Author Topic: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php  (Read 114786 times)


Offline vBFreak

Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #15 on: May 27, 2006, 09:54:24 PM »
Since I don't know how to attach a file in here, I've put in the whole code of my sessions.php and replaced my vb-license number with XXXXXXXX for my own privacy.

Code:
<?php
/**************************************************************************
 *                                                                        *
 *    4images - A Web Based Image Gallery Management System               *
 *    ----------------------------------------------------------------    *
 *                                                                        *
 *             File: sessions.php                                         *
 *        Copyright: (C) 2002 Jan Sorgalla                                *
 *            Email: jan@4homepages.de                                    *
 *              Web: http://www.4homepages.de                             *
 *    Scriptversion: 1.7.2                                                *
 *    Integration to work with vBulletin 2.x by Jan                       *
 *    Modified to work with vBulletin 3.0.x by mtha                       *
 *    Modified to work with vBulletin 3.5.x by mtha                       *
 *    Never released without support from: Nicky (http://www.nicky.net)   *
 *                                                                        *
 **************************************************************************
 *                                                                        *
 *    Dieses Script ist KEINE Freeware. Bitte lesen Sie die Lizenz-       *
 *    bedingungen (Lizenz.txt) für weitere Informationen.                 *
 *    ---------------------------------------------------------------     *
 *    This script is NOT freeware! Please read the Copyright Notice       *
 *    (Licence.txt) for further information.                              *
 *                                                                        *
 *************************************************************************/
if (!defined('ROOT_PATH')) {
  die("Security violation");
}

//-----------------------------------------------------
//--- Start Configuration -----------------------------
//-----------------------------------------------------
define('USER_INTEGRATION', 'VBULLETIN');
define('VBLICENCE_NUMBER', 'XXXXXXXX'); //REPLACE XXXXXXXX with your Licence Number, usually on top of your vB files

// Set here the URL to your vBulletin forum. WITH trailing slash!
$url_app           = "http://www.gerritsforum.de/";

define('SESSION_NAME', 's'); // Default of vBulletin is "s".
define('COOKIE_PREFIX', 'bb'); //Default of vBulletin is "bb".
define('COOKIE_TIMEOUT', '600'); //Set the same with your vB timeout, in seconds
define('ALBUM_FOLDER', '/gallery/'); //Your Album Folder WITH trailing slash

// Define here the name of the template database table.
define('VB_TEMPLATE_TABLE', VB_TABLE_PREFIX.'template');

// Set here the corresponding database fields of the user table.
// If there is no corresponding field in the new user table,
// leave the value blank. Normally no need to change.
$user_table_fields = array(
  "user_id" => "userid",
  "user_level" => "usergroupid",
  "user_name" => "username",
  "user_password" => "password",
  "user_email" => "email",
  "user_showemail" => "",
  "user_allowemails" => "",
  "user_invisible" => "",
  "user_joindate" => "joindate",
  "user_activationkey" => "",
  "user_lastaction" => "lastactivity",
  "user_location" => "",
  "user_lastvisit" => "lastvisit",
  "user_comments" => "user_album_comments",
  "user_homepage" => "homepage",
  "user_icq" => "icq"
);


// Set here different URLs to your vBulletin forum.
// Normally no need to change.
$url_register      = $url_app."register.php?do=signup";
$url_lost_password = $url_app."login.php?do=lostpw";
$url_control_panel = $url_app."usercp.php";
$url_mailform      = $url_app."sendmessage.php?do=mailmember&u={user_id}";
$url_show_profile  = $url_app."member.php?u={user_id}";
$url_login         = $url_app."login.php";
//$url_logout        = $url_app."login.php?do=logout&logouthash=".$user_info['logouthash'];
$clientscript_md5  = $url_app."clientscript/vbulletin_md5.js";

//-----------------------------------------------------
//--- End Configuration -------------------------------
//-----------------------------------------------------

// Returns $add followed by the vB column mapped to a 4images user field,
// or "" when the mapping above leaves that field blank.
function get_user_table_field($add, $user_field) {
  global $user_table_fields;
  return (!empty($user_table_fields[$user_field])) ? $add.$user_table_fields[$user_field] : "";
}

class Session {

  var $session_id;
  var $user_ip;
  var $user_location;
  var $current_time;
  var $session_timeout;
  var $mode = "get";
  var $session_info = array();
  var $user_info = array();

  function Session() {
    global $cookietimeout;
    $this->session_timeout = $cookietimeout;
    $this->user_ip = $this->get_user_ip();
    $this->user_location = ALBUM_FOLDER.''.$this->get_user_location();
    $this->current_time = time();
    $this->demand_session();
  }

  function set_cookie_data($name, $value, $permanent = 1) {
    $cookie_expire = ($permanent) ? $this->current_time + 60 * 60 * 24 * 365 : 0;
    setcookie($name, $value, $cookie_expire, COOKIE_PATH, COOKIE_DOMAIN, COOKIE_SECURE);
  }

  function read_cookie_data($name) {
    global $HTTP_COOKIE_VARS;
    return (isset($HTTP_COOKIE_VARS[$name])) ? $HTTP_COOKIE_VARS[$name] : 0;
  }

  // Session id is taken from the cookie first, then from GET/POST, unfiltered.
  function get_session_id() {
    global $HTTP_GET_VARS, $HTTP_POST_VARS;
    if ($this->session_id = $this->read_cookie_data(COOKIE_PREFIX."sessionhash")) {
      $this->mode = "cookie";
    }
    else {
      if (isset($HTTP_GET_VARS[SESSION_NAME])) {
        $this->session_id = $HTTP_GET_VARS[SESSION_NAME];
      }
      elseif (isset($HTTP_POST_VARS[SESSION_NAME])) {
        $this->session_id = $HTTP_POST_VARS[SESSION_NAME];
      }
      else {
        $this->session_id = false;
      }
    }
  }

  function demand_session() {
    $this->get_session_id();
    if (!$this->load_session_info()) {
      $this->delete_old_sessions();
      $user_id = ($this->read_cookie_data(COOKIE_PREFIX."userid")) ? intval($this->read_cookie_data(COOKIE_PREFIX."userid")) : GUEST;
// $user_id = ($this->read_cookie_data("userid")) ? $this->read_cookie_data("userid") : GUEST;
      $this->start_session($user_id);
    }
    else {
      $this->user_info = $this->load_user_info($this->session_info['userid']);
      $update_cutoff = ($this->user_info['user_id'] != GUEST) ? $this->current_time - $this->user_info['user_lastaction'] : $this->current_time - $this->session_info['lastactivity'];
      if ($update_cutoff > 60) {
        $this->update_session();
        $this->delete_old_sessions();
      }
    }
  }

  function start_session($user_id = GUEST, $login_process = 0) {
    global $site_db;

    $this->user_info = $this->load_user_info($user_id);
    if ($this->user_info['user_id'] != GUEST && !$login_process) {
      if ($this->read_cookie_data(COOKIE_PREFIX."password") === md5($this->user_info['user_password'].''.VBLICENCE_NUMBER)  && $this->user_info['user_level'] != USER_AWAITING) {
        $this->set_cookie_data(COOKIE_PREFIX."password", $this->user_info['user_password']);
      }
      else {
        $this->set_cookie_data(COOKIE_PREFIX."password", "", 0);
        $this->user_info = $this->load_user_info(GUEST);
      }
    }
    $this->session_id = $this->generate_session_id();
    $sql = "INSERT INTO ".SESSIONS_TABLE."
            (sessionhash, userid, host, useragent, lastactivity, location, styleid)
            VALUES
            ('$this->session_id', ".$this->user_info['user_id'].", '$this->user_ip', '".$_SERVER['HTTP_USER_AGENT']."', $this->current_time, '$this->user_location', '".$this->read_cookie_data(COOKIE_PREFIX."styleid")."')";
    $site_db->query($sql);
    $this->session_info['session_user_id'] = $this->user_info['user_id'];
    $this->session_info['session_lastaction'] = $this->current_time;
    $this->session_info['session_location'] = $this->user_location;
    $this->session_info['session_ip'] = $this->user_ip;

    if ($this->user_info['user_id'] != GUEST) {
      $sql = "UPDATE ".USERS_TABLE."
              SET ".get_user_table_field("", "user_lastaction")." = $this->current_time
              WHERE ".get_user_table_field("", "user_id")." = ".$this->user_info['user_id'];
      $site_db->query($sql);
    }
    $this->set_cookie_data(COOKIE_PREFIX."sessionhash", $this->session_id, 0);
    $this->set_cookie_data(COOKIE_PREFIX."lastvisit", $this->current_time);
    $this->set_cookie_data(COOKIE_PREFIX."userid", $this->user_info['user_id']);
    return true;
  }

  function login($user_name = "", $user_password = "", $auto_login = 0, $set_auto_login = 1) {
    global $url_login;
    header("Location: $url_login");
  }

  function logout($user_id = GUEST) {
    global $url_logout;
    header("Location: $url_logout");
  }

  function delete_old_sessions() {
    global $site_db;
    $expiry_time = $this->current_time - $this->session_timeout;
    $sql = "DELETE FROM ".SESSIONS_TABLE."
            WHERE lastactivity < $expiry_time";
// BM: temporary take this out, assume Forum always has someone browsing
//    $site_db->query($sql);

    $sql = "SELECT sessionhash
            FROM ".SESSIONS_TABLE;
    $result = $site_db->query($sql);
    if ($result) {
      $session_ids_sql = "";
      while ($row = $site_db->fetch_array($result)) {
        $session_ids_sql .= (($session_ids_sql != "") ? ", " : "") . "'".$row['sessionhash']."'";
      }
    }
    if (!empty($session_ids_sql)) {
      $sql = "DELETE FROM ".SESSIONVARS_TABLE."
              WHERE session_id NOT IN ($session_ids_sql)";
      $site_db->query($sql);
    }
    return true;
  }

  function update_session() {
    global $site_db;

    $sql = "REPLACE INTO ".SESSIONS_TABLE."
           (sessionhash, userid, lastactivity, location, host)
           VALUES
           ('$this->session_id', ".$this->user_info['user_id'].", $this->current_time, '$this->user_location', '$this->user_ip')";

    $site_db->query($sql);
    if ($this->user_info['user_id'] != GUEST) {
      $sql = "UPDATE ".USERS_TABLE."
              SET ".get_user_table_field("", "user_lastaction")." = $this->current_time
              WHERE ".get_user_table_field("", "user_id")." = ".$this->user_info['user_id'];
      $site_db->query($sql);
    }
    return;
  }

  // Generates a fresh md5 hex digest and retries until it is unused.
  function generate_session_id() {
    global $site_db;
    $sid = md5(uniqid(microtime()));
    $i = 0;
    while ($i == 0) {
      $sql = "SELECT sessionhash
              FROM ".SESSIONS_TABLE."
              WHERE sessionhash = '$sid'";
      if ($site_db->is_empty($sql)) {
        $i = 1;
      }
      else {
        $i = 0;
        $sid = md5(uniqid(microtime()));
      }
    }
    return $sid;
  }

  function return_session_info() {
    return $this->session_info;
  }

  function return_user_info() {
    return $this->user_info;
  }


  function freeze() {
    return;
  }

  // The session id from get_session_id() is interpolated into this query as-is.
  function load_session_info() {
    global $site_db;
    if (!$this->session_id) {
      return false;
    }
    $this->session_info = array();
    $sql = "SELECT sessionhash, lastactivity, host, userid
            FROM ".SESSIONS_TABLE."
            WHERE sessionhash = '$this->session_id'
            AND host = '$this->user_ip'";
    $this->session_info = $site_db->query_firstrow($sql);
    if (!isset($this->session_info['userid'])) {
      return false;
    }
    else {
      $sql = "SELECT sessionvars_name, sessionvars_value
              FROM ".SESSIONVARS_TABLE."
              WHERE session_id = '$this->session_id'";
      $result = $site_db->query($sql);
      while ($row = $site_db->fetch_array($result)) {
        $this->session_info[$row['sessionvars_name']] = $row['sessionvars_value'];
      }
      return $this->session_info;
    }
  }

  function load_user_info($user_id = GUEST) {
    global $site_db, $user_table_fields;

    if ($user_id != GUEST) {
      $sql = "SELECT u.*, l.*
              FROM ".USERS_TABLE." u, ".LIGHTBOXES_TABLE." l
              WHERE ".get_user_table_field("u.", "user_id")." = $user_id AND l.user_id = ".get_user_table_field("u.", "user_id");
      $user_info = $site_db->query_firstrow($sql);
      if (!$user_info) {
        $sql = "SELECT *
                FROM ".USERS_TABLE."
                WHERE ".get_user_table_field("", "user_id")." = $user_id";
        $user_info = $site_db->query_firstrow($sql);

        if ($user_info) {
          $lightbox_id = get_random_key(LIGHTBOXES_TABLE, "lightbox_id");
          $sql = "INSERT INTO ".LIGHTBOXES_TABLE."
                  (lightbox_id, user_id, lightbox_lastaction, lightbox_image_ids)
                  VALUES
                  ('$lightbox_id', ".$user_info[$user_table_fields['user_id']].", $this->current_time, '')";
          $site_db->query($sql);
          $user_info['lightbox_lastaction'] = $this->current_time;
          $user_info['lightbox_image_ids'] = "";
        }
      }
    }
    if (empty($user_info[$user_table_fields['user_id']])) {
      $user_info = array();
      $user_info['user_id'] = GUEST;
      $user_info['user_level'] = GUEST;
      $user_info['user_lastaction'] = $this->current_time;
      $user_info['user_lastvisit'] = ($this->read_cookie_data(COOKIE_PREFIX."lastvisit")) ? $this->read_cookie_data(COOKIE_PREFIX."lastvisit") : $this->current_time;
    }
    // Copy every mapped vB column onto the 4images field name.
    foreach ($user_table_fields as $key => $val) {
      if (isset($user_info[$val])) {
        $user_info[$key] = $user_info[$val];
      }
      elseif (!isset($user_info[$key])) {
        $user_info[$key] = "";
      }
    }
    $user_info['logouthash'] = md5($user_info['user_id'] . $user_info['salt'] . VBLICENCE_NUMBER);
    return $user_info;
  }

  function set_session_var($var_name, $value) {
    global $site_db;
    $sql = "SELECT session_id
            FROM ".SESSIONVARS_TABLE."
            WHERE sessionvars_name = '$var_name' AND session_id = '$this->session_id'";
    if ($site_db->is_empty($sql)) {
      $sql = "INSERT INTO ".SESSIONVARS_TABLE."
              (session_id, sessionvars_name, sessionvars_value)
              VALUES
              ('$this->session_id', '$var_name', '$value')";
      $site_db->query($sql);
    }
    else {
      $sql = "UPDATE ".SESSIONVARS_TABLE."
              SET sessionvars_value = '$value'
              WHERE sessionvars_name = '$var_name' AND session_id = '$this->session_id'";
      $site_db->query($sql);
    }
    $this->session_info[$var_name] = $value;
    return true;
  }

  function get_session_var($var_name) {
    global $site_db;
    if (isset($this->session_info[$var_name])) {
      return $this->session_info[$var_name];
    }
    else {
      $sql = "SELECT sessionvars_value
              FROM ".SESSIONVARS_TABLE."
              WHERE sessionvars_name = '$var_name' AND session_id = '$this->session_id'";
      $value = $site_db->query_firstrow($sql);
      if ($value) {
        $this->session_info[$var_name] = $value['sessionvars_value'];
        return $value['sessionvars_value'];
      }
      else {
        return "";
      }
    }
  }

  function drop_session_var($var_name) {
    unset($this->session_info[$var_name]);
/*    global $site_db;
    $sql = "DELETE FROM ".SESSIONVARS_TABLE."
            WHERE sessionvars_name = '$var_name' AND session_id = '$this->session_id'";
    return ($site_db->query($sql)) ? 1 : 0;
*/
  }

  function get_user_ip() {
    global $HTTP_SERVER_VARS, $HTTP_ENV_VARS;
    $ip = (!empty($HTTP_SERVER_VARS['REMOTE_ADDR'])) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ((!empty($HTTP_ENV_VARS['REMOTE_ADDR'])) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : getenv("REMOTE_ADDR"));
    //$ip = preg_replace("/[^\.0-9]+/", "", $ip);
    return substr($ip, 0, 50);
  }

  function get_user_location() {
    global $self_url;
    return (defined("IN_CP")) ? "Control Panel" : preg_replace(array("/([?|&])action=[^?|&]*/", "/([?|&])mode=[^?|&]*/", "/([?|&])phpinfo=[^?|&]*/", "/([?|&])printstats=[^?|&]*/", "/[?|&]".URL_ID."=[^?|&]*/", "/[?|&]l=[^?|&]*/", "/[&?]+$/"), array("", "", "", "", "", "", ""), addslashes($self_url));
  }

  function url($url, $amp = "&amp;") {
    global $l;
    $dummy_array = explode("#", $url);
    $url = $dummy_array[0];

    if ($this->mode == "get" && strpos($url, $this->session_id) === false) {
      $url .= strpos($url, '?') !== false ? $amp : "?";
      $url .= SESSION_NAME."=".$this->session_id;
    }

    if (!empty($l)) {
      $url .= strpos($url, '?') !== false ? $amp : "?";
      $url .= "l=".$l;
    }

    $url .= (isset($dummy_array[1])) ? "#".$dummy_array[1] : "";
    return $url;
  }
} //end of class

//-----------------------------------------------------
//--- Start Session -----------------------------------
//-----------------------------------------------------
$optionstemp = $site_db->query_firstrow("SELECT template FROM ".VB_TEMPLATE_TABLE." WHERE title='options'");
eval($optionstemp['template']);

define('COOKIE_NAME', '');
// $cookiepath / $cookiedomain come from the vB options template evaluated above
// (the posted copy had the two swapped).
define('COOKIE_PATH', $cookiepath);
define('COOKIE_DOMAIN', $cookiedomain);
$secure = (isset($SERVER_PORT) && $SERVER_PORT == "443") ? 1 : 0;
define('COOKIE_SECURE', $secure);

//Start Session
$site_sess = new Session();

// Get Userinfo
$session_info = $site_sess->return_session_info();
$user_info = $site_sess->return_user_info();

// Set USERGROUP levels
if (in_array($user_info['user_level'], $admingroups)) {
  define('ADMIN', $user_info['user_level']);
}
else {
  define('ADMIN', ADMIN_DEFAULT);
}

if (in_array($user_info['user_level'], $usergroups)) {
  define('USER', $user_info['user_level']);
}
else {
  define('USER', USER_DEFAULT);
}

if (in_array($user_info['user_level'], $waitinggroups)) {
  define('USER_AWAITING', $user_info['user_level']);
}
else {
  define('USER_AWAITING', USER_AWAITING_DEFAULT);
}

//-----------------------------------------------------
//--- Get User Caches ---------------------------------
//-----------------------------------------------------
$num_total_online = 0;
$num_visible_online = 0;
$num_invisible_online = 0;
$num_registered_online = 0;
$num_guests_online = 0;
$user_online_list = "";
$prev_user_ids = array();
$prev_session_ips = array();

if (defined("GET_USER_ONLINE") && ($config['display_whosonline'] == 1 || $user_info['user_level'] == ADMIN)) {
  if (!isset($cookietimeout)) {
    $cookietimeout = COOKIE_TIMEOUT;
  }
  $time_out = time() - $cookietimeout;
  $sql = "SELECT s.userid, s.lastactivity, s.host".get_user_table_field(", u.", "user_id").get_user_table_field(", u.", "user_level").get_user_table_field(", u.", "user_name").get_user_table_field(", u.", "user_invisible")."
  FROM ".SESSIONS_TABLE." s
  LEFT JOIN ".USERS_TABLE." u ON (".get_user_table_field("u.", "user_id")." = s.userid)
  WHERE s.lastactivity >= $time_out
  ORDER BY ".get_user_table_field("u.", "user_id")." ASC, s.host ASC";
  $result = $site_db->query($sql);
  while ($row = $site_db->fetch_array($result)) {
    if ($row['userid'] != GUEST && isset($row[$user_table_fields['user_name']])) {
      if (!isset($prev_user_ids[$row['userid']])) {
        $is_invisible = (isset($row[$user_table_fields['user_invisible']]) && $row[$user_table_fields['user_invisible']] == 1) ? 1 : 0;
        $invisibleuser = ($is_invisible) ? "*" : "";
        $username = (isset($row[$user_table_fields['user_level']]) && $row[$user_table_fields['user_level']] == ADMIN && $config['highlight_admin'] == 1) ? sprintf("<b>%s</b>", $row[$user_table_fields['user_name']]) : $row[$user_table_fields['user_name']];
        if (!$is_invisible || $user_info['user_level'] == ADMIN) {
          $user_online_list .= ($user_online_list != "") ? ", " : "";
          $user_profile_link = (!empty($url_show_profile)) ? preg_replace("/{user_id}/", $row['userid'], $url_show_profile) : ROOT_PATH."member.php?action=showprofile&amp;".URL_USER_ID."=".$row['userid'];
          $user_online_list .= "<a href=\"".$site_sess->url($user_profile_link)."\">".$username."</a>".$invisibleuser;
        }
        (!$is_invisible) ? $num_visible_online++ : $num_invisible_online++;
        $num_registered_online++;
      }
      $prev_user_ids[$row['userid']] = 1;
    }
    else {
      if (!isset($prev_session_ips[$row['host']])) {
        $num_guests_online++;
      }
    }
    $prev_session_ips[$row['host']] = 1;
  }
  $num_total_online = $num_registered_online + $num_guests_online;

  $site_template->register_vars(array(
    "num_total_online" => $num_total_online,
    "num_invisible_online" => $num_invisible_online,
    "num_registered_online" => $num_registered_online,
    "num_guests_online" => $num_guests_online,
    "user_online_list" => $user_online_list,
    "lang_user_online" => str_replace('{num_total_online}', $num_total_online, $lang['user_online']),
    "lang_user_online_detail" => str_replace(array('{num_registered_online}','{num_invisible_online}','{num_guests_online}'), array($num_registered_online,$num_invisible_online,$num_guests_online), $lang['user_online_detail']),
  ));
  $whos_online = $site_template->parse_template("whos_online");
  $site_template->register_vars("whos_online", $whos_online);
  unset($whos_online);
  unset($prev_user_ids);
  unset($prev_session_ips);
}
?>

I'm also using a changed version of constants.php, I've also attached it, maybe you need it:

Code:
<?php
/**************************************************************************
 *                                                                        *
 *    4images - A Web Based Image Gallery Management System               *
 *    ----------------------------------------------------------------    *
 *                                                                        *
 *             File: constants.php                                        *
 *        Copyright: (C) 2002 Jan Sorgalla                                *
 *            Email: jan@4homepages.de                                    *
 *              Web: http://www.4homepages.de                             *
 *    Scriptversion: 1.7.2                                                *
 *    Integration to work with vBulletin 2.x by Jan                       *
 *    Modified to work with vBulletin 3.0.x by mtha                       *
 *    Modified to work with vBulletin 3.5.x by mtha                       *
 *    Never released without support from: Nicky (http://www.nicky.net)   *
 *                                                                        *
 **************************************************************************
 *                                                                        *
 *    Dieses Script ist KEINE Freeware. Bitte lesen Sie die Lizenz-       *
 *    bedingungen (Lizenz.txt) für weitere Informationen.                 *
 *    ---------------------------------------------------------------     *
 *    This script is NOT freeware! Please read the Copyright Notice       *
 *    (Licence.txt) for further information.                              *
 *                                                                        *
 *************************************************************************/
if (!defined('ROOT_PATH')) {
  die("Security violation");
}
// If 4images has problems to find out the right URL, define it here.
define('SCRIPT_URL', 'http://www.gerritsforum.de/gallery'); //no trailing slash
define('VB_TABLE_PREFIX', ''); // your vb table prefix. vB default is blank

// Table names
define('CATEGORIES_TABLE', $table_prefix.'categories');
define('COMMENTS_TABLE', $table_prefix.'comments');
define('GROUP_ACCESS_TABLE', $table_prefix.'groupaccess');
define('GROUP_MATCH_TABLE', $table_prefix.'groupmatch');
define('GROUPS_TABLE', $table_prefix.'groups');
define('IMAGES_TABLE', $table_prefix.'images');
define('IMAGES_TEMP_TABLE', $table_prefix.'images_temp');
define('LIGHTBOXES_TABLE', $table_prefix.'lightboxes');
define('POSTCARDS_TABLE', $table_prefix.'postcards');
define('SESSIONS_TABLE', VB_TABLE_PREFIX.'session');
define('SESSIONVARS_TABLE', $table_prefix.'sessionvars');
define('SETTINGS_TABLE', $table_prefix.'settings');
define('USERS_TABLE', VB_TABLE_PREFIX.'user');
define('WORDLIST_TABLE', $table_prefix.'wordlist');
define('WORDMATCH_TABLE', $table_prefix.'wordmatch');


// URL Parameters
define('URL_IMAGE_ID', 'image_id');
define('URL_CAT_ID', 'cat_id');
define('URL_USER_ID', 'user_id');
define('URL_POSTCARD_ID', 'postcard_id');
define('URL_COMMENT_ID', 'comment_id');
define('URL_PAGE', 'page');
define('URL_ID', 'id');


// User default levels
define('GUEST', 0);  // GUEST group or ID
define('USER_AWAITING_DEFAULT', 3);
define('USER_DEFAULT', 2);
define('ADMIN_DEFAULT', 6);

// User groups level
// The commas between group ids were lost in the forum copy; the split below
// is an assumption and should be checked against your own vB usergroup ids.
$waitinggroups = array(1, 3, 4, 13, 14, 21); // vB Groups that should be waiting for moderation. Separate each group by comma
$usergroups = array(2, 5, 7, 8, 9, 15, 19, 20, 23); // Groups that are USERS in album. Separate each group by comma
$admingroups = array(6); // vB groups that are ADMINS in album. Separate each group by comma

// Permission levels
define('AUTH_ALL', 0);
define('AUTH_USER', 2);
define('AUTH_ACL', 3);
define('AUTH_ADMIN', 9);


// Group types
define('GROUPTYPE_GROUP', 1);
define('GROUPTYPE_SINGLE', 2);


// Chmod for files and directories created by 4images
define('CHMOD_FILES', 0666);
define('CHMOD_DIRS', 0777);


// Will be used to replace the {xxx} tags if the value is empty.
// Netscape Browser sometimes needs this to display table cell background colors.
define('REPLACE_EMPTY', '&nbsp;');


// Max rating value
define('MAX_RATING', 5);


// Days postcards will be held in the database
define('POSTCARD_EXPIRY', 10);


// Time offset for your website. Sometimes useful if your server is located
// in another timezone.
define('TIME_OFFSET', 0);


// All words <= MIN_SEARCH_KEYWORD_LENGTH and >= MAX_SEARCH_KEYWORD_LENGTH
// are not added to the search index
define('MIN_SEARCH_KEYWORD_LENGTH', 3);
define('MAX_SEARCH_KEYWORD_LENGTH', 25);

// If you set this to 1, admins will be authenticated additionally with cookies.
// If you use "User Integration", you should set this to 0.
define('ADMIN_SAFE_LOGIN', 0);


// If you use GD higher than 2.0.1 and PHP higher than 4.0.6 set this to 1.
// Your thumbnails will be created with better quality
define('CONVERT_IS_GD2', 0);


// If you have a lot of images in your database,
// the random image function could make your program slow.
// Try first to set "SHOW_RANDOM_CAT_IMAGE" to 0.
define('SHOW_RANDOM_IMAGE', 1);
define('SHOW_RANDOM_CAT_IMAGE', 1);


// Check existence of remote image files.
// If you choose 1, you could sometimes get timeout errors
define('CHECK_REMOTE_FILES', 0);


// Allow execution of PHP code in templates
define('EXEC_PHP_CODE', 1);

// Data paths
define('MEDIA_DIR', 'data/media');
define('THUMB_DIR', 'data/thumbnails');
define('MEDIA_TEMP_DIR', 'data/tmp_media');
define('THUMB_TEMP_DIR', 'data/tmp_thumbnails');
define('DATABASE_DIR', 'data/database');
define('TEMPLATE_DIR', 'templates');

// Script version
define('SCRIPT_VERSION', '1.7.2');
// Debug constants
// define("PRINT_STATS", 1);
// define("PRINT_QUERIES", 1);
// define('PRINT_CACHE_MESSAGES', 1);
?>

Offline V@no

Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #16 on: May 28, 2006, 11:18:42 AM »
in sessions.php replace
Code:
  function get_session_id() {
    global $HTTP_GET_VARS, $HTTP_POST_VARS;
    if ($this->session_id = $this->read_cookie_data(COOKIE_PREFIX."sessionhash")) {
      $this->mode = "cookie";
    }
    else {
      if (isset($HTTP_GET_VARS[SESSION_NAME])) {
        $this->session_id = $HTTP_GET_VARS[SESSION_NAME];
      }
      elseif (isset($HTTP_POST_VARS[SESSION_NAME])) {
        $this->session_id = $HTTP_POST_VARS[SESSION_NAME];
      }
      else {
        $this->session_id = false;
      }
    }
  }
with:
Code:
  function get_session_id() {
    global $HTTP_GET_VARS, $HTTP_POST_VARS;
    if ($this->session_id = $this->read_cookie_data(COOKIE_PREFIX."sessionhash")) {
      $this->mode = "cookie";
    }
    else {
      if (isset($HTTP_GET_VARS[SESSION_NAME])) {
        $this->session_id = $HTTP_GET_VARS[SESSION_NAME];
      }
      elseif (isset($HTTP_POST_VARS[SESSION_NAME])) {
        $this->session_id = $HTTP_POST_VARS[SESSION_NAME];
      }
      else {
        $this->session_id = false;
      }
    }
    $this->session_id = preg_replace('/[^a-z0-9]+/i', '', $this->session_id);
  }
It should do the trick.
Your first three "must do" before you ask a question:
Please do not PM me asking for help unless you've been specifically asked to do so. Such PMs will be deleted without answer. (forum rule #6)
Extension for Firefox/Thunderbird: Master Password+    Back/Forward History Tweaks (restartless)    Cookies Manager+    Fit Images (restartless for Thunderbird)
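As an added illustration (not code from this thread or from the 4images project), the stand-alone PHP script below contrasts the unfiltered session id that the posted load_session_info() interpolates into its SELECT with the whitelist filter from the reply above, and adds a stricter check that accepts only the 32-character hex digest generate_session_id() actually produces. The function names, the unprefixed `session` table name and the sample ids are assumptions made for this example and do not exist in the posted file.

```php
<?php
// Added example, not from the thread or from 4images. Shows what the
// whitelist fix does to a session id before it reaches the SELECT in
// load_session_info(), next to a stricter check that only accepts the
// 32-hex-character md5 digest generate_session_id() creates.
// Assumptions: table name 'session' with an empty VB_TABLE_PREFIX, and the
// function names below, which are not part of the posted file.

// Whitelist filter exactly as given in the reply above: everything that is
// not a letter or digit is removed, so no quote character can reach the SQL.
function sanitize_session_id($session_id) {
  return preg_replace('/[^a-z0-9]+/i', '', (string) $session_id);
}

// Stricter alternative: accept only a well-formed md5 hex digest and return
// false otherwise, so the caller treats the request as having no session
// (the same path load_session_info() takes for an empty id) instead of
// querying with a silently mangled value.
function validate_session_hash($session_id) {
  return preg_match('/^[a-f0-9]{32}$/i', (string) $session_id) ? $session_id : false;
}

// Mirrors the query shape of the posted load_session_info() so the effect of
// each check on the generated SQL is visible without a database.
function build_session_query($session_id, $user_ip) {
  return "SELECT sessionhash, lastactivity, host, userid FROM session"
       . " WHERE sessionhash = '" . $session_id . "' AND host = '" . $user_ip . "'";
}

// Constructed inputs: a genuine digest, an id carrying a quote character, and
// an id with punctuation and whitespace.
$samples = array(md5('example'), "abc'def", "12-34 56");
foreach ($samples as $id) {
  printf("raw:       %s\n", build_session_query($id, '127.0.0.1'));
  printf("whitelist: %s\n", build_session_query(sanitize_session_id($id), '127.0.0.1'));
  $strict = validate_session_hash($id);
  printf("strict:    %s\n\n", ($strict === false)
    ? 'rejected, handled as no session'
    : build_session_query($strict, '127.0.0.1'));
}
```

Run it with the php command-line binary. Note that the whitelist turns an id made up only of rejected characters into the empty string, which the posted `load_session_info()` already treats as "no session" through its `if (!$this->session_id)` check; the strict variant returns false explicitly so the caller takes that same path without ever building the query.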

Offline vBFreak

Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #17 on: May 28, 2006, 09:46:08 PM »
Thanks a lot, I hope it will help :)

May I post this on the original vB.org thread for the vBulletin addon to help out others also having problems with this issue? I'm sure most users are never taking a look into this thread/board.

Of course I would tell them that you've made it and that it's not my work.

Offline V@no

Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #18 on: May 28, 2006, 11:46:19 PM »
sure you can, but please provide a link to this topic ;)

Offline vBFreak

Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #19 on: June 04, 2006, 03:57:11 AM »
I'm still affected by this bug: some images got spammed again with those links from users who were never registered (these were the first ones I saw after I checked this). Maybe it's not an SQL injection bug but a bug in the comments system or in the session handling. Is there any method available to enable debug logging or something similar to see where the hole is located? I need help with this since the number of these spam bots is growing :(
« Last Edit: June 04, 2006, 04:36:38 AM by vBFreak »

Offline V@no

Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #20 on: June 04, 2006, 04:15:39 AM »
some images got spammed again with those links from users never registered

disable permission for guests posting comments or install image validation mod for comments. nothing to do with this or other security holes.

Offline vBFreak

Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #21 on: June 04, 2006, 04:34:38 AM »
If I visit my gallery as a guest I don't see anything to enter a comment with. I'm just wondering how this can be enabled then; where can I disable this?

[EDIT] Hrm, you're absolutely right, but it seems not to be enabled in every location, strange...
But I can't find anything to disable that. [/EDIT]

Offline V@no

  • If you don't tell me what to do, I won't tell you where you should go :)
  • Administrator
  • 4images Guru
  • *****
  • Posts: 17.849
  • mmm PHP...
Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #22 on: June 04, 2006, 10:48:48 AM »
It's under category permissions in the ACP (Admin Control Panel).

Offline XIII

  • Pre-Newbie
  • Posts: 6
Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #23 on: June 07, 2006, 08:48:35 AM »
Hmm, I have guest posting disabled everywhere and still got spammed again yesterday for the first time after applying this patch.

Offline V@no

  • If you don't tell me what to do, I won't tell you where you should go :)
  • Administrator
  • 4images Guru
  • *****
  • Posts: 17.849
  • mmm PHP...
Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #24 on: June 07, 2006, 03:10:16 PM »
And the spammer is not a registered member? Please show it.

Offline XIII

  • Pre-Newbie
  • Posts: 6
Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #25 on: June 07, 2006, 06:22:16 PM »
Nope, that's what surprised me as well. After this patch I've had 0 problems with comment spam, until yesterday when some 'Kavin' had left a bunch of comments. So I deleted them and then went on to delete the user, except there was no registered user.
I don't know exactly what you mean with 'show it'. Show what?

Offline V@no

  • If you don't tell me what to do, I won't tell you where you should go :)
  • Administrator
  • 4images Guru
  • *****
  • Posts: 17.849
  • mmm PHP...
Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #26 on: June 08, 2006, 02:44:53 AM »
A link to the site please.

"Kavin": was he a guest or a non-existing member? (Did the comment he left have a user_id? Check with phpMyAdmin or something.)

Offline XIII

  • Pre-Newbie
  • Posts: 6
Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #27 on: June 08, 2006, 09:27:57 PM »
Just checked, seeing as there were a few new ones.
Aside from a few more bots registering, there were a few new comments left by a 'Kavin', who turned out to point to the user id I'd made using the instructions from this thread.
Which I don't get, because I used a non-obvious username for that id and of course a different password than the one listed there, plus I've set the account to be non-visible so no one else can see the id name when a spider is crawling the gallery.
Maybe someone's made a bot that uses one of these identifiers? Just guessing of course.

Offline V@no

  • If you don't tell me what to do, I won't tell you where you should go :)
  • Administrator
  • 4images Guru
  • *****
  • Posts: 17.849
  • mmm PHP...
Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #28 on: June 09, 2006, 12:39:34 AM »
Quote from: XIII on June 08, 2006, 09:27:57 PM
Maybe someone's made a bot that uses one of these identifiers? Just guessing of course.

That is the most probable.
So, if that is the case, then perhaps you'll need to either try to trace the "kavin" bot in the access logs, get its identification string and ban it, or discontinue using that mod.
Anyway, since this issue has nothing to do with the security fix from this topic, please continue the discussion under the "treat bots as members" mod, because it seems to have problems...
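Tracing the bot's identification string in the access log, as V@no suggests in the post above, can be done with a short script. The following is an added example, not code from this thread or from 4images: it assumes Apache "combined" log format and that 4images comments are submitted through details.php?action=postcomment, and it runs over constructed sample log lines; it groups comment POSTs by User-Agent so the string to ban stands out from real visitors.

```python
import re
from collections import defaultdict

# Apache "combined" log format. The 4images comment handler is assumed
# to be details.php?action=postcomment (not confirmed by the thread).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) '
    r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
COMMENT_POST = re.compile(r'^/details\.php\?.*\baction=postcomment\b')

# Constructed sample: one real visitor and one bot hitting several images
# within seconds from two different addresses.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Jun/2006:21:01:12 +0200] "GET /details.php?image_id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; U; Linux i686; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"
10.0.0.5 - - [08/Jun/2006:21:03:40 +0200] "POST /details.php?action=postcomment&image_id=12 HTTP/1.1" 302 - "http://gallery.example/details.php?image_id=12" "Mozilla/5.0 (X11; U; Linux i686; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"
203.0.113.7 - - [08/Jun/2006:21:05:01 +0200] "POST /details.php?action=postcomment&image_id=12 HTTP/1.0" 302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; KavinPoster/1.1)"
203.0.113.7 - - [08/Jun/2006:21:05:02 +0200] "POST /details.php?action=postcomment&image_id=13 HTTP/1.0" 302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; KavinPoster/1.1)"
198.51.100.9 - - [08/Jun/2006:21:05:04 +0200] "POST /details.php?action=postcomment&image_id=14 HTTP/1.0" 302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; KavinPoster/1.1)"
"""


def comment_posts_by_agent(log_text):
    """Group comment POSTs by User-Agent: {agent: {"posts", "ips", "paths"}}."""
    stats = defaultdict(lambda: {"posts": 0, "ips": set(), "paths": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not COMMENT_POST.match(m["path"]):
            continue
        entry = stats[m["agent"]]
        entry["posts"] += 1
        entry["ips"].add(m["ip"])
        entry["paths"].add(m["path"])
    return dict(stats)


def ban_candidates(log_text, min_posts=3):
    """User-Agent strings that posted at least min_posts comments, busiest first.
    A real visitor rarely comments on several images within seconds; a bot does."""
    stats = comment_posts_by_agent(log_text)
    return sorted((a for a, s in stats.items() if s["posts"] >= min_posts),
                  key=lambda a: -stats[a]["posts"])


if __name__ == "__main__":
    stats = comment_posts_by_agent(SAMPLE_LOG)
    for agent in ban_candidates(SAMPLE_LOG):
        s = stats[agent]
        print(f"{s['posts']} comment posts from {len(s['ips'])} IP(s): {agent}")
```

The User-Agent string it returns is the identification string you would then match in a web-server or gallery ban rule; banning by IP alone would miss the second address the same bot posts from.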

Offline 8o8o8.com

  • Newbie
  • *
  • Posts: 10
Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
« Reply #29 on: June 20, 2006, 09:53:10 AM »
Thanks
