4images Forum & Community

4images Help / Hilfe => Bug Fixes & Patches => Topic started by: Jan on September 15, 2006, 01:55:54 PM

Title: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: Jan on September 15, 2006, 01:55:54 PM
This is an important security fix.

Replace the two lines in global.php (version 1.7.2 and 1.7.3) or search.php (all versions < 1.7.2):

Replace

Code:
$search_keywords = (isset($HTTP_POST_VARS['search_keywords'])) ? trim($HTTP_POST_VARS['search_keywords']) : urldecode(trim($HTTP_GET_VARS['search_keywords']));
with

Code:
$search_keywords = (isset($HTTP_POST_VARS['search_keywords'])) ? trim($HTTP_POST_VARS['search_keywords']) : trim($HTTP_GET_VARS['search_keywords']);
Replace

Code:
$search_user = (isset($HTTP_POST_VARS['search_user'])) ? trim($HTTP_POST_VARS['search_user']) : urldecode(trim($HTTP_GET_VARS['search_user']));
with

Code:
$search_user = (isset($HTTP_POST_VARS['search_user'])) ? trim($HTTP_POST_VARS['search_user']) : trim($HTTP_GET_VARS['search_user']);
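
Added example, not part of the original post and not 4images code: PHP has already URL-decoded GET values by the time a script reads them, so the urldecode() call the patch removes was decoding them a second time. The Python script below scans PHP source for that pattern so you can confirm both lines are gone from global.php and search.php. The sample strings are the before and after lines from the post; flagging $_GET and $_REQUEST as well goes beyond the two lines named there.

```python
import re
import sys

# PHP hands scripts GET values that are already URL-decoded, so urldecode()
# around one of them is a second decode. Function names are case-insensitive
# in PHP, variable names are not.
DOUBLE_DECODE = re.compile(
    r"""(?i:urldecode)\s*\((?:\s*\w+\s*\()*\s*"""   # urldecode( [trim( ...]
    r"""\$(?:HTTP_GET_VARS|_GET|_REQUEST)\s*"""     # request array
    r"""\[\s*['"]([^'"]+)['"]\s*\]"""                # ['key']
)

# Constructed samples: the "before" and "after" lines quoted in the post.
UNPATCHED = """\
$search_keywords = (isset($HTTP_POST_VARS['search_keywords'])) ? trim($HTTP_POST_VARS['search_keywords']) : urldecode(trim($HTTP_GET_VARS['search_keywords']));
$search_user = (isset($HTTP_POST_VARS['search_user'])) ? trim($HTTP_POST_VARS['search_user']) : urldecode(trim($HTTP_GET_VARS['search_user']));
"""
PATCHED = """\
$search_keywords = (isset($HTTP_POST_VARS['search_keywords'])) ? trim($HTTP_POST_VARS['search_keywords']) : trim($HTTP_GET_VARS['search_keywords']);
$search_user = (isset($HTTP_POST_VARS['search_user'])) ? trim($HTTP_POST_VARS['search_user']) : trim($HTTP_GET_VARS['search_user']);
"""


def find_double_decode(php_source):
    """Return [(line_number, key)] for each GET value passed through urldecode()."""
    findings = []
    for number, line in enumerate(php_source.splitlines(), start=1):
        if line.lstrip().startswith(("//", "#", "*")):
            continue  # skip whole-line comments
        findings.extend((number, m.group(1)) for m in DOUBLE_DECODE.finditer(line))
    return findings


if __name__ == "__main__":
    # Usage: python check_decode.py global.php search.php
    for path in sys.argv[1:]:
        with open(path, encoding="latin-1") as handle:
            hits = find_double_decode(handle.read())
        for number, key in hits:
            print(f"{path}:{number}: urldecode() applied to GET value '{key}'")
        if not hits:
            print(f"{path}: no double decoding of GET values found")
```

A file that reports no findings for either key already has the fixed lines, which is the case to expect when a line from the post cannot be found.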
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: mawenzi on September 15, 2006, 02:22:53 PM
... thanks Jan ... and also thanks to Matt ...
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: Jan on September 15, 2006, 03:31:24 PM
Actually, in 1.7.1 it isn't in global.php. If it is in yours anyway, then replace it in both files.
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: securitydot on September 15, 2006, 03:46:23 PM
Thanks
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: Fastian on September 15, 2006, 03:51:25 PM
Thanks for keeping us up-to-date.
:)
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: brice626 on September 15, 2006, 04:04:20 PM
Thanks!
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: cronk005 on September 15, 2006, 04:07:53 PM
Changing this information has dramatically changed the way the keyword search is done when using multiple languages.... now it just doesn't work at all... any thoughts?

Let me clarify... If I changed the language of my board, with appropriate Keyword language tags, it will only search for the first word in the language set and the rest of the keywords will yield strange results.
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: amitpatel_3001 on September 15, 2006, 04:14:00 PM
Thanks a lot for notifying everyone :)
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: amitpatel_3001 on September 15, 2006, 04:17:37 PM
$search_user = (isset($HTTP_POST_VARS['search_user'])) ? trim($HTTP_POST_VARS['search_user']) : urldecode(trim($HTTP_GET_VARS['search_user']));

cannot find this second line to replace :(
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: Murat on September 15, 2006, 04:21:23 PM
thanks jan.
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: F1boat on September 15, 2006, 04:25:29 PM
Thanks a lot - Merci beaucoup
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: cajebo on September 15, 2006, 04:30:53 PM
Thanks a bunch for the update patch Matt & Jan.

Still one of the better stand-alone O/S Galleries


Warm regards from Downtown Miamisburg, Ohio

Michael
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: Zhra on September 15, 2006, 04:36:42 PM
Thanks so much sir
for keeping us up-to-date
Best regards
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: Laurina on September 15, 2006, 04:37:02 PM
Thank you very much.


Laurie
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: Vincent on September 15, 2006, 05:00:39 PM
Thanks!

vincent
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: ocdotcom on September 15, 2006, 05:22:19 PM
Great thank you!
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: mstramm on September 15, 2006, 05:29:23 PM
Many thanks
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: barz on September 15, 2006, 05:51:02 PM
I just did this. Ver. 1.7. Now a search by user finds nothing.
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: ladyoz on September 15, 2006, 06:04:29 PM
Many thanks for the update  :)
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: vchavez on September 15, 2006, 06:45:12 PM
Ok done !
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: webturtle on September 15, 2006, 06:50:51 PM
Thanks from me too for the work and for posting it here.
And thanks to those who sent the circular e-mail.
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: Hyperactiveman on September 15, 2006, 06:59:56 PM
THX!  :D
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: colorssky on September 15, 2006, 07:44:06 PM
Thanks a lot - Merci beaucoup
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: CJ Finnegan on September 15, 2006, 08:00:44 PM
I'm sorry, I don't mean to nitpick, but I can't see the codes at all.
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: ManfredG on September 15, 2006, 08:37:53 PM
In my server log analysis I found, among the 404s (NOT FOUND), URLs like "/4images/search.phpc1ec0e64".
Are these attacks on this vulnerability?
Do I need to worry about the server now? How would a successful attack show itself, if at all?

Regards
Manfred
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: Stinus on September 15, 2006, 09:03:52 PM
Thanks so much sir for keeping us up-to-date  :wink:
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: beach-baer on September 15, 2006, 09:23:10 PM
A heartfelt thank-you from me too for the great support, really top-notch :thumbup:


Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: Eng_Man on September 15, 2006, 10:42:56 PM
thank you
done
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: ahmad on September 16, 2006, 12:25:44 AM
Thanks for the help

Thanks for the update :)
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: yihfeng on September 16, 2006, 02:05:50 AM
Done! Thanks for it :D

phpBB has the same error some time back ;)
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: devilsoulblack on September 16, 2006, 04:47:18 AM
thanks
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: mYrAn on September 16, 2006, 07:55:32 AM
I can't see what to replace, can you give me the code?
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: schattenkaiser on September 16, 2006, 08:20:12 AM
 :thumbup: thanks for fixing the probs - I love that software
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: parafanaylya on September 16, 2006, 08:31:08 AM
Thanks - now to try get my avatars mod working!
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: dezina on September 16, 2006, 08:58:47 AM
Thanks for prompt notification/fix details
 :mrgreen:
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: Heinrich-Uwe on September 16, 2006, 09:24:12 AM
Thanks for the info mail .....
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: JensF on September 16, 2006, 09:43:56 AM
Code:
$search_user = (isset($HTTP_POST_VARS['search_user'])) ? trim($HTTP_POST_VARS['search_user']) : urldecode(trim($HTTP_GET_VARS['search_user']));

I can't find this line in either my search.php or my global.php :(
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: Knighthawk on September 16, 2006, 10:05:33 AM
THX
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: keksoid on September 16, 2006, 12:19:48 PM
Thanks
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: RoadDogg on September 16, 2006, 02:43:21 PM
Thanks for the info and the e-mail notification
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: JinYoshi on September 16, 2006, 03:05:36 PM
Thank you very much, Jan  :mrgreen:
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: pdawg81 on September 16, 2006, 04:02:16 PM
thanks for the notification
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: e-trader_2002 on September 16, 2006, 04:29:57 PM
Hi Jan,

thank you. This is just in time, because today I will initially upload the 4images-modules of my new website to my provider's host :!:

e-trader_2002
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: darkcurves on September 16, 2006, 04:51:06 PM
Thanks a lot!  :mrgreen:
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: Darkness2001 on September 16, 2006, 07:28:37 PM
Thanks for the Add.  :lol:

Greez Darkness
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: medo007 on September 17, 2006, 03:38:44 PM
Thank you!  :D
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: egyptsons on September 17, 2006, 11:44:12 PM
DONE
Thanks ;) 8)
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: gw_ys on September 18, 2006, 04:27:42 AM
thanks    :D
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: Syslord on September 21, 2006, 07:44:31 AM
Great, thanks, keep it up :)
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: MauiJim on September 23, 2006, 10:10:29 AM
thanks for the patch!
now working on 1.7.3  :D
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: Scrambler on October 08, 2006, 10:45:48 PM
Thank you, files patched
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: haythamghareeb on October 22, 2006, 01:42:23 AM
thank you :lol:
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: theking6 on October 22, 2006, 06:08:21 PM
Thanks for the information, Jan. Just receiving your mail today cause of mail error.
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: Zhra on October 23, 2006, 02:29:35 AM
Thanks so much
have been Updated  8O
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: pchayat on January 06, 2007, 09:00:40 PM
Thanks...  :oops:




-------------------------------------------------
http://program-arsivi.pchayat.com
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: djith on March 15, 2007, 11:06:23 PM
did the update in version 1.7.1 in global.php and it worked out.
while putting the message version 1.7.2 and 1.7.3 only ... and version <1.7.2 to change in search.php...??

Is the update correctly done in this case ?
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: hyde101 on March 17, 2007, 10:07:55 PM
Is there any "bug checker" for 4homepages? Some of those serious bugs/vulnerabilities could be checked by running a script/etc?
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: KurtW on May 19, 2007, 07:48:27 PM
Hi,

Quote
"bug checker" for 4homepages

The scriptname is 4images  :wink:

cu
Kurt