vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   ibProArcade Archive (https://vborg.vbsupport.ru/forumdisplay.php?f=174)
-   -   Alternate fix to injection code in comments (https://vborg.vbsupport.ru/showthread.php?t=279305)

rpgamersnet 02-28-2012 10:07 PM

Alternate fix to injection code in comments
 
So, in another thread it was mentioned that while the current fix may get the job done, it's also filtering out good data. There must be some proper solution to handle incoming comment data securely. I thought I would start a discussion in regards to finding an alternate fix to the problem than the one currently available.

The problem: Users input data into comments that is executed and causes trouble.

Solution ideas: Escape incoming data so that it cannot execute? Allow only alphanumeric comment data and write the SQL statements so that they cannot be broken out?

I will be the first to admit I am not a professional coder, although I do write a lot of code myself. I haven't taken a long look at how the comments are currently handled, but plan to. Let's pool some ideas and help MrZeroPage come up with a more solid fix!

Sarteck 02-29-2012 07:15 AM

I do a few things.


First off, I almost ALWAYS use sprintf(). It's pretty awesome.

PHP Code:

sprintf("SELECT * FROM %suser WHERE userid=%d", TABLE_PREFIX, $userid); // %d forces $userid to an integer

Bam, you'll always get an integer. Also, query looks hella prettier. :3

Two, why not use vBulletin's built-in cleaning functions on data? That would solve a lot of it, wouldn't it?

Mind you, I'm a complete newbie to the scripting of this modification in particular, but I have successfully programmed a bunch of homebrewed mods for my own. I just want a disclaimer here that I could be completely off-base. X3

stangger5 02-29-2012 08:00 AM

Starting with 2.7.1+

The fix for that exploit was to edit one line..

PHP Code:

$ibforums->input['s_id'] = ibp_cleansql($ibforums->input['s_id']); 

change to
PHP Code:

$ibforums->input['s_id'] = intval($ibforums->input['s_id']); 

Quote:

Originally Posted by BirdOPrey5
Comment should be OK because of the way strings are put in the database. The problem was s_id was allowed to be a string when it was supposed to be an int, that is what allowed the exploit.

The ibp_cleansql function needs to be changed to accept a second argument that says what type of data it is (string or int) and clean it differently depending on what it is supposed to be.

vBulletin has built in cleaning functions too that can/should be used.


Sarteck 02-29-2012 09:13 AM

See? Perfect example of where sprintf() would be put to awesome use. :D Just use %d in your query and you're good to go.
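Putting the two suggestions above together (intval() for the id, sprintf() with %d, and a type-aware cleaner as BirdOPrey5 describes), here is an added example; it is not ibProArcade's or vBulletin's own code, and the function names, the table name and the TABLE_PREFIX value are assumed for the demo:

```php
<?php
// Added example, not part of ibProArcade. clean_param() is a hypothetical
// type-aware cleaner: the caller states what the value is supposed to be, so
// an id that must be an int can never reach the query as a string.
// vBulletin's own equivalent is $vbulletin->input->clean_gpc('r', 's_id', TYPE_UINT).

define('TABLE_PREFIX', 'vb_');   // constructed value for the demo

function clean_param($value, $type)
{
    switch ($type) {
        case 'int':
            // The 2.7.1 fix: intval() turns anything non-numeric into 0
            // and drops trailing text, so "42abc" becomes 42.
            return intval($value);
        case 'string':
            // Escape for use inside single quotes. With a live connection use
            // mysqli_real_escape_string($link, $value) or a prepared statement;
            // addslashes() is used here only so the example runs offline.
            return addslashes((string) $value);
        default:
            throw new InvalidArgumentException("unknown type: $type");
    }
}

// sprintf() with %d re-enforces the integer type even if a caller forgets
// to run clean_param() first; %s is only safe because the string was cleaned.
function build_comment_query($s_id, $comment)
{
    return sprintf(
        "INSERT INTO %sarcade_comments (s_id, comment) VALUES (%d, '%s')",  // table name assumed
        TABLE_PREFIX,
        clean_param($s_id, 'int'),
        clean_param($comment, 'string')
    );
}

// Constructed inputs: a well-formed id, then an id that arrived as text
// and a comment containing quotes.
echo build_comment_query(42, "nice score!"), "\n";
echo build_comment_query("42abc", "it's a 'quoted' comment"), "\n";
```

The second query is built with s_id = 42 and the quotes in the comment escaped, so neither value can change the shape of the statement.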

rpgamersnet 02-29-2012 02:24 PM

Wait, so it wasn't the comments that were causing the problem, but the S_ID? My board personally was not hit by this exploit, so I did not have the details. :)

Mark.B 02-29-2012 07:11 PM

Quote:

Originally Posted by rpgamersnet (Post 2304659)
Wait, so it wasn't the comments that were causing the problem, but the S_ID? My board personally was not hit by this exploit, so I did not have the details. :)

I have a feeling that the code Stangger has posted was the fix for the exploit that was fixed in 2.7.1, rather than 2.7.2.

stangger5 02-29-2012 08:18 PM

Quote:

Originally Posted by Mark.B (Post 2304775)
I have a feeling that the code Stangger has posted was the fix for the exploit that was fixed in 2.7.1, rather than 2.7.2.

I didn't know anything about an exploit with 2.7.2..

Mark.B 02-29-2012 08:36 PM

Quote:

Originally Posted by stangger5 (Post 2304817)
I didn't know anything about an exploit with 2.7.2..

No I meant FIXED in 2.7.2.

Hippy 02-29-2012 08:47 PM

the only thing needed is what stangger posted above..

--------------- Added [DATE]1330552106[/DATE] at [TIME]1330552106[/TIME] ---------------

Quote:

Originally Posted by Mark.B (Post 2304775)
I have a feeling that the code Stangger has posted was the fix for the exploit that was fixed in 2.7.1, rather than 2.7.2.

I didn't know anything about an exploit with 2.7.2.. either :eek:

stangger5 02-29-2012 08:51 PM

Quote:

Originally Posted by Mark.B (Post 2304822)
No I meant FIXED in 2.7.2.

Had me going ...lol...

