Author Topic: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php  (Read 132864 times)

Offline V@no

  • If you don't tell me what to do, I won't tell you where you should go :)
  • Global Moderator
  • 4images Guru
  • *****
  • Posts: 17.849
  • mmm PHP...
    • View Profile
    • 4images MODs Demo
Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #15 on: May 28, 2006, 11:18:42 AM »
In sessions.php replace
Code:
  function get_session_id() {
    global $HTTP_GET_VARS, $HTTP_POST_VARS;
    if ($this->session_id = $this->read_cookie_data(COOKIE_PREFIX."sessionhash")) {
      $this->mode = "cookie";
    }
    else {
      if (isset($HTTP_GET_VARS[SESSION_NAME])) {
        $this->session_id = $HTTP_GET_VARS[SESSION_NAME];
      }
      elseif (isset($HTTP_POST_VARS[SESSION_NAME])) {
        $this->session_id = $HTTP_POST_VARS[SESSION_NAME];
      }
      else {
        $this->session_id = false;
      }
    }
  }
with:
Code:
  function get_session_id() {
    global $HTTP_GET_VARS, $HTTP_POST_VARS;
    if ($this->session_id = $this->read_cookie_data(COOKIE_PREFIX."sessionhash")) {
      $this->mode = "cookie";
    }
    else {
      if (isset($HTTP_GET_VARS[SESSION_NAME])) {
        $this->session_id = $HTTP_GET_VARS[SESSION_NAME];
      }
      elseif (isset($HTTP_POST_VARS[SESSION_NAME])) {
        $this->session_id = $HTTP_POST_VARS[SESSION_NAME];
      }
      else {
        $this->session_id = false;
      }
    }
    $this->session_id = preg_replace('/[^a-z0-9]+/i', '', $this->session_id);
  }
It should do the trick.
Your first three "must do" before you ask a question:
Please do not PM me asking for help unless you've been specifically asked to do so. Such PMs will be deleted without answer. (forum rule #6)
Extension for Firefox/Thunderbird: Master Password+    Back/Forward History Tweaks (restartless)    Cookies Manager+    Fit Images (restartless for Thunderbird)
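
An added example (not part of the original post or the 4images code base) that runs the patched line over several inputs, next to a stricter variant that rejects a malformed id instead of rewriting it. normalize_session_id(), the 64-character bound and all sample values are assumptions made for illustration.

```php
<?php
// The line added by the fix: strip everything except letters and digits.
function strip_filter($raw) {
    return preg_replace('/[^a-z0-9]+/i', '', $raw);
}

// Hypothetical stricter variant: accept only a string that is already
// purely alphanumeric, otherwise behave as if no session id was sent.
function normalize_session_id($raw) {
    if (!is_string($raw) || $raw === '') {
        return false; // arrays (?name[]=x), false and empty strings
    }
    // Assumed upper bound of 64 characters; the page does not state
    // the real length of the session hash.
    if (!preg_match('/\A[a-z0-9]{1,64}\z/i', $raw)) {
        return false; // reject instead of silently rewriting
    }
    return $raw;
}

// Constructed sample inputs, as they could arrive from cookie, GET or POST.
$samples = array(
    'valid hash'       => 'a3f9c0de11b24d5e8f7a6b5c4d3e2f10',
    'quote and spaces' => "abc' OR '1'='1",
    'no session'       => false,
    'array parameter'  => array("x'y"),
);

foreach ($samples as $label => $raw) {
    printf(
        "%-17s strip=%-36s strict=%s\n",
        $label,
        json_encode(strip_filter($raw)),
        json_encode(normalize_session_id($raw))
    );
}
```

Stripping turns the quoted sample into a different, purely alphanumeric string, turns false into an empty string, and returns an array for the array input; the strict variant returns false for all three.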

Offline vBFreak

  • Newbie
  • *
  • Posts: 42
    • View Profile
    • Gerrits Forum
Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #16 on: May 28, 2006, 09:46:08 PM »
Thanks a lot, I hope it will help :)

May I post this on the original vB.org thread for the vBulletin addon to help out others also having problems with this issue? I'm sure most users are never taking a look into this thread/board.

Of course I would tell them that you've made it and that it's not my work.

Offline V@no

Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #17 on: May 28, 2006, 11:46:19 PM »
Sure you can, but please provide a link to this topic ;)

Offline vBFreak

Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #18 on: June 04, 2006, 03:57:11 AM »
I'm still affected by this bug; some images got spammed again with those links from users who never registered (these were the first ones I saw after I checked this). Maybe it's not an SQL injection bug but a bug in the comments system or in the session handling. Is there any method available to enable debug logging or something to see where the hole is located? I need help with this since the number of these spam bots is growing :(
« Last Edit: June 04, 2006, 04:36:38 AM by vBFreak »

Offline V@no

Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #19 on: June 04, 2006, 04:15:39 AM »
Quote: some images got spammed again with those links from users never registered

Disable permission for guests posting comments or install the image validation mod for comments. Nothing to do with this or other security holes.

Offline vBFreak

Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #20 on: June 04, 2006, 04:34:38 AM »
If I visit my gallery as a guest I don't have anything to enter a comment. I'm just wondering how this can be enabled then, where can I disable this?

[EDIT]hrm, you're absolutely right, but it seems not to be enabled in every location, strange...
But I can't find something to disable that[/EDIT]

Offline V@no

Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #21 on: June 04, 2006, 10:48:48 AM »
It's under category permissions in the ACP (Admin Control Panel).

Offline XIII

  • Pre-Newbie
  • Posts: 6
    • View Profile
Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #22 on: June 07, 2006, 08:48:35 AM »
Hmm, I have guest posting disabled everywhere and still got spammed again yesterday for the first time after applying this patch.

Offline V@no

Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #23 on: June 07, 2006, 03:10:16 PM »
And the spammer is not a registered member? Please show it.

Offline XIII

Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #24 on: June 07, 2006, 06:22:16 PM »
Nope, that's what surprised me as well. After this patch I've had 0 problems with comment spam, until yesterday when some 'Kavin' had left a bunch of comments. So I deleted them and then went on to delete the user, except there was no registered user.
I don't know exactly what you mean with 'show it'. Show what?

Offline V@no

Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #25 on: June 08, 2006, 02:44:53 AM »
A link to the site please.

"Kavin": was he a guest or a non-existing member? (Did the comment he left have a user_id? Check with phpMyAdmin or something.)

Offline XIII

Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #26 on: June 08, 2006, 09:27:57 PM »
Just checked, seeing as there were a few new ones.
Aside from a few more bots registering there were a few new comments left by a 'Kavin' who turned out to point to the userid I'd made using the instructions from this thread.
Which I don't get, because I used a non-obvious username for that id and of course a different password than listed there, plus I've set the account to be non-visible so no one else can see the id name when a spider is crawling the gallery.
Maybe someone's made a bot that uses one of these identifiers? Just guessing of course.

Offline V@no

Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #27 on: June 09, 2006, 12:39:34 AM »
Quote: Maybe someone's made a bot that uses one of these identifiers? Just guessing of course.

That is most probable.
So, if that is the case, then perhaps you'll need to either try to trace the "kavin" bot in the access logs and get its identification string and ban it, or discontinue using that mod.
Anyway, since this issue has nothing to do with the security fix from this topic, please continue the discussion under the "threat bots as members" mod, because it seems to have problems...

Offline 8o8o8.com

  • Newbie
  • *
  • Posts: 10
    • View Profile
Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #28 on: June 20, 2006, 09:53:10 AM »
Thanks

Offline amodpg

  • Pre-Newbie
  • Posts: 1
    • View Profile
Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #29 on: June 26, 2006, 11:20:25 PM »
Sir,
I just downloaded the new version, but it seems the text required to change in the first post of this thread is not yet implemented. I can find the
"$this->session_id = preg_replace('/[^a-z0-9]+/i', '', session_id());" in the session file included in the zip file I just downloaded.

One of my friend's galleries, hosted by me, has 1000's of xxx comments for his personal photographs.

Any suggestions to fix it?

Regards,
amod