Author Topic: [1.7 - 1.7.3] Security fix for SQL injection in global.php  (Read 235005 times)

0 Members and 1 Guest are viewing this topic.

Offline Jan

  • Administrator
  • 4images Guru
  • *****
  • Posts: 5.024
    • View Profile
    • 4images - Image Gallery Management System
[1.7 - 1.7.3] Security fix for SQL injection in global.php
« on: September 15, 2006, 01:55:54 PM »
This is an important security fix.

Replace the two lines in global.php (version 1.7.2 and 1.7.3) or search.php (all versions < 1.7.2):

Replace

Code: [Select]
$search_keywords = (isset($HTTP_POST_VARS['search_keywords'])) ? trim($HTTP_POST_VARS['search_keywords']) : urldecode(trim($HTTP_GET_VARS['search_keywords']));
with

Code: [Select]
$search_keywords = (isset($HTTP_POST_VARS['search_keywords'])) ? trim($HTTP_POST_VARS['search_keywords']) : trim($HTTP_GET_VARS['search_keywords']);
Replace

Code: [Select]
$search_user = (isset($HTTP_POST_VARS['search_user'])) ? trim($HTTP_POST_VARS['search_user']) : urldecode(trim($HTTP_GET_VARS['search_user']));
with

Code: [Select]
$search_user = (isset($HTTP_POST_VARS['search_user'])) ? trim($HTTP_POST_VARS['search_user']) : trim($HTTP_GET_VARS['search_user']);
« Last Edit: April 03, 2009, 03:51:34 PM by V@no »
Your first three "must do" before you ask a question:
1. Forum rules
2. FAQ
3. Search

Offline mawenzi

  • 4images Moderator
  • 4images Guru
  • *****
  • Posts: 4.500
    • View Profile
Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
« Reply #1 on: September 15, 2006, 02:22:53 PM »
... thanks Jan ... and also thanks to Matt ...
Your first three "must do" before you ask a question ! ( © by V@no )
- please read the Forum Rules ...
- please study the FAQ ...
- please try to Search for your answer ...

You are on search for top 4images MOD's ?
- then please search here ... Mawenzi's Top 100+ MOD List (unsorted sorted) ...

Offline Jan

  • Administrator
  • 4images Guru
  • *****
  • Posts: 5.024
    • View Profile
    • 4images - Image Gallery Management System
Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
« Reply #2 on: September 15, 2006, 03:31:24 PM »
Eigentlich stehts bei 1.7.1 nicht on der global.php. Wenns bei Dir doch so ist, dann ersetze es in beiden Dateien.
Your first three "must do" before you ask a question:
1. Forum rules
2. FAQ
3. Search

Offline securitydot

  • Pre-Newbie
  • Posts: 7
    • View Profile
    • SecurityDot - your online security center
Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
« Reply #3 on: September 15, 2006, 03:46:23 PM »
Thanks

Offline Fastian

  • Full Member
  • ***
  • Posts: 199
    • View Profile
Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
« Reply #4 on: September 15, 2006, 03:51:25 PM »
Thanks for keeping us up-to-date.
:)
I m not a  Programmer.
          But
I m a Good Learner.

Offline brice626

  • Pre-Newbie
  • Posts: 7
    • View Profile
Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
« Reply #5 on: September 15, 2006, 04:04:20 PM »
Thanks!

Offline cronk005

  • Newbie
  • *
  • Posts: 44
    • View Profile
    • Travelingtheworldaround
Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
« Reply #6 on: September 15, 2006, 04:07:53 PM »
Changing this information has dramatically changed the way the keyword search is done when using multiple languages.... now it just doesn't work at all... any thoughts?

Let me clarify... If I changed the language of my board, with appropriate Keyword language tags, it will only search for the first word in the language set and the rest of the keywords will yield strange results.

Offline amitpatel_3001

  • Newbie
  • *
  • Posts: 13
    • View Profile
Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
« Reply #7 on: September 15, 2006, 04:14:00 PM »
Thanks a lot for notifying everyone :)

Offline amitpatel_3001

  • Newbie
  • *
  • Posts: 13
    • View Profile
Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
« Reply #8 on: September 15, 2006, 04:17:37 PM »
$search_user = (isset($HTTP_POST_VARS['search_user'])) ? trim($HTTP_POST_VARS['search_user']) : urldecode(trim($HTTP_GET_VARS['search_user']));

cannot find this second line to replace :(

Offline Murat

  • Jr. Member
  • **
  • Posts: 97
    • View Profile
    • Lavinya
Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
« Reply #9 on: September 15, 2006, 04:21:23 PM »
thanks jan.
<?php echo 'Hello, World!'; ?>

Offline F1boat

  • Pre-Newbie
  • Posts: 6
    • View Profile
Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
« Reply #10 on: September 15, 2006, 04:25:29 PM »
Thanks a lot - Merci beaucoup

Offline cajebo

  • Pre-Newbie
  • Posts: 1
    • View Profile
Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
« Reply #11 on: September 15, 2006, 04:30:53 PM »
Thanks a bunch for the update patch Matt & Jan.

Still one of the better stand-alone O/S Galleries


Warm regards from Downtown Miamisburg, Ohio

Michael

Offline Zhra

  • Newbie
  • *
  • Posts: 13
    • View Profile
    • Zhra Net
Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
« Reply #12 on: September 15, 2006, 04:36:42 PM »
Thanks so much sir
for keeping us up-to-date
Best regards

Offline Laurina

  • Newbie
  • *
  • Posts: 21
    • View Profile
    • Darren Hayes Interactive
Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
« Reply #13 on: September 15, 2006, 04:37:02 PM »
Thank you very much.


Laurie


Offline Vincent

  • 4images Moderator
  • Addicted member
  • *****
  • Posts: 1.195
    • View Profile
    • www.foto-kocher.com
Re: [1.7 - 1.7.3] Security fix for SQL injection in global.php
« Reply #14 on: September 15, 2006, 05:00:39 PM »
merci!

vincent
Beati pauperi spiritus

4images 1.7 // My Installed Mods