Author Topic: [1.7 / 1.7.1] Security fix in search.php and register.php  (Read 187408 times)

0 Members and 1 Guest are viewing this topic.

Offline V@no

  • If you don't tell me what to do, I won't tell you where you should go :)
  • Global Moderator
  • 4images Guru
  • *****
  • Posts: 17.849
  • mmm PHP...
    • View Profile
    • 4images MODs Demo
[1.7 / 1.7.1] Security fix in search.php and register.php
« on: December 27, 2005, 10:19:37 AM »
This is an important security fix.
Это очень важная заплатка для опасной дыры в скрипте

Step 1

In search.php any variables or other code that is located below copyright notice
В search.php всё что находится ниже копирайта (который заканьчиватся этой строкой):
Code: [Select]
*************************************************************************/ and above
и выше:
Code: [Select]
$main_template = 'search';

must be moved below
должно быть перенесено ниже:
Code: [Select]
include(ROOT_PATH.'global.php');
In default 4images, the block that must be moved is:
В свежей 4images кусок кода который должен быть перемещён выглядит так:
Code: [Select]
if (isset($HTTP_POST_VARS['show_result']) || isset($HTTP_GET_VARS['show_result'])) {
  $show_result = 1;
}
else {
  $show_result = 0;
}

if (isset($HTTP_POST_VARS['search_keywords']) || isset($HTTP_GET_VARS['search_keywords'])) {
  $search_keywords = (isset($HTTP_POST_VARS['search_keywords'])) ? trim($HTTP_POST_VARS['search_keywords']) : urldecode(trim($HTTP_GET_VARS['search_keywords']));
  if ($search_keywords != "") {
    $show_result = 1;
  }
}
else {
  $search_keywords = "";
}
$org_search_keywords = $search_keywords;

if (isset($HTTP_POST_VARS['search_user']) || isset($HTTP_GET_VARS['search_user'])) {
  $search_user = (isset($HTTP_POST_VARS['search_user'])) ? trim($HTTP_POST_VARS['search_user']) : urldecode(trim($HTTP_GET_VARS['search_user']));
  if ($search_user != "") {
    $show_result = 1;
  }
}
else {
  $search_user = "";
}
$org_search_user = $search_user;

if (isset($HTTP_POST_VARS['search_terms'])) {
  $search_terms = (trim($HTTP_POST_VARS['search_terms']) == "all") ? 1 : 0;
}
else {
  $search_terms = 0;
}

if (isset($HTTP_POST_VARS['search_fields'])) {
  $search_fields = trim($HTTP_POST_VARS['search_fields']);
}
else {
  $search_fields = "all";
}

$search_cat = (isset($HTTP_POST_VARS['cat_id']) ) ? intval($HTTP_POST_VARS['cat_id']) : 0;

if (isset($HTTP_POST_VARS['search_new_images']) || isset($HTTP_GET_VARS['search_new_images'])) {
  $search_new_images = 1;
  $show_result = 1;
}
else {
  $search_new_images = 0;
}



Step 2

In register.php find:
В register.php найдите:
Code: [Select]
      if ($site_db->not_empty($sql)) {
        $msg .= (($msg != "") ? "<br />" : "").$lang['username_exists'];
        $error = 1;
      }

Insert below:
Добавьте ниже:
Code: [Select]
      elseif (preg_match("#[<>]#", $user_name))
      {
        $msg .= (($msg != "") ? "<br />" : "").$lang['username_bad_characters'];
        $error = 1;
      }


Then in lang/<your language>/main.php at the end, above closing ?> insert:
Затем в lang/<ваш языковой пакет>/main.php в самый конец файла, выше закрывающей ?> добавьте:
Code: [Select]
$lang['username_bad_characters'] = "Username contains not allowed character(s)";

Step 3

In global.php find:
В global.php найдите:
Code: [Select]
//-----------------------------------------------------
//--- Start DB ----------------------------------------
//-----------------------------------------------------

Insert above:
Добавьте выше:
Code: [Select]
if (isset($HTTP_POST_VARS['show_result']) || isset($HTTP_GET_VARS['show_result'])) {
  $show_result = 1;
}
else {
  $show_result = 0;
}

if (isset($HTTP_POST_VARS['search_keywords']) || isset($HTTP_GET_VARS['search_keywords'])) {
  $search_keywords = (isset($HTTP_POST_VARS['search_keywords'])) ? trim($HTTP_POST_VARS['search_keywords']) : urldecode(trim($HTTP_GET_VARS['search_keywords']));
  if ($search_keywords != "") {
    $show_result = 1;
  }
}
else {
  $search_keywords = "";
}

if (isset($HTTP_POST_VARS['search_user']) || isset($HTTP_GET_VARS['search_user'])) {
  $search_user = (isset($HTTP_POST_VARS['search_user'])) ? trim($HTTP_POST_VARS['search_user']) : urldecode(trim($HTTP_GET_VARS['search_user']));
  if ($search_user != "") {
    $show_result = 1;
  }
}
else {
  $search_user = "";
}

if (isset($HTTP_POST_VARS['search_new_images']) || isset($HTTP_GET_VARS['search_new_images'])) {
  $search_new_images = 1;
  $show_result = 1;
}
else {
  $search_new_images = 0;
}

If you wish, you can remove this block of code from search.php to increase perfomance (very insignificaly).
Если вы хотите, то можете удалить такой-же блок кода из search.php, но это не обязательно.



In the attachment below you can find already modifyed default search.php, register.php and global.php
Вы можете загрузить исправленные search.php, register.php и global.php из приложеного архива.
« Last Edit: April 04, 2006, 01:41:53 AM by V@no »
Your first three "must do" before you ask a question:
Please do not PM me asking for help unless you've been specifically asked to do so. Such PMs will be deleted without answer. (forum rule #6)
Extension for Firefox/Thunderbird: Master Password+    Back/Forward History Tweaks (restartless)    Cookies Manager+    Fit Images (restartless for Thunderbird)

Offline piet

  • Pre-Newbie
  • Posts: 3
    • View Profile
Re: [1.7 / 1.7.1] Security fix in search.php and register.php
« Reply #1 on: December 27, 2005, 02:28:52 PM »
Thank you very much!

Offline TheOracle

  • Hero Member
  • *****
  • Posts: 875
    • View Profile
Re: [1.7 / 1.7.1] Security fix in search.php and register.php
« Reply #2 on: December 27, 2005, 03:07:20 PM »
Actually, I don't get this ...

why would :

Quote

$main_template = 'search';


need to be moved below the global.php line ?

All 4images's PHP files (on the root path - even the index.php file) has the $main_template string on top of the GET_CACHES line ...

Offline V@no

  • If you don't tell me what to do, I won't tell you where you should go :)
  • Global Moderator
  • 4images Guru
  • *****
  • Posts: 17.849
  • mmm PHP...
    • View Profile
    • 4images MODs Demo
Re: [1.7 / 1.7.1] Security fix in search.php and register.php
« Reply #3 on: December 27, 2005, 03:14:42 PM »
That is why my earlier suggestion was "Re-read three times, reply ones" ;)

There is nothing says about moving that line...it says "the code above it"
Your first three "must do" before you ask a question:
Please do not PM me asking for help unless you've been specifically asked to do so. Such PMs will be deleted without answer. (forum rule #6)
Extension for Firefox/Thunderbird: Master Password+    Back/Forward History Tweaks (restartless)    Cookies Manager+    Fit Images (restartless for Thunderbird)

Offline Eagle Eye

  • Full Member
  • ***
  • Posts: 191
    • View Profile
Re: [1.7 / 1.7.1] Security fix in search.php and register.php
« Reply #4 on: December 27, 2005, 05:43:40 PM »
Thanks  :D

Offline Acidgod

  • 4images Moderator
  • 4images Guru
  • *****
  • Posts: 2.421
  • It's me?
    • View Profile
    • Flash-Webdesign
Re: [1.7 / 1.7.1] Security fix in search.php and register.php
« Reply #5 on: December 27, 2005, 07:46:49 PM »
Also Du hast es richtig gemacht... Vielleicht hätte V@no es so schreiben sollen... (o:

move the code between

Code: [Select]
*************************************************************************/
and

Code: [Select]
$main_template = 'search';
below this Line:

Code: [Select]
include(ROOT_PATH.'global.php');

Offline torment

  • Pre-Newbie
  • Posts: 5
    • View Profile
Re: [1.7 / 1.7.1] Security fix in search.php and register.php
« Reply #6 on: December 28, 2005, 09:26:34 AM »
das selbe problem habe ich auch...

nach diesem fix konnte man nicht als #username# registieren konnen. aber das funktioniert bei mir auch nicht.

Offline V@no

  • If you don't tell me what to do, I won't tell you where you should go :)
  • Global Moderator
  • 4images Guru
  • *****
  • Posts: 17.849
  • mmm PHP...
    • View Profile
    • 4images MODs Demo
Re: [1.7 / 1.7.1] Security fix in search.php and register.php
« Reply #7 on: December 28, 2005, 02:47:47 PM »
mmm...it was not ment restrict all "special" characters, but only < and >
Your first three "must do" before you ask a question:
Please do not PM me asking for help unless you've been specifically asked to do so. Such PMs will be deleted without answer. (forum rule #6)
Extension for Firefox/Thunderbird: Master Password+    Back/Forward History Tweaks (restartless)    Cookies Manager+    Fit Images (restartless for Thunderbird)

Offline V@no

  • If you don't tell me what to do, I won't tell you where you should go :)
  • Global Moderator
  • 4images Guru
  • *****
  • Posts: 17.849
  • mmm PHP...
    • View Profile
    • 4images MODs Demo
Re: [1.7 / 1.7.1] Security fix in search.php and register.php
« Reply #8 on: December 28, 2005, 03:05:04 PM »
no, it calls "Regular expression" (aka REGEX) http://php.net/manual/function.preg-match.php
The pattern search only < and > in the name, nothing else.
Your first three "must do" before you ask a question:
Please do not PM me asking for help unless you've been specifically asked to do so. Such PMs will be deleted without answer. (forum rule #6)
Extension for Firefox/Thunderbird: Master Password+    Back/Forward History Tweaks (restartless)    Cookies Manager+    Fit Images (restartless for Thunderbird)

Offline RoadDogg

  • Sr. Member
  • ****
  • Posts: 488
    • View Profile
    • Düsipixel
Re: [1.7 / 1.7.1] Security fix in search.php and register.php
« Reply #9 on: December 29, 2005, 11:21:18 AM »
Thanks for the fix, V@no!
For support requests please don´t forget link to your Gallery/to phpinfo.php
Code: [Select]
<?
phpinfo()
?>
safe_mode must turned OFF
Please check Error Messages

Offline brakstar

  • Pre-Newbie
  • Posts: 4
  • The famous french webmaster ^^0^^
    • View Profile
    • Référencement - Webmaster - Création de site
Re: [1.7 / 1.7.1] Security fix in search.php and register.php
« Reply #10 on: December 30, 2005, 12:55:24 AM »
Hi all, What they can do without this fix ?  :?:

I have a 1.1 beta 3 p version of smf ....
Brain-Master the Best webmaster !

Offline V@no

  • If you don't tell me what to do, I won't tell you where you should go :)
  • Global Moderator
  • 4images Guru
  • *****
  • Posts: 17.849
  • mmm PHP...
    • View Profile
    • 4images MODs Demo
Re: [1.7 / 1.7.1] Security fix in search.php and register.php
« Reply #11 on: December 30, 2005, 01:06:35 AM »
hmmm....huh?
what SMF has anything to do with 4images? this is 4images support forum not SMF ;)
Your first three "must do" before you ask a question:
Please do not PM me asking for help unless you've been specifically asked to do so. Such PMs will be deleted without answer. (forum rule #6)
Extension for Firefox/Thunderbird: Master Password+    Back/Forward History Tweaks (restartless)    Cookies Manager+    Fit Images (restartless for Thunderbird)

Offline Ston4Img

  • Newbie
  • *
  • Posts: 28
    • View Profile
Re: [1.7 / 1.7.1] Security fix in search.php and register.php
« Reply #12 on: January 01, 2006, 06:32:46 PM »
no, it calls "Regular expression" (aka REGEX) http://php.net/manual/function.preg-match.php
The pattern search only < and > in the name, nothing else.

Mhh. I can register a User with < and >  after the Update !!! :?:



Edit:
My register.php:
/** START **********************************************
ADD ab elseif
Sercurity Update 27.12.2005
http://www.4homepages.de/forum/index.php?topic=10921.0
*******************************************************/

      
if ($site_db->not_empty($sql)) {
        
$msg .= (($msg != "") ? "<br />" "").$lang['username_exists'];
        
$error 1;
      }
    }
    elseif (
preg_match("#[<>]#"$user_name))
      {
        
$msg .= (($msg != "") ? "<br />" "").$lang['username_bad_characters'];
        
$error 1;
      }

/** ENDE **********************************************
ADD
Sercurity Update 27.12.2005
http://www.4homepages.de/forum/index.php?topic=10921.0
*******************************************************/

Offline fotograf74

  • Newbie
  • *
  • Posts: 29
    • View Profile
Re: [1.7 / 1.7.1] Security fix in search.php and register.php
« Reply #13 on: January 08, 2006, 02:27:49 PM »
Hmm,

I fixed my code, but now I can´t use the search function. I get no result.
I think that was not your idea with the sexurity fix.

What´s the problem. I use now the old code again.


Offline Ston4Img

  • Newbie
  • *
  • Posts: 28
    • View Profile
Re: [1.7 / 1.7.1] Security fix in search.php and register.php
« Reply #14 on: January 08, 2006, 03:11:54 PM »
Servus Fotograf74.
Irgendwelche Modifikationen bereits eingebaut? Wenn nicht lade dir 4Images erneut runter und tausche die Dateien aus.

Have you some modification in your 4images? Download 4images again and insert the orginal files.