4images Forum & Community

4images Help / Hilfe => Bug Fixes & Patches => Topic started by: V@no on April 26, 2006, 12:25:45 AM

Title: [1.7.2] Security fix for global.php
Post by: V@no on April 26, 2006, 12:25:45 AM
If you downloaded 4images v1.7.2 before 25-04-2006 you should apply this fix!
If you downloaded it after that date, then you should not worry about it, the download package already contains this fix.

Step 1

In global.php
find:
Code:
/*
$val = str_replace("\r\n", "\n", $val);
$val = str_replace("\r",   "\n", $val);
$val = strtr($val, $search2, $replace2);
      $val = str_replace("\r", '', $val);  // \r === \x0D
*/

/*
do {
        $oldval = $val;
        $val = preg_replace('#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>#i', "", $val);
      } while ($oldval != $val);
*/

Replace with:
Code:
      $val = str_replace("\r\n", "\n", $val);
      $val = str_replace("\r",   "\n", $val);
      $val = strtr($val, $search2, $replace2);
      $val = str_replace("\r", '', $val);  // \r === \x0D

      do {
        $oldval = $val;
        $val = preg_replace('#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>#i', "", $val);
      } while ($oldval != $val);

Or you can download 4images package from this (http://www.4homepages.de/4images/download.php) page and replace global.php from that package.

Step 2

And in case someone already used this hole on your site, you should find and delete any user who has < and > tags in their name (well, at least those who have <script or other HTML tags) (personally I would not feel bad even perm ban for that)
For that go to ACP (Admin Control Panel) -> Edit users -> in the "Username contains" field enter: < and click "Find"
Repeat search for >

[EDIT]
For those who can't find the code above, you probably have something like this instead:
Code:
      $val = str_replace("\r\n", "\n", $val);
      $val = str_replace("\r",   "\n", $val);
      $val = strtr($val, $search2, $replace2);
      $val = str_replace("\r", '', $val);  // \r === \x0D
(note, there is no /* and */ around that block of code!)
So, replace this block with the code above.
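
Added example, not part of the original post and not 4images code: it shows why the fix repeats the replacement until the value stops changing (a tag name split around an inner tag is put back together by a single pass) and runs the Step 2 check over a list of names. The function names `strip_tags_once`, `strip_tags_until_stable` and `suspicious_usernames`, and all sample data, are assumptions made for illustration.

```php
<?php
// Added example, not 4images code. Function names and sample data are constructed.

// Tag pattern copied from the fix posted above for global.php.
const TAG_PATTERN = '#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>#i';

// A single replacement pass, i.e. the fix without its do/while loop.
function strip_tags_once(string $val): string
{
    return preg_replace(TAG_PATTERN, "", $val);
}

// The posted fix: repeat the replacement until the value stops changing
// (strict comparison is used here instead of the post's !=).
function strip_tags_until_stable(string $val): string
{
    do {
        $oldval = $val;
        $val = preg_replace(TAG_PATTERN, "", $val);
    } while ($oldval !== $val);
    return $val;
}

// Step 2 audit: user names that contain < or >.
function suspicious_usernames(array $names): array
{
    return array_values(array_filter($names, function ($name) {
        return preg_match('#[<>]#', $name) === 1;
    }));
}

// Constructed input: a tag name split around an inner tag.
$sample = '<scr<script>ipt>hello</scr</script>ipt>';

echo "one pass:     ", strip_tags_once($sample), "\n";
echo "until stable: ", strip_tags_until_stable($sample), "\n";

// Constructed user list standing in for the ACP search results.
$users = ['alice', 'bob<script>', 'carol>', 'dave'];
echo "to review:    ", implode(', ', suspicious_usernames($users)), "\n";
```

Comparing the first two output lines shows what the loop adds over a single `preg_replace` call.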
Title: Re: [1.7.2] Security hole in register.php
Post by: qwertz on April 26, 2006, 01:24:15 AM
thank you, for your update-info!  :)

andreas
Title: Re: [1.7.2] Security hole in register.php
Post by: devilsoulblack on April 26, 2006, 01:38:26 AM
thanks
Title: Re: [1.7.2] Security hole in register.php
Post by: koikonut on April 26, 2006, 01:55:03 AM
This passage is not in my global.php!

In my global.php only I can find this:

Code:
  $search2 =
      "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x0B\x0C\x0E\x0F\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F";
  $replace2 = //str_repeat("\r", strlen($search2));
      "\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D";

  foreach ($array as $key => $val) {
    if (is_array($val)) {
      $val = clean_array($val);
    } else {
      $val = preg_replace($search, $replace, $val);

      $val = str_replace("\r\n", "\n", $val);
      $val = str_replace("\r",   "\n", $val);
      $val = strtr($val, $search2, $replace2);
      $val = str_replace("\r", '', $val);  // \r === \x0D
    }

    $array[$key] = $val;
  }

  return $array;

What do I have to do,
Thanks and bye
Title: Re: [1.7.2] Security hole in register.php
Post by: egyptsons on April 26, 2006, 02:15:21 AM
8)
Done
Thanks V@no :wink:
Title: Re: [1.7.2] Security hole in register.php
Post by: mentally on April 26, 2006, 02:19:02 AM
I also can't find this in global.php

Title: Re: [1.7.2] Security hole in register.php
Post by: izzy on April 26, 2006, 02:24:24 AM
This passage is not in my global.php!

In my global.php only I can find this:
Just to confirm I have the same global.php as konradin. The file is dated 08/03/06 6:19pm.

The thread heading is related to register.php which I take as being an error.
Title: Re: [1.7.2] Security hole in register.php
Post by: boywonder on April 26, 2006, 03:28:09 AM
I think the post title needs to be changed as it's confusing. It should be global.php that needs changing not register.php.

I have the same problem as the message by "konradin" above.

Thanks.
Title: Re: [1.7.2] Security hole in register.php
Post by: NCochise on April 26, 2006, 04:24:31 AM
I've searched my global.php also and cannot find the code string shown above.

Does this mean those of us who cannot find it do not have the security breach?

Or is this just another one of those fixes that might be a fix until somebody finds out it didn't really fix what it was intended to fix, but instead was really an unfix for something else already fixed, but not fixed any more, because this fix is not really a fix at all, but a fixation of the mind?

When you get this figured out, gimme a call cuz I'm fixin' to logout of this security fix topic and fixin' to get somethin' to eat... if wife was kind enough to fix din din already.


Fix ya later!
Title: Re: [1.7.2] Security hole in register.php
Post by: caballonegro on April 26, 2006, 08:20:11 AM
Is a change also necessary if 4images accesses the phpBB user database for registrations?

Thanks and regards
Title: Re: [1.7.2] Security hole in register.php
Post by: Optimum on April 26, 2006, 08:20:48 AM
Same here, can't find either piece (the old and the new) of the code in global or register.
Guess it doesn't need fixing then..

Thx,
Mat
Title: Re: [1.7.2] Security hole in register.php
Post by: Michael on April 26, 2006, 09:28:13 AM
Hello, what about the older versions 1.7 / 1.7.1  ??
Title: Re: [1.7.2] Security hole in register.php
Post by: Fat Bastard on April 26, 2006, 09:34:25 AM
I would like to know too!
Title: Re: [1.7.2] Security hole in register.php
Post by: Jan on April 26, 2006, 09:34:33 AM
This passage is not in my global.php!

In my global.php only I can find this:

Code:
  $search2 =
      "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x0B\x0C\x0E\x0F\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F";
  $replace2 = //str_repeat("\r", strlen($search2));
      "\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D\x0D";

  foreach ($array as $key => $val) {
    if (is_array($val)) {
      $val = clean_array($val);
    } else {
      $val = preg_replace($search, $replace, $val);

      $val = str_replace("\r\n", "\n", $val);
      $val = str_replace("\r", "\n", $val);
      $val = strtr($val, $search2, $replace2);
      $val = str_replace("\r", '', $val); // \r === \x0D
    }

    $array[$key] = $val;
  }

  return $array;

What do I have to do,
Thanks and bye

Add:

Code:
      do {
        $oldval = $val;
        $val = preg_replace('#</*(applet|meta|xml|blink|link|style|script|embed|object|iframe|frame|frameset|ilayer|layer|bgsound|title|base)[^>]*>#i', "", $val);
      } while ($oldval != $val);

after

Code:
      $val = str_replace("\r", '', $val); // \r === \x0D
Title: Re: [1.7.2] Security hole in register.php
Post by: mawenzi on April 26, 2006, 10:11:01 AM
Hello, what about the older versions 1.7 / 1.7.1  ??

A 4images installation version 1.7 with all "security fixes" does not contain this "security hole"!
Title: Re: [1.7.2] Security fix for global.php
Post by: Bugfixed on April 26, 2006, 10:13:22 AM
Hımmm..

thanks V@no .
Title: Re: [1.7.2] Security fix for global.php
Post by: V@no on April 26, 2006, 10:23:27 AM
I've updated the original post with some more instructions (see step 2)
Title: Re: [1.7.2] Security fix for global.php
Post by: BartAfterDark on April 26, 2006, 11:43:40 AM
so the only thing that needs to get replaced is
Code:
/* and */ ?

If you want to read about this bug: http://secunia.com/advisories/19745/
Title: Re: [1.7.2] Security fix for global.php
Post by: quartz on April 26, 2006, 02:11:38 PM
thanks for that update
Title: Re: [1.7.2] Security fix for global.php
Post by: hyde101 on April 26, 2006, 04:30:32 PM
Thank you for the update, I have several sites running 1.7.2 but others were 1.7.
Would this be OK if I applied it on 1.7 ?

Thank You.
Title: Re: [1.7.2] Security fix for global.php
Post by: mawenzi on April 26, 2006, 04:43:12 PM
@ ufkydpnr,

An 4images installation version 1.7 with all "security fixes" does not contain this "security hole"!
Title: Re: [1.7.2] Security fix for global.php
Post by: hyde101 on April 26, 2006, 05:14:33 PM
Dear Mawenzi,
Thanks for your reply, I guess you replied the same thing in German before, but thanks again since I don't speak German.

:)
Title: Re: [1.7.2] Security fix for global.php
Post by: Ston4Img on April 26, 2006, 11:03:43 PM
Hi.

What is with the Bug from here? http://www.4homepages.de/forum/index.php?topic=10921.0 is it in 1.7.2 included ? I can register with "<" or ">" in the Name....???
... doesn't that actually do almost the same thing?

Edit 1:
Code:
if ($site_db->not_empty($sql)) {
        $msg .= (($msg != "") ? "<br />" : "").$lang['username_exists'];
        $error = 1;
      }
    }
    else {
      $msg .= (($msg != "") ? "<br />" : "").$field_error = preg_replace("/".$site_template->start."field_name".$site_template->end."/siU", str_replace(":", "", $lang['user_name']), $lang['field_required']);
      $error = 1;

Can't find this section anymore ...

Code:
elseif (preg_match("#[<>]#", $user_name))
      {
        $msg .= (($msg != "") ? "<br />" : "").$lang['username_bad_characters'];
        $error = 1;
      }
Title: Re: [1.7.2] Security fix for global.php
Post by: V@no on April 26, 2006, 11:37:30 PM
What is with the Bug from here? http://www.4homepages.de/forum/index.php?topic=10921.0 is it in 1.7.2 included ? I can register with "<" or ">" in the Name....???
Please pay attention to the version number of the security fix.
If it says v1.7 / v1.7.1 it means only v1.7 and v1.7.1 affected, v1.7.2 is already fixed. If it says v1.7.2 that means only v1.7.2 has the bug, all previous versions don't have it.
Now, if you are having problem installing the fix for v1.7 or v1.7.1, then why would you reply to this topic?
Title: Re: [1.7.2] Security fix for global.php
Post by: linux_rh on April 28, 2006, 10:44:18 AM
 :D :D :D

hi all, thank you for the bug solution that was found in version 1.7.2 in the global.php

i replace that old file with new file and we try to register but we can't

it means that the problem is solved

thank youuuuuuuuuuuuuuuuuuuuuuu

Title: Re: [1.7.2] Security fix for global.php
Post by: V@no on April 28, 2006, 03:08:28 PM
Just a note:
With this fix you can not post any <script> <iframe> etc HTML code anywhere from regular members pages (profile, descriptions, comments, etc)
If you, as admin, wish to add such code, you'll have to do it via ACP
Title: Re: [1.7.2] Security fix for global.php
Post by: brice626 on April 30, 2006, 01:52:17 AM
Just a note:
With this fix you can not post any <script> <iframe> etc HTML code anywhere from regular members pages (profile, descriptions, comments, etc)
If you, as admin, wish to add such code, you'll have to do it via ACP

Question: I just posted this topic: http://www.4homepages.de/forum/index.php?topic=12761.new#new

Is the reason the issue you mention above? If by ACP you mean "Admin Control Panel" (I'm just guessing) that didn't seem to be the case for me. After the upgrade, all my existing HTML in the description fields stopped working and even when entered from the Admin Control Panel it will not work.
Title: Re: [1.7.2] Security fix for global.php
Post by: caballonegro on May 10, 2006, 12:01:46 PM
 :twisted: :twisted:
Is a change also necessary if 4images accesses the phpBB user database for registrations? :?: :?: :?:


Thanks and regards
 
Title: Re: [1.7.2] Security fix for global.php
Post by: milius.net on May 31, 2006, 02:47:41 PM
To the phpBB user database?
I'm new here, but if I were you I would apply the changes ...
Title: Re: [1.7.2] Security fix for global.php
Post by: FransisDastinut on December 13, 2008, 12:57:50 PM
thanks a lot for [1.7.2] Security fix  8)
Title: Re: [1.7.2] Security fix for global.php
Post by: chithanh119 on February 08, 2009, 04:54:44 AM
Thanks for sharing