Author Topic: [1.7 / 1.7.1] Security fix in sessions.php  (Read 269753 times)

0 Members and 1 Guest are viewing this topic.

Offline fotograf74

  • Newbie
  • *
  • Posts: 29
    • View Profile
Re: [1.7 / 1.7.1] Security fix in sessions.php
« Reply #60 on: December 24, 2005, 09:24:36 PM »
Canīt find the line:
$user_id = ($this->read_cookie_data("userid")) ? $this->read_cookie_data("userid") : GUEST;

in my session.php

Offline TheOracle

  • Hero Member
  • *****
  • Posts: 875
    • View Profile
Re: [1.7 / 1.7.1] Security fix in sessions.php
« Reply #61 on: December 25, 2005, 01:48:10 PM »
In your includes/sessions.php file,

find :

Quote

$this->delete_old_sessions();


and the line right below is the one you're looking for - which should be

this one :

Quote

$user_id = ($this->read_cookie_data("userid")) ? ...


replace that entire line

with this one :

Code: [Select]

$user_id = ($this->read_cookie_data("userid")) ? intval($this->read_cookie_data("userid")) : GUEST;


Merry Christmas.

Offline fotograf74

  • Newbie
  • *
  • Posts: 29
    • View Profile
Re: [1.7 / 1.7.1] Security fix in sessions.php
« Reply #62 on: January 08, 2006, 01:25:31 PM »
Sorry in my sesions.php I canīt finde this line

Code: [Select]
<?php
/**************************************************************************
 *                                                                        *
 *    4images - A Web Based Image Gallery Management System               *
 *    ----------------------------------------------------------------    *
 *                                                                        *
 *             File: sessions.php                                         *
 *        Copyright: (C) 2002 Jan Sorgalla                                *
 *            Email: jan@4homepages.de                                    *
 *              Web: http://www.4homepages.de                             *
 *    Scriptversion: 1.7                                                  *
 *                                                                        *
 *    Never released without support from: Nicky (http://www.nicky.net)   *
 *                                                                        *
 **************************************************************************
 *                                                                        *
 *    Main part is adapted from of phpBB, (C) 2001 The phpBB Group        *
 *    phpBB is released under the GNU General Public License              *
 *                                                                        *
 *************************************************************************/
if (!defined('ROOT_PATH')) {
  die(
"Security violation");
}

//-----------------------------------------------------
//--- Start Configuration -----------------------------
//-----------------------------------------------------

// Define here the name of the session. Default of phpBB is "sid".
define('SESSION_NAME''sid');

// Define here the name of the banlist and config database tables.
// Maybe you only need to change the table prefix if you another
// than the phpBB default "phpbb_".
define('PHPBB_BANLIST_TABLE''phpbb_banlist');
define('PHPBB_CONFIG_TABLE''phpbb_config');

// Set her the corresponding database fields of the user table.
// If there is no corresponding field in the new user table,
// leave the value blank. Normally no need to change.
$user_table_fields = array(
  
"user_id" => "user_id",
  
"user_level" => "user_level",
  
"user_name" => "username",
  
"user_password" => "user_password",
  
"user_email" => "user_email",
  
"user_showemail" => "user_viewemail",
  
"user_allowemails" => "",
  
"user_invisible" => "user_allow_viewonline",
  
"user_joindate" => "user_regdate",
  
"user_activationkey" => "user_actkey",
  
"user_lastaction" => "user_session_time",
  
"user_location" => "user_session_page",
  
"user_lastvisit" => "user_lastvisit",
  
"user_comments" => "",
  
"user_homepage" => "user_website",
  
"user_icq" => "user_icq"
);

// Set here the URL to your phpBB forum. WITH trailing slash!
$url_app           "http://www.myforum.de";

// Set here different URL's to your phpBB forum.
// Normally no need to change.
$url_register      $url_app."profile.php?mode=register";
$url_lost_password $url_app."profile.php?mode=sendpassword";
$url_control_panel $url_app."profile.php?mode=editprofile";
$url_mailform      $url_app."profile.php?mode=email&u={user_id}";
$url_show_profile  $url_app."profile.php?mode=viewprofile&u={user_id}";
$url_login         $url_app."login.php";
$url_logout        $url_app."login.php?logout=true";

//-----------------------------------------------------
//--- End Configuration -------------------------------
//-----------------------------------------------------

define('USER_INTEGRATION''PHPBB');

function 
get_user_table_field($add$user_field) {
  global 
$user_table_fields;
  return (!empty(
$user_table_fields[$user_field])) ? $add.$user_table_fields[$user_field] : "";
}

class 
Session {

  var 
$session_id;
  var 
$user_ip;
  var 
$user_location;
  var 
$current_time;
  var 
$session_timeout;
  var 
$mode "get";
  var 
$session_info = array();
  var 
$user_info = array();

  function 
Session() {
    global 
$config$board_config;
    
$this->session_timeout $board_config['session_length'];
    
$this->user_ip $this->get_user_ip();
    
$this->user_location 1;
    
$this->current_time time();
    
$this->session_pagestart($this->user_ip0);
  }

  function 
session_pagestart($user_ip$thispage_id) {
    global 
$site_db$board_config;
  global $HTTP_COOKIE_VARS$HTTP_GET_VARS$HTTP_POST_VARS$SID;

    
$cookiename $board_config['cookie_name'];
  $cookiepath $board_config['cookie_path'];
  $cookiedomain $board_config['cookie_domain'];
  $cookiesecure $board_config['cookie_secure'];

  if ( isset($HTTP_COOKIE_VARS[$cookiename '_sid']) || isset($HTTP_COOKIE_VARS[$cookiename '_data']) )
  {
  $this->session_id = isset($HTTP_COOKIE_VARS[$cookiename '_sid']) ? $HTTP_COOKIE_VARS[$cookiename '_sid'] : '';
  $sessiondata = isset($HTTP_COOKIE_VARS[$cookiename '_data']) ? unserialize(stripslashes($HTTP_COOKIE_VARS[$cookiename '_data'])) : array();
  if (!is_array($sessiondata)) {
    $sessiondata = array();
  }
  $this->mode "cookie";
  }
  else
  {
  $sessiondata = array();
  if (isset($HTTP_GET_VARS[SESSION_NAME])) {
        
$this->session_id $HTTP_GET_VARS[SESSION_NAME];
      }
      elseif (isset(
$HTTP_POST_VARS[SESSION_NAME])) {
        
$this->session_id $HTTP_POST_VARS[SESSION_NAME];
      }
      else {
        
$this->session_id false;
      }
  }

  
//
  
// Does a session exist?
  
//
  
if ( !empty($this->session_id) )
  
{
  
$valid_session 1;
  
if (!$this->load_session_info()) {
      
$this->session_info['session_user_id'] = GUEST;
      
$valid_session 0;
      }
      
$this->user_info $this->load_user_info($this->session_info['session_user_id']);

  
if ( $valid_session )
  
{
  
$SID = ( $this->mode == "get" ) ? SESSION_NAME.'=' $this->session_id '';

  
if ( $this->current_time $this->session_info['session_time'] > 60 )
  
{
  
$sql "UPDATE " SESSIONS_TABLE "
   SET session_time = 
$this->current_time, session_page = $thispage_id
   WHERE session_id = '
$this->session_id'
   AND session_ip = '
$user_ip'";
  
$site_db->query($sql);

  
if ( $this->user_info['user_id'] != GUEST )
  
{
  
$sql "UPDATE " USERS_TABLE "
   SET user_session_time = 
$this->current_time, user_session_page = $thispage_id
   WHERE user_id = " 
$this->user_info['user_id'];
  
$site_db->query($sql);
  
}
   $this->delete_old_sessions();
    setcookie($cookiename '_data'serialize($sessiondata), $this->current_time 31536000$cookiepath$cookiedomain$cookiesecure);
   setcookie($cookiename '_sid'$this->session_id0$cookiepath$cookiedomain$cookiesecure);
     }
   return $this->user_info;
  }
  }

  $user_id = ( isset($sessiondata['userid']) ) ? $sessiondata['userid'] : GUEST;
  $this->user_info $this->session_begin($user_id$user_ip$thispage_idTRUE);
  return $this->user_info;

  }

  function 
session_begin($user_id$user_ip$page_id$auto_create 0$enable_autologin 0) {
    global 
$site_db$board_config;
  global $HTTP_COOKIE_VARS$HTTP_GET_VARS$HTTP_POST_VARS$SID;

    
$cookiename $board_config['cookie_name'];
  $cookiepath $board_config['cookie_path'];
  $cookiedomain $board_config['cookie_domain'];
  $cookiesecure $board_config['cookie_secure'];

  if ( isset($HTTP_COOKIE_VARS[$cookiename '_sid']) || isset($HTTP_COOKIE_VARS[$cookiename '_data']) )
  {
  $this->session_id = isset($HTTP_COOKIE_VARS[$cookiename '_sid']) ? $HTTP_COOKIE_VARS[$cookiename '_sid'] : '';
  $sessiondata = isset($HTTP_COOKIE_VARS[$cookiename '_data']) ? unserialize(stripslashes($HTTP_COOKIE_VARS[$cookiename '_data'])) : array();
  $this->mode "cookie";
  }
  else
  {
  $sessiondata = array();
  if (isset($HTTP_GET_VARS[SESSION_NAME])) {
        
$this->session_id $HTTP_GET_VARS[SESSION_NAME];
      }
      elseif (isset(
$HTTP_POST_VARS[SESSION_NAME])) {
        
$this->session_id $HTTP_POST_VARS[SESSION_NAME];
      }
      else {
        
$this->session_id false;
      }
  }

  $last_visit 0;
  $expiry_time $this->current_time $board_config['session_length'];

  $this->user_info $this->load_user_info($user_id);
  $user_id $this->user_info['user_id'];

    if ( 
$user_id != GUEST )
  {
  $auto_login_key $this->user_info['user_password'];

  if ( $auto_create )
  {
  
if ( isset($sessiondata['autologinid']) && $this->user_info['user_active'] )
   {
   // We have to login automagically
   if( $sessiondata['autologinid'] == $auto_login_key )
  {
  
// autologinid matches password
   $login 1;
   $enable_autologin 1;
   }
  else
  
{
   // No match; don't login, set as anonymous user
   $login 0;
   $enable_autologin 0;
   $user_id GUEST;
  
}
   }
   else
  {
  // Autologin is not set. Don't login, set as anonymous user
  
$login 0;
   $enable_autologin 0;
   $user_id GUEST;
  }
  
}
   else
  {
   $login 1;
  
}
  }
    else
  {
  $login 0;
  
$enable_autologin 0;
  
$user_id GUEST;
  }

  //
  // Initial ban check against user id, IP and email address
  
//
  preg_match('/(..)(..)(..)(..)/'$user_ip$user_ip_parts);

  $sql "SELECT ban_ip, ban_userid, ban_email
   FROM " 
PHPBB_BANLIST_TABLE "
   WHERE ban_ip IN ('" 
$user_ip_parts[1] . $user_ip_parts[2] . $user_ip_parts[3] . $user_ip_parts[4] . "', '" $user_ip_parts[1] . $user_ip_parts[2] . $user_ip_parts[3] . "ff', '" $user_ip_parts[1] . $user_ip_parts[2] . "ffff', '" $user_ip_parts[1] . "ffffff')
   OR ban_userid = 
$user_id";
  
if ( $user_id != GUEST )
  
{
  
$sql .= " OR ban_email LIKE '" str_replace("\'""''"$this->user_info['user_email']) . "'
   OR ban_email LIKE '" 
substr(str_replace("\'""''"$this->user_info['user_email']), strpos(str_replace("\'""''"$this->user_info['user_email']), "@")) . "'";
  
}
  
$result $site_db->query($sql);

  
if ( $ban_info $site_db->fetch_array($result) )
  
{
  
if ( $ban_info['ban_ip'] || $ban_info['ban_userid'] || $ban_info['ban_email'] )
  
{
  
header("Location: $url_login");
        exit;
  
}
  
}

  
//
  
// Create or update the session
  
//
  
$sql "UPDATE " SESSIONS_TABLE "
   SET session_user_id = 
$user_id, session_start = $this->current_time, session_time = $this->current_time, session_page = $page_id, session_logged_in = $login
   WHERE session_id = '" 
$this->session_id "'
   AND session_ip = '
$user_ip'";
  
if ( !$site_db->query($sql) || !$site_db->affected_rows() )
  
{
  
$this->session_id md5(uniqid($user_ip));

  
$sql "INSERT INTO " SESSIONS_TABLE "
   (session_id, session_user_id, session_start, session_time, session_ip, session_page, session_logged_in)
   VALUES ('
$this->session_id', $user_id$this->current_time$this->current_time, '$user_ip', $page_id$login)";
  
$site_db->query($sql);
  
}

  
if ( $user_id != GUEST )
  
{
  
$last_visit = ( $this->user_info['user_session_time'] > ) ? $this->user_info['user_session_time'] : $this->current_time;

  
$sql "UPDATE " USERS_TABLE "
   SET user_session_time = 
$this->current_time, user_session_page = $page_id, user_lastvisit = $last_visit
   WHERE user_id = 
$user_id";
  
$site_db->query($sql);

  
$this->user_info['user_lastvisit'] = $last_visit;

  
$sessiondata['autologinid'] = ( $enable_autologin && $this->mode == "cookie" ) ? $auto_login_key '';
  
$sessiondata['userid'] = $user_id;
  
}

  
$this->user_info['user_id'] = $user_id;
  
$this->session_info['session_id'] = $this->session_id;
  
$this->session_info['session_ip'] = $user_ip;
  
$this->session_info['session_user_id'] = $user_id;
  
$this->session_info['session_logged_in'] = $login;
  
$this->session_info['session_page'] = $page_id;
  
$this->session_info['session_start'] = $this->current_time;
  
$this->session_info['session_time'] = $this->current_time;

  
setcookie($cookiename '_data'serialize($sessiondata), $this->current_time 31536000$cookiepath$cookiedomain$cookiesecure);
  
setcookie($cookiename '_sid'$this->session_id0$cookiepath$cookiedomain$cookiesecure);

  
$SID = ( $this->mode == "get" ) ? SESSION_NAME.'=' $this->session_id '';

  
return $this->user_info;
  }

  function 
login($user_name ""$user_password ""$auto_login 0$set_auto_login 1) {
    global 
$url_login;
    
header("Location: $url_login");
  }

  function 
logout($user_id GUEST) {
    global 
$url_logout;
    
header("Location: $url_logout");
  }

  function 
delete_old_sessions() {
    global 
$site_db$board_config;
    
$expiry_time $this->current_time $board_config['session_length'];
    
$sql "DELETE FROM ".SESSIONS_TABLE."
            WHERE session_time < 
$expiry_time";
    
$site_db->query($sql);

    
$sql "SELECT session_id
            FROM "
.SESSIONS_TABLE;
    
$result $site_db->query($sql);
    if (
$result) {
      
$session_ids_sql "";
      while (
$row $site_db->fetch_array($result)) {
        
$session_ids_sql .= (($session_ids_sql != "") ? ", " "") . "'".$row['session_id']."'";
      }
    }
    if (!empty(
$session_ids_sql)) {
      
$sql "DELETE FROM ".SESSIONVARS_TABLE."
              WHERE session_id NOT IN (
$session_ids_sql)";
      
$site_db->query($sql);
    }
    return 
true;
  }

  function 
return_session_info() {
    return 
$this->session_info;
  }

  function 
return_user_info() {
    return 
$this->user_info;
  }

  function 
freeze() {
    return;
  }

  function 
load_session_info() {
    global 
$site_db;
    if (empty(
$this->session_id)) {
      return 
false;
    }
    
$ip_sql = ($this->mode == "get") ? " AND session_ip = '$this->user_ip'" "";
    
$this->session_info = array();
    
$sql "SELECT *
            FROM "
.SESSIONS_TABLE."
            WHERE session_id = '
$this->session_id'
            
$ip_sql";
    
$this->session_info $site_db->query_firstrow($sql);
    if (empty(
$this->session_info['session_user_id'])) {
      return 
false;
    }
    else {
      
$sql "SELECT sessionvars_name, sessionvars_value
              FROM "
.SESSIONVARS_TABLE."
              WHERE session_id = '
$this->session_id'";
      
$result $site_db->query($sql);
      while (
$row $site_db->fetch_array($result)) {
        
$this->session_info[$row['sessionvars_name']] = $row['sessionvars_value'];
      }
      return 
$this->session_info;
    }
  }

  function 
load_user_info($user_id GUEST) {
    global 
$site_db$user_table_fields;

    if (
$user_id != GUEST) {
      
$sql "SELECT u.*, l.*
              FROM "
.USERS_TABLE." u, ".LIGHTBOXES_TABLE." l
              WHERE "
.get_user_table_field("u.""user_id")." = $user_id AND l.user_id = ".get_user_table_field("u.""user_id");
      
$user_info $site_db->query_firstrow($sql);
      if (!
$user_info) {
        
$sql "SELECT *
                FROM "
.USERS_TABLE."
                WHERE "
.get_user_table_field("""user_id")." = $user_id";
        
$user_info $site_db->query_firstrow($sql);
        if (
$user_info) {
          
$lightbox_id get_random_key(LIGHTBOXES_TABLE"lightbox_id");
          
$sql "INSERT INTO ".LIGHTBOXES_TABLE."
                  (lightbox_id, user_id, lightbox_lastaction, lightbox_image_ids)
                  VALUES
                  ('
$lightbox_id', ".$user_info[$user_table_fields['user_id']].", $this->current_time, '')";
          
$site_db->query($sql);
          
$user_info['lightbox_lastaction'] = $this->current_time;
          
$user_info['lightbox_image_ids'] = "";
        }
      }
    }
    if (empty(
$user_info[$user_table_fields['user_id']])) {
      
$user_info = array();
      
$user_info['user_id'] = GUEST;
      
$user_info['user_level'] = GUEST;
      
$user_info['user_lastaction'] = $this->current_time;
    }

    foreach (
$user_table_fields as $key => $val) {
      if (isset(
$user_info[$val])) {
        if (
$val == "user_allow_viewonline") {
          
$user_info[$key] = ($user_info[$val] == 1) ? 1;
        }
        else {
          
$user_info[$key] = $user_info[$val];
        }
      }
      elseif (!isset(
$user_info[$key])) {
        
$user_info[$key] = "";
      }
    }
    if (isset(
$user_info['user_active']) && $user_info['user_active'] == 0) {
      
$user_info['user_level'] = USER_AWAITING;
    }
    return 
$user_info;
  }

  function 
set_session_var($var_name$value) {
    global 
$site_db;
    
$sql "SELECT session_id
            FROM "
.SESSIONVARS_TABLE."
            WHERE sessionvars_name = '
$var_name' AND session_id = '$this->session_id'";
    if (
$site_db->is_empty($sql)) {
      
$sql "INSERT INTO ".SESSIONVARS_TABLE."
              (session_id, sessionvars_name, sessionvars_value)
              VALUES
              ('
$this->session_id', '$var_name', '$value')";
      
$site_db->query($sql);
    }
    else {
      
$sql "UPDATE ".SESSIONVARS_TABLE."
              SET sessionvars_value = '
$value'
              WHERE sessionvars_name = '
$var_name' AND session_id = '$this->session_id'";
      
$site_db->query($sql);
    }
    
$this->session_info[$var_name] = $value;
    return 
true;
  }

  function 
get_session_var($var_name) {
    global 
$site_db;
    if (isset(
$this->session_info[$var_name])) {
      return 
$this->session_info[$var_name];
    }
    else {
      
$sql "SELECT sessionvars_value
              FROM "
.SESSIONVARS_TABLE."
              WHERE sessionvars_name = '
$var_name' AND session_id = '$this->session_id'";
      
$value $site_db->query_firstrow($sql);
      if (
$value) {
        
$this->session_info[$var_name] = $value['sessionvars_value'];
        return 
$value['sessionvars_value'];
      }
      else {
        return 
"";
      }
    }
  }

  function 
drop_session_var($var_name) {
    global 
$site_db;
    
$sql "DELETE FROM ".SESSIONVARS_TABLE."
            WHERE sessionvars_name = '
$var_name' AND session_id = '$this->session_id'";
    return (
$site_db->query($sql)) ? 0;
  }

  function 
get_user_ip() {
    global 
$HTTP_SERVER_VARS$HTTP_ENV_VARS$REMOTE_ADDR;

    if( 
getenv('HTTP_X_FORWARDED_FOR') != '' )
    {
    $client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );

    if ( preg_match("/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/"getenv('HTTP_X_FORWARDED_FOR'), $ip_list) )
    {
    $private_ip = array('/^127\.0\.0\.1/''/^192\.168\..*/''/^172\.16\..*/''/^10..*/''/^224..*/''/^240..*/');
    $client_ip preg_replace($private_ip$client_ip$ip_list[1]);
    }
    }
    else
    {
    $client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );
    }

    
$ip_sep explode('.'$client_ip);
  return sprintf('%02x%02x%02x%02x'$ip_sep[0], $ip_sep[1], $ip_sep[2], $ip_sep[3]);
  }

  function 
get_user_location() {
    global 
$self_url;
    return (
defined("IN_CP")) ? "Control Panel" preg_replace(array("/([?|&])action=[^?|&]*/""/([?|&])mode=[^?|&]*/""/([?|&])phpinfo=[^?|&]*/""/([?|&])printstats=[^?|&]*/""/[?|&]".URL_ID."=[^?|&]*/""/[?|&]l=[^?|&]*/""/[&?]+$/"), array(""""""""""""""), addslashes($self_url));
  }

  
/* ORIGINAL CODE
  function url($url, $amp = "&amp;") {
    global $l;
    $dummy_array = explode("#", $url);
    $url = $dummy_array[0];

    if ($this->mode == "get" && !preg_match("/".SESSION_NAME."=/i", $url)) {
      $url .= preg_match("/\?/", $url) ? "$amp" : "?";
      $url .= SESSION_NAME."=".$this->session_id;
    }

    if (!empty($l)) {
      $url .= preg_match("/\?/", $url) ? "$amp" : "?";
      $url .= "l=".$l;
    }

    $url .= (isset($dummy_array[1])) ? "#".$dummy_array[1] : "";
    return $url;
  }
*/
  
function url($url$amp "&amp;") {
    global 
$l$user_info;
    
$dummy_array explode("#"$url);
    
$url $dummy_array[0];
    
$url str_replace('&amp;''&'$url);
    if (!
defined('IN_CP')) {
      if (
strstr($url'index.php')) {
        
$url str_replace('index.php'''$url);
      }
      elseif (
strstr($url'search.php')) {
        if (
strstr($url'page=')) {
          
preg_match('#page=([0-9]+)&?#'$url$matches);
          if (isset(
$matches[1])) {
            
$split explode('?'$url);
            
$url $split[0];
            
$query = @$split[1];
            
$url   str_replace('search.php''search.'.$matches[1].'.htm'$url);
            
$query str_replace('page='.$matches[1].'&'''$query);
            
$query str_replace('&page='.$matches[1], ''$query);
            
$query str_replace('page='.$matches[1], ''$query);
            if (!empty(
$query)) {
              
$url .= '?' $query;
            }
          }
        }
        else {
          
$url str_replace('search.php''search.htm'$url);
        }
      }
      elseif (
strstr($url'lightbox.php')) {
        if (
strstr($url'page=')) {
          
preg_match('#page=([0-9]+)&?#'$url$matches);
          if (isset(
$matches[1])) {
            
$split explode('?'$url);
            
$url $split[0];
            
$query = @$split[1];
            
$url   str_replace('lightbox.php''lightbox.'.$matches[1].'.htm'$url);
            
$query str_replace('page='.$matches[1].'&'''$query);
            
$query str_replace('&page='.$matches[1], ''$query);
            
$query str_replace('page='.$matches[1], ''$query);
            if (!empty(
$query)) {
                
$url .= '?' $query;
            }
          }
        }
        else {
          
$url str_replace('lightbox.php''lightbox.htm'$url);
        }
      }
      elseif (
strstr($url'categories.php')) {
        if (
strstr($url'cat_id=') && strstr($url'page=')) {
          
preg_match('#cat_id=([0-9]+)&?#'$url$matches1);
          
preg_match('#page=([0-9]+)&?#'$url$matches2);
          if (isset(
$matches1[1]) && isset($matches2[1])) {
            
$split explode('?'$url);
            
$url $split[0];
            
$query = @$split[1];
            
$url   str_replace('categories.php''cat'.$matches1[1].'.'.$matches2[1].'.htm'$url);
            
$query str_replace('cat_id='.$matches1[1].'&'''$query);
            
$query str_replace('&cat_id='.$matches1[1], ''$query);
            
$query str_replace('cat_id='.$matches1[1], ''$query);
            
$query str_replace('page='.$matches2[1].'&'''$query);
            
$query str_replace('&page='.$matches2[1], ''$query);
            
$query str_replace('page='.$matches2[1], ''$query);
            if (!empty(
$query)) {
              
$url .= '?' $query;
            }
          }
        }
        elseif (
strstr($url'cat_id=')) {
          
preg_match('#cat_id=([0-9]+)&?#'$url$matches);
          if (isset(
$matches[1])) {
            
$split explode('?'$url);
            
$url $split[0];
            
$query = @$split[1];
            
$url   str_replace('categories.php''cat'.$matches[1].'.htm'$url);
            
$query str_replace('cat_id='.$matches[1].'&'''$query);
            
$query str_replace('&cat_id='.$matches[1], ''$query);
            
$query str_replace('cat_id='.$matches[1], ''$query);
            if (!empty(
$query)) {
              
$url .= '?' $query;
            }
          }
        }
        else {
          
$url str_replace('categories.php''cat.htm'$url);
        }
      }
      elseif (
strstr($url'details.php?image_id=')) {
        if (
strstr($url'image_id=') && strstr($url'mode=')) {
          
preg_match('#image_id=([0-9]+)&?#'$url$matches1);
          
preg_match('#mode=([a-zA-Z0-9]+)&?#'$url$matches2);
          if (isset(
$matches1[1]) && isset($matches2[1])) {
            
$split explode('?'$url);
            
$url $split[0];
            
$query = @$split[1];
            
$url   str_replace('details.php''img'.$matches1[1].'.'.$matches2[1].'.htm'$url);
            
$query str_replace('image_id='.$matches1[1].'&'''$query);
            
$query str_replace('&image_id='.$matches1[1], ''$query);
            
$query str_replace('image_id='.$matches1[1], ''$query);
            
$query str_replace('mode='.$matches2[1].'&'''$query);
            
$query str_replace('&mode='.$matches2[1], ''$query);
            
$query str_replace('mode='.$matches2[1], ''$query);
            if (!empty(
$query)) {
              
$url .= '?' $query;
            }
          }
        }
        else {
          
preg_match('#image_id=([0-9]+)&?#'$url$matches);
          if (isset(
$matches[1])) {
            
$split explode('?'$url);
            
$url $split[0];
            
$query = @$split[1];
            
$url   str_replace('details.php''img'.$matches[1].'.htm'$url);
            
$query str_replace('image_id='.$matches[1].'&'''$query);
            
$query str_replace('&image_id='.$matches[1], ''$query);
            
$query str_replace('image_id='.$matches[1], ''$query);
            if (!empty(
$query)) {
              
$url .= '?' $query;
            }
          }
        }
      }
      elseif (
strstr($url'postcards.php?image_id=')) {
        
preg_match('#image_id=([0-9]+)&?#'$url$matches);
        if (isset(
$matches[1])) {
          
$split explode('?'$url);
          
$url $split[0];
          
$query = @$split[1];
          
$url   str_replace('postcards.php''postcard.img'.$matches[1].'.htm'$url);
          
$query str_replace('image_id='.$matches[1].'&'''$query);
          
$query str_replace('&image_id='.$matches[1], ''$query);
          
$query str_replace('image_id='.$matches[1], ''$query);
          if (!empty(
$query)) {
            
$url .= '?' $query;
          }
        }
      }
    }
    if (
$this->mode == "get" && strstr($url$this->session_id)) {
      
$url .= strpos($url'?') !== false '&' '?';
      
$url .= SESSION_NAME."=".$this->session_id;
    }
    if (!empty(
$l)) {
      
$url .= strpos($url'?') ? '&' '?';
      
$url .= "l=".$l;
    }
    
$url str_replace('&'$amp$url);
    
$url .= isset($dummy_array[1]) ? "#".$dummy_array[1] : "";
    return 
$url;
  }
//end of class

//-----------------------------------------------------
//--- Start Session -----------------------------------
//-----------------------------------------------------
$board_config = array();
$sql "SELECT * FROM " PHPBB_CONFIG_TABLE;
$result $site_db->query($sql);
while(
$row $site_db->fetch_array($result)) {
  
$board_config[$row['config_name']] = $row['config_value'];
}

//Start Session
$site_sess = new Session();

// Get Userinfo
$session_info $site_sess->return_session_info();
$user_info $site_sess->return_user_info();

//-----------------------------------------------------
//--- Get User Caches ---------------------------------
//-----------------------------------------------------
$num_total_online 0;
$num_visible_online 0;
$num_invisible_online 0;
$num_registered_online 0;
$num_guests_online 0;
$user_online_list "";
$prev_user_ids = array();
$prev_session_ips = array();

if (
defined("GET_USER_ONLINE") && ($config['display_whosonline'] == || $user_info['user_level'] == ADMIN)) {
  
$time_out time() - 300;
  
$sql "SELECT ".get_user_table_field("u.""user_id").get_user_table_field(", u.""user_level").get_user_table_field(", u.""user_name").get_user_table_field(", u.""user_invisible").", s.session_user_id, s.session_time, s.session_ip
  FROM "
.USERS_TABLE." u, ".SESSIONS_TABLE." s
  WHERE "
.get_user_table_field("u.""user_id")." = s.session_user_id AND (s.session_time >= $time_out OR ".get_user_table_field("u.""user_lastaction")." >= $time_out)
  ORDER BY "
.get_user_table_field("u.""user_id")." ASC, s.session_ip ASC";
  
$result $site_db->query($sql);
  while (
$row $site_db->fetch_array($result)) {
    if (
$row['session_user_id'] != GUEST) {
      if (!isset(
$prev_user_ids[$row['session_user_id']])) {
        
$is_invisible = (isset($row[$user_table_fields['user_invisible']]) && $row[$user_table_fields['user_invisible']] == 0) ? 0;
        
$invisibleuser = ($is_invisible) ? "*" "";
        
$username = (isset($row[$user_table_fields['user_level']]) && $row[$user_table_fields['user_level']] == ADMIN && $config['highlight_admin'] == 1) ? sprintf("<b>%s</b>"$row[$user_table_fields['user_name']]) : $row[$user_table_fields['user_name']];
        if (!
$is_invisible || $user_info['user_level'] == ADMIN) {
          
$user_online_list .= ($user_online_list != "") ? ", " "";
          
$user_profile_link = (!empty($url_show_profile)) ? preg_replace("/{user_id}/"$row['session_user_id'], $url_show_profile) : ROOT_PATH."member.php?action=showprofile&amp;".URL_USER_ID."=".$row['session_user_id'];
          
$user_online_list .= "<a href=\"".$site_sess->url($user_profile_link)."\">".$username."</a>".$invisibleuser;
        }
        (!
$is_invisible) ? $num_visible_online++ : $num_invisible_online++;
        
$num_registered_online++;
      }
      
$prev_user_ids[$row['session_user_id']] = 1;
    }
    else {
      if (!isset(
$prev_session_ips[$row['session_ip']])) {
        
$num_guests_online++;
      }
    }
    
$prev_session_ips[$row['session_ip']] = 1;
  }
  
$num_total_online $num_registered_online $num_guests_online;

  
$site_template->register_vars(array(
    
"num_total_online" => $num_total_online,
    
"num_invisible_online" => $num_invisible_online,
    
"num_registered_online" => $num_registered_online,
    
"num_guests_online" => $num_guests_online,
    
"user_online_list" => $user_online_list,
    
"lang_user_online" => str_replace('{num_total_online}'$num_total_online$lang['user_online']),
    
"lang_user_online_detail" => str_replace(array('{num_registered_online}','{num_invisible_online}','{num_guests_online}'), array($num_registered_online,$num_invisible_online,$num_guests_online), $lang['user_online_detail']),
  ));
  
$whos_online $site_template->parse_template("whos_online");
  
$site_template->register_vars("whos_online"$whos_online);
  unset(
$whos_online);
  unset(
$prev_user_ids);
  unset(
$prev_session_ips);
}
?>

Offline Ston4Img

  • Newbie
  • *
  • Posts: 28
    • View Profile
Re: [1.7 / 1.7.1] Security fix in sessions.php
« Reply #63 on: January 08, 2006, 03:17:29 PM »
The Lini "$this->delete_old_sessions();" was in the current download included with the modification (the Post from "theOracle")

Offline V@no

  • If you don't tell me what to do, I won't tell you where you should go :)
  • Global Moderator
  • 4images Guru
  • *****
  • Posts: 17.849
  • mmm PHP...
    • View Profile
    • 4images MODs Demo
Re: [1.7 / 1.7.1] Security fix in sessions.php
« Reply #64 on: January 08, 2006, 08:27:23 PM »
Please read the replys before you complain :P ;)

no this line :$user_id = ($this->read_cookie_data("userid")) ? $this->read_cookie_data("userid") : GUEST;

I integrated phpBB 2.0.15 .
that version does not have this hole, dont worry about this fix ;)
Your first three "must do" before you ask a question:
Please do not PM me asking for help unless you've been specifically asked to do so. Such PMs will be deleted without answer. (forum rule #6)
Extension for Firefox/Thunderbird: Master Password+    Back/Forward History Tweaks (restartless)    Cookies Manager+    Fit Images (restartless for Thunderbird)

Offline madace77

  • Newbie
  • *
  • Posts: 26
    • View Profile
Re: [1.7 / 1.7.1] Security fix in sessions.php
« Reply #65 on: January 18, 2006, 03:59:20 PM »
Is this fix already implemented in the version i'm about to get from the Download section?
Grüße,
MadAce

Offline V@no

  • If you don't tell me what to do, I won't tell you where you should go :)
  • Global Moderator
  • 4images Guru
  • *****
  • Posts: 17.849
  • mmm PHP...
    • View Profile
    • 4images MODs Demo
Re: [1.7 / 1.7.1] Security fix in sessions.php
« Reply #66 on: January 18, 2006, 11:59:25 PM »
Unless you are getting version newer then v1.7.1 (which is not out yet) then no, these fixes are not implemented into current version.
Your first three "must do" before you ask a question:
Please do not PM me asking for help unless you've been specifically asked to do so. Such PMs will be deleted without answer. (forum rule #6)
Extension for Firefox/Thunderbird: Master Password+    Back/Forward History Tweaks (restartless)    Cookies Manager+    Fit Images (restartless for Thunderbird)

Offline Morgan

  • Pre-Newbie
  • Posts: 1
    • View Profile
Re: [1.7 / 1.7.1] Security fix in sessions.php
« Reply #67 on: March 15, 2006, 10:25:29 PM »
Is this fix important for integrated 4images 1.7 version for Runcms/E-Xoops? I can't find a code to replace in sessions.php, seems that there is no such line - user's login/logout integrated with CMS. I use russian language in 4images 1.7 and Runcms 1.2-)

Offline V@no

  • If you don't tell me what to do, I won't tell you where you should go :)
  • Global Moderator
  • 4images Guru
  • *****
  • Posts: 17.849
  • mmm PHP...
    • View Profile
    • 4images MODs Demo
Re: [1.7 / 1.7.1] Security fix in sessions.php
« Reply #68 on: March 16, 2006, 12:52:03 AM »
Perhaps if you would attach your sessions.php (as a .txt file), then I could answer your question ;)
Your first three "must do" before you ask a question:
Please do not PM me asking for help unless you've been specifically asked to do so. Such PMs will be deleted without answer. (forum rule #6)
Extension for Firefox/Thunderbird: Master Password+    Back/Forward History Tweaks (restartless)    Cookies Manager+    Fit Images (restartless for Thunderbird)

Offline Jan

  • Administrator
  • 4images Guru
  • *****
  • Posts: 5.024
    • View Profile
    • 4images - Image Gallery Management System
Re: [1.7 / 1.7.1] Security fix in sessions.php
« Reply #69 on: May 03, 2006, 10:18:59 AM »
Theres another fix for sessions.php:
http://www.4homepages.de/forum/index.php?topic=12807.0
Your first three "must do" before you ask a question:
1. Forum rules
2. FAQ
3. Search

Offline bazm

  • Pre-Newbie
  • Posts: 1
    • View Profile
Re: [1.7 / 1.7.1] Security fix in sessions.php
« Reply #70 on: August 15, 2018, 07:56:09 AM »
Find $string = preg_replace('#</(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>#i',"",$string);
and replace with
$string = preg_replace('#</(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*(>|$)#i',"",$string);

bazmineh.com

bitdefendercenter.ir