4images Forum & Community
Author Topic: [1.7 / 1.7.1] Security fix in sessions.php  (Read 225490 times)
arindra
« Reply #15 on: June 13, 2005, 11:36:24 AM »

Have done it... I am using the integration with Invisionboard.
But can someone explain what this fix does exactly?
martrix
« Reply #16 on: June 13, 2005, 04:54:15 PM »

Please understand that I won't go into more detail on this. There are many installations that don't have this fix, and if I explain how and where one exploits it... well, you understand ;)

Regards, Jan
In other language and other words:

Please understand that I won't give you more information on this fix.
There are many 4images installations out there without this fix installed, and if I explain to you how one may misuse it... well... I hope you understand ;)

In short:
things you would not like could happen without this fix being implemented...

Unsichtbar
« Reply #17 on: June 14, 2005, 05:08:33 PM »

Thanks... :D

TariqAlAli
« Reply #18 on: June 15, 2005, 07:42:50 AM »

Hi all

I believe this fix stops anonymous users from uploading files to your tmp folder via Apache, where you can even run those files remotely.

I was a victim: an intruder was uploading spam email scripts and running them remotely. I just made the changes and hope this will fix it. If it works, I will update you.

Regards

Tariq AlAli
V@no
« Reply #19 on: June 15, 2005, 07:45:33 AM »

> Hi all
>
> I believe this fix stopped anonymous users from uploading files to your tmp folder via Apache, where you can even run those files remotely.
>
> I was a victim: an intruder was uploading spam email scripts and running them remotely. I just made the changes and hope this will fix it. If it works, I will update you.
>
> Regards
>
> Tariq AlAli

What you just described seems to be your server issue, and not 4images.
TariqAlAli
« Reply #20 on: June 15, 2005, 07:59:29 AM »

> > Hi all
> >
> > I believe this fix stopped anonymous users from uploading files to your tmp folder via Apache, where you can even run those files remotely.
> >
> > I was a victim: an intruder was uploading spam email scripts and running them remotely. I just made the changes and hope this will fix it. If it works, I will update you.
> >
> > Regards
> >
> > Tariq AlAli
>
> What you just described seems to be your server issue, and not 4images.

Well, this has happened to me since day one, when I installed 4images; anyhow, as I mentioned, "it might be". Since I modified the file, the intruder has stopped the penetration of the server.

Also, I noticed when I installed 4images a month ago that if I log in with my account and give a photo URL (session) to a user, he will be logged in with my session/ID.

I will be doing several exercises and will update you accordingly.

Thank you again.

Regards

Tariq AlAli
V@no
« Reply #21 on: June 15, 2005, 08:04:21 AM »

> Also, I noticed when I installed 4images a month ago that if I log in with my account and give a photo URL (session) to a user, he will be logged in with my session/ID.

That is perfectly normal behaviour.
TariqAlAli
« Reply #22 on: June 16, 2005, 09:51:43 AM »

Hi all

My thoughts are going to be 100% correct. The security bug was the reason for the hacking of my server. It has been 48 hrs since I implemented the new fix and the hacker has not logged in to the server.

I will give it another 72 hrs before I announce that the hack was from that bug, and will try to post how to penetrate the servers with that bug.

Thank you all.
V@no
« Reply #23 on: June 16, 2005, 02:23:49 PM »

> I will give it another 72 hrs before I announce that the hack was from that bug, and will try to post how to penetrate the servers with that bug.

Via PM please, not public.
martrix
« Reply #24 on: June 16, 2005, 09:47:21 PM »

> will try to post how to penetrate the servers with that bug.

Oh my god! Don't even think about giving out this information publicly! PLEASE!
Send it to Jan or V@no via PM, but not in a public thread in this forum. I beg you!

SonGokuuu
« Reply #25 on: June 17, 2005, 05:07:47 PM »

I have now applied the bug fix, but now the text "There are x users and x guests online" is no longer displayed at the bottom above the users who are online. How can I restore it and still close the security hole?

In case you don't know what I mean: http://www.zetzero.net/Anime-Folio/
(At the bottom of the upper part there is a light grey bar; the text that used to be in it is no longer shown, and below it are the usernames that are online, but with some space at the top)

RoadDogg
« Reply #26 on: June 18, 2005, 09:34:33 AM »

But the fix has nothing to do with that; you must have changed something else?
SonGokuuu
« Reply #27 on: June 18, 2005, 02:55:26 PM »

No, I only replaced the part given above in the file and then uploaded it; no other changes were made.

nd.h
« Reply #28 on: June 20, 2005, 07:44:35 PM »

Am I right in assuming that this line is not present if I have integrated the gallery into phpBB?
(Unfortunately I no longer know which lines were removed in the process)
RoadDogg
« Reply #29 on: June 20, 2005, 08:18:25 PM »

A few posts further up it says:

> No, this line: $user_id = ($this->read_cookie_data("userid")) ? $this->read_cookie_data("userid") : GUEST;
>
> I integrated phpBB 2.0.15.

> That version does not have this hole, don't worry about this fix ;)