Author Topic: [1.7 / 1.7.1] Security fix in search.php and register.php  (Read 157735 times)


Offline V@no

  • If you don't tell me what to do, I won't tell you where you should go :)
  • Administrator
  • 4images Guru
  • Posts: 17.849
  • mmm PHP...
[1.7 / 1.7.1] Security fix in search.php and register.php
« on: December 27, 2005, 10:19:37 AM »
This is an important security fix for a dangerous hole in the script.

Step 1

In search.php, any variables or other code located below the copyright notice (which ends with this line):
Code:
*************************************************************************/
and above:
Code:
$main_template = 'search';

must be moved below:
Code:
include(ROOT_PATH.'global.php');
In default 4images, the block that must be moved is:
Code:
if (isset($HTTP_POST_VARS['show_result']) || isset($HTTP_GET_VARS['show_result'])) {
  $show_result = 1;
}
else {
  $show_result = 0;
}

if (isset($HTTP_POST_VARS['search_keywords']) || isset($HTTP_GET_VARS['search_keywords'])) {
  $search_keywords = (isset($HTTP_POST_VARS['search_keywords'])) ? trim($HTTP_POST_VARS['search_keywords']) : urldecode(trim($HTTP_GET_VARS['search_keywords']));
  if ($search_keywords != "") {
    $show_result = 1;
  }
}
else {
  $search_keywords = "";
}
$org_search_keywords = $search_keywords;

if (isset($HTTP_POST_VARS['search_user']) || isset($HTTP_GET_VARS['search_user'])) {
  $search_user = (isset($HTTP_POST_VARS['search_user'])) ? trim($HTTP_POST_VARS['search_user']) : urldecode(trim($HTTP_GET_VARS['search_user']));
  if ($search_user != "") {
    $show_result = 1;
  }
}
else {
  $search_user = "";
}
$org_search_user = $search_user;

if (isset($HTTP_POST_VARS['search_terms'])) {
  $search_terms = (trim($HTTP_POST_VARS['search_terms']) == "all") ? 1 : 0;
}
else {
  $search_terms = 0;
}

if (isset($HTTP_POST_VARS['search_fields'])) {
  $search_fields = trim($HTTP_POST_VARS['search_fields']);
}
else {
  $search_fields = "all";
}

$search_cat = (isset($HTTP_POST_VARS['cat_id']) ) ? intval($HTTP_POST_VARS['cat_id']) : 0;

if (isset($HTTP_POST_VARS['search_new_images']) || isset($HTTP_GET_VARS['search_new_images'])) {
  $search_new_images = 1;
  $show_result = 1;
}
else {
  $search_new_images = 0;
}



Step 2

In register.php find:
Code:
      if ($site_db->not_empty($sql)) {
        $msg .= (($msg != "") ? "<br />" : "").$lang['username_exists'];
        $error = 1;
      }

Insert below:
Code:
      elseif (preg_match("#[<>]#", $user_name))
      {
        $msg .= (($msg != "") ? "<br />" : "").$lang['username_bad_characters'];
        $error = 1;
      }


Then in lang/<your language>/main.php, at the very end of the file above the closing ?>, insert:
Code:
$lang['username_bad_characters'] = "Username contains not allowed character(s)";

Step 3

In global.php find:
Code:
//-----------------------------------------------------
//--- Start DB ----------------------------------------
//-----------------------------------------------------

Insert above:
Code:
if (isset($HTTP_POST_VARS['show_result']) || isset($HTTP_GET_VARS['show_result'])) {
  $show_result = 1;
}
else {
  $show_result = 0;
}

if (isset($HTTP_POST_VARS['search_keywords']) || isset($HTTP_GET_VARS['search_keywords'])) {
  $search_keywords = (isset($HTTP_POST_VARS['search_keywords'])) ? trim($HTTP_POST_VARS['search_keywords']) : urldecode(trim($HTTP_GET_VARS['search_keywords']));
  if ($search_keywords != "") {
    $show_result = 1;
  }
}
else {
  $search_keywords = "";
}

if (isset($HTTP_POST_VARS['search_user']) || isset($HTTP_GET_VARS['search_user'])) {
  $search_user = (isset($HTTP_POST_VARS['search_user'])) ? trim($HTTP_POST_VARS['search_user']) : urldecode(trim($HTTP_GET_VARS['search_user']));
  if ($search_user != "") {
    $show_result = 1;
  }
}
else {
  $search_user = "";
}

if (isset($HTTP_POST_VARS['search_new_images']) || isset($HTTP_GET_VARS['search_new_images'])) {
  $search_new_images = 1;
  $show_result = 1;
}
else {
  $search_new_images = 0;
}

If you wish, you can also remove the same block of code from search.php to increase performance (very insignificantly); this is not required.



In the attachment below you can find already modified default search.php, register.php and global.php; download the corrected files from the attached archive.
« Last Edit: April 04, 2006, 01:41:53 AM by V@no »
Your first three "must do" before you ask a question:
Please do not PM me asking for help unless you've been specifically asked to do so. Such PMs will be deleted without answer. (forum rule #6)
Extension for Firefox/Thunderbird: Master Password+    Back/Forward History Tweaks (restartless)    Cookies Manager+    Fit Images (restartless for Thunderbird)
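
As an added check (not code from this thread or from 4images), here is a small Python audit script that tells a maintainer whether the edits in Step 1 and Step 2 are present: it verifies that none of the Step 1 request variables is read in search.php before include(ROOT_PATH.'global.php'), and that the Step 2 username check exists in register.php. The file fragments are constructed for the example, and username_ok mirrors the Step 2 pattern so it is visible in code that only < and > are rejected.

```python
import re

# Constructed fragments (not real 4images files) of search.php before and after
# the fix: the request-handling block sits above or below the global.php include.
SEARCH_BEFORE = """
if (isset($HTTP_POST_VARS['search_user']) || isset($HTTP_GET_VARS['search_user'])) {
  $search_user = trim($HTTP_POST_VARS['search_user']);
}
$main_template = 'search';
include(ROOT_PATH.'global.php');
"""
SEARCH_AFTER = """
$main_template = 'search';
include(ROOT_PATH.'global.php');
if (isset($HTTP_POST_VARS['search_user']) || isset($HTTP_GET_VARS['search_user'])) {
  $search_user = trim($HTTP_POST_VARS['search_user']);
}
"""
# Constructed register.php fragment with the Step 2 check applied.
REGISTER_AFTER = """
      if ($site_db->not_empty($sql)) {
        $error = 1;
      }
      elseif (preg_match("#[<>]#", $user_name))
      {
        $error = 1;
      }
"""

# Request variables read by the Step 1 block.
REQUEST_VARS = ("show_result", "search_keywords", "search_user", "search_new_images")
GLOBAL_INCLUDE = re.compile(r"include\s*\(\s*ROOT_PATH\s*\.\s*'global\.php'\s*\)")
USERNAME_CHECK = re.compile(r'preg_match\s*\(\s*"#\[<>\]#"\s*,\s*\$user_name\s*\)')
EARLY_READ = re.compile(r"\$HTTP_(?:POST|GET)_VARS\['(?:%s)'\]" % "|".join(REQUEST_VARS))

def search_php_fixed(src):
    """True when no Step 1 request variable is read before global.php is included."""
    inc = GLOBAL_INCLUDE.search(src)
    if inc is None:          # no include at all: cannot be the fixed layout
        return False
    return EARLY_READ.search(src[:inc.start()]) is None

def register_php_fixed(src):
    """True when the Step 2 username check is present in register.php."""
    return USERNAME_CHECK.search(src) is not None

def username_ok(name):
    """Mirror of the Step 2 check: only '<' and '>' are rejected, so '#ivan' is allowed."""
    return re.search(r"[<>]", name) is None

if __name__ == "__main__":
    print("search.php before fix:", search_php_fixed(SEARCH_BEFORE))    # False
    print("search.php after fix: ", search_php_fixed(SEARCH_AFTER))     # True
    print("register.php fixed:   ", register_php_fixed(REGISTER_AFTER))  # True
    print("'#ivan' allowed:      ", username_ok("#ivan"))               # True
```

Run it against your real search.php and register.php contents instead of the constructed fragments to confirm the fix is in place after upgrading.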

Offline piet

  • Pre-Newbie
  • Posts: 3
Re: [1.7 / 1.7.1] Security fix in search.php and register.php
« Reply #1 on: December 27, 2005, 02:28:52 PM »
Thank you very much!

Offline TheOracle

  • Hero Member
  • Posts: 875
Re: [1.7 / 1.7.1] Security fix in search.php and register.php
« Reply #2 on: December 27, 2005, 03:07:20 PM »
Actually, I don't get this ...

why would:

Quote:
$main_template = 'search';

need to be moved below the global.php line?

All 4images PHP files (on the root path, even the index.php file) have the $main_template string on top of the GET_CACHES line ...

Offline V@no

  • If you don't tell me what to do, I won't tell you where you should go :)
  • Administrator
  • 4images Guru
  • Posts: 17.849
  • mmm PHP...
Re: [1.7 / 1.7.1] Security fix in search.php and register.php
« Reply #3 on: December 27, 2005, 03:14:42 PM »
That is why my earlier suggestion was "Re-read three times, reply once" ;)

Nothing is said about moving that line...it says "the code above it".

Offline Eagle Eye

  • Full Member
  • Posts: 191
Re: [1.7 / 1.7.1] Security fix in search.php and register.php
« Reply #4 on: December 27, 2005, 05:43:40 PM »
Thanks  :D

Offline ivan

  • 4images Moderator
  • 4images Guru
  • Posts: 2.279
Re: [1.7 / 1.7.1] Security fix in search.php and register.php
« Reply #5 on: December 27, 2005, 07:36:32 PM »
Hello everyone,
unfortunately it is written in a bit of a complicated way here...

Have I understood correctly that it goes like this:

before:
Code:
<?php
/**************************************************************************
 *                                                                        *
 *    4images - A Web Based Image Gallery Management System               *
 *    ----------------------------------------------------------------    *
 *                                                                        *
 *             File: search.php                                           *
 *        Copyright: (C) 2002 Jan Sorgalla                                *
 *            Email: jan@4homepages.de                                    *
 *              Web: http://www.4homepages.de                             *
 *    Scriptversion: 1.7.1                                                *
 *                                                                        *
 *    Never released without support from: Nicky (http://www.nicky.net)   *
 *                                                                        *
 **************************************************************************
 *                                                                        *
 *    Dieses Script ist KEINE Freeware. Bitte lesen Sie die Lizenz-       *
 *    bedingungen (Lizenz.txt) für weitere Informationen.                 *
 *    ---------------------------------------------------------------     *
 *    This script is NOT freeware! Please read the Copyright Notice       *
 *    (Licence.txt) for further information.                              *
 *                                                                        *
 *************************************************************************/

if (isset($HTTP_POST_VARS['show_result']) || isset($HTTP_GET_VARS['show_result'])) {
  $show_result = 1;
}
else {
  $show_result = 0;
}

if (isset($HTTP_POST_VARS['search_keywords']) || isset($HTTP_GET_VARS['search_keywords'])) {
  $search_keywords = (isset($HTTP_POST_VARS['search_keywords'])) ? trim($HTTP_POST_VARS['search_keywords']) : urldecode(trim($HTTP_GET_VARS['search_keywords']));
  if ($search_keywords != "") {
    $show_result = 1;
  }
}
else {
  $search_keywords = "";
}
$org_search_keywords = $search_keywords;

if (isset($HTTP_POST_VARS['search_user']) || isset($HTTP_GET_VARS['search_user'])) {
  $search_user = (isset($HTTP_POST_VARS['search_user'])) ? trim($HTTP_POST_VARS['search_user']) : urldecode(trim($HTTP_GET_VARS['search_user']));
  if ($search_user != "") {
    $show_result = 1;
  }
}
else {
  $search_user = "";
}
$org_search_user = $search_user;

if (isset($HTTP_POST_VARS['search_terms'])) {
  $search_terms = (trim($HTTP_POST_VARS['search_terms']) == "all") ? 1 : 0;
}
else {
  $search_terms = 0;
}

if (isset($HTTP_POST_VARS['search_fields'])) {
  $search_fields = trim($HTTP_POST_VARS['search_fields']);
}
else {
  $search_fields = "all";
}

$search_cat = (isset($HTTP_POST_VARS['cat_id']) ) ? intval($HTTP_POST_VARS['cat_id']) : 0;

if (isset($HTTP_POST_VARS['search_new_images']) || isset($HTTP_GET_VARS['search_new_images'])) {
  $search_new_images = 1;
  $show_result = 1;
}
else {
  $search_new_images = 0;
}

$main_template = 'search';

define('GET_CACHES', 1);
define('ROOT_PATH', './');
include(ROOT_PATH.'global.php');
require(ROOT_PATH.'includes/sessions.php');
$user_access = get_permission();
include(ROOT_PATH.'includes/search_utils.php');

after:

Code:
<?php
/**************************************************************************
 *                                                                        *
 *    4images - A Web Based Image Gallery Management System               *
 *    ----------------------------------------------------------------    *
 *                                                                        *
 *             File: search.php                                           *
 *        Copyright: (C) 2002 Jan Sorgalla                                *
 *            Email: jan@4homepages.de                                    *
 *              Web: http://www.4homepages.de                             *
 *    Scriptversion: 1.7.1                                                *
 *                                                                        *
 *    Never released without support from: Nicky (http://www.nicky.net)   *
 *                                                                        *
 **************************************************************************
 *                                                                        *
 *    Dieses Script ist KEINE Freeware. Bitte lesen Sie die Lizenz-       *
 *    bedingungen (Lizenz.txt) für weitere Informationen.                 *
 *    ---------------------------------------------------------------     *
 *    This script is NOT freeware! Please read the Copyright Notice       *
 *    (Licence.txt) for further information.                              *
 *                                                                        *
 *************************************************************************/

$main_template = 'search';

define('GET_CACHES', 1);
define('ROOT_PATH', './');
include(ROOT_PATH.'global.php');
require(ROOT_PATH.'includes/sessions.php');
$user_access = get_permission();
include(ROOT_PATH.'includes/search_utils.php');

if (isset($HTTP_POST_VARS['show_result']) || isset($HTTP_GET_VARS['show_result'])) {
  $show_result = 1;
}
else {
  $show_result = 0;
}

if (isset($HTTP_POST_VARS['search_keywords']) || isset($HTTP_GET_VARS['search_keywords'])) {
  $search_keywords = (isset($HTTP_POST_VARS['search_keywords'])) ? trim($HTTP_POST_VARS['search_keywords']) : urldecode(trim($HTTP_GET_VARS['search_keywords']));
  if ($search_keywords != "") {
    $show_result = 1;
  }
}
else {
  $search_keywords = "";
}
$org_search_keywords = $search_keywords;

if (isset($HTTP_POST_VARS['search_user']) || isset($HTTP_GET_VARS['search_user'])) {
  $search_user = (isset($HTTP_POST_VARS['search_user'])) ? trim($HTTP_POST_VARS['search_user']) : urldecode(trim($HTTP_GET_VARS['search_user']));
  if ($search_user != "") {
    $show_result = 1;
  }
}
else {
  $search_user = "";
}
$org_search_user = $search_user;

if (isset($HTTP_POST_VARS['search_terms'])) {
  $search_terms = (trim($HTTP_POST_VARS['search_terms']) == "all") ? 1 : 0;
}
else {
  $search_terms = 0;
}

if (isset($HTTP_POST_VARS['search_fields'])) {
  $search_fields = trim($HTTP_POST_VARS['search_fields']);
}
else {
  $search_fields = "all";
}

$search_cat = (isset($HTTP_POST_VARS['cat_id']) ) ? intval($HTTP_POST_VARS['cat_id']) : 0;

if (isset($HTTP_POST_VARS['search_new_images']) || isset($HTTP_GET_VARS['search_new_images'])) {
  $search_new_images = 1;
  $show_result = 1;
}
else {
  $search_new_images = 0;
}


Has anyone already had experience with register.php? Unfortunately you can still register with #123 afterwards.
According to V@no's instructions this should work (bad_characters).

greetings
ivan

Facebook Fan Page | Follow Twitter

Blog: Reisen Blog
Bilder Gallery: Bilder Gallery

Offline Acidgod

  • 4images Moderator
  • 4images Guru
  • Posts: 2.420
  • It's me?
Re: [1.7 / 1.7.1] Security fix in search.php and register.php
« Reply #6 on: December 27, 2005, 07:46:49 PM »
So you did it right... Maybe V@no should have written it like this... (o:

move the code between

Code:
*************************************************************************/
and

Code:
$main_template = 'search';
below this line:

Code:
include(ROOT_PATH.'global.php');

Offline ivan

  • 4images Moderator
  • 4images Guru
  • Posts: 2.279
Re: [1.7 / 1.7.1] Security fix in search.php and register.php
« Reply #7 on: December 27, 2005, 07:51:05 PM »
Good, I had already seen that this part was in the middle of the script, so that was
the bug or the hole  :lol:

I edited register.php, but the way he writes it, afterwards one should no longer be able
to use e.g. #ivan.

Unfortunately this doesn't work for me.
Why?

greetings
ivan


Offline torment

  • Pre-Newbie
  • Posts: 5
Re: [1.7 / 1.7.1] Security fix in search.php and register.php
« Reply #8 on: December 28, 2005, 09:26:34 AM »
I have the same problem...

After this fix one should not be able to register as #username#. But that doesn't work for me either.

Offline ivan

  • 4images Moderator
  • 4images Guru
  • Posts: 2.279
Re: [1.7 / 1.7.1] Security fix in search.php and register.php
« Reply #9 on: December 28, 2005, 11:02:17 AM »
hello vano,

Unfortunately step 2 with register.php (username special characters) did not work,
apparently not for other users either. I use 4images 1.7.1.

I can still create the following user:

#ivan
greetings
ivan


Offline V@no

  • If you don't tell me what to do, I won't tell you where you should go :)
  • Administrator
  • 4images Guru
  • Posts: 17.849
  • mmm PHP...
Re: [1.7 / 1.7.1] Security fix in search.php and register.php
« Reply #10 on: December 28, 2005, 02:47:47 PM »
mmm...it was not meant to restrict all "special" characters, but only < and >

Offline ivan

  • 4images Moderator
  • 4images Guru
  • Posts: 2.279
Re: [1.7 / 1.7.1] Security fix in search.php and register.php
« Reply #11 on: December 28, 2005, 02:56:59 PM »
hello vano,

elseif (preg_match("#[<>]#", $user_name))

aren't those the special characters (bold)??

greetings
ivan


Offline V@no

  • If you don't tell me what to do, I won't tell you where you should go :)
  • Administrator
  • 4images Guru
  • Posts: 17.849
  • mmm PHP...
Re: [1.7 / 1.7.1] Security fix in search.php and register.php
« Reply #12 on: December 28, 2005, 03:05:04 PM »
no, it's called a "Regular expression" (aka REGEX) http://php.net/manual/function.preg-match.php
The pattern searches only for < and > in the name, nothing else.

Offline ivan

  • 4images Moderator
  • 4images Guru
  • Posts: 2.279
Re: [1.7 / 1.7.1] Security fix in search.php and register.php
« Reply #13 on: December 28, 2005, 03:09:50 PM »
okay vano, thanks..
greetings
ivan


Offline RoadDogg

  • Sr. Member
  • Posts: 488
Re: [1.7 / 1.7.1] Security fix in search.php and register.php
« Reply #14 on: December 29, 2005, 11:21:18 AM »
Thanks for the fix, V@no!
For support requests please don't forget the link to your Gallery/to phpinfo.php
Code:
<?
phpinfo()
?>
safe_mode must be turned OFF
Please check Error Messages