Topic: Security Issue Solution v7.5

v7.5 is now updated (10.11.2008). The fixed zip file has the file "includes_patch1.txt" inside it. Only admin/login.php is updated/changed; just replace your old admin/login.php with it.

The hack works because of a typo in the code. All input is normally validated, but because the variable name has one capital letter wrong, the validation routine is bypassed.

The quick fix for the most urgent one is this:

In admin/login.php, line 41:

Change from:

$lUserName=strToDb($lUsername);

to:

$lUsername=strToDb($lUsername);

NOTE: There is also a bug in links.php; the new .zip will contain this fix.

Change line 24, from this:

$order = getParam("order",""); // Guest chooseable sort order

To this:

$order = cleanInput(getParam("order","")); // Guest chooseable sort order

If you have been hacked:
Check your classifieds directory. If you have left the "admin" username unchanged, "hackers" are able to log in to the admin area. There, they will most likely change one template or language file. Check for changed template files in the template editor; an * marks a changed template.

The reason why many sites get hacked now is that a description of how to do this has been posted to bugtraq lists.

I would also suggest password-protecting your admin area using .htaccess (control-panel protection that cPanel, Plesk, Webmin etc. can do for you).
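The login.php bug above is a one-letter case difference between two variable names, which PHP treats as two different variables, so the sanitized value lands in a fresh variable and the original, unsanitized one keeps being used. The following is an added example, not code from PHPClassifieds: a small PHP lint that tokenizes a source file and reports variable names that differ only in case. The sample input is constructed to resemble the patched line; strToDb() and getParam() are the script's own helpers and are only mentioned, not defined.

```php
<?php
// Added example (not from the PHPClassifieds code): find variables in a PHP
// source file whose names differ only in letter case, e.g. $lUsername vs
// $lUserName. PHP variable names are case-sensitive, so the second spelling
// is a brand-new variable and the sanitized value never reaches the first.

function findCaseVariantVariables(string $source): array
{
    $seen = [];                       // lowercase name => exact spellings seen
    foreach (token_get_all($source) as $tok) {
        if (!is_array($tok) || $tok[0] !== T_VARIABLE) {
            continue;
        }
        $name = $tok[1];              // includes the leading '$'
        if ($name === '$this') {
            continue;
        }
        $seen[strtolower($name)][$name] = true;
    }

    $suspects = [];
    foreach ($seen as $spellings) {
        if (count($spellings) > 1) {
            $suspects[] = array_keys($spellings);
        }
    }
    return $suspects;
}

// Constructed sample resembling the buggy line 41 of admin/login.php from the
// post. The typo on the third line assigns the cleaned value to a new variable
// while the query on the fourth line still reads the raw one.
$sample = <<<'PHP'
<?php
$lUsername = getParam("username", "");
$lUserName = strToDb($lUsername);
$sql = "SELECT * FROM admins WHERE name='$lUsername'";
PHP;

foreach (findCaseVariantVariables($sample) as $group) {
    echo 'Possible case typo: ' . implode(' vs ', $group) . PHP_EOL;
}
// Prints: Possible case typo: $lUsername vs $lUserName
```

Run it over each file in the package (`token_get_all(file_get_contents($path))`) after applying a patch; a clean file reports nothing. It is a cheap check to keep in a pre-commit hook, since this class of slip is invisible to PHP's own warnings: both variables are defined, so no "undefined variable" notice is ever raised.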

Re: Security Issue Solution v7.5

Are, please check this item, posted by istreen: (Multiple vulnerabilities)
http://www.deltascripts.com/board/topic … abilities/


Re: Security Issue Solution v7.5

You can see an XSS attack:
http://www.event-city.fr:80/choose_cat.php/>"><ScRiPt>alert(437875964861)</ScRiPt> working with IE7

Your solution in admin/login.php, line 41:

doesn't resolve it; you could use http://fr.php.net/manual/en/function.htmlentities.php or http://fr.php.net/manual/en/function.ht … lchars.php


Re: Security Issue Solution v7.5

In the zip, the file includes_patch1.txt is named includes_patch1.txt.txt and is empty.


Re: Security Issue Solution v7.5

This file (includes_patch1.txt) is only a signal that the patch has already been applied.


Re: Security Issue Solution v7.5

istreen wrote:

You can see an XSS attack:
http://www.event-city.fr:80/choose_cat.php/>"><ScRiPt>alert(437875964861)</ScRiPt> working with IE7

For the XSS, $_SERVER["PHP_SELF"] needs to be sanitized.
In header_inc.php, find

include_once("includes/common_public_inc.php");

and add this line after it:

$_SERVER["PHP_SELF"] = htmlspecialchars(cleanInput( $_SERVER["PHP_SELF"]));

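The reply above is right that PHP_SELF is the sink: it is the script path plus any extra path segment the client appended, reflected verbatim into whatever template echoes it. The following is an added example, not code from PHPClassifieds, showing the effect of the htmlspecialchars() step on a constructed PHP_SELF value of the same shape as the URL in the thread; the package's own cleanInput() is not reproduced, and renderFormAction() and selfAction() are names invented for this illustration.

```php
<?php
// Added example, not code from the PHPClassifieds package. Shows why echoing a
// raw $_SERVER["PHP_SELF"] into markup is a reflected XSS sink, and what the
// htmlspecialchars() step from the reply above does to it.

// Builds an opening form tag the way a template might, with or without encoding.
function renderFormAction(string $phpSelf, bool $encode): string
{
    $action = $encode ? htmlspecialchars($phpSelf, ENT_QUOTES, 'UTF-8') : $phpSelf;
    return '<form method="post" action="' . $action . '">';
}

// Safer source for a self-referencing URL: SCRIPT_NAME is the script path only,
// without the extra path segment ("/choose_cat.php/anything") that ends up in
// PHP_SELF. It is still encoded at output, because every value placed in HTML
// should be, whatever its origin.
function selfAction(array $server): string
{
    return htmlspecialchars($server['SCRIPT_NAME'] ?? '/', ENT_QUOTES, 'UTF-8');
}

// Constructed PHP_SELF value of the shape the thread's URL produces: the
// path-info suffix after the script name is reflected as-is.
$tainted = '/choose_cat.php/">' . '<script>alert(1)</script>';

echo renderFormAction($tainted, false), PHP_EOL;
// <form method="post" action="/choose_cat.php/"><script>alert(1)</script>">
//   -> the attribute closes early and a script element is injected

echo renderFormAction($tainted, true), PHP_EOL;
// <form method="post" action="/choose_cat.php/&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;">
//   -> inert text inside the attribute

echo selfAction(['SCRIPT_NAME' => '/choose_cat.php']), PHP_EOL;
// /choose_cat.php
```

Overwriting $_SERVER["PHP_SELF"] once in header_inc.php, as the reply does, protects every template that reads it afterwards, which is why that placement works; the caveat is that the value is then HTML-encoded, so any later code that uses it for something other than HTML output (a redirect header, a file path) would see the encoded form. Encoding at the point of output, as in renderFormAction(), avoids that.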

Re: Security Issue Solution v7.5

There is a bug I just discovered; try this:
while posting (or editing an ad), in the description of your ad, put this 2-character line
<>
and your server goes crazy!
It says:
Fatal error: Allowed memory size of 67108864 bytes exhausted (tried to allocate 63327343 bytes) in /home/content/..../html/includes/inputfilter.php on line 98

why?


Re: Security Issue Solution v7.5

The bug in inputfilter.php can be fixed as follows.
Original post on www.phpclasses.org by user Nashar on 2007-12-31 08:19:07:

If you process an empty tag followed by anything, like '<>foo', the script gets stuck in an infinite loop until you get a lovely message like:
Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 29360137 bytes) in \includes\class.inputfilter.php on line 134

The fix is to change line 114 from:

if (!$tagOpen_end) {

to

if ($tagOpen_end === false) {

Cheers!

regards

stubyh


Re: Security Issue Solution v7.5

Works a treat, thanks.

Re: Security Issue Solution v7.5

stubyh wrote:

The bug in inputfilter.php can be fixed as follows.
Original post on www.phpclasses.org by user Nashar on 2007-12-31 08:19:07:

If you process an empty tag followed by anything, like '<>foo', the script gets stuck in an infinite loop until you get a lovely message like:
Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 29360137 bytes) in \includes\class.inputfilter.php on line 134

The fix is to change line 114 from:

if (!$tagOpen_end) {

to

if ($tagOpen_end === false) {

Cheers!

regards

stubyh

Thanks a lot, Stubyh, for the solution, but doesn't it degrade the security of the website?

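On the question of whether the `=== false` change weakens anything: it does not, and the reason is the return convention of strpos(). The following is an added example, not the inputfilter.php class itself; it is a stripped-down model of a tag-walking loop with the same shape of test as the posted line 114, and MAX_ITERATIONS, walkTags() and the sample input are constructed for this illustration. It shows that the loose test misclassifies an empty tag as "no closing bracket found", that the strict test handles it like any other tag, and that a genuinely unclosed '<' is still handled correctly after the fix.

```php
<?php
// Added example, not the inputfilter.php class itself: a stripped-down model of
// a tag-walking loop that shows why `if (!$tagOpen_end)` misbehaves on "<>foo"
// and why the `=== false` test from the reply is the correct one. strpos()
// returns the int 0 when '>' is the very first character after '<'; 0 is falsy,
// so `!$tagOpen_end` is true for an empty tag and the "no closing bracket"
// branch runs on input that does have one.

const MAX_ITERATIONS = 10000; // guard so the loose variant cannot hang this demo

// Splits $source into tag bodies ($tags) and the surrounding text ($text).
// Returns false when the iteration guard trips, i.e. the loop would not finish.
function walkTags(string $source, bool $strictCompare, &$tags, &$text): bool
{
    $tags = [];
    $text = '';
    $post = $source;
    $open = strpos($post, '<');
    $n = 0;
    while ($open !== false) {
        if (++$n > MAX_ITERATIONS) {
            return false;
        }
        $text .= substr($post, 0, $open);
        $post = substr($post, $open);            // $post now starts with '<'
        $afterOpen = substr($post, 1);
        $tagOpen_end = strpos($afterOpen, '>');  // int 0 for "<>...", false if absent

        if ($tagOpen_end === false) {            // genuinely unclosed: keep the rest as text
            break;
        }

        // The disputed test. Loose form: `!0` is true, so "<>" lands in this branch.
        $noClose = $strictCompare ? ($tagOpen_end === false) : (!$tagOpen_end);
        if ($noClose) {
            // Model of the faulty handling: the remainder is re-queued unchanged, so
            // the next pass sees the same "<>foo..." again while $text keeps growing,
            // which is the kind of runaway the memory-exhausted message points to.
            $text .= $post;
            $open = strpos($post, '<');
            continue;
        }

        $tags[] = substr($afterOpen, 0, $tagOpen_end);
        $post = substr($afterOpen, $tagOpen_end + 1);
        $open = strpos($post, '<');
    }
    $text .= $post;
    return true;
}

$input = '<>foo <b>bar</b>';

$finished = walkTags($input, false, $tags, $text);   // loose `!$tagOpen_end`
// $finished === false: the guard tripped, the scan never gets past "<>"

$finished = walkTags($input, true, $tags, $text);    // `=== false`, the posted fix
// $finished === true, $tags === ['', 'b', '/b'], $text === 'foo bar'

$finished = walkTags('a < b', true, $tags, $text);   // unclosed '<' still terminates
// $finished === true, $tags === [], $text === 'a < b'
```

With the strict comparison the empty tag is simply a tag whose body is the empty string, and it goes through the same processing as every other tag, so nothing is skipped or let through that was filtered before. The generic rule behind it: any PHP function that returns a position or index can legitimately return 0, so its "not found" result must always be tested with `=== false`, never with `!`.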

Re: Security Issue Solution v7.5

ar_et

    Unfortunately all programs have some vulnerability. You only have to look at Microsoft and see the number of patches they produce on the 2nd Tuesday of every month, and they have thousands of employees.

    The good part of open-source programming is that when a problem is found, either the code owner (in this case 'ARE') or a member of the forum will hopefully find the answer and post it. The inputfilter.php was written some time back and not by the coder of this programme (I assume). It is always best to check your code for this type of open-source code and check the coder's web site or forum for any updates and implement them; due to the size and complexity of programs this can take a while, so we all rely on the users as testers, I'm afraid.

regards

Stubyh


Re: Security Issue Solution v7.5

Are, PHPC v7.5 and earlier keep some security vulnerabilities that have already been overcome in v7.6. Have you planned to release a patch or a tool for migration to the new version?

Regards.


Re: Security Issue Solution v7.5

I got rid of some Chinese spammers really easily. In the header I banned their IPs.

For the admin area, I plan to add security by checking the IP.

Basically, if the IP is not my IP, the script will redirect the user to a page that says: Warning: your IP has been logged in our system. If you return to this page one more time, you will be banned forever.

ehhehe

I'm working on a script to log every IP that hits my site, especially in the admin area.

All I have to do is ban anyone who has entered the admin page.


(edited by moein 2010-11-03 20:37:41)

Re: Security Issue Solution v7.5

danielle_2008 wrote:

I got rid of some Chinese spammers really easily. In the header I banned their IPs.

For the admin area, I plan to add security by checking the IP.

Basically, if the IP is not my IP, the script will redirect the user to a page that says: Warning: your IP has been logged in our system. If you return to this page one more time, you will be banned forever.

ehhehe

I'm working on a script to log every IP that hits my site, especially in the admin area.

All I have to do is ban anyone who has entered the admin page.

Danielle, make sure that you've got a static IP,
or else you might get yourself banned :)

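The two replies above describe an IP allow-list for the admin area plus logging of everything else. The following is an added example, not part of PHPClassifieds, of that gate in PHP: ADMIN_ALLOW, ipMatches(), ipAllowed() and requireAdminIp() are names invented here, the addresses are documentation placeholders, and it assumes 64-bit PHP for the mask arithmetic. As the second reply warns, list only addresses you control and that do not change.

```php
<?php
// Added example, not part of PHPClassifieds: allow only listed source addresses
// into the admin area and log every other attempt. Placeholder addresses from
// the documentation ranges are used; replace them with your own static ones.

const ADMIN_ALLOW = [
    '203.0.113.10',      // placeholder single address
    '198.51.100.0/24',   // placeholder office range
];

// True when $ip equals the entry or lies in the entry's IPv4 CIDR block.
// Assumes 64-bit PHP, where ip2long() values and the mask are plain ints.
function ipMatches(string $ip, string $entry): bool
{
    if (strpos($entry, '/') === false) {
        return $ip === $entry;
    }
    [$net, $bits] = explode('/', $entry, 2);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false;
    }
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : ((-1 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($netLong & $mask);
}

function ipAllowed(string $ip, array $allow): bool
{
    foreach ($allow as $entry) {
        if (ipMatches($ip, $entry)) {
            return true;
        }
    }
    return false;
}

// Call at the top of every admin script. REMOTE_ADDR is set by the web server
// from the TCP connection and cannot be chosen by the client; X-Forwarded-For
// can, so do not read it here unless a proxy you control is the only thing
// that sets it. Keep the log file outside the web root.
function requireAdminIp(array $allow, string $logFile): void
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if (ipAllowed($ip, $allow)) {
        return;
    }
    $line = sprintf("%s denied admin from %s uri=%s ua=%s\n",
        date('c'),
        $ip,
        $_SERVER['REQUEST_URI'] ?? '-',
        str_replace(["\r", "\n"], ' ', $_SERVER['HTTP_USER_AGENT'] ?? '-'));
    file_put_contents($logFile, $line, FILE_APPEND | LOCK_EX);
    http_response_code(403);
    exit('Forbidden');
}

// Usage in an admin script:
// requireAdminIp(ADMIN_ALLOW, dirname(__DIR__) . '/private/admin_denied.log');

// Self-check on constructed values:
var_dump(ipAllowed('203.0.113.10', ADMIN_ALLOW));   // bool(true)
var_dump(ipAllowed('198.51.100.77', ADMIN_ALLOW));  // bool(true)
var_dump(ipAllowed('192.0.2.5', ADMIN_ALLOW));      // bool(false)
```

Two things worth keeping in mind with this approach. A gate inside PHP only runs if PHP runs, so it complements rather than replaces the .htaccess protection suggested in the opening post, which the web server enforces before any script executes. And an automatic "ban whoever touches the admin URL" rule, as proposed above, bans on a single request, so one visit from your own dynamic address, or a scanner using a shared one, locks that address out; logging and reviewing denied attempts, as in requireAdminIp(), gives the same visibility without that risk.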