Author Topic: [1.7.2] Security fix for global.php  (Read 118286 times)

Offline V@no

[1.7.2] Security fix for global.php
« on: April 26, 2006, 12:25:45 AM »
If you downloaded 4images v1.7.2 before 25-04-2006 you should apply this fix!
If you downloaded it after that date, then you should not worry about it; the download package already contains this fix.

Step 1

In global.php
find:
Code: [Select]
/*
$val = str_replace("\r\n", "\n", $val);
$val = str_replace("\r",   "\n", $val);
$val = strtr($val, $search2, $replace2);
      $val = str_replace("\r", '', $val);  // \r === \x0D
*/

/*
do {
        $oldval = $val;
        $val = preg_replace('#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>#i', "", $val);
      } while ($oldval != $val);
*/

Replace with:
Code: [Select]
      $val = str_replace("\r\n", "\n", $val);
      $val = str_replace("\r",   "\n", $val);
      $val = strtr($val, $search2, $replace2);
      $val = str_replace("\r", '', $val);  // \r === \x0D

      do {
        $oldval = $val;
        $val = preg_replace('#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>#i', "", $val);
      } while ($oldval != $val);

Or you can download 4images package from this page and replace global.php from that package.

Step 2

And in case someone already used this hole on your site, you should find and delete any user who has < and > tags in their name (well, at least those who have <script or other HTML tags) (personally I would not feel bad even perm ban for that).
For that go to ACP (Admin Control Panel) -> Edit users -> in the "Username contains" field enter: < and click "Find"
Repeat search for >

[EDIT]
For those who can't find the code above, you probably have something like this instead:
Code: [Select]
      $val = str_replace("\r\n", "\n", $val);
      $val = str_replace("\r",   "\n", $val);
      $val = strtr($val, $search2, $replace2);
      $val = str_replace("\r", '', $val);  // \r === \x0D
(note, there is no /* and */ around that block of code!)
So, replace this block with the code above.
« Last Edit: April 03, 2009, 03:51:16 PM by V@no »

Offline qwertz

Re: [1.7.2] Security hole in register.php
« Reply #1 on: April 26, 2006, 01:24:15 AM »
thank you, for your update-info!  :)

andreas
« Last Edit: April 26, 2006, 10:58:35 AM by qwertz »

Offline devilsoulblack

Re: [1.7.2] Security hole in register.php
« Reply #2 on: April 26, 2006, 01:38:26 AM »
thanks

Offline koikonut

Re: [1.7.2] Security hole in register.php
« Reply #3 on: April 26, 2006, 01:55:03 AM »
This passage is not in my global.php!

In my global.php only I can find this:

Code: [Select]
  $search2 =
      "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x0B\x0C\x0E\x0F\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F";
  $replace2 = //str_repeat("\r", strlen($search2));
      "\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D";

  foreach ($array as $key => $val) {
    if (is_array($val)) {
      $val = clean_array($val);
    } else {
      $val = preg_replace($search, $replace, $val);

      $val = str_replace("\r\n", "\n", $val);
      $val = str_replace("\r",   "\n", $val);
      $val = strtr($val, $search2, $replace2);
      $val = str_replace("\r", '', $val);  // \r === \x0D
    }

    $array[$key] = $val;
  }

  return $array;

What do I have to do,
Thanks and bye

Offline egyptsons

Re: [1.7.2] Security hole in register.php
« Reply #4 on: April 26, 2006, 02:15:21 AM »
8)
Done
Thanks V@no :wink:
Thanx God

Offline mentally

Re: [1.7.2] Security hole in register.php
« Reply #5 on: April 26, 2006, 02:19:02 AM »
I also can't find this in global.php


izzy

Re: [1.7.2] Security hole in register.php
« Reply #6 on: April 26, 2006, 02:24:24 AM »
Quote from: koikonut
This passage is not in my global.php!

In my global.php only I can find this:

Just to confirm I have the same global.php as konradin. The file is dated 08/03/06 6:19pm.

The thread heading is related to register.php which I take as being an error.

Offline boywonder

Re: [1.7.2] Security hole in register.php
« Reply #7 on: April 26, 2006, 03:28:09 AM »
I think the post title needs to be changed as it's confusing. It should be global.php that needs changing, not register.php.

I have the same problem as the message by "konradin" above.

Thanks.

Offline NCochise

Re: [1.7.2] Security hole in register.php
« Reply #8 on: April 26, 2006, 04:24:31 AM »
I've searched my global.php also and cannot find the code string shown above.

Does this mean those of us who cannot find it do not have the security breach?

Or is this just another one of those fixes that might be a fix until somebody finds out it didn't really fix what it was intended to fix, but instead was really an unfix for something else already fixed, but not fixed any more, because this fix is not really a fix at all, but a fixation of the mind?

When you get this figured out, gimme a call cuz I'm fixin' to logout of this security fix topic and fixin' to get somethin' to eat... if wife was kind enough to fix din din already.


Fix ya later!

Offline caballonegro

Re: [1.7.2] Security hole in register.php
« Reply #9 on: April 26, 2006, 08:20:11 AM »
Is a change also necessary if 4images accesses the phpBB user database for registrations?

Thanks and regards
Regards
caballonegro

Offline Optimum

Re: [1.7.2] Security hole in register.php
« Reply #10 on: April 26, 2006, 08:20:48 AM »
Same here, can't find either piece (the old and the new) of the code in global or register.
Guess it doesn't need fixing then..

Thx,
Mat

Michael

Re: [1.7.2] Security hole in register.php
« Reply #11 on: April 26, 2006, 09:28:13 AM »
Hello, what about the older versions 1.7 / 1.7.1??

Offline Fat Bastard

Re: [1.7.2] Security hole in register.php
« Reply #12 on: April 26, 2006, 09:34:25 AM »
I would like to know too!

... I like BABIES...

Offline Jan

Re: [1.7.2] Security hole in register.php
« Reply #13 on: April 26, 2006, 09:34:33 AM »
Quote from: koikonut
This passage is not in my global.php!

In my global.php only I can find this:

Code: [Select]
  $search2 =
      "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x0B\x0C\x0E\x0F\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F";
  $replace2 = //str_repeat("\r", strlen($search2));
      "\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D";

  foreach ($array as $key => $val) {
    if (is_array($val)) {
      $val = clean_array($val);
    } else {
      $val = preg_replace($search, $replace, $val);

      $val = str_replace("\r\n", "\n", $val);
      $val = str_replace("\r",   "\n", $val);
      $val = strtr($val, $search2, $replace2);
      $val = str_replace("\r", '', $val);  // \r === \x0D
    }

    $array[$key] = $val;
  }

  return $array;

What do I have to do,
Thanks and bye

Add:

Code: [Select]
      do {
        $oldval = $val;
        $val = preg_replace('#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>#i', "", $val);
      } while ($oldval != $val);

after

Code: [Select]
      $val = str_replace("\r", '', $val); // \r === \x0D
Your first three "must do" before you ask a question:
1. Forum rules
2. FAQ
3. Search
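
Why the fix wraps the tag filter in a loop, and what the Step 2 search looks for, shown as an added PHP example that is not part of the original posts or of 4images. The pattern and the do/while loop are copied from the fix above; the function names and sample user names are constructed for illustration.

```php
<?php
// Added illustration, not 4images code. TAG_RE and the do/while loop are
// copied from the fix in this thread; function names and samples are made up.
const TAG_RE = '#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>#i';

// A single pass: what the filter would do without the loop.
function strip_tags_once(string $val): string
{
    return preg_replace(TAG_RE, '', $val);
}

// The fix: repeat the replacement until a pass changes nothing.
function strip_tags_until_stable(string $val): string
{
    do {
        $oldval = $val;
        $val = preg_replace(TAG_RE, '', $val);
    } while ($oldval != $val);
    return $val;
}

// Step 2 as a check: does a stored user name contain < or > ?
function needs_review(string $userName): bool
{
    return strpbrk($userName, '<>') !== false;
}

// Constructed sample user names.
$samples = [
    'andreas',
    'bob<script>demo()</script>',
    'eve<scr<script>ipt>demo()</scr</script>ipt>',
];

foreach ($samples as $name) {
    printf(
        "%s\n  needs review: %s\n  one pass:     %s\n  looped:       %s\n",
        $name,
        needs_review($name) ? 'yes' : 'no',
        strip_tags_once($name),
        strip_tags_until_stable($name)
    );
}
```

For the third sample a single pass leaves a complete script tag behind, because removing the inner tag joins the outer fragments; the loop strips it on the next pass. Names stored while the filter was commented out are not cleaned retroactively, which is why Step 2 asks for the manual search.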

Offline mawenzi

Re: [1.7.2] Security hole in register.php
« Reply #14 on: April 26, 2006, 10:11:01 AM »
Quote from: Michael
Hello, what about the older versions 1.7 / 1.7.1??

A 4images installation version 1.7 with all "security fixes" does not contain this "security hole"!
« Last Edit: April 26, 2006, 04:42:21 PM by mawenzi »