4images Forum & Community

4images Help / Hilfe => Bug Fixes & Patches => Topic started by: Jan on May 03, 2006, 10:15:56 AM

Title: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
Post by: Jan on May 03, 2006, 10:15:56 AM
This is an important security fix.

Open includes/sessions.php and find the following line:

Code:
$this->session_id = session_id();

replace this line with the following code:

Code:
$this->session_id = preg_replace('/[^a-z0-9]+/i', '', session_id());
Title: Re: [1.7.1, 1.7.2] Security fix for SQL injection in session.php
Post by: mawenzi on May 03, 2006, 11:47:13 AM
Thanks for the quick fix! And only for 1.7.1 and 1.7.2 ... not 1.7?
Title: Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
Post by: DBCapricorn on May 04, 2006, 02:43:24 AM
Always on it. Thanks for looking out for us. :)
Title: Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
Post by: V@no on May 05, 2006, 02:29:21 PM
the first one is enough ;)
Title: Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
Post by: vBFreak on May 08, 2006, 02:13:30 AM
Does this also affect users of the vBulletin integration? I can't find the line $this->session_id = session_id(); anywhere in the whole file...
Title: Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
Post by: Bugfixed on May 10, 2006, 04:38:57 PM
I'm using the phpBB + 4images integration system. In /galeri/includes/sesion.php there is no line "$this->session_id = session_id();". Please help.
Title: Re: [1.7.1, 1.7.2] Security fix for SQL injection in session.php
Post by: JensF on May 11, 2006, 12:22:06 AM
Thanks for the quick fix! And only for 1.7.1 and 1.7.2 ... not 1.7?

I don't think so, right?? At least I can't find that part in my sessions.php...
Title: Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
Post by: flo31083 on May 18, 2006, 01:46:54 PM
I only downloaded the newest version a week ago. Is the fix already included in it, or do I have to change this myself now? In other words, was the download updated?

Sorry for my English.
Title: Re: [1.7.1, 1.7.2] Security fix for SQL injection in session.php
Post by: kai on May 18, 2006, 10:52:26 PM
Thanks for the quick fix! And only for 1.7.1 and 1.7.2 ... not 1.7?

Exactly, this fix is only for 1.7.1 and 1.7.2, not for 1.7.
Title: Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
Post by: kai on May 18, 2006, 11:01:10 PM
I only downloaded the newest version a week ago. Is the fix already included in it, or do I have to change this myself now? In other words, was the download updated?

Yes, the fix is included in the current download (since 3rd of May 2006).
If you're not sure, search in includes/sessions.php for the code Jan posted in the first post.
Title: Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
Post by: vBFreak on May 26, 2006, 05:23:31 PM
I don't know why, and I don't even know whether it was this bug, but yesterday I had spam bots in my gallery that used an SQL injection bug on my gallery to spam user comments with advertisements for porn links and so on...

As I've already said above I'm using the vBulletin integration and I can't find the line mentioned above...

what can I do?
Title: Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
Post by: V@no on May 26, 2006, 11:40:56 PM
I don't know why, and I don't even know whether it was this bug, but yesterday I had spam bots in my gallery that used an SQL injection bug on my gallery to spam user comments with advertisements for porn links and so on...
And how did you get to this conclusion? Do you have proof they used a hole in 4images? (not that I'm judging you ;))
Title: Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
Post by: vBFreak on May 27, 2006, 04:29:39 AM
I'm sure, since they were not registered, and if you're not registered you're unable to post comments; I've tested that.

Also, as I viewed the comments in my admin CP to delete them, some fields seemed to be empty or so; the comment overview of the picture where they had spammed looked really strange, especially for these comments only, so I don't think these comments were made through the 4images gallery itself.
Title: Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
Post by: V@no on May 27, 2006, 07:48:07 PM
Ok, please attach your sessions.php, I'll take a look at it.
Title: Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
Post by: vBFreak on May 27, 2006, 09:54:24 PM
Since I don't know how to attach a file in here, I've pasted the whole code of my sessions.php and replaced my vB licence number with XXXXXXXX for my own privacy.

Code:
<?php
/**************************************************************************
 *                                                                        *
 *    4images - A Web Based Image Gallery Management System               *
 *    ----------------------------------------------------------------    *
 *                                                                        *
 *             File: sessions.php                                         *
 *        Copyright: (C) 2002 Jan Sorgalla                                *
 *            Email: jan@4homepages.de                                    *
 *              Web: http://www.4homepages.de                             *
 *    Scriptversion: 1.7.2                                                *
 *    Integration to work with vBulletin 2.x by Jan                       *
 *    Modified to work with vBulletin 3.0.x by mtha                       *
 *    Modified to work with vBulletin 3.5.x by mtha                       *
 *    Never released without support from: Nicky (http://www.nicky.net)   *
 *                                                                        *
 **************************************************************************
 *                                                                        *
 *    Dieses Script ist KEINE Freeware. Bitte lesen Sie die Lizenz-       *
 *    bedingungen (Lizenz.txt) für weitere Informationen.                 *
 *    ---------------------------------------------------------------     *
 *    This script is NOT freeware! Please read the Copyright Notice       *
 *    (Licence.txt) for further information.                              *
 *                                                                        *
 *************************************************************************/
if (!defined('ROOT_PATH')) {
  die("Security violation");
}

//-----------------------------------------------------
//--- Start Configuration -----------------------------
//-----------------------------------------------------
define('USER_INTEGRATION', 'VBULLETIN');
define('VBLICENCE_NUMBER', 'XXXXXXXX'); // REPLACE XXXXXXXX with your Licence Number, usually on top of your vB files

// Set here the URL to your vBulletin forum. WITH trailing slash!
$url_app           = "http://www.gerritsforum.de/";

define('SESSION_NAME', 's');        // Default of vBulletin is "s".
define('COOKIE_PREFIX', 'bb');      // Default of vBulletin is "bb".
define('COOKIE_TIMEOUT', '600');    // Set the same as your vB timeout, in seconds
define('ALBUM_FOLDER', '/gallery/'); // Your album folder WITH trailing slash

// Define here the name of the template database table.
define('VB_TEMPLATE_TABLE', VB_TABLE_PREFIX.'template');

// Set here the corresponding database fields of the user table.
// If there is no corresponding field in the new user table,
// leave the value blank. Normally no need to change.
$user_table_fields = array(
  "user_id" => "userid",
  "user_level" => "usergroupid",
  "user_name" => "username",
  "user_password" => "password",
  "user_email" => "email",
  "user_showemail" => "",
  "user_allowemails" => "",
  "user_invisible" => "",
  "user_joindate" => "joindate",
  "user_activationkey" => "",
  "user_lastaction" => "lastactivity",
  "user_location" => "",
  "user_lastvisit" => "lastvisit",
  "user_comments" => "user_album_comments",
  "user_homepage" => "homepage",
  "user_icq" => "icq"
);


// Set here different URLs to your vBulletin forum.
// Normally no need to change.
$url_register      = $url_app."register.php?do=signup";
$url_lost_password = $url_app."login.php?do=lostpw";
$url_control_panel = $url_app."usercp.php";
$url_mailform      = $url_app."sendmessage.php?do=mailmember&u={user_id}";
$url_show_profile  = $url_app."member.php?u={user_id}";
$url_login         = $url_app."login.php";
//$url_logout        = $url_app."login.php?do=logout&logouthash=".$user_info['logouthash'];
$clientscript_md5  = $url_app."clientscript/vbulletin_md5.js";

//-----------------------------------------------------
//--- End Configuration -------------------------------
//-----------------------------------------------------

// Maps a 4images field name to the vB column name, with an optional table alias prefix.
function get_user_table_field($add, $user_field) {
  global $user_table_fields;
  return (!empty($user_table_fields[$user_field])) ? $add.$user_table_fields[$user_field] : "";
}

class Session {

  var $session_id;
  var $user_ip;
  var $user_location;
  var $current_time;
  var $session_timeout;
  var $mode = "get";
  var $session_info = array();
  var $user_info = array();

  function Session() {
    global $cookietimeout;
    $this->session_timeout = $cookietimeout;
    $this->user_ip = $this->get_user_ip();
    $this->user_location = ALBUM_FOLDER.''.$this->get_user_location();
    $this->current_time = time();
    $this->demand_session();
  }

  function set_cookie_data($name, $value, $permanent = 1) {
    $cookie_expire = ($permanent) ? $this->current_time + 60 * 60 * 24 * 365 : 0;
    setcookie($name, $value, $cookie_expire, COOKIE_PATH, COOKIE_DOMAIN, COOKIE_SECURE);
  }

  function read_cookie_data($name) {
    global $HTTP_COOKIE_VARS;
    return (isset($HTTP_COOKIE_VARS[$name])) ? $HTTP_COOKIE_VARS[$name] : 0;
  }

  // The session id is taken from the vB cookie first, then from GET/POST.
  // Note that it is used as-is in the SQL below; this is the spot the fix in this topic targets.
  function get_session_id() {
    global $HTTP_GET_VARS, $HTTP_POST_VARS;
    if ($this->session_id = $this->read_cookie_data(COOKIE_PREFIX."sessionhash")) {
      $this->mode = "cookie";
    }
    else {
      if (isset($HTTP_GET_VARS[SESSION_NAME])) {
        $this->session_id = $HTTP_GET_VARS[SESSION_NAME];
      }
      elseif (isset($HTTP_POST_VARS[SESSION_NAME])) {
        $this->session_id = $HTTP_POST_VARS[SESSION_NAME];
      }
      else {
        $this->session_id = false;
      }
    }
  }

  function demand_session() {
    $this->get_session_id();
    if (!$this->load_session_info()) {
      $this->delete_old_sessions();
      $user_id = ($this->read_cookie_data(COOKIE_PREFIX."userid")) ? intval($this->read_cookie_data(COOKIE_PREFIX."userid")) : GUEST;
// $user_id = ($this->read_cookie_data("userid")) ? $this->read_cookie_data("userid") : GUEST;
      $this->start_session($user_id);
    }
    else {
      $this->user_info = $this->load_user_info($this->session_info['userid']);
      $update_cutoff = ($this->user_info['user_id'] != GUEST) ? $this->current_time - $this->user_info['user_lastaction'] : $this->current_time - $this->session_info['lastactivity'];
      if ($update_cutoff > 60) {
        $this->update_session();
        $this->delete_old_sessions();
      }
    }
  }

  function start_session($user_id = GUEST, $login_process = 0) {
    global $site_db;

    $this->user_info = $this->load_user_info($user_id);
    if ($this->user_info['user_id'] != GUEST && !$login_process) {
      if ($this->read_cookie_data(COOKIE_PREFIX."password") === md5($this->user_info['user_password'].''.VBLICENCE_NUMBER)  && $this->user_info['user_level'] != USER_AWAITING) {
        $this->set_cookie_data(COOKIE_PREFIX."password", $this->user_info['user_password']);
      }
      else {
        $this->set_cookie_data(COOKIE_PREFIX."password", "", 0);
        $this->user_info = $this->load_user_info(GUEST);
      }
    }
    $this->session_id = $this->generate_session_id();
    // The user agent header is interpolated unescaped here as well.
    $sql = "INSERT INTO ".SESSIONS_TABLE."
            (sessionhash, userid, host, useragent, lastactivity, location, styleid)
            VALUES
            ('$this->session_id', ".$this->user_info['user_id'].", '$this->user_ip', '".$_SERVER['HTTP_USER_AGENT']."', $this->current_time, '$this->user_location', '".$this->read_cookie_data(COOKIE_PREFIX."styleid")."')";
    $site_db->query($sql);
    $this->session_info['session_user_id'] = $this->user_info['user_id'];
    $this->session_info['session_lastaction'] = $this->current_time;
    $this->session_info['session_location'] = $this->user_location;
    $this->session_info['session_ip'] = $this->user_ip;

    if ($this->user_info['user_id'] != GUEST) {
      $sql = "UPDATE ".USERS_TABLE."
              SET ".get_user_table_field("", "user_lastaction")." = $this->current_time
              WHERE ".get_user_table_field("", "user_id")." = ".$this->user_info['user_id'];
      $site_db->query($sql);
    }
    $this->set_cookie_data(COOKIE_PREFIX."sessionhash", $this->session_id, 0);
    $this->set_cookie_data(COOKIE_PREFIX."lastvisit", $this->current_time);
    $this->set_cookie_data(COOKIE_PREFIX."userid", $this->user_info['user_id']);
    return true;
  }

  // Login and logout are delegated to vBulletin.
  function login($user_name = "", $user_password = "", $auto_login = 0, $set_auto_login = 1) {
    global $url_login;
    header("Location: $url_login");
  }

  function logout($user_id = GUEST) {
    global $url_logout;
    header("Location: $url_logout");
  }

  function delete_old_sessions() {
    global $site_db;
    $expiry_time = $this->current_time - $this->session_timeout;
    $sql = "DELETE FROM ".SESSIONS_TABLE."
            WHERE lastactivity < $expiry_time";
// BM: temporarily take this out, assume Forum always has someone browsing
//    $site_db->query($sql);

    $sql = "SELECT sessionhash
            FROM ".SESSIONS_TABLE;
    $result = $site_db->query($sql);
    if ($result) {
      $session_ids_sql = "";
      while ($row = $site_db->fetch_array($result)) {
        $session_ids_sql .= (($session_ids_sql != "") ? ", " : "") . "'".$row['sessionhash']."'";
      }
    }
    if (!empty($session_ids_sql)) {
      $sql = "DELETE FROM ".SESSIONVARS_TABLE."
              WHERE session_id NOT IN ($session_ids_sql)";
      $site_db->query($sql);
    }
    return true;
  }

  function update_session() {
    global $site_db;

    $sql = "REPLACE INTO ".SESSIONS_TABLE."
           (sessionhash, userid, lastactivity, location, host)
           VALUES
           ('$this->session_id', ".$this->user_info['user_id'].", $this->current_time, '$this->user_location', '$this->user_ip')";

    $site_db->query($sql);
    if ($this->user_info['user_id'] != GUEST) {
      $sql = "UPDATE ".USERS_TABLE."
              SET ".get_user_table_field("", "user_lastaction")." = $this->current_time
              WHERE ".get_user_table_field("", "user_id")." = ".$this->user_info['user_id'];
      $site_db->query($sql);
    }
    return;
  }

  // A fresh id is a 32-character hex md5; loop until it does not collide with an existing row.
  function generate_session_id() {
    global $site_db;
    $sid = md5(uniqid(microtime()));
    $i = 0;
    while ($i == 0) {
      $sql = "SELECT sessionhash
              FROM ".SESSIONS_TABLE."
              WHERE sessionhash = '$sid'";
      if ($site_db->is_empty($sql)) {
        $i = 1;
      }
      else {
        $i = 0;
        $sid = md5(uniqid(microtime()));
      }
    }
    return $sid;
  }

  function return_session_info() {
    return $this->session_info;
  }

  function return_user_info() {
    return $this->user_info;
  }


  function freeze() {
    return;
  }

  // Looks the session up by id and client IP; the id goes into the query unquoted and unescaped.
  function load_session_info() {
    global $site_db;
    if (!$this->session_id) {
      return false;
    }
    $this->session_info = array();
    $sql = "SELECT sessionhash, lastactivity, host, userid
            FROM ".SESSIONS_TABLE."
            WHERE sessionhash = '$this->session_id'
            AND host = '$this->user_ip'";
    $this->session_info = $site_db->query_firstrow($sql);
    if (!isset($this->session_info['userid'])) {
      return false;
    }
    else {
      $sql = "SELECT sessionvars_name, sessionvars_value
              FROM ".SESSIONVARS_TABLE."
              WHERE session_id = '$this->session_id'";
      $result = $site_db->query($sql);
      while ($row = $site_db->fetch_array($result)) {
        $this->session_info[$row['sessionvars_name']] = $row['sessionvars_value'];
      }
      return $this->session_info;
    }
  }

  function load_user_info($user_id = GUEST) {
    global $site_db, $user_table_fields;

    if ($user_id != GUEST) {
      $sql = "SELECT u.*, l.*
              FROM ".USERS_TABLE." u, ".LIGHTBOXES_TABLE." l
              WHERE ".get_user_table_field("u.", "user_id")." = $user_id AND l.user_id = ".get_user_table_field("u.", "user_id");
      $user_info = $site_db->query_firstrow($sql);
      if (!$user_info) {
        $sql = "SELECT *
                FROM ".USERS_TABLE."
                WHERE ".get_user_table_field("", "user_id")." = $user_id";
        $user_info = $site_db->query_firstrow($sql);

        if ($user_info) {
          $lightbox_id = get_random_key(LIGHTBOXES_TABLE, "lightbox_id");
          $sql = "INSERT INTO ".LIGHTBOXES_TABLE."
                  (lightbox_id, user_id, lightbox_lastaction, lightbox_image_ids)
                  VALUES
                  ('$lightbox_id', ".$user_info[$user_table_fields['user_id']].", $this->current_time, '')";
          $site_db->query($sql);
          $user_info['lightbox_lastaction'] = $this->current_time;
          $user_info['lightbox_image_ids'] = "";
        }
      }
    }
    if (empty($user_info[$user_table_fields['user_id']])) {
      $user_info = array();
      $user_info['user_id'] = GUEST;
      $user_info['user_level'] = GUEST;
      $user_info['user_lastaction'] = $this->current_time;
      $user_info['user_lastvisit'] = ($this->read_cookie_data(COOKIE_PREFIX."lastvisit")) ? $this->read_cookie_data(COOKIE_PREFIX."lastvisit") : $this->current_time;
    }
    foreach ($user_table_fields as $key => $val) {
      if (isset($user_info[$val])) {
        $user_info[$key] = $user_info[$val];
      }
      elseif (!isset($user_info[$key])) {
        $user_info[$key] = "";
      }
    }
    $user_info['logouthash'] = md5($user_info['user_id'] . $user_info['salt'] . VBLICENCE_NUMBER);
    return $user_info;
  }

  function set_session_var($var_name, $value) {
    global $site_db;
    $sql = "SELECT session_id
            FROM ".SESSIONVARS_TABLE."
            WHERE sessionvars_name = '$var_name' AND session_id = '$this->session_id'";
    if ($site_db->is_empty($sql)) {
      $sql = "INSERT INTO ".SESSIONVARS_TABLE."
              (session_id, sessionvars_name, sessionvars_value)
              VALUES
              ('$this->session_id', '$var_name', '$value')";
      $site_db->query($sql);
    }
    else {
      $sql = "UPDATE ".SESSIONVARS_TABLE."
              SET sessionvars_value = '$value'
              WHERE sessionvars_name = '$var_name' AND session_id = '$this->session_id'";
      $site_db->query($sql);
    }
    $this->session_info[$var_name] = $value;
    return true;
  }

  function get_session_var($var_name) {
    global $site_db;
    if (isset($this->session_info[$var_name])) {
      return $this->session_info[$var_name];
    }
    else {
      $sql = "SELECT sessionvars_value
              FROM ".SESSIONVARS_TABLE."
              WHERE sessionvars_name = '$var_name' AND session_id = '$this->session_id'";
      $value = $site_db->query_firstrow($sql);
      if ($value) {
        $this->session_info[$var_name] = $value['sessionvars_value'];
        return $value['sessionvars_value'];
      }
      else {
        return "";
      }
    }
  }

  function drop_session_var($var_name) {
    unset($this->session_info[$var_name]);
/*    global $site_db;
    $sql = "DELETE FROM ".SESSIONVARS_TABLE."
            WHERE sessionvars_name = '$var_name' AND session_id = '$this->session_id'";
    return ($site_db->query($sql)) ? 1 : 0;
*/
  }

  function get_user_ip() {
    global $HTTP_SERVER_VARS, $HTTP_ENV_VARS;
    $ip = (!empty($HTTP_SERVER_VARS['REMOTE_ADDR'])) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ((!empty($HTTP_ENV_VARS['REMOTE_ADDR'])) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : getenv("REMOTE_ADDR"));
    //$ip = preg_replace("/[^\.0-9]+/", "", $ip);
    return substr($ip, 0, 50);
  }

  function get_user_location() {
    global $self_url;
    return (defined("IN_CP")) ? "Control Panel" : preg_replace(array("/([?|&])action=[^?|&]*/", "/([?|&])mode=[^?|&]*/", "/([?|&])phpinfo=[^?|&]*/", "/([?|&])printstats=[^?|&]*/", "/[?|&]".URL_ID."=[^?|&]*/", "/[?|&]l=[^?|&]*/", "/[&?]+$/"), array("", "", "", "", "", "", ""), addslashes($self_url));
  }

  function url($url, $amp = "&amp;") {
    global $l;
    $dummy_array = explode("#", $url);
    $url = $dummy_array[0];

    if ($this->mode == "get" && strpos($url, $this->session_id) === false) {
      $url .= strpos($url, '?') !== false ? $amp : "?";
      $url .= SESSION_NAME."=".$this->session_id;
    }

    if (!empty($l)) {
      $url .= strpos($url, '?') !== false ? $amp : "?";
      $url .= "l=".$l;
    }

    $url .= (isset($dummy_array[1])) ? "#".$dummy_array[1] : "";
    return $url;
  }
} //end of class

//-----------------------------------------------------
//--- Start Session -----------------------------------
//-----------------------------------------------------
$optionstemp = $site_db->query_firstrow("SELECT template FROM ".VB_TEMPLATE_TABLE." WHERE title='options'");
eval($optionstemp['template']);

define('COOKIE_NAME', '');
define('COOKIE_PATH', $cookiedomain);
define('COOKIE_DOMAIN', $cookiepath);
$secure = (isset($SERVER_PORT) && $SERVER_PORT == "443") ? 1 : 0;
define('COOKIE_SECURE', $secure);

//Start Session
$site_sess = new Session();

// Get Userinfo
$session_info = $site_sess->return_session_info();
$user_info = $site_sess->return_user_info();

// Set USERGROUP levels
if (in_array($user_info['user_level'], $admingroups)) {
  define('ADMIN', $user_info['user_level']);
}
else {
  define('ADMIN', ADMIN_DEFAULT);
}

if (in_array($user_info['user_level'], $usergroups)) {
  define('USER', $user_info['user_level']);
}
else {
  define('USER', USER_DEFAULT);
}

if (in_array($user_info['user_level'], $waitinggroups)) {
  define('USER_AWAITING', $user_info['user_level']);
}
else {
  define('USER_AWAITING', USER_AWAITING_DEFAULT);
}

//-----------------------------------------------------
//--- Get User Caches ---------------------------------
//-----------------------------------------------------
$num_total_online = 0;
$num_visible_online = 0;
$num_invisible_online = 0;
$num_registered_online = 0;
$num_guests_online = 0;
$user_online_list = "";
$prev_user_ids = array();
$prev_session_ips = array();

if (defined("GET_USER_ONLINE") && ($config['display_whosonline'] == 1 || $user_info['user_level'] == ADMIN)) {
  if (!isset($cookietimeout)) {
    $cookietimeout = COOKIE_TIMEOUT;
  }
  $time_out = time() - $cookietimeout;
  $sql = "SELECT s.userid, s.lastactivity, s.host".get_user_table_field(", u.", "user_id").get_user_table_field(", u.", "user_level").get_user_table_field(", u.", "user_name").get_user_table_field(", u.", "user_invisible")."
  FROM ".SESSIONS_TABLE." s
  LEFT JOIN ".USERS_TABLE." u ON (".get_user_table_field("u.", "user_id")." = s.userid)
  WHERE s.lastactivity >= $time_out
  ORDER BY ".get_user_table_field("u.", "user_id")." ASC, s.host ASC";
  $result = $site_db->query($sql);
  while ($row = $site_db->fetch_array($result)) {
    if ($row['userid'] != GUEST && isset($row[$user_table_fields['user_name']])) {
      if (!isset($prev_user_ids[$row['userid']])) {
        $is_invisible = (isset($row[$user_table_fields['user_invisible']]) && $row[$user_table_fields['user_invisible']] == 1) ? 1 : 0;
        $invisibleuser = ($is_invisible) ? "*" : "";
        $username = (isset($row[$user_table_fields['user_level']]) && $row[$user_table_fields['user_level']] == ADMIN && $config['highlight_admin'] == 1) ? sprintf("<b>%s</b>", $row[$user_table_fields['user_name']]) : $row[$user_table_fields['user_name']];
        if (!$is_invisible || $user_info['user_level'] == ADMIN) {
          $user_online_list .= ($user_online_list != "") ? ", " : "";
          $user_profile_link = (!empty($url_show_profile)) ? preg_replace("/{user_id}/", $row['userid'], $url_show_profile) : ROOT_PATH."member.php?action=showprofile&amp;".URL_USER_ID."=".$row['userid'];
          $user_online_list .= "<a href=\"".$site_sess->url($user_profile_link)."\">".$username."</a>".$invisibleuser;
        }
        (!$is_invisible) ? $num_visible_online++ : $num_invisible_online++;
        $num_registered_online++;
      }
      $prev_user_ids[$row['userid']] = 1;
    }
    else {
      if (!isset($prev_session_ips[$row['host']])) {
        $num_guests_online++;
      }
    }
    $prev_session_ips[$row['host']] = 1;
  }
  $num_total_online = $num_registered_online + $num_guests_online;

  $site_template->register_vars(array(
    "num_total_online" => $num_total_online,
    "num_invisible_online" => $num_invisible_online,
    "num_registered_online" => $num_registered_online,
    "num_guests_online" => $num_guests_online,
    "user_online_list" => $user_online_list,
    "lang_user_online" => str_replace('{num_total_online}', $num_total_online, $lang['user_online']),
    "lang_user_online_detail" => str_replace(array('{num_registered_online}','{num_invisible_online}','{num_guests_online}'), array($num_registered_online,$num_invisible_online,$num_guests_online), $lang['user_online_detail']),
  ));
  $whos_online = $site_template->parse_template("whos_online");
  $site_template->register_vars("whos_online", $whos_online);
  unset($whos_online);
  unset($prev_user_ids);
  unset($prev_session_ips);
}
?>

I'm also using a changed version of constants.php; I've attached it as well, maybe you need it:

Code:
<?php
/**************************************************************************
 *                                                                        *
 *    4images - A Web Based Image Gallery Management System               *
 *    ----------------------------------------------------------------    *
 *                                                                        *
 *             File: constants.php                                        *
 *        Copyright: (C) 2002 Jan Sorgalla                                *
 *            Email: jan@4homepages.de                                    *
 *              Web: http://www.4homepages.de                             *
 *    Scriptversion: 1.7.2                                                *
 *    Integration to work with vBulletin 2.x by Jan                       *
 *    Modified to work with vBulletin 3.0.x by mtha                       *
 *    Modified to work with vBulletin 3.5.x by mtha                       *
 *    Never released without support from: Nicky (http://www.nicky.net)   *
 *                                                                        *
 **************************************************************************
 *                                                                        *
 *    Dieses Script ist KEINE Freeware. Bitte lesen Sie die Lizenz-       *
 *    bedingungen (Lizenz.txt) für weitere Informationen.                 *
 *    ---------------------------------------------------------------     *
 *    This script is NOT freeware! Please read the Copyright Notice       *
 *    (Licence.txt) for further information.                              *
 *                                                                        *
 *************************************************************************/
if (!defined('ROOT_PATH')) {
  die("Security violation");
}
// If 4images has problems to find out the right URL, define it here.
define('SCRIPT_URL', 'http://www.gerritsforum.de/gallery'); // no trailing slash
define('VB_TABLE_PREFIX', ''); // your vB table prefix. vB default is blank

// Table names
define('CATEGORIES_TABLE', $table_prefix.'categories');
define('COMMENTS_TABLE', $table_prefix.'comments');
define('GROUP_ACCESS_TABLE', $table_prefix.'groupaccess');
define('GROUP_MATCH_TABLE', $table_prefix.'groupmatch');
define('GROUPS_TABLE', $table_prefix.'groups');
define('IMAGES_TABLE', $table_prefix.'images');
define('IMAGES_TEMP_TABLE', $table_prefix.'images_temp');
define('LIGHTBOXES_TABLE', $table_prefix.'lightboxes');
define('POSTCARDS_TABLE', $table_prefix.'postcards');
define('SESSIONS_TABLE', VB_TABLE_PREFIX.'session');
define('SESSIONVARS_TABLE', $table_prefix.'sessionvars');
define('SETTINGS_TABLE', $table_prefix.'settings');
define('USERS_TABLE', VB_TABLE_PREFIX.'user');
define('WORDLIST_TABLE', $table_prefix.'wordlist');
define('WORDMATCH_TABLE', $table_prefix.'wordmatch');


// URL Parameters
define('URL_IMAGE_ID', 'image_id');
define('URL_CAT_ID', 'cat_id');
define('URL_USER_ID', 'user_id');
define('URL_POSTCARD_ID', 'postcard_id');
define('URL_COMMENT_ID', 'comment_id');
define('URL_PAGE', 'page');
define('URL_ID', 'id');


// User default levels
define('GUEST', 0);  // GUEST group or ID
define('USER_AWAITING_DEFAULT', 3);
define('USER_DEFAULT', 2);
define('ADMIN_DEFAULT', 6);

// User group levels
// (The commas in the three lists below were lost in the forum rendering and have been
// restored by splitting the digit runs in ascending order; check them against your own vB usergroup IDs.)
$waitinggroups = array(1, 3, 4, 13, 14, 21); // vB groups that should wait for moderation. Separate each group by comma
$usergroups = array(2, 5, 7, 8, 9, 15, 19, 20, 23); // Groups that are USERS in the album. Separate each group by comma
$admingroups = array(6); // vB groups that are ADMINS in the album. Separate each group by comma

// Permission levels
define('AUTH_ALL', 0);
define('AUTH_USER', 2);
define('AUTH_ACL', 3);
define('AUTH_ADMIN', 9);


// Group types
define('GROUPTYPE_GROUP', 1);
define('GROUPTYPE_SINGLE', 2);


// Chmod for files and directories created by 4images
define('CHMOD_FILES', 0666);
define('CHMOD_DIRS', 0777);


// Will be used to replace the {xxx} tags if the value is empty.
// Netscape browsers sometimes need this to display table cell background colors.
define('REPLACE_EMPTY', '&nbsp;');


// Max rating value
define('MAX_RATING', 5);


// Days postcards will be held in the database
define('POSTCARD_EXPIRY', 10);


// Time offset for your website. Sometimes useful if your server is located
// in another timezone.
define('TIME_OFFSET', 0);


// All words <= MIN_SEARCH_KEYWORD_LENGTH and >= MAX_SEARCH_KEYWORD_LENGTH
// are not added to the search index
define('MIN_SEARCH_KEYWORD_LENGTH', 3);
define('MAX_SEARCH_KEYWORD_LENGTH', 25);

// If you set this to 1, admins will be authenticated additionally with cookies.
// If you use "User Integration", you should set this to 0.
define('ADMIN_SAFE_LOGIN', 0);


// If you use GD higher than 2.0.1 and PHP higher than 4.0.6 set this to 1.
// Your thumbnails will be created with better quality
define('CONVERT_IS_GD2', 0);


// If you have a lot of images in your database,
// the random image function could make your program slow.
// Try first to set "SHOW_RANDOM_CAT_IMAGE" to 0.
define('SHOW_RANDOM_IMAGE', 1);
define('SHOW_RANDOM_CAT_IMAGE', 1);


// Check existence of remote image files.
// If you choose 1, you could sometimes get timeout errors
define('CHECK_REMOTE_FILES', 0);


// Allow execution of PHP code in templates
define('EXEC_PHP_CODE', 1);

// Data paths
define('MEDIA_DIR', 'data/media');
define('THUMB_DIR', 'data/thumbnails');
define('MEDIA_TEMP_DIR', 'data/tmp_media');
define('THUMB_TEMP_DIR', 'data/tmp_thumbnails');
define('DATABASE_DIR', 'data/database');
define('TEMPLATE_DIR', 'templates');

// Script version
define('SCRIPT_VERSION', '1.7.2');
// Debug constants
// define("PRINT_STATS", 1);
// define("PRINT_QUERIES", 1);
// define('PRINT_CACHE_MESSAGES', 1);
?>
Title: Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
Post by: V@no on May 28, 2006, 11:18:42 AM
In sessions.php replace
Code:
  function get_session_id() {
    global $HTTP_GET_VARS, $HTTP_POST_VARS;
    if ($this->session_id = $this->read_cookie_data(COOKIE_PREFIX."sessionhash")) {
      $this->mode = "cookie";
    }
    else {
      if (isset($HTTP_GET_VARS[SESSION_NAME])) {
        $this->session_id = $HTTP_GET_VARS[SESSION_NAME];
      }
      elseif (isset($HTTP_POST_VARS[SESSION_NAME])) {
        $this->session_id = $HTTP_POST_VARS[SESSION_NAME];
      }
      else {
        $this->session_id = false;
      }
    }
  }
with:
Code: [Select]
  function get_session_id() {
    global $HTTP_GET_VARS, $HTTP_POST_VARS;
    if ($this->session_id = $this->read_cookie_data(COOKIE_PREFIX."sessionhash")) {
      $this->mode = "cookie";
    }
    else {
      if (isset($HTTP_GET_VARS[SESSION_NAME])) {
        $this->session_id = $HTTP_GET_VARS[SESSION_NAME];
      }
      elseif (isset($HTTP_POST_VARS[SESSION_NAME])) {
        $this->session_id = $HTTP_POST_VARS[SESSION_NAME];
      }
      else {
        $this->session_id = false;
      }
    }
    // Strip everything except letters and digits, whichever source the id came from,
    // before it reaches any SQL query
    $this->session_id = preg_replace('/[^a-z0-9]+/i', '', $this->session_id);
  }
It should do the trick.
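To show why the one-line filter above closes the hole, here is an added Python example (not code from 4images or from anyone in this thread). It mirrors the situation the thread describes: the session id arrives from a cookie, GET or POST parameter under the attacker's control and is spliced into a lookup query. The table layout and the query shape are assumptions for illustration; the page does not show the real 4images query. The sanitizer is a direct port of the `preg_replace('/[^a-z0-9]+/i', '', ...)` fix, and a parameterized lookup is included as the general fix a practitioner would prefer.

```python
import re
import sqlite3

# Constructed sample rows standing in for 4images' session storage.
# Column names are assumptions, not the real 4images schema.
SESSION_ROWS = [
    ("a3f9c2e1b7d4", 1, 1146643200),  # admin session
    ("9e8d7c6b5a4f", 2, 1146643300),  # ordinary member session
]


def make_db():
    """In-memory SQLite database with the constructed sessions table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sessions ("
        "session_id TEXT, session_user_id INTEGER, session_lastaction INTEGER)"
    )
    conn.executemany("INSERT INTO sessions VALUES (?, ?, ?)", SESSION_ROWS)
    conn.commit()
    return conn


def sanitize_session_id(session_id):
    """Port of the thread's fix: drop every run of characters outside [a-z0-9],
    case-insensitively. A legitimate PHP session id passes through unchanged."""
    if session_id is None:
        return None
    return re.sub(r"[^a-z0-9]+", "", session_id, flags=re.IGNORECASE)


def lookup_session_vulnerable(conn, session_id):
    """Unfiltered id spliced straight into the SQL text (assumed query shape).
    Returns the user ids of every row the resulting WHERE clause matches."""
    sql = "SELECT session_user_id FROM sessions WHERE session_id = '%s'" % session_id
    return sorted(row[0] for row in conn.execute(sql))


def lookup_session_fixed(conn, session_id):
    """Same string-built query, but the id is filtered first, as in the patch."""
    sql = "SELECT session_user_id FROM sessions WHERE session_id = '%s'" % (
        sanitize_session_id(session_id)
    )
    return sorted(row[0] for row in conn.execute(sql))


def lookup_session_parameterized(conn, session_id):
    """The general fix: bind the value instead of building SQL text, so the
    database never interprets the id as part of the statement."""
    rows = conn.execute(
        "SELECT session_user_id FROM sessions WHERE session_id = ?", (session_id,)
    )
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    db = make_db()
    # Constructed attacker cookie value: closes the quote and makes the
    # WHERE clause true for every row.
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_session_vulnerable(db, payload))   # every session
    print("filtered  :", lookup_session_fixed(db, payload))        # nothing
    print("bound     :", lookup_session_parameterized(db, payload))
    print("legit id  :", lookup_session_fixed(db, "a3f9c2e1b7d4"))
```

The filter works because a PHP session id needs nothing outside letters and digits, so the whitelist costs nothing and removes every quote, space and operator an injection would rely on. The parameterized variant is what to reach for in code you write yourself; the whitelist is the right minimal patch for a codebase that builds its queries as strings.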
Title: Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
Post by: vBFreak on May 28, 2006, 09:46:08 PM
Thanks a lot, I hope it will help :)

May I post this on the original vB.org thread for the vBulletin addon to help out others also having problems with this issue? I'm sure most users are never taking a look into this thread/board.

Of course I would tell them that you've made it and that it's not my work.
Title: Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
Post by: V@no on May 28, 2006, 11:46:19 PM
sure you can, but please provide a link to this topic ;)
Title: Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
Post by: vBFreak on June 04, 2006, 03:57:11 AM
I'm still affected by this bug: some images got spammed again with those links, from users who were never registered (these were the first ones I saw after I checked this). Maybe it's not an SQL injection bug but a bug in the comments system or in the sessions handling. Is there any method available to enable debug logging or something to see where the hole is located? I need help with this since the number of these spam bots is growing :(
Title: Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
Post by: V@no on June 04, 2006, 04:15:39 AM
some images got spammed again with those links from users never registered

Disable permission for guests to post comments, or install the image validation mod for comments. This has nothing to do with this or any other security hole.
Title: Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
Post by: vBFreak on June 04, 2006, 04:34:38 AM
If I visit my gallery as a guest I don't have anything to enter a comment with. I'm just wondering how this can be enabled then; where can I disable this?

[EDIT]Hmm, you're absolutely right, but it seems not to be enabled in every location, strange...
But I can't find anything to disable it.[/EDIT]
Title: Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
Post by: V@no on June 04, 2006, 10:48:48 AM
It's under category permissions in the ACP (Admin Control Panel).
Title: Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
Post by: XIII on June 07, 2006, 08:48:35 AM
Hmm, I have guest posting disabled everywhere and still got spammed again yesterday for the first time after applying this patch.
Title: Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
Post by: V@no on June 07, 2006, 03:10:16 PM
And the spammer is not a registered member? Please show it.
Title: Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
Post by: XIII on June 07, 2006, 06:22:16 PM
Nope, that's what surprised me as well. After this patch I'd had 0 problems with comment spam, until yesterday when some 'Kavin' left a bunch of comments. So I deleted them and then went on to delete the user, except there was no registered user.
I don't know exactly what you mean by 'show it'. Show what?
Title: Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
Post by: V@no on June 08, 2006, 02:44:53 AM
A link to the site please.

Was "Kavin" a guest or a non-existent member? (Did the comment he left have a user_id? Check with phpMyAdmin or something.)
Title: Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
Post by: XIII on June 08, 2006, 09:27:57 PM
Just checked, seeing as there were a few new ones.
Aside from a few more bots registering, there were a few new comments left by a 'Kavin' which turned out to point to the user id I'd made using the instructions from this (http://www.4homepages.de/forum/index.php?topic=6729.msg59251#msg59251) thread.
Which I don't get, because I used a non-obvious username for that id and of course a different password than listed there, plus I've set the account to be non-visible so no one else can see the id name when a spider is crawling the gallery.
Maybe someone's made a bot that uses one of these identifiers? Just guessing of course.
Title: Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
Post by: V@no on June 09, 2006, 12:39:34 AM
Maybe someone's made a bot that uses one of these identifiers? Just guessing of course.

That is the most probable.
So, if that is the case, then perhaps you'll need to either trace the "Kavin" bot in the access logs, get its identification string and ban it, or discontinue using that mod.
Anyway, since this issue has nothing to do with the security fix from this topic, please continue the discussion under the "treat bots as members" mod, because it seems to have problems...
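Tracing a comment bot in the access log, as suggested above, is mostly counting. The following is an added Python example, not code from 4images or from anyone in this thread. It parses Apache "combined" format lines, counts POST requests to the image details page per client address and User-Agent, flags clients above a threshold, and renders the matching User-Agent strings as an Apache 2.2 `SetEnvIfNoCase` / `Deny from env=` block for `.htaccess`. The log lines are constructed; the agent names, addresses and the assumption that comments are posted to `details.php` are mine, and the 4images ban list in the ACP is the other place such a string can go.

```python
import re
from collections import Counter

# Constructed Apache combined-format log lines. Addresses, paths and agents
# are made up for the example; nothing here is from a real 4images server.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jun/2006:18:01:02 +0200] "GET /gallery/details.php?image_id=12 HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [07/Jun/2006:18:01:05 +0200] "POST /gallery/details.php?image_id=12 HTTP/1.0" 302 0 "-" "CommentBot/0.1"
198.51.100.7 - - [07/Jun/2006:18:01:06 +0200] "POST /gallery/details.php?image_id=13 HTTP/1.0" 302 0 "-" "CommentBot/0.1"
198.51.100.7 - - [07/Jun/2006:18:01:07 +0200] "POST /gallery/details.php?image_id=14 HTTP/1.0" 302 0 "-" "CommentBot/0.1"
203.0.113.5 - - [07/Jun/2006:18:02:10 +0200] "POST /gallery/details.php?image_id=12 HTTP/1.1" 302 0 "http://example.org/gallery/details.php?image_id=12" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumed: comment submissions land on the image details page.
COMMENT_PATH = "/details.php"


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def suspicious_posters(log_text, threshold=3):
    """Clients (ip, agent) that POSTed to the comment page at least `threshold`
    times, most active first. Returns a list of (ip, agent, count)."""
    counts = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip lines that are not in combined format
        if rec["method"] == "POST" and COMMENT_PATH in rec["path"]:
            counts[(rec["ip"], rec["agent"])] += 1
    flagged = [(ip, agent, n) for (ip, agent), n in counts.items() if n >= threshold]
    return sorted(flagged, key=lambda t: (-t[2], t[0]))


def htaccess_rules(flagged):
    """Apache 2.2 .htaccess fragment denying the flagged User-Agent strings.
    re.escape keeps regex metacharacters in the agent string literal."""
    lines = []
    for _ip, agent, _n in flagged:
        lines.append('SetEnvIfNoCase User-Agent "^%s" bad_bot' % re.escape(agent))
    lines += ["Order Allow,Deny", "Allow from all", "Deny from env=bad_bot"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = suspicious_posters(SAMPLE_LOG, threshold=2)
    for ip, agent, n in hits:
        print("%-15s %3d  %s" % (ip, n, agent))
    print(htaccess_rules(hits))
```

Banning on User-Agent only stops a bot until it changes its string, so keep the address in the output too and pair the ban with the comment image validation mod mentioned in this thread.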
Title: Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
Post by: 8o8o8.com on June 20, 2006, 09:53:10 AM
Thanks
Title: Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
Post by: amodpg on June 26, 2006, 11:20:25 PM
Sir,
    I just downloaded the new version, but it seems the text required to change in the first post of this thread is not yet implemented; I can find the
"$this->session_id = preg_replace('/[^a-z0-9]+/i', '', session_id());" in the session file included in the zip file I just downloaded.

One of my friends' galleries hosted by me has 1000's of xxx comments on his personal photographs.

Any suggestions to fix it?

Regards,
amod
Title: Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
Post by: V@no on June 27, 2006, 12:19:01 AM
I can find the
"$this->session_id = preg_replace('/[^a-z0-9]+/i', '', session_id());" in the session file included in the zip file I just downloaded.

It's because that is the line you are supposed to replace it with, not the one to find....

As for comment spam, we have two image validation mods for comments; consider using one of them.
Title: Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
Post by: sajwal on July 25, 2006, 11:26:21 PM
I found that in ver 1.7.3
 the line $this->session_id = session_id();
 is not edited??? 8O

Should I make the changes in 1.7.3 also, for security reasons?
Title: Re: [1.7.1 / 1.7.2] Security fix for SQL injection in session.php
Post by: V@no on July 26, 2006, 12:22:00 AM
No, v1.7.3 uses a different approach.