4images Forum & Community

4images Help / Hilfe => Bug Fixes & Patches => Topic started by: V@no on December 27, 2005, 10:19:37 AM

Title: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: V@no on December 27, 2005, 10:19:37 AM
This is an important security fix for a dangerous hole in the script.

Step 1

In search.php, any variables or other code located below the copyright notice, which ends with this line:
Code: [Select]
*************************************************************************/
and above:
Code: [Select]
$main_template = 'search';

must be moved below:
Code: [Select]
include(ROOT_PATH.'global.php');
In default 4images, the block that must be moved is:
Code: [Select]
if (isset($HTTP_POST_VARS['show_result']) || isset($HTTP_GET_VARS['show_result'])) {
  $show_result = 1;
}
else {
  $show_result = 0;
}

if (isset($HTTP_POST_VARS['search_keywords']) || isset($HTTP_GET_VARS['search_keywords'])) {
  $search_keywords = (isset($HTTP_POST_VARS['search_keywords'])) ? trim($HTTP_POST_VARS['search_keywords']) : urldecode(trim($HTTP_GET_VARS['search_keywords']));
  if ($search_keywords != "") {
    $show_result = 1;
  }
}
else {
  $search_keywords = "";
}
$org_search_keywords = $search_keywords;

if (isset($HTTP_POST_VARS['search_user']) || isset($HTTP_GET_VARS['search_user'])) {
  $search_user = (isset($HTTP_POST_VARS['search_user'])) ? trim($HTTP_POST_VARS['search_user']) : urldecode(trim($HTTP_GET_VARS['search_user']));
  if ($search_user != "") {
    $show_result = 1;
  }
}
else {
  $search_user = "";
}
$org_search_user = $search_user;

if (isset($HTTP_POST_VARS['search_terms'])) {
  $search_terms = (trim($HTTP_POST_VARS['search_terms']) == "all") ? 1 : 0;
}
else {
  $search_terms = 0;
}

if (isset($HTTP_POST_VARS['search_fields'])) {
  $search_fields = trim($HTTP_POST_VARS['search_fields']);
}
else {
  $search_fields = "all";
}

$search_cat = (isset($HTTP_POST_VARS['cat_id']) ) ? intval($HTTP_POST_VARS['cat_id']) : 0;

if (isset($HTTP_POST_VARS['search_new_images']) || isset($HTTP_GET_VARS['search_new_images'])) {
  $search_new_images = 1;
  $show_result = 1;
}
else {
  $search_new_images = 0;
}



Step 2

In register.php find:
Code: [Select]
      if ($site_db->not_empty($sql)) {
        $msg .= (($msg != "") ? "<br />" : "").$lang['username_exists'];
        $error = 1;
      }

Insert below:
Code: [Select]
      elseif (preg_match("#[<>]#", $user_name))
      {
        $msg .= (($msg != "") ? "<br />" : "").$lang['username_bad_characters'];
        $error = 1;
      }


Then in lang/<your language>/main.php, at the very end of the file, above the closing ?>, insert:
Code: [Select]
$lang['username_bad_characters'] = "Username contains not allowed character(s)";

Step 3

In global.php find:
Code: [Select]
//-----------------------------------------------------
//--- Start DB ----------------------------------------
//-----------------------------------------------------

Insert above:
Code: [Select]
if (isset($HTTP_POST_VARS['show_result']) || isset($HTTP_GET_VARS['show_result'])) {
  $show_result = 1;
}
else {
  $show_result = 0;
}

if (isset($HTTP_POST_VARS['search_keywords']) || isset($HTTP_GET_VARS['search_keywords'])) {
  $search_keywords = (isset($HTTP_POST_VARS['search_keywords'])) ? trim($HTTP_POST_VARS['search_keywords']) : urldecode(trim($HTTP_GET_VARS['search_keywords']));
  if ($search_keywords != "") {
    $show_result = 1;
  }
}
else {
  $search_keywords = "";
}

if (isset($HTTP_POST_VARS['search_user']) || isset($HTTP_GET_VARS['search_user'])) {
  $search_user = (isset($HTTP_POST_VARS['search_user'])) ? trim($HTTP_POST_VARS['search_user']) : urldecode(trim($HTTP_GET_VARS['search_user']));
  if ($search_user != "") {
    $show_result = 1;
  }
}
else {
  $search_user = "";
}

if (isset($HTTP_POST_VARS['search_new_images']) || isset($HTTP_GET_VARS['search_new_images'])) {
  $search_new_images = 1;
  $show_result = 1;
}
else {
  $search_new_images = 0;
}

If you wish, you can remove the same block of code from search.php to increase performance (very insignificantly), but this is not required.



In the attachment below you can find already modified default search.php, register.php and global.php.
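An added example, not 4images code, that models the Step 2 check in register.php: the fix's elseif in its correct place next to a version where it was attached to the enclosing block. The enclosing if ($user_name != "") block and the in_array() lookup are assumptions standing in for the real surrounding code and the $site_db->not_empty($sql) query; the names are constructed.

```php
<?php
// Added example (not 4images code). The outer "if ($user_name != '')" block and
// the in_array() lookup are assumptions: they stand in for register.php's real
// surrounding code and its $site_db->not_empty($sql) database check.

// Correct placement: the elseif belongs to the inner "if (not_empty)" statement,
// so it is evaluated for every non-empty name that does not already exist.
function check_username_fixed($user_name, array $existing_names, array $lang)
{
    $msg   = "";
    $error = 0;
    if ($user_name != "") {                          // assumed enclosing block
        if (in_array($user_name, $existing_names)) { // stands in for not_empty($sql)
            $msg .= (($msg != "") ? "<br />" : "").$lang['username_exists'];
            $error = 1;
        }
        elseif (preg_match("#[<>]#", $user_name)) {  // the fix: only '<' and '>' are rejected
            $msg .= (($msg != "") ? "<br />" : "").$lang['username_bad_characters'];
            $error = 1;
        }
    }
    return array('error' => $error, 'msg' => $msg);
}

// Misplaced: the elseif was inserted after the closing brace of the enclosing
// block, so it belongs to the OUTER if and only runs when $user_name is "",
// which can never contain '<' or '>'. The check is therefore dead code.
function check_username_misplaced($user_name, array $existing_names, array $lang)
{
    $msg   = "";
    $error = 0;
    if ($user_name != "") {
        if (in_array($user_name, $existing_names)) {
            $msg .= (($msg != "") ? "<br />" : "").$lang['username_exists'];
            $error = 1;
        }
    }
    elseif (preg_match("#[<>]#", $user_name)) {
        $msg .= (($msg != "") ? "<br />" : "").$lang['username_bad_characters'];
        $error = 1;
    }
    return array('error' => $error, 'msg' => $msg);
}

// Constructed language strings and a constructed list of taken names.
$lang = array(
    'username_exists'         => "Username already exists",
    'username_bad_characters' => "Username contains not allowed character(s)",
);
$existing = array("admin");

// "admin"       -> rejected by both (already exists)
// "#ivan"       -> accepted by both: '#' is not '<' or '>', which is all the pattern checks
// "<b>ivan</b>" -> rejected only by the correctly placed check
foreach (array("admin", "#ivan", "<b>ivan</b>") as $name) {
    $fixed = check_username_fixed($name, $existing, $lang);
    $wrong = check_username_misplaced($name, $existing, $lang);
    printf("%-12s fixed: error=%d %-42s | misplaced: error=%d\n",
           $name, $fixed['error'], $fixed['msg'], $wrong['error']);
}
```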
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: piet on December 27, 2005, 02:28:52 PM
Thank you very much!
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: TheOracle on December 27, 2005, 03:07:20 PM
Actually, I don't get this ...

why would :

Quote

$main_template = 'search';


need to be moved below the global.php line ?

All 4images PHP files (in the root path, even the index.php file) have the $main_template string above the GET_CACHES line ...
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: V@no on December 27, 2005, 03:14:42 PM
That is why my earlier suggestion was "Re-read three times, reply once" ;)

Nothing says anything about moving that line...it says "the code above it"
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: Eagle Eye on December 27, 2005, 05:43:40 PM
Thanks  :D
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: ivan on December 27, 2005, 07:36:32 PM
Hello everyone,
unfortunately it's written a bit complicated here...

Have I understood correctly that it goes like this

before:
Code: [Select]
<?php
/**************************************************************************
 *                                                                        *
 *    4images - A Web Based Image Gallery Management System               *
 *    ----------------------------------------------------------------    *
 *                                                                        *
 *             File: search.php                                           *
 *        Copyright: (C) 2002 Jan Sorgalla                                *
 *            Email: jan@4homepages.de                                    *
 *              Web: http://www.4homepages.de                             *
 *    Scriptversion: 1.7.1                                                *
 *                                                                        *
 *    Never released without support from: Nicky (http://www.nicky.net)   *
 *                                                                        *
 **************************************************************************
 *                                                                        *
 *    Dieses Script ist KEINE Freeware. Bitte lesen Sie die Lizenz-       *
 *    bedingungen (Lizenz.txt) für weitere Informationen.                 *
 *    ---------------------------------------------------------------     *
 *    This script is NOT freeware! Please read the Copyright Notice       *
 *    (Licence.txt) for further information.                              *
 *                                                                        *
 *************************************************************************/

if (isset($HTTP_POST_VARS['show_result']) || isset($HTTP_GET_VARS['show_result'])) {
  $show_result = 1;
}
else {
  $show_result = 0;
}

if (isset($HTTP_POST_VARS['search_keywords']) || isset($HTTP_GET_VARS['search_keywords'])) {
  $search_keywords = (isset($HTTP_POST_VARS['search_keywords'])) ? trim($HTTP_POST_VARS['search_keywords']) : urldecode(trim($HTTP_GET_VARS['search_keywords']));
  if ($search_keywords != "") {
    $show_result = 1;
  }
}
else {
  $search_keywords = "";
}
$org_search_keywords = $search_keywords;

if (isset($HTTP_POST_VARS['search_user']) || isset($HTTP_GET_VARS['search_user'])) {
  $search_user = (isset($HTTP_POST_VARS['search_user'])) ? trim($HTTP_POST_VARS['search_user']) : urldecode(trim($HTTP_GET_VARS['search_user']));
  if ($search_user != "") {
    $show_result = 1;
  }
}
else {
  $search_user = "";
}
$org_search_user = $search_user;

if (isset($HTTP_POST_VARS['search_terms'])) {
  $search_terms = (trim($HTTP_POST_VARS['search_terms']) == "all") ? 1 : 0;
}
else {
  $search_terms = 0;
}

if (isset($HTTP_POST_VARS['search_fields'])) {
  $search_fields = trim($HTTP_POST_VARS['search_fields']);
}
else {
  $search_fields = "all";
}

$search_cat = (isset($HTTP_POST_VARS['cat_id']) ) ? intval($HTTP_POST_VARS['cat_id']) : 0;

if (isset($HTTP_POST_VARS['search_new_images']) || isset($HTTP_GET_VARS['search_new_images'])) {
  $search_new_images = 1;
  $show_result = 1;
}
else {
  $search_new_images = 0;
}

$main_template = 'search';

define('GET_CACHES', 1);
define('ROOT_PATH', './');
include(ROOT_PATH.'global.php');
require(ROOT_PATH.'includes/sessions.php');
$user_access = get_permission();
include(ROOT_PATH.'includes/search_utils.php');

after:

Code: [Select]
<?php
/**************************************************************************
 *                                                                        *
 *    4images - A Web Based Image Gallery Management System               *
 *    ----------------------------------------------------------------    *
 *                                                                        *
 *             File: search.php                                           *
 *        Copyright: (C) 2002 Jan Sorgalla                                *
 *            Email: jan@4homepages.de                                    *
 *              Web: http://www.4homepages.de                             *
 *    Scriptversion: 1.7.1                                                *
 *                                                                        *
 *    Never released without support from: Nicky (http://www.nicky.net)   *
 *                                                                        *
 **************************************************************************
 *                                                                        *
 *    Dieses Script ist KEINE Freeware. Bitte lesen Sie die Lizenz-       *
 *    bedingungen (Lizenz.txt) für weitere Informationen.                 *
 *    ---------------------------------------------------------------     *
 *    This script is NOT freeware! Please read the Copyright Notice       *
 *    (Licence.txt) for further information.                              *
 *                                                                        *
 *************************************************************************/

$main_template = 'search';

define('GET_CACHES', 1);
define('ROOT_PATH', './');
include(ROOT_PATH.'global.php');
require(ROOT_PATH.'includes/sessions.php');
$user_access = get_permission();
include(ROOT_PATH.'includes/search_utils.php');

if (isset($HTTP_POST_VARS['show_result']) || isset($HTTP_GET_VARS['show_result'])) {
  $show_result = 1;
}
else {
  $show_result = 0;
}

if (isset($HTTP_POST_VARS['search_keywords']) || isset($HTTP_GET_VARS['search_keywords'])) {
  $search_keywords = (isset($HTTP_POST_VARS['search_keywords'])) ? trim($HTTP_POST_VARS['search_keywords']) : urldecode(trim($HTTP_GET_VARS['search_keywords']));
  if ($search_keywords != "") {
    $show_result = 1;
  }
}
else {
  $search_keywords = "";
}
$org_search_keywords = $search_keywords;

if (isset($HTTP_POST_VARS['search_user']) || isset($HTTP_GET_VARS['search_user'])) {
  $search_user = (isset($HTTP_POST_VARS['search_user'])) ? trim($HTTP_POST_VARS['search_user']) : urldecode(trim($HTTP_GET_VARS['search_user']));
  if ($search_user != "") {
    $show_result = 1;
  }
}
else {
  $search_user = "";
}
$org_search_user = $search_user;

if (isset($HTTP_POST_VARS['search_terms'])) {
  $search_terms = (trim($HTTP_POST_VARS['search_terms']) == "all") ? 1 : 0;
}
else {
  $search_terms = 0;
}

if (isset($HTTP_POST_VARS['search_fields'])) {
  $search_fields = trim($HTTP_POST_VARS['search_fields']);
}
else {
  $search_fields = "all";
}

$search_cat = (isset($HTTP_POST_VARS['cat_id']) ) ? intval($HTTP_POST_VARS['cat_id']) : 0;

if (isset($HTTP_POST_VARS['search_new_images']) || isset($HTTP_GET_VARS['search_new_images'])) {
  $search_new_images = 1;
  $show_result = 1;
}
else {
  $search_new_images = 0;
}


Has anyone had experience with register.php yet? Unfortunately, you can still register with #123 afterwards.
According to V@no's instructions this should work (bad_characters)

Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: Acidgod on December 27, 2005, 07:46:49 PM
So you did it right... Maybe V@no should have written it like this... (o:

move the code between

Code: [Select]
*************************************************************************/
and

Code: [Select]
$main_template = 'search';
below this line:

Code: [Select]
include(ROOT_PATH.'global.php');
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: ivan on December 27, 2005, 07:51:05 PM
Good, I had already seen that this part was in the middle of the script, so that was
the bug or the hole :lol:

I edited register.php, but the way he writes it, afterwards you shouldn't be able to use e.g.
#ivan anymore.

Unfortunately, this doesn't work for me.
Why?

Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: torment on December 28, 2005, 09:26:34 AM
I have the same problem...

After this fix it should not be possible to register as #username#. But that doesn't work for me either.
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: ivan on December 28, 2005, 11:02:17 AM
hello vano,

Unfortunately, step 2 with register.php (username special characters) did not work.
Apparently not for other users either. I use 4images 1.7.1.

I can still create the following user:

#ivan
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: V@no on December 28, 2005, 02:47:47 PM
mmm...it was not meant to restrict all "special" characters, but only < and >
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: ivan on December 28, 2005, 02:56:59 PM
hello vano,


Code: [Select]
elseif (preg_match("#[<>]#", $user_name))

are those not the special characters (bold)??



Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: V@no on December 28, 2005, 03:05:04 PM
no, it's called a "Regular expression" (aka REGEX) http://php.net/manual/function.preg-match.php
The pattern searches only for < and > in the name, nothing else.
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: ivan on December 28, 2005, 03:09:50 PM
okay vano thanks..
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: RoadDogg on December 29, 2005, 11:21:18 AM
Thanks for the fix, V@no!
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: brakstar on December 30, 2005, 12:55:24 AM
Hi all, what can they do without this fix?  :?:

I have a 1.1 beta 3 p version of smf ....
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: V@no on December 30, 2005, 01:06:35 AM
hmmm....huh?
what does SMF have to do with 4images? this is the 4images support forum, not SMF ;)
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: Ston4Img on January 01, 2006, 06:32:46 PM
Quote
no, it's called a "Regular expression" (aka REGEX) http://php.net/manual/function.preg-match.php
The pattern searches only for < and > in the name, nothing else.

Mhh. I can register a user with < and > after the update !!! :?:

(http://people.freenet.de/stonyce/forum/sec-update.jpg)

Edit:
My register.php:
Code: [Select]
/** START **********************************************
ADD from elseif
Security Update 27.12.2005
http://www.4homepages.de/forum/index.php?topic=10921.0
*******************************************************/

      if ($site_db->not_empty($sql)) {
        $msg .= (($msg != "") ? "<br />" : "").$lang['username_exists'];
        $error = 1;
      }
    }
    elseif (preg_match("#[<>]#", $user_name))
      {
        $msg .= (($msg != "") ? "<br />" : "").$lang['username_bad_characters'];
        $error = 1;
      }

/** END ***********************************************
ADD
Security Update 27.12.2005
http://www.4homepages.de/forum/index.php?topic=10921.0
*******************************************************/
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: fotograf74 on January 08, 2006, 02:27:49 PM
Hmm,

I fixed my code, but now I can't use the search function. I get no result.
I think that was not your idea with the security fix.

What's the problem? I'm using the old code again now.

Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: Ston4Img on January 08, 2006, 03:11:54 PM
Hi Fotograf74.
Have you already built in any modifications? If not, download 4images again and replace the files with the original ones.

Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: fotograf74 on January 08, 2006, 05:06:23 PM
Of course I've built in some modifications
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: Ston4Img on January 08, 2006, 05:38:28 PM
Quote
Of course I've built in some modifications
Well. Without backups you're out of luck now  :?
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: V@no on January 08, 2006, 08:25:57 PM
Attach your search.php to the reply.
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: Ston4Img on January 08, 2006, 08:31:30 PM
Hi V@no!

Do you have an idea for my "problem"???

Mhh. I can register a user with < and > after the update !!! :?:

(http://people.freenet.de/stonyce/forum/sec-update.jpg)

Edit:
My register.php:
Code: [Select]
/** START **********************************************
ADD from elseif
Security Update 27.12.2005
http://www.4homepages.de/forum/index.php?topic=10921.0
*******************************************************/

      if ($site_db->not_empty($sql)) {
        $msg .= (($msg != "") ? "<br />" : "").$lang['username_exists'];
        $error = 1;
      }
    }
    elseif (preg_match("#[<>]#", $user_name))
      {
        $msg .= (($msg != "") ? "<br />" : "").$lang['username_bad_characters'];
        $error = 1;
      }

/** END ***********************************************
ADD
Security Update 27.12.2005
http://www.4homepages.de/forum/index.php?topic=10921.0
*******************************************************/
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: V@no on January 08, 2006, 08:42:08 PM
Quote
Hi V@no!

Do you have an idea for my "problem"???
Please attach your register.php, or better yet, if you can show a URL to your site, rename the register.php that is on your server to register.phps (do not upload a new register.phps) and show the URL to it. (PM me if you don't want it to be public)
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: Ston4Img on January 08, 2006, 09:01:00 PM
http://people.freenet.de/stonyce/register.txt
The 4Images is only "local" ... anyhow often (-->  :?:)
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: V@no on January 08, 2006, 09:57:33 PM
Ok, you've inserted the code in the wrong place. You must move the added code (blue) above the red bracket:
Quote
      if ($site_db->not_empty($sql)) {
        $msg .= (($msg != "") ? "<br />" : "").$lang['username_exists'];
        $error = 1;
      }
    }
    elseif (preg_match("#[<>]#", $user_name))
      {
        $msg .= (($msg != "") ? "<br />" : "").$lang['username_bad_characters'];
        $error = 1;
      }
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: Ston4Img on January 08, 2006, 10:13:45 PM
Thank you!
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: hyde101 on January 13, 2006, 03:35:47 PM
Thanks, modified as above on 1.7
Tried to Search, works fine,
Tried to register (seems to work fine)

Thank You
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: fotograf74 on January 14, 2006, 07:13:05 PM
Quote
Hmm,

I fixed my code, but now I can't use the search function. I get no result.
I think that was not your idea with the security fix.

What's the problem? I'm using the old code again now.

Quote
Attach your search.php to the reply.

Here is my search.php:
Code: [Select]
<?php
/**************************************************************************
 *                                                                        *
 *    4images - A Web Based Image Gallery Management System               *
 *    ----------------------------------------------------------------    *
 *                                                                        *
 *             File: search.php                                           *
 *        Copyright: (C) 2002 Jan Sorgalla                                *
 *            Email: jan@4homepages.de                                    *
 *              Web: http://www.4homepages.de                             *
 *    Scriptversion: 1.7.1                                                *
 *                                                                        *
 *    Never released without support from: Nicky (http://www.nicky.net)   *
 *                                                                        *
 **************************************************************************
 *                                                                        *
 *    Dieses Script ist KEINE Freeware. Bitte lesen Sie die Lizenz-       *
 *    bedingungen (Lizenz.txt) für weitere Informationen.                 *
 *    ---------------------------------------------------------------     *
 *    This script is NOT freeware! Please read the Copyright Notice       *
 *    (Licence.txt) for further information.                              *
 *                                                                        *
 *************************************************************************/
if (isset($HTTP_POST_VARS['show_result']) || isset($HTTP_GET_VARS['show_result'])) {
  $show_result = 1;
}
else {
  $show_result = 0;
}

if (isset($HTTP_POST_VARS['search_keywords']) || isset($HTTP_GET_VARS['search_keywords'])) {
  $search_keywords = (isset($HTTP_POST_VARS['search_keywords'])) ? trim($HTTP_POST_VARS['search_keywords']) : urldecode(trim($HTTP_GET_VARS['search_keywords']));
  if ($search_keywords != "") {
    $show_result = 1;
  }
}
else {
  $search_keywords = "";
}
$org_search_keywords = $search_keywords;

if (isset($HTTP_POST_VARS['search_user']) || isset($HTTP_GET_VARS['search_user'])) {
  $search_user = (isset($HTTP_POST_VARS['search_user'])) ? trim($HTTP_POST_VARS['search_user']) : urldecode(trim($HTTP_GET_VARS['search_user']));
  if ($search_user != "") {
    $show_result = 1;
  }
}
else {
  $search_user = "";
}
$org_search_user = $search_user;

if (isset($HTTP_POST_VARS['search_terms'])) {
  $search_terms = (trim($HTTP_POST_VARS['search_terms']) == "all") ? 1 : 0;
}
else {
  $search_terms = 0;
}

if (isset($HTTP_POST_VARS['search_fields'])) {
  $search_fields = trim($HTTP_POST_VARS['search_fields']);
}
else {
  $search_fields = "all";
}

$search_cat = (isset($HTTP_POST_VARS['cat_id']) ) ? intval($HTTP_POST_VARS['cat_id']) : 0;

if (isset($HTTP_POST_VARS['search_new_images']) || isset($HTTP_GET_VARS['search_new_images'])) {
  $search_new_images = 1;
  $show_result = 1;
}
else {
  $search_new_images = 0;
}

$main_template = 'search';

define('GET_CACHES', 1);
define('ROOT_PATH', './');
include(ROOT_PATH.'global.php');
require(ROOT_PATH.'includes/sessions.php');
$user_access = get_permission();
include(ROOT_PATH.'includes/search_utils.php');

$search_id = array();

if ($search_user != "" && $show_result == 1) {
  $search_user = str_replace('*', '%', trim($search_user));
  $sql = "SELECT ".get_user_table_field("", "user_id")."
          FROM ".USERS_TABLE."
          WHERE ".get_user_table_field("", "user_name")." LIKE '$search_user'";
  $result = $site_db->query($sql);
  $search_id['user_ids'] = "";
  if ($result) {
    while ($row = $site_db->fetch_array($result)) {
      $search_id['user_ids'] .= (($search_id['user_ids'] != "") ? ", " : "").$row[$user_table_fields['user_id']];
    }
    $site_db->free_result($result);
  }
}

if ($search_keywords != "" && $show_result == 1) {
  $search_keywords = strip_tags(trim($search_keywords));
  $search_keywords = convert_special($search_keywords);
  $search_keywords = strtolower($search_keywords);

  $search_array = array(
    "/\s+\+/",
    "/\s+\-/",
    "/[&|#][a-z0-9]*;/siU",
    "#([^]_a-z0-9-=\"'\/])([a-z]+?)://([^, \(\)<>\n\r]+)#si",
    "#([^]_a-z0-9-=\"'\/])www\.([a-z0-9\-]+)\.([a-z0-9\-.\~]+)((?:/[^, \(\)<>\n\r]*)?)#si",
    "#[-_'`´]+#s",
    "#[\n\t\r^\$&\(\)<>\"\|,@\?%~\+\.\[\]{}:\/=\#;!§\\\\]+#s"
  );

  $replace_array = array(
    " and ",
    " not ",
    " ",
    " ",
    " ",
    "",
    " "
  );
  $search_keywords = preg_replace($search_array, $replace_array, $search_keywords);
  $split_words = preg_split("/\s+/", $search_keywords);

  $match_field_sql = ($search_fields != "all" && isset($search_match_fields[$search_fields])) ? "AND m.".$search_match_fields[$search_fields]." = 1" : "";
  $stopword_list = get_stopwords();
  $search_word_cache = array();
  for ($i = 0; $i < sizeof($split_words); $i++) {
    if ($split_words[$i] == "and" || $split_words[$i] == "und" || $split_words[$i] == "or" || $split_words[$i] == "oder" || $split_words[$i] == "not") {
      $search_word_cache[$i] = ($search_terms) ? "and" : $split_words[$i];
    }
    elseif ($split_words[$i] != "" && strlen($split_words[$i]) >= MIN_SEARCH_KEYWORD_LENGTH && strlen($split_words[$i]) <= MAX_SEARCH_KEYWORD_LENGTH && !in_array($split_words[$i], $stopword_list)) {
      $sql = "SELECT m.image_id
              FROM ".WORDLIST_TABLE." w, ".WORDMATCH_TABLE." m
              WHERE w.word_text LIKE '".addslashes(str_replace("*", "%", $split_words[$i]))."'
              AND m.word_id = w.word_id
              $match_field_sql";
      $result = $site_db->query($sql);
      $search_word_cache[$i] = array();
      while ($row = $site_db->fetch_array($result)) {
        $search_word_cache[$i][$row['image_id']] = 1;
      }
      $site_db->free_result();
    }
  }

  $is_first_word = 1;
  $operator = "or";
  $image_id_list = array();
  for ($i = 0; $i < sizeof($search_word_cache); $i++) {
    if ($search_word_cache[$i] == "and" || $search_word_cache[$i] == "und" || $search_word_cache[$i] == "or" || $search_word_cache[$i] == "oder" || $search_word_cache[$i] == "not") {
      if (!$is_first_word) {
        $operator = $search_word_cache[$i];
      }
    }
    elseif (is_array($search_word_cache[$i])) {
      if ($search_terms) {
        $operator = "and";
      }
      foreach ($search_word_cache[$i] as $key => $val) {
        if ($is_first_word || $operator == "or" || $operator == "oder") {
          $image_id_list[$key] = 1;
        }
        elseif ($operator == "not") {
          unset($image_id_list[$key]);
        }
      }
      if (($operator == "and" || $operator == "und") && !$is_first_word) {
        foreach ($image_id_list as $key => $val) {
          if (!isset($search_word_cache[$i][$key])) {
            unset($image_id_list[$key]);
          }
        }
      }
    }
    $is_first_word = 0;
  }

  $search_id['image_ids'] = "";
  foreach ($image_id_list as $key => $val) {
    $search_id['image_ids'] .= (($search_id['image_ids'] != "") ? ", " : "").$key;
  }
  unset($image_id_list);
}

if ($search_new_images && $show_result == 1) {
  $search_id['search_new_images'] = 1;
}

if ($search_cat && $show_result == 1) {
  $search_id['search_cat'] = $search_cat;
}

if (!empty($search_id)) {
  $site_sess->set_session_var("search_id", serialize($search_id));
  $session_info['search_id'] = $search_id;
}

include(ROOT_PATH.'includes/page_header.php');

$num_rows_all = 0;
if ($show_result == 1) {
  if (!isset($session_info['searchid']) || empty($session_info['searchid'])) {
    $session_info['search_id'] = $site_sess->get_session_var("search_id");
  }

  if (!empty($session_info['search_id'])) {
    $search_id = unserialize($session_info['search_id']);
  }

  $sql_where_query = "";

  if (!empty($search_id['image_ids'])) {
    $sql_where_query .= "AND i.image_id IN (".$search_id['image_ids'].") ";
  }

  if (!empty($search_id['user_ids'])) {
    $sql_where_query .= "AND i.user_id IN (".$search_id['user_ids'].") ";
  }

  if (!empty($search_id['search_new_images']) && $search_id['search_new_images'] == 1) {
    $new_cutoff = time() - 60 * 60 * 24 * $config['new_cutoff'];
    $sql_where_query .= "AND i.image_date >= $new_cutoff ";
  }

  if (!empty($search_id['search_cat']) && $search_id['search_cat'] != 0) {
    $cat_id_sql = 0;
    $sub_cat_ids = get_subcat_ids($search_id['search_cat'], $search_id['search_cat'], $cat_parent_cache);
    if (check_permission("auth_viewcat", $search_id['search_cat'])) {
      $cat_id_sql .= ", ".$search_id['search_cat'];
      if (!empty($sub_cat_ids[$search_id['search_cat']])) {
        foreach ($sub_cat_ids[$search_id['search_cat']] as $val) {
          if (check_permission("auth_viewcat", $val)) {
            $cat_id_sql .= ", ".$val;
          }
        }
      }
    }
  }
  else {
    $cat_id_sql = get_auth_cat_sql("auth_viewcat");
  }

  if (!empty($sql_where_query)) {
    $sql = "SELECT COUNT(*) AS num_rows_all
            FROM ".IMAGES_TABLE." i
            WHERE i.image_active = 1
            $sql_where_query
            AND i.cat_id IN ($cat_id_sql)";
    $row = $site_db->query_firstrow($sql);
    $num_rows_all = $row['num_rows_all'];
  }
}

if (!$num_rows_all && $show_result == 1)  {
  $msg = preg_replace("/".$site_template->start."search_keywords".$site_template->end."/", $search_keywords, $lang['search_no_results']);
}

//-----------------------------------------------------
//--- Show Search Results -----------------------------
//-----------------------------------------------------
if ($num_rows_all && $show_result == 1)  {
  $link_arg = $site_sess->url(ROOT_PATH."search.php?show_result=1");

  include(ROOT_PATH.'includes/paging.php');
  $getpaging = new Paging($page, $perpage, $num_rows_all, $link_arg);
  $offset = $getpaging->get_offset();
  $site_template->register_vars(array(
    "paging" => $getpaging->get_paging(),
    "paging_stats" => $getpaging->get_paging_stats()
  ));

  $imgtable_width = ceil((intval($config['image_table_width'])) / $config['image_cells']);
  if ((substr($config['image_table_width'], -1)) == "%") {
    $imgtable_width .= "%";
  }

  $additional_sql = "";
  if (!empty($additional_image_fields)) {
    foreach ($additional_image_fields as $key => $val) {
      $additional_sql .= ", i.".$key;
    }
  }

  $sql = "SELECT i.image_id, i.cat_id, i.user_id, i.image_name, i.image_description, i.image_keywords, i.image_date, i.image_active, i.image_media_file, i.image_thumb_file, i.image_download_url, i.image_allow_comments, i.image_comments, i.image_downloads, i.image_votes, i.image_rating, i.image_hits".$additional_sql.", c.cat_name".get_user_table_field(", u.", "user_name")."
          FROM ".IMAGES_TABLE." i,  ".CATEGORIES_TABLE." c
          LEFT JOIN ".USERS_TABLE." u ON (".get_user_table_field("u.", "user_id")." = i.user_id)
          WHERE i.image_active = 1
          $sql_where_query
          AND c.cat_id = i.cat_id AND i.cat_id IN ($cat_id_sql)
          ORDER BY ".$config['image_order']." ".$config['image_sort']."
          LIMIT $offset, $perpage";
  $result = $site_db->query($sql);

  $thumbnails = "<table width=\"".$config['image_table_width']."\" border=\"0\" cellpadding=\"".$config['image_table_cellpadding']."\" cellspacing=\"".$config['image_table_cellspacing']."\">\n";

  $count = 0;
  $bgcounter = 0;
  while ($image_row = $site_db->fetch_array($result)) {
    if ($count == 0) {
      $row_bg_number = ($bgcounter++ % 2 == 0) ? 1 : 2;
      $thumbnails .= "<tr class=\"imagerow".$row_bg_number."\">\n";
    }
    $thumbnails .= "<td width=\"".$imgtable_width."\" valign=\"top\">\n";
    show_image($image_row, "search");
    $thumbnails .= $site_template->parse_template("thumbnail_bit");
    $thumbnails .= "\n</td>\n";
    $count++;
    if (
$count == $config['image_cells']) {
      
$thumbnails .= "</tr>\n";
      
$count 0;
    }
  } 
// end while
  
if ($count 0)  {
    
$leftover = ($config['image_cells'] - $count);
    if (
$leftover >= 1) {
      for (
$i 0$i $leftover$i++) {
        
$thumbnails .= "<td width=\"".$imgtable_width."\">\n&nbsp;\n</td>\n";
      }
      
$thumbnails .= "</tr>\n";
    }
  }
  
$thumbnails .= "</table>\n";
  
$content $thumbnails;
  unset(
$thumbnails);
// end if
else {
  
$site_template->register_vars(array(
    
"search_keywords" => htmlspecialchars(stripslashes($org_search_keywords)),
    
"search_user" => htmlspecialchars(stripslashes($org_search_user)),
    
"lang_search_by_keyword" => $lang['search_by_keyword'],
    
"lang_search_by_username" => $lang['search_by_username'],
    
"lang_new_images_only" => $lang['new_images_only'],
    
"lang_search_terms" => $lang['search_terms'],
    
"lang_or" => $lang['or'],
    
"lang_and" => $lang['and'],
    
"lang_category" => $lang['category'],
    
"lang_search_fields" => $lang['search_fields'],
    
"lang_all_fields" => $lang['all_fields'],
    
"lang_name_only" => $lang['name_only'],
    
"lang_description_only" => $lang['description_only'],
    
"lang_keywords_only" => $lang['keywords_only'],
    
"category_dropdown" => get_category_dropdown($cat_id)
  ));

  if (!empty(
$additional_image_fields)) {
    
$additional_field_array = array();
    foreach (
$additional_image_fields as $key => $val) {
      if (isset(
$lang[$key.'_only'])) {
        
$additional_field_array['lang_'.$key.'_only'] = $lang[$key.'_only'];
      }
    }
    if (!empty(
$additional_field_array)) {
      
$site_template->register_vars($additional_field_array);
    }
  }
  
$content $site_template->parse_template("search_form");
}

//-----------------------------------------------------
//--- Clickstream -------------------------------------
//-----------------------------------------------------
// $clickstream = "<span class=\"clickstream\"><a href=\"".$site_sess->url(ROOT_PATH."index.php")."\" class=\"clickstream\">".$lang['home']."</a>".$config['category_separator'].$lang['search']."</span>"; // Original code
// MOD: Dynamic page title BLOCK BEGIN
if (!empty($search_id['search_new_images'])) {
  if( 
$search_id['search_new_images'] == )
    
$txt_clickstream $lang['new_images'];
  else
    
$txt_clickstream $lang['new_images_since'];
}
else {
  
$txt_clickstream $lang['search'];
}
$clickstream "<span class=\"clickstream\"><a title=\"".$lang['home']."\" href=\"".$site_sess->url(ROOT_PATH."index.php")."\" class=\"clickstream\">".$lang['home']."</a>".$config['category_separator'].(($search_keywords) ? "<a href=\"".$site_sess->url(ROOT_PATH."search.php")."\" class=\"clickstream\">".$lang['search']."</a>".$config['category_separator'].$search_keywords $txt_clickstream)."</span>";  // Show search keywords
$page_title $config['category_separator'].$txt_clickstream;
// MOD: Dynamic page title BLOCK END

//-----------------------------------------------------
//--- Print Out ---------------------------------------
//-----------------------------------------------------
$site_template->register_vars(array(
  
"content" => $content,
  
"msg" => $msg,
  
"clickstream" => $clickstream,
  
"page_title" => $page_title// MOD: Dynamic page title
  
"lang_search" => $lang['search']
));
// MOD: Dynamic page title BLOCK BEGIN
//-----------------------------------------------------
//--- Parse Header & Footer ---------------------------
//-----------------------------------------------------
if (isset($main_template) && $main_template) {
  
$header $site_template->parse_template("header");
  
$footer $site_template->parse_template("footer");
  
$site_template->register_vars(array(
    
"header" => $header,
    
"footer" => $footer
  
));
  unset(
$header);
  unset(
$footer);
}
// MOD: Dynamic page title BLOCK END
$site_template->print_template($site_template->parse_template($main_template));
include(
ROOT_PATH.'includes/page_footer.php');
?>
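The search.php posted above builds its WHERE clause by concatenating the comma-separated lists in `$search_id['image_ids']` and `$search_id['user_ids']` straight into `IN (...)`. That is only safe while `$search_id` can come from nowhere but the session, which is exactly what the original post's Step 1 protects by moving the variable initialisation below `include(ROOT_PATH.'global.php')`. The following is an added example, not code from 4images or from any poster in this thread; the function names `build_where_unsafe`, `build_id_list` and `build_where_safe` and both input arrays are hypothetical, constructed here to show the difference between the posted pattern and a list that is reduced to integers before it reaches the query.

```php
<?php
// Added example (not 4images code). Shows why a comma-separated id list that
// reaches an IN (...) clause must be validated before it is interpolated.

// Constructed input: the shape search.php stores in the session once the
// keyword query has been resolved to matching image ids.
$session_search_id = array(
  'image_ids' => '12,15,31',
  'user_ids'  => '',
);

// Constructed input: the same array as an attacker could supply it if
// $search_id were populated from the request instead of the session.
$tainted_search_id = array(
  'image_ids' => "0) OR 1=1 /*",
  'user_ids'  => '',
);

// The pattern from the posted search.php: the list is concatenated as-is.
function build_where_unsafe(array $search_id) {
  $where = "";
  if (!empty($search_id['image_ids'])) {
    $where .= "AND i.image_id IN (".$search_id['image_ids'].") ";
  }
  if (!empty($search_id['user_ids'])) {
    $where .= "AND i.user_id IN (".$search_id['user_ids'].") ";
  }
  return $where;
}

// Hardened (hypothetical helper): keep only positive integers and rebuild the
// list, so nothing but digits and commas can ever reach the query.
function build_id_list($list) {
  $ids = array();
  foreach (explode(',', (string)$list) as $part) {
    $part = trim($part);
    if ($part !== '' && ctype_digit($part) && (int)$part > 0) {
      $ids[(int)$part] = true;   // array key de-duplicates
    }
  }
  return implode(',', array_keys($ids));
}

// Hardened (hypothetical helper): same clause as above, built from the
// validated list. An all-rejected list matches nothing, never everything.
function build_where_safe(array $search_id) {
  $where = "";
  $columns = array('image_ids' => 'i.image_id', 'user_ids' => 'i.user_id');
  foreach ($columns as $key => $column) {
    if (empty($search_id[$key])) {
      continue;
    }
    $list = build_id_list($search_id[$key]);
    if ($list === '') {
      $where .= "AND 1=0 ";
    } else {
      $where .= "AND ".$column." IN (".$list.") ";
    }
  }
  return $where;
}

echo build_where_unsafe($session_search_id), "\n";
echo build_where_unsafe($tainted_search_id), "\n";
echo build_where_safe($session_search_id), "\n";
echo build_where_safe($tainted_search_id), "\n";
```

With the session list both functions produce the same `IN (12,15,31)` clause. With the tainted list the unsafe version emits a clause whose `OR 1=1` turns the filter into a match-all and whose `/*` comments out the rest of the query, while the hardened version rejects every element and emits `AND 1=0`. The same `intval`-style reduction belongs on `$search_id['search_cat']` before it is passed to `get_subcat_ids()` and appended to `$cat_id_sql`, since that value takes the same route into the query.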

Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: V@no on January 14, 2006, 07:19:06 PM
mmm... I meant attach the search.php with the fix implemented... what you showed has no fix installed...

Ok, I think it would be best just to attach already fixed files to the original post...

P.S. if you see "attach", that means attach the file, not show the source ;)
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: likeaflower on January 17, 2006, 07:23:00 AM
I just downloaded the gallery script and installed it today - is that one I downloaded already modified?
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: V@no on January 17, 2006, 07:40:11 AM
Quote
I just downloaded the gallery script and installed it today - is that one I downloaded already modified?
No.
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: V@no on February 19, 2006, 07:12:00 PM
I found an issue with search.php after these changes...and added Step 3 that fixes that issue.
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: nobby on February 19, 2006, 09:06:15 PM
Hello,

On page 1 I found the link (search.php + register.php+global.php.zip). Are these files now the modified ones, including the security patch?


With so much confusion (English and German) one can't make sense of it any more.  :(

I only have a fragmentary command of English, more bad than good really.

Regards
Nobby
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: TIMT on February 19, 2006, 09:21:57 PM
Hello nobby

Yes, these should be the modified files. V@no has just published Step 3.

The problem was:
After a search for images (e.g. keyword "Baum"), all images with the matching keyword were displayed. After a click on the "Lightbox" button the image was put into the lightbox, but the search result was no longer displayed. Instead, the "Advanced search" form was displayed.

Regards
TIMT
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: nobby on February 19, 2006, 09:29:19 PM
Quote
Hello nobby

Yes, these should be the modified files. V@no has just published Step 3.

The problem was:
After a search for images (e.g. keyword "Baum"), all images with the matching keyword were displayed. After a click on the "Lightbox" button the image was put into the lightbox, but the search result was no longer displayed. Instead, the "Advanced search" form was displayed.

Regards
TIMT

Thanks for your quick answer!   :D
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: ivan on February 20, 2006, 11:47:59 AM
hello vano

here is my search.php

I have inserted the security fix in search.php. You write that one should delete a block of code:
(If you wish, you can remove this block of code from search.php to increase perfomance (very insignificaly).)

Unfortunately, mine is a modified search.php and I don't know exactly what I should delete; can you help me?

regards, ivan



Code: [Select]
REMOVED
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: V@no on February 20, 2006, 02:31:43 PM
here is a tip:
Download the zip package from the attachment and compare it with the original search.php
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: Washi on February 26, 2006, 09:12:38 PM
Vano, if everything works correctly on my server, I don't need to do this update again, do I? I don't understand what changed from the original update. Thanks!
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: Saiman on March 01, 2006, 10:40:29 PM
Why are the files not attached any longer?
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: jovan on April 03, 2006, 12:04:36 PM
Quote
In the attachment below you can find already modifyed default search.php, register.php and global.php
and where can I get this attachment? I can't see it!
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: V@no on April 04, 2006, 01:44:53 AM
Quote
Vano, if everything works correctly on my server, I don't need to do this update again, do I?
If your site's security is not a priority for you, then no, you don't need to apply this fix, but then don't cry if your gallery gets hacked through this security hole...

P.S. I've attached the modified files for v1.7 and v1.7.1 in the original post.
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: Supoplex on April 06, 2006, 07:28:45 PM
I have 4images 1.7.2.
Are the security and search bugs fixed?
 :roll:
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: IcEcReaM on April 06, 2006, 08:02:14 PM
yes, 1.7.2 already has all known security fixes built in,
and there are no fixes for 1.7.2 at the moment.
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: Supoplex on April 07, 2006, 12:34:22 PM
but I'm still having some errors, like:
Validate images after delete, or... I get this:
Code: [Select]
Warning: copy(./../data/media/2/yh_2.jpg): failed to open stream: No such file or directory in /var/www/vhosts/yours.lt/subdomains/proektaslt/httpdocs/admin/admin_functions.php on line 111
Error adding image: asdasd (yh_2.jpg)
and for Add categories I get this:
Code: [Select]
Warning: ftp_login() expects parameter 1 to be resource, boolean given in /var/www/vhosts/yours.lt/subdomains/mysite/httpdocs/admin/categories.php on line 86
Bad FTP connection. Trying to connect to ftp.yours.lt for user
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: V@no on April 07, 2006, 02:29:59 PM
Re-check the steps and the configuration of the safe mode mod that you've installed.
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: tansamalaja on September 04, 2007, 10:59:08 AM
I have been made aware that search.php is said to have a security hole and to be vulnerable to SQL injection. I also have a link to the corresponding script, but of course I don't want to publish it. So if one of the admins would get in touch with me; I have already sent Jan a PM, I'll be back online from Thursday.
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: kai on September 04, 2007, 11:28:43 AM
@ tansamalaja:

The bug you mean is from 2006 and was fixed right away back then:
http://www.4homepages.de/forum/index.php?topic=14604.0

Besides, the current version 4images 1.7.4 contains all fixes.
Download here: http://www.4homepages.de/4images/download.php
Title: Re: [1.7 / 1.7.1] Security fix in search.php and register.php
Post by: tansamalaja on September 04, 2007, 12:01:22 PM
Then that's fine...  8)