4images Forum & Community
Topic: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
vBFreak
« Reply #15 on: May 27, 2006, 09:54:24 PM »

Since I don't know how to attach a file in here, I've put in the whole code of my sessions.php and replaced my vb-license number with XXXXXXXX for my own privacy.

<?php
/**************************************************************************
 *                                                                        *
 *    4images - A Web Based Image Gallery Management System               *
 *    ----------------------------------------------------------------    *
 *                                                                        *
 *             File: sessions.php                                         *
 *        Copyright: (C) 2002 Jan Sorgalla                                *
 *            Email: jan@4homepages.de                                    *
 *              Web: http://www.4homepages.de                             *
 *    Scriptversion: 1.7.2                                                *
 *    Integration to work with vBulletin 2.x by Jan                       *
 *    Modified to work with vBulletin 3.0.x by mtha                       *
 *    Modified to work with vBulletin 3.5.x by mtha                       *
 *    Never released without support from: Nicky (http://www.nicky.net)   *
 *                                                                        *
 **************************************************************************
 *                                                                        *
 *    Dieses Script ist KEINE Freeware. Bitte lesen Sie die Lizenz-       *
 *    bedingungen (Lizenz.txt) für weitere Informationen.                 *
 *    ---------------------------------------------------------------     *
 *    This script is NOT freeware! Please read the Copyright Notice       *
 *    (Licence.txt) for further information.                              *
 *                                                                        *
 *************************************************************************/
if (!defined('ROOT_PATH')) {
  die("Security violation");
}

//-----------------------------------------------------
//--- Start Configuration -----------------------------
//-----------------------------------------------------
define('USER_INTEGRATION', 'VBULLETIN');
define('VBLICENCE_NUMBER', 'XXXXXXXX'); //REPLACE XXXXXXXX with your Licence Number, usually on top of your vB files

// Set here the URL to your vBulletin forum. WITH trailing slash!
$url_app           = "http://www.gerritsforum.de/";

define('SESSION_NAME', 's'); // Default of vBulletin is "s".
define('COOKIE_PREFIX', 'bb'); //Default of vBulletin is "bb".
define('COOKIE_TIMEOUT', '600'); //Set the same as your vB timeout, in seconds
define('ALBUM_FOLDER', '/gallery/'); //Your Album Folder WITH trailing slash

// Define here the name of the template database table.
define('VB_TEMPLATE_TABLE', VB_TABLE_PREFIX.'template');

// Set here the corresponding database fields of the user table.
// If there is no corresponding field in the new user table, 
// leave the value blank. Normally no need to change.
$user_table_fields = array(
  "user_id" => "userid",
  "user_level" => "usergroupid",
  "user_name" => "username",
  "user_password" => "password",
  "user_email" => "email",
  "user_showemail" => "",
  "user_allowemails" => "",
  "user_invisible" => "",
  "user_joindate" => "joindate",
  "user_activationkey" => "",
  "user_lastaction" => "lastactivity",
  "user_location" => "",
  "user_lastvisit" => "lastvisit",
  "user_comments" => "user_album_comments",
  "user_homepage" => "homepage",
  "user_icq" => "icq"
);


// Set here different URL's to your vBulletin forum.
// Normally no need to change.
$url_register      = $url_app."register.php?do=signup";
$url_lost_password = $url_app."login.php?do=lostpw";
$url_control_panel = $url_app."usercp.php";
$url_mailform      = $url_app."sendmessage.php?do=mailmember&u={user_id}";
$url_show_profile  = $url_app."member.php?u={user_id}";
$url_login         = $url_app."login.php";
//$url_logout        = $url_app."login.php?do=logout&logouthash=".$user_info['logouthash'];
$clientscript_md5  = $url_app."clientscript/vbulletin_md5.js";

//-----------------------------------------------------
//--- End Configuration -------------------------------
//-----------------------------------------------------

function get_user_table_field($add, $user_field) {
  global $user_table_fields;
  return (!empty($user_table_fields[$user_field])) ? $add.$user_table_fields[$user_field] : "";
}

class Session {

  var $session_id;
  var $user_ip;
  var $user_location;
  var $current_time;
  var $session_timeout;
  var $mode = "get";
  var $session_info = array();
  var $user_info = array();

  function Session() {
    global $cookietimeout;
    $this->session_timeout = $cookietimeout;
    $this->user_ip = $this->get_user_ip();
    $this->user_location = ALBUM_FOLDER.''.$this->get_user_location();
    $this->current_time = time();
    $this->demand_session();
  }

  function set_cookie_data($name, $value, $permanent = 1) {
    // Permanent cookies live one year, session cookies expire with the browser.
    $cookie_expire = ($permanent) ? $this->current_time + 60 * 60 * 24 * 365 : 0;
    setcookie($name, $value, $cookie_expire, COOKIE_PATH, COOKIE_DOMAIN, COOKIE_SECURE);
  }

  function read_cookie_data($name) {
    global $HTTP_COOKIE_VARS;
    return (isset($HTTP_COOKIE_VARS[$name])) ? $HTTP_COOKIE_VARS[$name] : 0;
  }

  function get_session_id() {
    global $HTTP_GET_VARS, $HTTP_POST_VARS;
    if ($this->session_id = $this->read_cookie_data(COOKIE_PREFIX."sessionhash")) {
      $this->mode = "cookie";
    }
    else {
      if (isset($HTTP_GET_VARS[SESSION_NAME])) {
        $this->session_id = $HTTP_GET_VARS[SESSION_NAME];
      }
      elseif (isset($HTTP_POST_VARS[SESSION_NAME])) {
        $this->session_id = $HTTP_POST_VARS[SESSION_NAME];
      }
      else {
        $this->session_id = false;
      }
      }
    }
  }

  function demand_session() {
    $this->get_session_id();
    if (!$this->load_session_info()) {
      $this->delete_old_sessions();
      $user_id = ($this->read_cookie_data(COOKIE_PREFIX."userid")) ? intval($this->read_cookie_data(COOKIE_PREFIX."userid")) : GUEST;
// $user_id = ($this->read_cookie_data("userid")) ? $this->read_cookie_data("userid") : GUEST; 
     $this->start_session($user_id);
    }
    else {
      $this->user_info = $this->load_user_info($this->session_info['userid']);
      $update_cutoff = ($this->user_info['user_id'] != GUEST) ? $this->current_time - $this->user_info['user_lastaction'] : $this->current_time - $this->session_info['lastactivity'];
      if ($update_cutoff > 60) {
        $this->update_session();
        $this->delete_old_sessions();
      }
    }
  }

  function start_session($user_id = GUEST, $login_process = 0) {
    global $site_db;

    $this->user_info = $this->load_user_info($user_id);
    if ($this->user_info['user_id'] != GUEST && !$login_process) {
      if ($this->read_cookie_data(COOKIE_PREFIX."password") === md5($this->user_info['user_password'].''.VBLICENCE_NUMBER) && $this->user_info['user_level'] != USER_AWAITING) {
        $this->set_cookie_data(COOKIE_PREFIX."password", $this->user_info['user_password']);
      }
      else {
        $this->set_cookie_data(COOKIE_PREFIX."password", "", 0);
        $this->user_info = $this->load_user_info(GUEST);
      }
    }
    $this->session_id = $this->generate_session_id();
    // The user agent and the styleid cookie come straight from the client, so
    // escape / cast them before they are written into the vB session table.
    $user_agent = addslashes(isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '');
    $style_id   = intval($this->read_cookie_data(COOKIE_PREFIX."styleid"));
    $sql = "INSERT INTO ".SESSIONS_TABLE."
            (sessionhash, userid, host, useragent, lastactivity, location, styleid)
            VALUES
            ('$this->session_id', ".$this->user_info['user_id'].", '$this->user_ip', '$user_agent', $this->current_time, '$this->user_location', '$style_id')";
    $site_db->query($sql);
    $this->session_info['session_user_id'] = $this->user_info['user_id'];
    $this->session_info['session_lastaction'] = $this->current_time;
    $this->session_info['session_location'] = $this->user_location;
    $this->session_info['session_ip'] = $this->user_ip;

    if ($this->user_info['user_id'] != GUEST) {
      $sql = "UPDATE ".USERS_TABLE."
              SET ".get_user_table_field("", "user_lastaction")." = $this->current_time
              WHERE ".get_user_table_field("", "user_id")." = ".$this->user_info['user_id'];
      $site_db->query($sql);
    }
    $this->set_cookie_data(COOKIE_PREFIX."sessionhash", $this->session_id, 0);
    $this->set_cookie_data(COOKIE_PREFIX."lastvisit", $this->current_time);
    $this->set_cookie_data(COOKIE_PREFIX."userid", $this->user_info['user_id']);
    return true;
  }

  function login($user_name = "", $user_password = "", $auto_login = 0, $set_auto_login = 1) {
    global $url_login;
    header("Location: $url_login");
  }

  function logout($user_id = GUEST) {
    global $url_logout;
    header("Location: $url_logout");
  }

  function delete_old_sessions() {
    global $site_db;
    $expiry_time = $this->current_time - $this->session_timeout;
    $sql = "DELETE FROM ".SESSIONS_TABLE."
            WHERE lastactivity < $expiry_time";
// BM: temporary take this out, assume Forum always has someone browsing 
//    $site_db->query($sql);

    $sql = "SELECT sessionhash
            FROM ".SESSIONS_TABLE;
    $result = $site_db->query($sql);
    if ($result) {
      $session_ids_sql = "";
      while ($row = $site_db->fetch_array($result)) {
        $session_ids_sql .= (($session_ids_sql != "") ? ", " : "") . "'".$row['sessionhash']."'";
      }
    }
    if (!empty($session_ids_sql)) {
      $sql = "DELETE FROM ".SESSIONVARS_TABLE."
              WHERE session_id NOT IN ($session_ids_sql)";
      $site_db->query($sql);
    }
    return true;
  }

  function update_session() {
    global $site_db;

    $sql = "REPLACE INTO ".SESSIONS_TABLE."
           (sessionhash, userid, lastactivity, location, host)
           VALUES
           ('$this->session_id', ".$this->user_info['user_id'].", $this->current_time, '$this->user_location', '$this->user_ip')";

    $site_db->query($sql);
    if ($this->user_info['user_id'] != GUEST) {
      $sql = "UPDATE ".USERS_TABLE."
              SET ".get_user_table_field("", "user_lastaction")." = $this->current_time
              WHERE ".get_user_table_field("", "user_id")." = ".$this->user_info['user_id'];
      $site_db->query($sql);
    }
    return;
  }

  function generate_session_id() {
    global $site_db;
    $sid = md5(uniqid(microtime()));
    $i = 0;
    // Loop until the generated hash is not already present in the session table.
    while ($i == 0) {
      $sql = "SELECT sessionhash
              FROM ".SESSIONS_TABLE."
              WHERE sessionhash = '$sid'";
      if ($site_db->is_empty($sql)) {
        $i = 1;
      }
      else {
        $i = 0;
        $sid = md5(uniqid(microtime()));
      }
    }
    return $sid;
  }

  function return_session_info() {
    return $this->session_info;
  }

  function return_user_info() {
    return $this->user_info;
  }
  
  
function freeze() {
    return;
  }

  function load_session_info() {
    global $site_db;
    if (!$this->session_id) {
      return false;
    }
    $this->session_info = array();
    $sql = "SELECT sessionhash, lastactivity, host, userid
            FROM ".SESSIONS_TABLE."
            WHERE sessionhash = '$this->session_id'
            AND host = '$this->user_ip'";
    $this->session_info = $site_db->query_firstrow($sql);
    if (!isset($this->session_info['userid'])) {
      return false;
    }
    else {
      $sql = "SELECT sessionvars_name, sessionvars_value
              FROM ".SESSIONVARS_TABLE."
              WHERE session_id = '$this->session_id'";
      $result = $site_db->query($sql);
      while ($row = $site_db->fetch_array($result)) {
        $this->session_info[$row['sessionvars_name']] = $row['sessionvars_value'];
      }
      return $this->session_info;
    }
  }

  function load_user_info($user_id = GUEST) {
    global $site_db, $user_table_fields;

    if ($user_id != GUEST) {
      $sql = "SELECT u.*, l.*
              FROM ".USERS_TABLE." u, ".LIGHTBOXES_TABLE." l
              WHERE ".get_user_table_field("u.", "user_id")." = $user_id AND l.user_id = ".get_user_table_field("u.", "user_id");
      $user_info = $site_db->query_firstrow($sql);
      if (!$user_info) {
        $sql = "SELECT *
                FROM ".USERS_TABLE."
                WHERE ".get_user_table_field("", "user_id")." = $user_id";
        $user_info = $site_db->query_firstrow($sql);

        // The user exists but has no lightbox yet: create an empty one.
        if ($user_info) {
          $lightbox_id = get_random_key(LIGHTBOXES_TABLE, "lightbox_id");
          $sql = "INSERT INTO ".LIGHTBOXES_TABLE."
                  (lightbox_id, user_id, lightbox_lastaction, lightbox_image_ids)
                  VALUES
                  ('$lightbox_id', ".$user_info[$user_table_fields['user_id']].", $this->current_time, '')";
          $site_db->query($sql);
          $user_info['lightbox_lastaction'] = $this->current_time;
          $user_info['lightbox_image_ids'] = "";
        }
      }
    }
    if (empty($user_info[$user_table_fields['user_id']])) {
      $user_info = array();
      $user_info['user_id'] = GUEST;
      $user_info['user_level'] = GUEST;
      $user_info['user_lastaction'] = $this->current_time;
      $user_info['user_lastvisit'] = ($this->read_cookie_data(COOKIE_PREFIX."lastvisit")) ? $this->read_cookie_data(COOKIE_PREFIX."lastvisit") : $this->current_time;
    }
    foreach ($user_table_fields as $key => $val) {
      if (isset($user_info[$val])) {
        $user_info[$key] = $user_info[$val];
      }
      elseif (!isset($user_info[$key])) {
        $user_info[$key] = "";
      }
    }
    // Guests have no vB salt, so fall back to an empty string for them.
    $user_info['logouthash'] = md5($user_info['user_id'] . (isset($user_info['salt']) ? $user_info['salt'] : '') . VBLICENCE_NUMBER);
    return $user_info;
  }

  function set_session_var($var_name, $value) {
    global $site_db;
    $sql = "SELECT session_id
            FROM ".SESSIONVARS_TABLE."
            WHERE sessionvars_name = '$var_name' AND session_id = '$this->session_id'";
    if ($site_db->is_empty($sql)) {
      $sql = "INSERT INTO ".SESSIONVARS_TABLE."
              (session_id, sessionvars_name, sessionvars_value)
              VALUES
              ('$this->session_id', '$var_name', '$value')";
      $site_db->query($sql);
    }
    else {
      $sql = "UPDATE ".SESSIONVARS_TABLE."
              SET sessionvars_value = '$value'
              WHERE sessionvars_name = '$var_name' AND session_id = '$this->session_id'";
      $site_db->query($sql);
    }
    $this->session_info[$var_name] = $value;
    return true;
  }

  function get_session_var($var_name) {
    global $site_db;
    if (isset($this->session_info[$var_name])) {
      return $this->session_info[$var_name];
    }
    else {
      $sql = "SELECT sessionvars_value
              FROM ".SESSIONVARS_TABLE."
              WHERE sessionvars_name = '$var_name' AND session_id = '$this->session_id'";
      $value = $site_db->query_firstrow($sql);
      if ($value) {
        $this->session_info[$var_name] = $value['sessionvars_value'];
        return $value['sessionvars_value'];
      }
      else {
        return "";
      }
    }
  }

  function drop_session_var($var_name) {
    unset($this->session_info[$var_name]);
/*    global $site_db;
    $sql = "DELETE FROM ".SESSIONVARS_TABLE." 
            WHERE sessionvars_name = '$var_name' AND session_id = '$this->session_id'";
    return ($site_db->query($sql)) ? 1 : 0;
*/
  }

  function get_user_ip() {
    global $HTTP_SERVER_VARS, $HTTP_ENV_VARS;
    $ip = (!empty($HTTP_SERVER_VARS['REMOTE_ADDR'])) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ((!empty($HTTP_ENV_VARS['REMOTE_ADDR'])) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : getenv("REMOTE_ADDR"));
    //$ip = preg_replace("/[^\.0-9]+/", "", $ip);
    return substr($ip, 0, 50);
  }

  function get_user_location() {
    global $self_url;
    return (defined("IN_CP")) ? "Control Panel" : preg_replace(array("/([?|&])action=[^?|&]*/", "/([?|&])mode=[^?|&]*/", "/([?|&])phpinfo=[^?|&]*/", "/([?|&])printstats=[^?|&]*/", "/[?|&]".URL_ID."=[^?|&]*/", "/[?|&]l=[^?|&]*/", "/[&?]+$/"), array("", "", "", "", "", "", ""), addslashes($self_url));
  }

  function url($url, $amp = "&amp;") {
    global $l;
    $dummy_array = explode("#", $url);
    $url = $dummy_array[0];

    if ($this->mode == "get" && strpos($url, $this->session_id) === false) {
      $url .= strpos($url, '?') !== false ? $amp : "?";
      $url .= SESSION_NAME."=".$this->session_id;
    }

    if (!empty($l)) {
      $url .= strpos($url, '?') !== false ? $amp : "?";
      $url .= "l=".$l;
    }

    $url .= (isset($dummy_array[1])) ? "#".$dummy_array[1] : "";
    return $url;
  }
} //end of class

//-----------------------------------------------------
//--- Start Session -----------------------------------
//-----------------------------------------------------
$optionstemp = $site_db->query_firstrow("SELECT template FROM ".VB_TEMPLATE_TABLE." WHERE title='options'");
eval($optionstemp['template']);

define('COOKIE_NAME', '');
define('COOKIE_PATH', $cookiedomain);
define('COOKIE_DOMAIN', $cookiepath);
$secure = (isset($SERVER_PORT) && $SERVER_PORT == "443") ? 1 : 0;
define('COOKIE_SECURE', $secure);

//Start Session
$site_sess = new Session();

// Get Userinfo
$session_info = $site_sess->return_session_info();
$user_info = $site_sess->return_user_info();

// Set USERGROUP levels
if (in_array($user_info['user_level'], $admingroups)) {
  define('ADMIN', $user_info['user_level']);
}
else {
  define('ADMIN', ADMIN_DEFAULT);
}

if (in_array($user_info['user_level'], $usergroups)) {
  define('USER', $user_info['user_level']);
}
else {
  define('USER', USER_DEFAULT);
}

if (in_array($user_info['user_level'], $waitinggroups)) {
  define('USER_AWAITING', $user_info['user_level']);
}
else {
  define('USER_AWAITING', USER_AWAITING_DEFAULT);
}

//-----------------------------------------------------
//--- Get User Caches ---------------------------------
//-----------------------------------------------------
$num_total_online = 0;
$num_visible_online = 0;
$num_invisible_online = 0;
$num_registered_online = 0;
$num_guests_online = 0;
$user_online_list = "";
$prev_user_ids = array();
$prev_session_ips = array();

if (defined("GET_USER_ONLINE") && ($config['display_whosonline'] == 1 || $user_info['user_level'] == ADMIN)) {
  if (!isset($cookietimeout)) {
    $cookietimeout = COOKIE_TIMEOUT;
  }
  $time_out = time() - $cookietimeout;
  $sql = "SELECT s.userid, s.lastactivity, s.host".get_user_table_field(", u.", "user_id").get_user_table_field(", u.", "user_level").get_user_table_field(", u.", "user_name").get_user_table_field(", u.", "user_invisible")."
  FROM ".SESSIONS_TABLE." s
  LEFT JOIN ".USERS_TABLE." u ON (".get_user_table_field("u.", "user_id")." = s.userid)
  WHERE s.lastactivity >= $time_out
  ORDER BY ".get_user_table_field("u.", "user_id")." ASC, s.host ASC";
  $result = $site_db->query($sql);
  while ($row = $site_db->fetch_array($result)) {
    if ($row['userid'] != GUEST && isset($row[$user_table_fields['user_name']])) {
      if (!isset($prev_user_ids[$row['userid']])) {
        $is_invisible = (isset($row[$user_table_fields['user_invisible']]) && $row[$user_table_fields['user_invisible']] == 1) ? 1 : 0;
        $invisibleuser = ($is_invisible) ? "*" : "";
        $username = (isset($row[$user_table_fields['user_level']]) && $row[$user_table_fields['user_level']] == ADMIN && $config['highlight_admin'] == 1) ? sprintf("<b>%s</b>", $row[$user_table_fields['user_name']]) : $row[$user_table_fields['user_name']];
        if (!$is_invisible || $user_info['user_level'] == ADMIN) {
          $user_online_list .= ($user_online_list != "") ? ", " : "";
          $user_profile_link = (!empty($url_show_profile)) ? preg_replace("/{user_id}/", $row['userid'], $url_show_profile) : ROOT_PATH."member.php?action=showprofile&amp;".URL_USER_ID."=".$row['userid'];
          $user_online_list .= "<a href=\"".$site_sess->url($user_profile_link)."\">".$username."</a>".$invisibleuser;
        }
        (!$is_invisible) ? $num_visible_online++ : $num_invisible_online++;
        $num_registered_online++;
      }
      $prev_user_ids[$row['userid']] = 1;
    }
    else {
      if (!isset($prev_session_ips[$row['host']])) {
        $num_guests_online++;
      }
    }
    $prev_session_ips[$row['host']] = 1;
  }
  $num_total_online = $num_registered_online + $num_guests_online;

  $site_template->register_vars(array(
    "num_total_online" => $num_total_online,
    "num_invisible_online" => $num_invisible_online,
    "num_registered_online" => $num_registered_online,
    "num_guests_online" => $num_guests_online,
    "user_online_list" => $user_online_list,
    "lang_user_online" => str_replace('{num_total_online}', $num_total_online, $lang['user_online']),
    "lang_user_online_detail" => str_replace(array('{num_registered_online}','{num_invisible_online}','{num_guests_online}'), array($num_registered_online,$num_invisible_online,$num_guests_online), $lang['user_online_detail']),
  ));
  $whos_online = $site_template->parse_template("whos_online");
  $site_template->register_vars("whos_online", $whos_online);
  unset($whos_online);
  unset($prev_user_ids);
  unset($prev_session_ips);
}
?>

I'm also using a changed version of constants.php. I've also attached it; maybe you need it:

<?php
/**************************************************************************
 *                                                                        *
 *    4images - A Web Based Image Gallery Management System               *
 *    ----------------------------------------------------------------    *
 *                                                                        *
 *             File: constants.php                                        *
 *        Copyright: (C) 2002 Jan Sorgalla                                *
 *            Email: jan@4homepages.de                                    *
 *              Web: http://www.4homepages.de                             *
 *    Scriptversion: 1.7.2                                                *
 *    Integration to work with vBulletin 2.x by Jan                       *
 *    Modified to work with vBulletin 3.0.x by mtha                       *
 *    Modified to work with vBulletin 3.5.x by mtha                       *
 *    Never released without support from: Nicky (http://www.nicky.net)   *
 *                                                                        *
 **************************************************************************
 *                                                                        *
 *    Dieses Script ist KEINE Freeware. Bitte lesen Sie die Lizenz-       *
 *    bedingungen (Lizenz.txt) für weitere Informationen.                 *
 *    ---------------------------------------------------------------     *
 *    This script is NOT freeware! Please read the Copyright Notice       *
 *    (Licence.txt) for further information.                              *
 *                                                                        *
 *************************************************************************/
if (!defined('ROOT_PATH')) {
  die("Security violation");
}
// If 4images has problems to find out the right URL, define it here.
define('SCRIPT_URL', 'http://www.gerritsforum.de/gallery'); //no trailing slash
define('VB_TABLE_PREFIX', ''); // your vB table prefix. vB default is blank

// Table names
define('CATEGORIES_TABLE', $table_prefix.'categories');
define('COMMENTS_TABLE', $table_prefix.'comments');
define('GROUP_ACCESS_TABLE', $table_prefix.'groupaccess');
define('GROUP_MATCH_TABLE', $table_prefix.'groupmatch');
define('GROUPS_TABLE', $table_prefix.'groups');
define('IMAGES_TABLE', $table_prefix.'images');
define('IMAGES_TEMP_TABLE', $table_prefix.'images_temp');
define('LIGHTBOXES_TABLE', $table_prefix.'lightboxes');
define('POSTCARDS_TABLE', $table_prefix.'postcards');
define('SESSIONS_TABLE', VB_TABLE_PREFIX.'session'); // sessions live in the vB table
define('SESSIONVARS_TABLE', $table_prefix.'sessionvars');
define('SETTINGS_TABLE', $table_prefix.'settings');
define('USERS_TABLE', VB_TABLE_PREFIX.'user'); // users live in the vB table
define('WORDLIST_TABLE', $table_prefix.'wordlist');
define('WORDMATCH_TABLE', $table_prefix.'wordmatch');


// URL Parameters
define('URL_IMAGE_ID', 'image_id');
define('URL_CAT_ID', 'cat_id');
define('URL_USER_ID', 'user_id');
define('URL_POSTCARD_ID', 'postcard_id');
define('URL_COMMENT_ID', 'comment_id');
define('URL_PAGE', 'page');
define('URL_ID', 'id');


// User default levels
define('GUEST', 0);  // GUEST group or ID
define('USER_AWAITING_DEFAULT', 3);
define('USER_DEFAULT', 2);
define('ADMIN_DEFAULT', 6);

// User groups level
// NOTE: the commas between the group IDs were lost in the pasted post; the
// split below is an assumed reconstruction, so check it against your own vB usergroup IDs.
$waitinggroups = array(1, 3, 4, 13, 14, 21); // vB groups that should wait for moderation. Separate each group by a comma
$usergroups = array(2, 5, 7, 8, 9, 15, 19, 20, 23); // Groups that are USERS in the album. Separate each group by a comma
$admingroups = array(6); // vB groups that are ADMINS in the album. Separate each group by a comma

// Permission levels
define('AUTH_ALL', 0);
define('AUTH_USER', 2);
define('AUTH_ACL', 3);
define('AUTH_ADMIN', 9);


// Group types
define('GROUPTYPE_GROUP', 1);
define('GROUPTYPE_SINGLE', 2);


// Chmod for files and directories created by 4images
define('CHMOD_FILES', 0666);
define('CHMOD_DIRS', 0777);


// Will be used to replace the {xxx} tags if the value is empty.
// Netscape Browser sometimes needs this to display table cell background colors.
define('REPLACE_EMPTY', '&nbsp;');


// Max rating value
define('MAX_RATING', 5);


// Days postcards will be held in the database
define('POSTCARD_EXPIRY', 10);


// Time offset for your website. Sometimes useful if your server is located
// in another timezone.
define('TIME_OFFSET', 0);


// All words <= MIN_SEARCH_KEYWORD_LENGTH and >= MAX_SEARCH_KEYWORD_LENGTH
// are not added to the search index
define('MIN_SEARCH_KEYWORD_LENGTH', 3);
define('MAX_SEARCH_KEYWORD_LENGTH', 25);

// If you set this to 1, admins will authenticated additionally with cookies.
// If you use "User Integration", you should set this to 0.
define('ADMIN_SAFE_LOGIN', 0);


// If you use GD higher 2.0.1 and PHP higher 4.0.6 set this to 1.
// Your thumbnails will be created with better quality
define('CONVERT_IS_GD2', 0);


// If you have a lot of images in your database,
// the random image function could make your programm slow.
// Try first to set "SHOW_RANDOM_CAT_IMAGE" to 0.
define('SHOW_RANDOM_IMAGE', 1);
define('SHOW_RANDOM_CAT_IMAGE', 1);


// Check existence of remote image files.
// If you choose 1, you could get sometimes timeout errors
define('CHECK_REMOTE_FILES', 0);


// Allow execution of PHP code in templates
define('EXEC_PHP_CODE', 1);

// Data paths
define('MEDIA_DIR', 'data/media');
define('THUMB_DIR', 'data/thumbnails');
define('MEDIA_TEMP_DIR', 'data/tmp_media');
define('THUMB_TEMP_DIR', 'data/tmp_thumbnails');
define('DATABASE_DIR', 'data/database');
define('TEMPLATE_DIR', 'templates');

// Script version
define('SCRIPT_VERSION', '1.7.2');
// Debug constants
// define("PRINT_STATS", 1);
// define("PRINT_QUERIES", 1);
// define('PRINT_CACHE_MESSAGES', 1);
?>
V@no
« Reply #16 on: May 28, 2006, 11:18:42 AM »

In sessions.php replace
  function get_session_id() {
    global $HTTP_GET_VARS, $HTTP_POST_VARS;
    if ($this->session_id = $this->read_cookie_data(COOKIE_PREFIX."sessionhash")) {
      $this->mode = "cookie";
    }
    else {
      if (isset($HTTP_GET_VARS[SESSION_NAME])) {
        $this->session_id = $HTTP_GET_VARS[SESSION_NAME];
      }
      elseif (isset($HTTP_POST_VARS[SESSION_NAME])) {
        $this->session_id = $HTTP_POST_VARS[SESSION_NAME];
      }
      else {
        $this->session_id = false;
      }
    }
  }
with:
  function get_session_id() {
    global $HTTP_GET_VARS, $HTTP_POST_VARS;
    if ($this->session_id = $this->read_cookie_data(COOKIE_PREFIX."sessionhash")) {
      $this->mode = "cookie";
    }
    else {
      if (isset($HTTP_GET_VARS[SESSION_NAME])) {
        $this->session_id = $HTTP_GET_VARS[SESSION_NAME];
      }
      elseif (isset($HTTP_POST_VARS[SESSION_NAME])) {
        $this->session_id = $HTTP_POST_VARS[SESSION_NAME];
      }
      else {
        $this->session_id = false;
      }
    }
    $this->session_id = preg_replace('/[^a-z0-9]+/i', '', $this->session_id);
  }
It should do the trick.
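The following is an added example, not code from V@no's patch or from the 4images/vBulletin integration: it isolates the whitelist filter from the replacement get_session_id() above so it can be exercised against a few constructed inputs, and puts a stricter reject-instead-of-strip variant beside it. The function names sanitize_session_id() and validate_session_id() are mine, and the stricter variant assumes, as the posted generate_session_id() does, that a legitimate session hash is a 32-character md5 hex string.

```php
<?php
// Added example; not part of the 4images/vBulletin integration or of V@no's patch.

// Same expression as in the patched get_session_id(): every character outside
// a-z / A-Z / 0-9 is dropped before the value reaches
//   WHERE sessionhash = '$this->session_id'
// in load_session_info(), so no quote or other SQL metacharacter survives.
function sanitize_session_id($session_id) {
    return preg_replace('/[^a-z0-9]+/i', '', (string) $session_id);
}

// Stricter variant (assumption: a legitimate hash is the 32-hex-digit md5 string
// that generate_session_id() produces). Anything else is rejected outright
// rather than silently rewritten, so a tampered id never matches a row by accident.
function validate_session_id($session_id) {
    $session_id = (string) $session_id;
    return (preg_match('/^[a-f0-9]{32}$/i', $session_id) === 1) ? strtolower($session_id) : false;
}

// Constructed inputs: a real-looking hash, a value carrying a quote, a
// semicolon and a space, and the "no cookie / no parameter" case.
$samples = array(
    md5('constructed sample'),
    "ab12cd34'; x",
    '',
);

foreach ($samples as $raw) {
    printf("raw=%-40s sanitized=%-36s validated=%s\n",
        var_export($raw, true),
        var_export(sanitize_session_id($raw), true),
        var_export(validate_session_id($raw), true));
}
```

The md5 value passes both functions unchanged, the second sample is stripped to ab12cd34x by the whitelist but rejected by the strict check, and the empty value stays empty. After the patch a missing id becomes '' rather than false, and the `if (!$this->session_id)` test in load_session_info() still treats it as absent, so no query is run for it.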
vBFreak
« Reply #17 on: May 28, 2006, 09:46:08 PM »

Thanks a lot, I hope it will help.

May I post this on the original vB.org thread for the vBulletin addon to help out others who are also having problems with this issue? I'm sure most users never take a look into this thread/board.

Of course I would tell them that you've made it and that it's not my work.
V@no
« Reply #18 on: May 28, 2006, 11:46:19 PM »

sure you can, but please provide a link to this topic ;)
vBFreak
« Reply #19 on: June 04, 2006, 03:57:11 AM »

I'm still affected by this bug: some images got spammed again with those links from users who were never registered (these were the first ones I saw after I checked this). Maybe it's not a SQL injection bug but a bug in the comments system or in the session handling. Is there any method available to enable debug logging or something to see where the hole is located? I need help with this since the number of these spam bots is growing :(
« Last Edit: June 04, 2006, 04:36:38 AM by vBFreak »
V@no
« Reply #20 on: June 04, 2006, 04:15:39 AM »

some images got spammed again with those links from users never registered

disable permission for guests posting comments or install image validation mod for comments. nothing to do with this or other security holes.
vBFreak
« Reply #21 on: June 04, 2006, 04:34:38 AM »

If I visit my gallery as a guest I don't have anything to enter a comment. I'm just wondering how this can be enabled then, where can I disable this?

[EDIT]hrm, you're absolutely right, but it seems not to be enabled in every location, strange...
But I can't find something to disable that[/EDIT]
V@no
« Reply #22 on: June 04, 2006, 10:48:48 AM »

it's under category permissions in ACP (Admin Control Panel)
XIII
« Reply #23 on: June 07, 2006, 08:48:35 AM »

Hmm, I have guest posting disabled everywhere and still got spammed again yesterday for the first time after applying this patch.
V@no
« Reply #24 on: June 07, 2006, 03:10:16 PM »

and the spammer is not a registered member? please show it.
XIII
« Reply #25 on: June 07, 2006, 06:22:16 PM »

Nope, that's what surprised me as well. After this patch I've had 0 problems with comment spam, until yesterday when some 'Kavin' had left a bunch of comments. So I deleted them and then went on to delete the user, except there was no registered user.
I don't know exactly what you mean with 'show it'. Show what?
V@no
« Reply #26 on: June 08, 2006, 02:44:53 AM »

A link to the site please.

"Kavin" - was he a guest or a non-existing member? (did the comment he left have a user_id? - check with phpMyAdmin or something.)
XIII
« Reply #27 on: June 08, 2006, 09:27:57 PM »

Just checked, seeing as there were a few new ones.
Aside from a few more bots registering, there were a few new comments left by a 'Kavin' who turned out to point to the userid I'd made using the instructions from this thread.
Which I don't get, because I used a non-obvious username for that id and of course a different password than listed there, plus I've set the account to be non-visible so no one else can see the id name when a spider is crawling the gallery.
Maybe someone's made a bot that uses one of these identifiers? Just guessing of course.
V@no
« Reply #28 on: June 09, 2006, 12:39:34 AM »

Maybe someone's made a bot that uses one of these identifiers? Just guessing ofcourse.
That is the most probable.
So, if that is the case, then perhaps you'll need to either try to trace the "kavin" bot in the access logs and get its identification string and ban it, or discontinue using that mod.
Anyways, since this issue has nothing to do with the security fix from this topic, please continue discussion under the "threat bots as members" mod, because it seems to have problems...
8o8o8.com
« Reply #29 on: June 20, 2006, 09:53:10 AM »

thankx