
$user_online_list "";
$prev_user_ids = array();
$prev_session_ips = array();

if (
defined("GET_USER_ONLINE") && ($config['display_whosonline'] == || $user_info['user_level'] == ADMIN)) {
  if (!isset($cookietimeout)) {
    $cookietimeout COOKIE_TIMEOUT;
  }
  $time_out time() - $cookietimeout;
  $sql "SELECT s.userid, s.lastactivity, s.host".get_user_table_field(", u.""user_id").get_user_table_field(", u.""user_level").get_user_table_field(", u.""user_name").get_user_table_field(", u.""user_invisible").
  FROM "
.SESSIONS_TABLE." s 
  LEFT JOIN "
.USERS_TABLE." u ON (".get_user_table_field("u.""user_id")." = s.userid) 
  WHERE s.lastactivity >= 
$time_out 
  ORDER BY "
.get_user_table_field("u.""user_id")." ASC, s.host ASC";
  $result $site_db->query($sql);
  while ($row $site_db->fetch_array($result)) {
    if ($row['userid'] != GUEST && isset($row[$user_table_fields['user_name']])) {
      if (!isset($prev_user_ids[$row['userid']])) {
        $is_invisible = (isset($row[$user_table_fields['user_invisible']]) && $row[$user_table_fields['user_invisible']] == 1) ? 0;
        $invisibleuser = ($is_invisible) ? "*" "";
        $username = (isset($row[$user_table_fields['user_level']]) && $row[$user_table_fields['user_level']] == ADMIN && $config['highlight_admin'] == 1) ? sprintf("<b>%s</b>"$row[$user_table_fields['user_name']]) : $row[$user_table_fields['user_name']];
        if (!$is_invisible || $user_info['user_level'] == ADMIN) {
          $user_online_list .= ($user_online_list != "") ? ", " "";
          $user_profile_link = (!empty($url_show_profile)) ? preg_replace("/{user_id}/"$row['userid'], $url_show_profile) : ROOT_PATH."member.php?action=showprofile&amp;".URL_USER_ID."=".$row['userid'];
          $user_online_list .= "<a href=\"".$site_sess->url($user_profile_link)."\">".$username."</a>".$invisibleuser;
        }
        (!$is_invisible) ? $num_visible_online++ : $num_invisible_online++;
        $num_registered_online++;
      }
      $prev_user_ids[$row['userid']] = 1;
    }
    else {
      if (!isset($prev_session_ips[$row['host']])) {
        $num_guests_online++;
      }
    }
    $prev_session_ips[$row['host']] = 1;
  }
  $num_total_online $num_registered_online $num_guests_online;

  $site_template->register_vars(array(
    "num_total_online" => $num_total_online,
    "num_invisible_online" => $num_invisible_online,
    "num_registered_online" => $num_registered_online,
    "num_guests_online" => $num_guests_online,
    "user_online_list" => $user_online_list,
    "lang_user_online" => str_replace('{num_total_online}'$num_total_online$lang['user_online']),
    "lang_user_online_detail" => str_replace(array('{num_registered_online}','{num_invisible_online}','{num_guests_online}'), array($num_registered_online,$num_invisible_online,$num_guests_online), $lang['user_online_detail']),
  ));
  $whos_online $site_template->parse_template("whos_online");
  $site_template->register_vars("whos_online"$whos_online);
  unset($whos_online);
  unset($prev_user_ids);
  unset($prev_session_ips);
}
?>

I'm also using a changed version of constants.php, I've also attached it, maybe you need it:

Code: [Select]
<?php
/**************************************************************************
 *                                                                        *
 *    4images - A Web Based Image Gallery Management System               *
 *    ----------------------------------------------------------------    *
 *                                                                        *
 *             File: constants.php                                        *
 *        Copyright: (C) 2002 Jan Sorgalla                                *
 *            Email: jan@4homepages.de                                    *
 *              Web: http://www.4homepages.de                             *
 *    Scriptversion: 1.7.2                                                *
 *    Integration to work with vBulletin 2.x by Jan                       *
 *    Modified to work with vBulletin 3.0.x by mtha                       *
 *    Modified to work with vBulletin 3.5.x by mtha                       *
 *    Never released without support from: Nicky (http://www.nicky.net)   *
 *                                                                        *
 **************************************************************************
 *                                                                        *
 *    Dieses Script ist KEINE Freeware. Bitte lesen Sie die Lizenz-       *
 *    bedingungen (Lizenz.txt) für weitere Informationen.                 *
 *    ---------------------------------------------------------------     *
 *    This script is NOT freeware! Please read the Copyright Notice       *
 *    (Licence.txt) for further information.                              *
 *                                                                        *
 *************************************************************************/
if (!defined('ROOT_PATH')) {
  die(
"Security violation");
}
// If 4images has problems to find out the right URL, define it here.
define('SCRIPT_URL''http://www.gerritsforum.de/gallery'); //no trailing slash
define('VB_TABLE_PREFIX',''); // your vb tableprefix. vB default is blank

// Table names
define('CATEGORIES_TABLE'$table_prefix.'categories');
define('COMMENTS_TABLE'$table_prefix.'comments');
define('GROUP_ACCESS_TABLE'$table_prefix.'groupaccess');
define('GROUP_MATCH_TABLE'$table_prefix.'groupmatch');
define('GROUPS_TABLE'$table_prefix.'groups');
define('IMAGES_TABLE'$table_prefix.'images');
define('IMAGES_TEMP_TABLE'$table_prefix.'images_temp');
define('LIGHTBOXES_TABLE'$table_prefix.'lightboxes');
define('POSTCARDS_TABLE'$table_prefix.'postcards');
define('SESSIONS_TABLE'VB_TABLE_PREFIX.'session'); 
define('SESSIONVARS_TABLE'$table_prefix.'sessionvars');
define('SETTINGS_TABLE'$table_prefix.'settings');
define('USERS_TABLE'VB_TABLE_PREFIX.'user');
define('WORDLIST_TABLE'$table_prefix.'wordlist');
define('WORDMATCH_TABLE'$table_prefix.'wordmatch');


// URL Parameters
define('URL_IMAGE_ID''image_id');
define('URL_CAT_ID''cat_id');
define('URL_USER_ID''user_id');
define('URL_POSTCARD_ID''postcard_id');
define('URL_COMMENT_ID''comment_id');
define('URL_PAGE''page');
define('URL_ID''id');


// User default levels
define('GUEST'0);  // GUEST group or ID
define('USER_AWAITING_DEFAULT'3);
define('USER_DEFAULT'2);
define('ADMIN_DEFAULT'6);

// User groups level
$waitinggroups = array(134131421); // vB Group should be waiting for moderate. seperate each group by comma
$usergroups = array(2578915192023); // Groups that are USERS in album. seperate each group by comma
$admingroups = array(6); // vB groups that are ADMINS in album. seperate each group by comma

// Permission levels
define('AUTH_ALL'0);
define('AUTH_USER'2);
define('AUTH_ACL'3);
define('AUTH_ADMIN'9);


// Group types
define('GROUPTYPE_GROUP'1);
define('GROUPTYPE_SINGLE'2);


// Chmod for files and directories created by 4images
define('CHMOD_FILES'0666);
define('CHMOD_DIRS'0777);


// Will be used to replace the {xxx} tage if the value is empty.
// Netscape Browser sometimes need this to display table cell background colors.
define('REPLACE_EMPTY''&nbsp;');


// Max rating value
define('MAX_RATING'5);


// Days postcards will be held in the database
define('POSTCARD_EXPIRY'10);


// Time offset for your website. Sometimes usefull if your server is located
// in other timezones.
define('TIME_OFFSET'0);


// All words <= MIN_SEARCH_KEYWORD_LENGTH and >= MAX_SEARCH_KEYWORD_LENGTH
// are not added to the search index
define('MIN_SEARCH_KEYWORD_LENGTH'3);
define('MAX_SEARCH_KEYWORD_LENGTH'25);

// If you set this to 1, admins will authenticated additionally with cookies.
// If you use "User Integration", you should set this to 0.
define('ADMIN_SAFE_LOGIN'0);


// If you use GD higher 2.0.1 and PHP higher 4.0.6 set this to 1.
// Your thumbnails will be created with better quality
define('CONVERT_IS_GD2'0);


// If you have a lot of images in your database,
// the random image function could make your programm slow.
// Try first to set "SHOW_RANDOM_CAT_IMAGE" to 0.
define('SHOW_RANDOM_IMAGE'1);
define('SHOW_RANDOM_CAT_IMAGE'1);


// Check existence of remote image files.
// If you choose 1, you could get sometimes timeout errors
define('CHECK_REMOTE_FILES'0);


// Allow execution of PHP code in templates
define('EXEC_PHP_CODE'1);

// Data paths
define('MEDIA_DIR''data/media');
define('THUMB_DIR''data/thumbnails');
define('MEDIA_TEMP_DIR''data/tmp_media');
define('THUMB_TEMP_DIR''data/tmp_thumbnails');
define('DATABASE_DIR''data/database');
define('TEMPLATE_DIR''templates');

// Script version
define('SCRIPT_VERSION''1.7.2');
// Debug contants
// define("PRINT_STATS", 1);
// define("PRINT_QUERIES", 1);
// define('PRINT_CACHE_MESSAGES', 1);
?>