vb.org Archive - View Single Post

Turbosport · #68 01-27-2006, 02:16 PM

Quote:

Originally Posted by andrefedalto

this part of the script is only accessible by the forum administrators, so why would an admin inject sql codes?

As a fellow coder I am not knocking the hack, in fact I really like it and it was exactly what I was looking for!

But its important that we as a community look out for and fix any security flaw we find, no matter how insignificant.

My admins are fully trusted, I run hourly snapshots of my database, so I like you probably have nothing to worry about, however there are others out there who are less fortunate. Maybe they have opened it up to thier Moderators and on a busy site this could end up being a few people.

The other worry is that someone will come along and reuse the code somewhere less secure not fully understanding the security issues.

An Admin on my site caused an SQL error by placing an apostrophy in the description field i.e. Dave's picture.

On examination it was a classic SQL injection hole.

I did a quick fix to stop this happening, but I intend to rewrite it to use one of the core VB functions for coverting strings to SQL safe, that way when VB find any other injection type issues and fix them the fix will be reflected in this hack.

Anyway if your interested here is my quick fix:

Code:

	$factv = addslashes(htmlspecialchars($_POST["bact"], ENT_QUOTES));
	$fdesc = addslashes(htmlspecialchars($_POST["balt"], ENT_QUOTES));

then the query:

Code:

	$db->query_write("INSERT INTO " . TABLE_PREFIX . "brotator (id, name, alt, active) VALUES ('', '$fname', '$fdesc', '$factv')");

I changed the other query further down using the same method.

I also added a little check before the query, for the odd occasion that theres an error in uploading the file:

Code:

	move_uploaded_file($ftemp, $dir.$fname);


if (file_exists($_SERVER['DOCUMENT_ROOT']."C:/SITES/TSWEB/BBS/images/banners/"."$fname")){

	$db->query_write("INSERT INTO " . TABLE_PREFIX . "brotator (id, name, alt, active) VALUES ('', '$fname', '$fdesc', '$factv')");
	print_cp_message($vbphrase['brotator_add_success'], "banner_rotator.php?do=add", "1");
}
else {	print_stop_message('brotator_uploaderror');}
endif;

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.01165 seconds Memory Usage 1,770KB Queries Executed 11 (?)
More Information
Template Usage: (1)SHOWTHREAD_SHOWPOST (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (3)bbcode_code (1)bbcode_quote (1)footer (1)gobutton (1)header (1)headinclude (6)option (1)post_thanks_box (1)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (1)post_thanks_postbit_info (1)postbit (1)postbit_onlinestatus (1)postbit_wrapper (1)spacer_close (1)spacer_open Phrase Groups Available: global postbit reputationlevel showthread	Included Files: ./showpost.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_postinfo_query fetch_postinfo fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showpost_start bbcode_fetch_tags bbcode_create postbit_factory showpost_post postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start showpost_complete
Messages: