Topics - kai

16
A cross site scripting vulnerability and possible sql injection in the 4images admin panel 1.7 - 1.7.10 has been found.

To fix this:

In admin/categories.php

find

$cat_parent_id = (isset($HTTP_GET_VARS['cat_parent_id'])) ? $HTTP_GET_VARS['cat_parent_id'] : 0;

and replace it with

$cat_parent_id = (isset($HTTP_GET_VARS['cat_parent_id'])) ? intval($HTTP_GET_VARS['cat_parent_id']) : 0;

17
Mods & Plugins (Releases & Support) / iPhone / iPad App: GalleryControl
« on: August 23, 2011, 08:11:33 PM »
"Gallery Control" is an administrative iPhone and iPad App to control up to 2 4images galleries you are running.
You can monitor live what's happening in your gallery...

"Gallery Control" on iTunes:
http://itunes.apple.com/de/app/gallerycontrol/id450482295?l=de&ls=1&mt=8

The App has been developed by Uwe Lammer


18
Bug Fixes & Patches / [1.7.10] Fix for Auto-Login
« on: June 15, 2011, 05:11:29 PM »
If the auto-login is not working on your 1.7.10 installation of 4images please use this fix:

in includes/session.php

find

$this->set_cookie_data("userpass", $this->user_info['user_password']);

and replace with

$this->set_cookie_data("userpass", md5($this->user_info['user_password']));

19
Feedback & Suggestions / 4images 1.7.10 - Feedback
« on: May 01, 2011, 11:20:12 PM »
Please use this thread for feedback and comments about the 4images 1.7.10 release.
For bug reporting and troubleshooting please use this forum.

20
News & Announcements / 4images 1.7.10
« on: May 01, 2011, 11:12:19 PM »
The new version 4images 1.7.10 has been released. This release comes with some improvements, bugfixes, security fixes and minor changes.
We recommend all users to update to the current version. All changes and features are listed in "docs/Changelog.txt".

Download:
http://www.4homepages.de/4images/download.php

Demo:
http://www.4homepages.de/4images/demo.php


Please use this thread for feedback about the 4images 1.7.10 version.

21
An input validation error vulnerability in 4images 1.7 - 1.7.9 has been found.

To fix this:

in download.php

find

$file = array();

and replace with

$file = array();
$file_path = null;
$file_name = null;


and find

while ($image_row = $site_db->fetch_array($result)) {

and replace with

while ($image_row = $site_db->fetch_array($result)) {
  $file_path = null;
  $file_name = null;

22
A multiple path disclosure vulnerability in 4images 1.7 - 1.7.9 has been found.

To fix this:

In global.php

find


$action = (isset($HTTP_POST_VARS['action'])) ? stripslashes(trim($HTTP_POST_VARS['action'])) : stripslashes(trim($HTTP_GET_VARS['action']));


and replace with


$action = (isset($HTTP_POST_VARS['action'])) ? stripslashes(trim((string)$HTTP_POST_VARS['action'])) : stripslashes(trim((string)$HTTP_GET_VARS['action']));


find


$mode = (isset($HTTP_POST_VARS['mode'])) ? stripslashes(trim($HTTP_POST_VARS['mode'])) : stripslashes(trim($HTTP_GET_VARS['mode']));


and replace with


$mode = (isset($HTTP_POST_VARS['mode'])) ? stripslashes(trim((string)$HTTP_POST_VARS['mode'])) : stripslashes(trim((string)$HTTP_GET_VARS['mode']));


find


$search_keywords = (isset($HTTP_POST_VARS['search_keywords'])) ? trim($HTTP_POST_VARS['search_keywords']) : trim($HTTP_GET_VARS['search_keywords']);


and replace with


$search_keywords = (isset($HTTP_POST_VARS['search_keywords'])) ? trim((string)$HTTP_POST_VARS['search_keywords']) : trim((string)$HTTP_GET_VARS['search_keywords']);


find


$search_user = (isset($HTTP_POST_VARS['search_user'])) ? trim($HTTP_POST_VARS['search_user']) : trim($HTTP_GET_VARS['search_user']);


and replace with


$search_user = (isset($HTTP_POST_VARS['search_user'])) ? trim((string)$HTTP_POST_VARS['search_user']) : trim((string)$HTTP_GET_VARS['search_user']);


and in includes/page_header.php

find

$cookie_rated = isset($HTTP_COOKIE_VARS[$cookie_name.'rated']) ?
unserialize(stripslashes($HTTP_COOKIE_VARS[$cookie_name.'rated'])) : array();


and replace with

$cookie_rated = isset($HTTP_COOKIE_VARS[$cookie_name.'rated']) ? explode(" ",
stripslashes((string)$HTTP_COOKIE_VARS[$cookie_name.'rated'])) : array();


find

setcookie($cookie_name.'rated', serialize($cookie_rated), $cookie_expire, COOKIE_PATH, COOKIE_DOMAIN, COOKIE_SECURE);


and replace with

setcookie($cookie_name.'rated', implode(" ", $cookie_rated), $cookie_expire, COOKIE_PATH, COOKIE_DOMAIN, COOKIE_SECURE);
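
The page_header.php change above stops calling unserialize() on a client-supplied cookie and stores the rated ids as a space-separated string instead. As an added example (not 4images code), the following shows how such a cookie can be parsed so that only positive integer ids survive; the function names, the entry limit and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not 4images code: parse a space-separated "rated" cookie
// into a list of positive integer image ids without calling unserialize().

/**
 * @param mixed $raw Cookie value as received; may be an array when the
 *                   client sends name[]=..., which must not reach trim() etc.
 * @param int   $max Hypothetical cap on the number of ids kept.
 * @return int[] Unique positive ids.
 */
function parse_rated_cookie($raw, $max = 500)
{
    if (!is_string($raw) || $raw === '') {
        return array();   // arrays, null and empty values are rejected outright
    }
    $ids = array();
    foreach (explode(' ', $raw) as $part) {
        // ctype_digit() accepts only non-empty strings of 0-9, so serialized
        // data, signs, exponents and hex notation never pass.
        if (ctype_digit($part) && strlen($part) <= 9 && (int)$part > 0) {
            $ids[(int)$part] = true;   // keyed by id to drop duplicates
        }
        if (count($ids) >= $max) {
            break;
        }
    }
    return array_keys($ids);
}

// Re-encode the validated list in the same space-separated format.
function build_rated_cookie(array $ids)
{
    return implode(' ', array_map('intval', $ids));
}

// Constructed sample inputs.
$samples = array(
    'normal'      => '12 7 12 103',
    'serialized'  => 'a:1:{i:0;O:8:"stdClass":0:{}}',
    'array input' => array('1', '2'),
    'junk'        => '5 -3 1e3 0x1A  9',
);
foreach ($samples as $label => $raw) {
    printf("%-12s => [%s]\n", $label, build_rated_cookie(parse_rated_cookie($raw)));
}
```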

23
A possible sql injection vulnerability in 4images 1.7 - 1.7.9 has been found.
With this logged in admin users could alter queries to the application SQL database.

To fix this:

In admin/categories.php

find 2 x

  $auth_viewcat = $HTTP_POST_VARS['auth_viewcat'];
  $auth_viewimage = $HTTP_POST_VARS['auth_viewimage'];
  $auth_download = $HTTP_POST_VARS['auth_download'];
  $auth_upload = $HTTP_POST_VARS['auth_upload'];
  $auth_directupload = $HTTP_POST_VARS['auth_directupload'];
  $auth_vote = $HTTP_POST_VARS['auth_vote'];
  $auth_sendpostcard = $HTTP_POST_VARS['auth_sendpostcard'];
  $auth_readcomment = $HTTP_POST_VARS['auth_readcomment'];
  $auth_postcomment = $HTTP_POST_VARS['auth_postcomment'];


and replace with

  $auth_viewcat = intval($HTTP_POST_VARS['auth_viewcat']);
  $auth_viewimage = intval($HTTP_POST_VARS['auth_viewimage']);
  $auth_download = intval($HTTP_POST_VARS['auth_download']);
  $auth_upload = intval($HTTP_POST_VARS['auth_upload']);
  $auth_directupload = intval($HTTP_POST_VARS['auth_directupload']);
  $auth_vote = intval($HTTP_POST_VARS['auth_vote']);
  $auth_sendpostcard = intval($HTTP_POST_VARS['auth_sendpostcard']);
  $auth_readcomment = intval($HTTP_POST_VARS['auth_readcomment']);
  $auth_postcomment = intval($HTTP_POST_VARS['auth_postcomment']);

24
Bug Fixes & Patches / [1.7.9] Fix for search
« on: January 05, 2011, 11:25:59 AM »
In 4images 1.7.9 the search with more than one keyword, the use of operators (AND OR NOT) and two-word-keywords like "red car" is not working properly.
To fix this please apply this patch to the 3 files:

/includes/functions.php
/search.php
/includes/search_utils.php

The patched files are attached to this post (see below).
The fix will also be included in the next release of 4images.

Tip: If you want to search for a two-word-keyword like "red car", then you have to enter the ".



1.) search in /includes/functions.php:


    foreach ($split_keywords as $key => $val) {
      $keywords .= (($keywords != "" ) ? ", " : "")."<a href=\"".$site_sess->url(ROOT_PATH."search.php?search_keywords=".urlencode($val))."\">".format_text($val, 2)."</a>";

and replace with:

    foreach ($split_keywords as $key => $val) {
      $url_val = $val;
      if (strpos($url_val, ' ') !== false) {
        $url_val = '"' . $url_val . '"';
      }
      $keywords .= (($keywords != "" ) ? ", " : "")."<a href=\"".$site_sess->url(ROOT_PATH."search.php?search_keywords=".urlencode($url_val))."\">".format_text($val, 2)."</a>";



2.) search in /search.php:


$split_words = prepare_searchwords($search_keywords, true);

and replace with:

$split_words = prepare_searchwords_for_search($search_keywords);



3.) in /includes/search_utils.php:

search for

function prepare_searchwords($val, $for_search = false)

insert above:

function prepare_searchwords_for_search($val)
{
  $val = strip_tags(trim(stripslashes($val)));
  $val = convert_special($val);
  $val = strtolower($val);
  $val = str_replace(array('+', '-'), array(' and ', ' not '), $val);
  $val = preg_replace('/\s+/', ' ', $val);

  $tokens = array();
  for ($nextToken = strtok($val, ' '); $nextToken !== false; $nextToken = strtok(' ')) {
    if ($nextToken[0] == '"') {
      $nextToken = $nextToken[strlen($nextToken)-1] == '"' ? substr($nextToken, 1, -1) : substr($nextToken, 1) . ' ' . strtok('"');
    }
    $tokens[] = $nextToken;
  }
  return $tokens;
}


search for
"#[\n\t\r^\$\(\)<>\"\|@\?%~\+\.\[\]{}:\/=!§\\\\]+#s"

and replace with
"#[\n\t\r^\$\(\)<>\"\|,@\?%~\+\.\[\]{}:\/=!§\\\\]+#s"


3.1) search:

function prepare_searchwords($val, $for_search = false)
{

insert below:

  // Backwards compatibility
  if ($for_search) {
    return prepare_searchwords_for_search($val);
  }


3.2) search:

    
    if ($for_search) {
      $search_array = array(
        "/\s+\+/",
        "/\s+\-/"
      );

      $replace_array = array(
        " and ",
        " not "
      );

      $val = preg_replace($search_array, $replace_array, $val);
    } else {
      $val = str_replace("*", "", $val);
    }

and replace with:

    $val = str_replace("*", "", $val);


3.3) search:

      array_walk($split_words, 'trim_value');

and replace with:

      $split_words = array_map('trim', $split_words);
      $split_words = array_map('strip_tags', $split_words);
      $split_words = array_map('convert_special', $split_words);
      $split_words = array_map('strtolower', $split_words);


3.4) search:

    
    if ($for_search && ($word == "and" || $word == "und" || $word == "or" || $word == "oder" || $word == "not")) {
      $clean_words[] = $word;

and replace with:

    if ($word == "and" || $word == "und" || $word == "or" || $word == "oder" || $word == "not") {


3.5) search and remove:

  }

  if ($for_search) {
    // Add whole string for image_keyword search
    $clean_words[] = implode(' ', $clean_words);


25
A minor security vulnerability has been found which leads to path disclosure.

To fix this:

In includes/paging.php

find

$this->page = $page;
$this->perpage = $perpage;
$this->num_rows_all = $num_rows_all;

if (!isset($this->page) || !intval($this->page)) {
  $this->page = 1;
}
if (!$this->num_rows_all) {


and replace with

$this->page = intval($page);
$this->perpage = intval($perpage);
$this->num_rows_all = intval($num_rows_all);

if ($this->page <= 0) {
  $this->page = 1;
}
if ($this->perpage <= 0) {
  $this->perpage = 1;
}
if ($this->num_rows_all <= 0) {

26
If you upload an image which has the same words in title, description and keywords you can get a "DB Error: Bad SQL Query: INSERT INTO 4images_wordmatch (image_id, ..." message.

To fix this:

in includes/search_utils.php

FIND:
array_walk($split_words, 'trim_value');

and REPLACE WITH:
$split_words = array_map('trim', $split_words);
$split_words = array_map('strip_tags', $split_words);
$split_words = array_map('convert_special', $split_words);
$split_words = array_map('strtolower', $split_words);


27
Feedback & Suggestions / 4images 1.7.9 - Feedback
« on: November 11, 2010, 09:22:03 AM »
Please use this thread for feedback and comments about the 4images 1.7.9 release.
For bug reporting and troubleshooting please use this forum.

28
News & Announcements / 4images 1.7.9
« on: November 11, 2010, 09:21:16 AM »
The new version 4images 1.7.9 has been released. This release comes with some improvements, bugfixes, 2 security fixes and minor changes.
We recommend all users to update to the current version. All changes and features are listed in "docs/Changelog.txt".

Download:
http://www.4homepages.de/4images/download.php

Demo:
http://www.4homepages.de/4images/demo.php


Please use this thread for feedback about the 4images 1.7.9 version.

29
Bug Fixes & Patches / [1.7 - 1.7.8] Security fix for CSRF vulnerability
« on: October 27, 2010, 12:10:43 PM »
A cross-site request forgery vulnerability in 4images 1.7 - 1.7.8 has been found.

To fix this please follow these 4 steps:

1.
Download the attached csrf_utils.php file and copy it into the includes/ folder of your 4images installation.


2.
Open global.php and search for the following line:

@include(ROOT_PATH.'config.php');

and insert the following code ABOVE this line:

// Initialize CSRF protection configuration
$csrf_protection_enable      = 1;
$csrf_protection_frontend    = 1;
$csrf_protection_backend     = 1;
$csrf_protection_expires     = 7200;
$csrf_protection_name        = '__csrf';
$csrf_protection_xhtml       = 1;


In the same file, search for the line:

include_once(ROOT_PATH.'includes/captcha_utils.php');

and insert the following code BELOW this line:

//-----------------------------------------------------
//--- CSRF protection ---------------------------------
//-----------------------------------------------------
include_once(ROOT_PATH.'includes/csrf_utils.php');



3.
Open includes/page_header.php and search for the following line (at the end of the file):

?>

and insert the following code ABOVE this line:

if ($csrf_protection_enable && $csrf_protection_frontend) {
  csrf_start(true);
}



4.
Open admin/admin_global.php and search for the following line:

include_once(ROOT_PATH.'admin/admin_functions.php');

and insert the following code BELOW this line:

if ($csrf_protection_enable && $csrf_protection_backend) {
  csrf_start();
}




Thanks to Russ McRee for finding and reporting this vulnerability!
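
The steps above wire in csrf_utils.php, whose contents are not shown in this post. As an added example (not the attached file and not 4images code), the following shows one way a per-session, expiring form token can be issued and verified, reusing the `__csrf` field name and 7200-second lifetime from step 2; the function names, the HMAC construction and the sample timestamps are assumptions.

```php
<?php
// Added example, not the contents of csrf_utils.php: a session-bound,
// expiring token for POST forms. Field name and lifetime mirror the
// configuration in step 2; everything else is an assumption.

const CSRF_FIELD   = '__csrf';   // $csrf_protection_name
const CSRF_EXPIRES = 7200;       // $csrf_protection_expires, in seconds

function csrf_issue(array &$session, $now)
{
    if (empty($session['csrf_key'])) {
        $session['csrf_key'] = random_bytes(32);   // per-session secret, never sent to the client
    }
    return $now . ':' . hash_hmac('sha256', (string)$now, $session['csrf_key']);
}

function csrf_check(array $session, $token, $now)
{
    if (!is_string($token) || empty($session['csrf_key'])) {
        return false;
    }
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;
    }
    $issued = (int)$parts[0];
    if ($issued > $now || $now - $issued > CSRF_EXPIRES) {
        return false;                              // issued in the future, or expired
    }
    $expected = hash_hmac('sha256', $parts[0], $session['csrf_key']);
    return hash_equals($expected, $parts[1]);      // constant-time comparison
}

// Constructed demo: $session stands in for $_SESSION, $t0 for time().
$session = array();
$t0      = 1288180000;
$token   = csrf_issue($session, $t0);
echo '<input type="hidden" name="' . CSRF_FIELD . '" value="' . $token . '" />', "\n";

var_dump(csrf_check($session, $token, $t0 + 60));                          // within lifetime
var_dump(csrf_check($session, $token, $t0 + CSRF_EXPIRES + 1));            // past lifetime
var_dump(csrf_check($session, $t0 . ':' . str_repeat('0', 64), $t0 + 60)); // MAC not from this session
var_dump(csrf_check(array(), $token, $t0 + 60));                           // session without a key
```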

30
A cross site scripting vulnerability in 4images 1.7 - 1.7.8 has been found.

To fix this:

In admin/admin_functions.php

find

echo "<form action=\"".$site_sess->url($phpscript)."\"".$upload." name=\"".$name."\" method=\"post\">\n";

and replace it with

echo "<form action=\"".$site_sess->url(safe_htmlspecialchars(strip_tags($phpscript)))."\"".$upload." name=\"".$name."\" method=\"post\">\n";


find

echo "<a href=\"".$site_sess->url($url)."\"".$target.">[".$text."]</a>&nbsp;&nbsp;";

and replace it with

echo "<a href=\"".$site_sess->url(safe_htmlspecialchars(strip_tags($url)))."\"".$target.">[".$text."]</a>&nbsp;&nbsp;";


find

echo "<a href=\"".$site_sess->url($url)."\" class=\"navlink\">".$title."</a> $extra\n";

and replace it with

echo "<a href=\"".$site_sess->url(safe_htmlspecialchars(strip_tags($url)))."\" class=\"navlink\">".$title."</a> $extra\n";


If you are using 4images v1.7 also add in includes/functions.php above ?>
function safe_htmlspecialchars($chars) {
  // Translate all non-unicode entities
  $chars = preg_replace(
    '/&(?!(#[0-9]+|[a-z]+);)/si',
    '&amp;',
    $chars
  );

  $chars = str_replace(">", "&gt;",   $chars);
  $chars = str_replace("<", "&lt;",   $chars);
  $chars = str_replace('"', "&quot;", $chars);
  return $chars;
}


Thanks to Secunia Research for finding and reporting this vulnerability!
