4images Forum & Community

4images Help / Hilfe => Bug Fixes & Patches => Topic started by: Jan on September 15, 2006, 01:55:54 PM

Title: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: Jan on September 15, 2006, 01:55:54 PM
This is an important security fix.

Replace the two lines in global.php (version 1.7.2 and 1.7.3) or search.php (all versions < 1.7.2):

Replace

Code:
$search_keywords = (isset($HTTP_POST_VARS['search_keywords'])) ? trim($HTTP_POST_VARS['search_keywords']) : urldecode(trim($HTTP_GET_VARS['search_keywords']));

with

Code:
$search_keywords = (isset($HTTP_POST_VARS['search_keywords'])) ? trim($HTTP_POST_VARS['search_keywords']) : trim($HTTP_GET_VARS['search_keywords']);

Replace

Code:
$search_user = (isset($HTTP_POST_VARS['search_user'])) ? trim($HTTP_POST_VARS['search_user']) : urldecode(trim($HTTP_GET_VARS['search_user']));

with

Code:
$search_user = (isset($HTTP_POST_VARS['search_user'])) ? trim($HTTP_POST_VARS['search_user']) : trim($HTTP_GET_VARS['search_user']);
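
Since which file carries the lines depends on the version and on installed mods, the following check reports where the pre-fix lines still exist. It is an added example, not part of the original post or of 4images; the function name `check_4images_patch` and passing the installation directory as an argument are assumptions.

```shell
#!/bin/sh
# Added example: find 4images files that still contain the pre-fix lines
# from the post above. Assumption: the installation root is the argument.

# Unpatched form: urldecode() wrapped around the trimmed GET value of
# search_keywords or search_user. Whitespace-tolerant; "." matches either
# quote character around the array key.
UNPATCHED='urldecode[[:space:]]*\([[:space:]]*trim[[:space:]]*\([[:space:]]*\$HTTP_GET_VARS\[.search_(keywords|user)'

# check_4images_patch DIR
# Prints file:line:text for each unpatched line in global.php / search.php.
# Returns 0 if no such line remains, 1 if at least one does,
# 2 if neither file exists in DIR.
check_4images_patch() {
    dir=$1
    seen=0
    hits=0
    for f in global.php search.php; do
        [ -f "$dir/$f" ] || continue
        seen=1
        # /dev/null as a second operand makes grep always print the file name
        if grep -nE "$UNPATCHED" "$dir/$f" /dev/null; then
            hits=1
        fi
    done
    if [ "$seen" -eq 0 ]; then
        echo "no global.php or search.php found in $dir" >&2
        return 2
    fi
    return "$hits"
}

# Run directly: sh check.sh /path/to/4images
if [ "$#" -gt 0 ]; then
    check_4images_patch "$1"
    exit $?
fi
```

A return status of 1 means the replacement still has to be made in each file listed; both files are checked because, as discussed in this thread, modified installations can carry the lines in either one.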
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: mawenzi on September 15, 2006, 02:22:53 PM
... thanks Jan ... and also thanks to Matt ...
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: ivan on September 15, 2006, 03:29:28 PM
Hello Jan,
unfortunately it isn't described precisely

I have the code in global.php as well as in search.php.
I'm using 1.7.1, do both files have to be replaced with the code??

In your description,
for 1.7.1 it only says OR / shouldn't it say AND :?:

Many thanks for your help!

Regards, ivan
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: Jan on September 15, 2006, 03:31:24 PM
Actually, in 1.7.1 it isn't in global.php. If it is in yours anyway, then replace it in both files.
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: securitydot on September 15, 2006, 03:46:23 PM
Thanks
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: Fastian on September 15, 2006, 03:51:25 PM
Thanks for keeping us up-to-date.
:)
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: brice626 on September 15, 2006, 04:04:20 PM
Thanks!
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: cronk005 on September 15, 2006, 04:07:53 PM
Changing this information has dramatically changed the way the keyword search is done when using multiple languages.... now it just doesn't work at all... any thoughts?

Let me clarify... If I changed the language of my board, with appropriate Keyword language tags, it will only search for the first word in the language set and the rest of the keywords will yield strange results.
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: amitpatel_3001 on September 15, 2006, 04:14:00 PM
Thanks a lot for notifying everyone :)
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: amitpatel_3001 on September 15, 2006, 04:17:37 PM
$search_user = (isset($HTTP_POST_VARS['search_user'])) ? trim($HTTP_POST_VARS['search_user']) : urldecode(trim($HTTP_GET_VARS['search_user']));

cannot find this second line to replace :(
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: Bugfixed on September 15, 2006, 04:21:23 PM
thanks jan.
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: F1boat on September 15, 2006, 04:25:29 PM
Thanks a lot - Merci beaucoup
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: cajebo on September 15, 2006, 04:30:53 PM
Thanks a bunch for the update patch Matt & Jan.

Still one of the better stand-alone O/S Galleries


Warm regards from Downtown Miamisburg, Ohio

Michael
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: Zhra on September 15, 2006, 04:36:42 PM
Thanks so much sir
for keeping us up-to-date
Best regards
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: Laurina on September 15, 2006, 04:37:02 PM
Thank you very much.


Laurie
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: Vincent on September 15, 2006, 05:00:39 PM
Thanks!

vincent
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: ivan on September 15, 2006, 05:18:58 PM
Hello Jan,
I took a closer look at global.php.
RIGHT, in the original 1.7.1 this part isn't there.

But if the member has installed this patch
http://www.4homepages.de/forum/index.php?topic=10921.0

then global.php has to be updated too!

I would note this accordingly on the front page....
so that everyone knows which file they have to change.

Regards, ivan
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: ocdotcom on September 15, 2006, 05:22:19 PM
Great thank you!
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: mstramm on September 15, 2006, 05:29:23 PM
Many thanks
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: barz on September 15, 2006, 05:51:02 PM
Just did this. Ver. 1.7. After that, a search for users finds nothing.
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: ladyoz on September 15, 2006, 06:04:29 PM
Many thanks for the update  :)
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: vchavez on September 15, 2006, 06:45:12 PM
Ok done !
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: webturtle on September 15, 2006, 06:50:51 PM
Thanks from me as well for the work and for posting it here.
And thanks to those who sent out the circular e-mail.
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: Hyperactiveman on September 15, 2006, 06:59:56 PM
THX!  :D
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: colorssky on September 15, 2006, 07:44:06 PM
Thanks a lot - Merci beaucoup
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: CJ Finnegan on September 15, 2006, 08:00:44 PM
I'm sorry, I don't mean to nitpick, but I can't see the codes at all.
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: ManfredG on September 15, 2006, 08:37:53 PM
In my server log analysis I found, among the 404s (NOT FOUND), URLs like "/4images/search.phpc1ec0e64".
Are these attacks on this vulnerability?
Do I need to worry about the server now? How would a successful attack show itself, if at all?

Regards
Manfred
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: Stinus on September 15, 2006, 09:03:52 PM
Thanks so much sir for keeping us up-to-date  :wink:
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: beach-baer on September 15, 2006, 09:23:10 PM
A heartfelt thank you from me too for the great support, really top-notch :thumbup:


Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: Eng_Man on September 15, 2006, 10:42:56 PM
thank you
done
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: ahmad on September 16, 2006, 12:25:44 AM
Thanks for the help

Thanks for the update :)
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: yihfeng on September 16, 2006, 02:05:50 AM
Done! Thanks for it :D

phpBB has the same error some time back ;)
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: devilsoulblack on September 16, 2006, 04:47:18 AM
thanks
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: mYrAn on September 16, 2006, 07:55:32 AM
I can't see what to replace, can you give me the code?
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: schattenkaiser on September 16, 2006, 08:20:12 AM
 :thumbup: thanks for fixing the probs - I love that software
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: parafanaylya on September 16, 2006, 08:31:08 AM
Thanks - now to try get my avatars mod working!
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: dezina on September 16, 2006, 08:58:47 AM
Thanks for prompt notification/fix details
 :mrgreen:
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: Heinrich-Uwe on September 16, 2006, 09:24:12 AM
Thanks for the info mail .....
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: JensF on September 16, 2006, 09:43:56 AM
Code:
$search_user = (isset($HTTP_POST_VARS['search_user'])) ? trim($HTTP_POST_VARS['search_user']) : urldecode(trim($HTTP_GET_VARS['search_user']));

I can't find this line in either my search.php or my global.php :(
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: Knighthawk on September 16, 2006, 10:05:33 AM
THX
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: keksoid on September 16, 2006, 12:19:48 PM
Thanks
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: RoadDogg on September 16, 2006, 02:43:21 PM
Thanks for the info and the e-mail notification
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: JinYoshi on September 16, 2006, 03:05:36 PM
Thank you very much, Jan  :mrgreen:
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: pdawg81 on September 16, 2006, 04:02:16 PM
thanks for the notification
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: e-trader_2002 on September 16, 2006, 04:29:57 PM
Hi Jan,

thank you. This is just in time, because today I will initially upload the 4images-modules of my new website to my providers host :!:

e-trader_2002
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: darkcurves on September 16, 2006, 04:51:06 PM
Thanks a lot!  :mrgreen:
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: Darkness2001 on September 16, 2006, 07:28:37 PM
Thanks for the Add.  :lol:

Greez Darkness
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: medo007 on September 17, 2006, 03:38:44 PM
Thank you!  :D
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: egyptsons on September 17, 2006, 11:44:12 PM
DONE
Thanks ;) 8)
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: gw_ys on September 18, 2006, 04:27:42 AM
thanks    :D
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: Syslord on September 21, 2006, 07:44:31 AM
Great, thanks, keep it up :)
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: MauiJim on September 23, 2006, 10:10:29 AM
thanks for the patch!
now working on 1.7.3  :D
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: Scrambler on October 08, 2006, 10:45:48 PM
Thank you, files patched
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: haythamghareeb on October 22, 2006, 01:42:23 AM
thank you :lol:
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: theking6 on October 22, 2006, 06:08:21 PM
Thanks for the information, Jan. Just receiving your mail today because of a mail error.
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: Zhra on October 23, 2006, 02:29:35 AM
Thanks so much
have been Updated  8O
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: pchayat on January 06, 2007, 09:00:40 PM
Thanks...  :oops:
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: djith on March 15, 2007, 11:06:23 PM
did the update in version 1.7.1 in global.php and it worked out.
while putting the message version 1.7.2 and 1.7.3 only ... and version <1.7.2 to change in search.php...??

Is the update correctly done in this case ?
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: hyde101 on March 17, 2007, 10:07:55 PM
Is there any "bug checker" for 4homepages? Some of those serious bugs/vulnerabilities could be checked by running a script/etc?
Title: Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
Post by: KurtW on May 19, 2007, 07:48:27 PM
Hi,

Quote
"bug checker" for 4homepages

The scriptname is 4images  :wink:

cu
Kurt