• are
  • DeltaScripts Developer
  • Offline
  • From: Norway
  • Registered: 2001-02-10
  • Posts: 7,399

Topic: Security Issue Solution v7.5

The v7.5 is now updated (10.11.2008). The zip file that is fixed has the file "includes_patch1.txt" inside the zip. Only admin/login.php is updated/changed, just replace it with your old admin/login.php.

The hack is working because a typo in the code. All input is normally validated, but since the variable is typed with one large letter wrong, the validation routine is bypassed.

Quick fix for the most urgent one is this:

In admin/login.php, line 41:

Change from:

$lUserName=strToDb($lUsername);

to:

$lUsername=strToDb($lUsername);

NOTE: There is also a bug in links.php, the new .zip will contain this fix.

Change line 24, from this:

$order = getParam("order",""); // Guest chooseable sort order

To this:

$order = cleanInput(getParam("order","")); // Guest chooseable sort order

If you have been backed..
Check your classifieds directory. If you have the "admin" username unchanged, "hackers" are able to login to admin area. There, they will most likely change one template or language file. Check for changed template files in template editor, an * will mark a changed template.

The reason why many sites gets hacked now is due to a description to do this is posted to bugtraq lists.

I would also suggest to password protect your admin area using .htaccess (control panel protection that cPanel, Plesk, Webmin etc. can do for you).

Regards,
Are

http://www.deltascripts.com

are's Website

+ -

  • aries
  • Been around
  • Offline
  • Registered: 2006-11-20
  • Posts: 104

Re: Security Issue Solution v7.5

Are, please check this item, post by istreen: (Multiple vulnerabilities)
http://www.deltascripts.com/board/topic … abilities/

+ -

  • Registered: 2008-10-14
  • Posts: 25

Re: Security Issue Solution v7.5

you can see attack xss
http://www.event-city.fr:80/choose_cat.php/>"><ScRiPt>alert(437875964861)</ScRiPt> working with ie7

you solution in admin/login.php, line 41:

Don't resolved, you could be use http://fr.php.net/manual/en/function.htmlentities.php or http://fr.php.net/manual/en/function.ht … lchars.php

+ -

  • Registered: 2002-10-24
  • Posts: 114

Re: Security Issue Solution v7.5

In the zip the file: includes_patch1.txt is named as: includes_patch1.txt.txt and is empty.

NewOpps.com - New Business Opportunities

+ -

  • aries
  • Been around
  • Offline
  • Registered: 2006-11-20
  • Posts: 104

Re: Security Issue Solution v7.5

This file (includes_patch1.txt) is only signal that already have patch applied.

+ -

  • aries
  • Been around
  • Offline
  • Registered: 2006-11-20
  • Posts: 104

Re: Security Issue Solution v7.5

istreen wrote:

you can see attack xss
http://www.event-city.fr:80/choose_cat.php/>"><ScRiPt>alert(437875964861)</ScRiPt> working with ie7

For the XSS is need sanitize $_SERVER["PHP_SELF"].
In header_inc.php found

include_once("includes/common_public_inc.php");

Add next this line

$_SERVER["PHP_SELF"] = htmlspecialchars(cleanInput( $_SERVER["PHP_SELF"]));

+ -

  • Registered: 2007-09-06
  • Posts: 24

Re: Security Issue Solution v7.5

There is a bug i just discovered, try this:
while posting ( or editing an ad) in the description of your ad, put this 2 character line
<>
and your server gets crazy!
it says:
Fatal error: Allowed memory size of 67108864 bytes exhausted (tried to allocate 63327343 bytes) in /home/content/..../html/includes/inputfilter.php on line 98

why?

+ -

  • Registered: 2007-05-25
  • Posts: 194

Re: Security Issue Solution v7.5

the bug in inputfilter.php can be fixed as follows.
Original post on www.phpclasses.org by user Nashar on the 2007-12-31 08:19:07

If you process an empty tag followed by anything, like '<>foo', the script gets stuck in a infinite loop until you get a lovely message like:
Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 29360137 bytes) in \includes\class.inputfilter.php on line 134

The fix is to change line 114 from:

if (!$tagOpen_end) {

to

if ($tagOpen_end === false) {

Cheers!

regards

stubyh

The greatest mistake you can make in life is to be continually fearing you will make one.

+ -

  • From: Linksprocket
  • Registered: 2004-11-15
  • Posts: 849

Re: Security Issue Solution v7.5

works a treat thanks

Ciao
Free Dates http://www.confessionwall.com

swapshop's Website

+ -

  • Registered: 2007-09-06
  • Posts: 24

Re: Security Issue Solution v7.5

stubyh wrote:

the bug in inputfilter.php can be fixed as follows.
Original post on www.phpclasses.org by user Nashar on the 2007-12-31 08:19:07

If you process an empty tag followed by anything, like '<>foo', the script gets stuck in a infinite loop until you get a lovely message like:
Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 29360137 bytes) in \includes\class.inputfilter.php on line 134

The fix is to change line 114 from:

if (!$tagOpen_end) {

to

if ($tagOpen_end === false) {

Cheers!

regards

stubyh

Thanks alot Stubyh for the solution, but doesn't it degrade the security of the website?

+ -

  • Registered: 2007-05-25
  • Posts: 194

Re: Security Issue Solution v7.5

ar_et

    Unfortunately all programming has some vulnerability. You only have to look at Microsoft and see the number of patches they produce on the 2nd Tuesday of every month and they have thousands of employees.

    The good part of open source programming is that when a problem is found either the code owner in this case 'ARE' or a member of the forum will hopefully find out the answer and post it. The inputfilter.php was written sometime back and not by the code of this programme (I assume). it is always best to check your code for this type of open source coding and checkout the coders web site or forum for any updates and implement them, due to the size and complexity of programs this can take a while so we all rely on the users as testers I'm afraid.

regards

Stubyh

The greatest mistake you can make in life is to be continually fearing you will make one.

+ -