Go Back   vb.org Archive > vBulletin 3 Discussion > vB3 Programming Discussions

Reply
 
Thread Tools Display Modes
  #11  
Old 01-29-2008, 11:21 PM
Tyran1 Tyran1 is offline
 
Join Date: Jan 2007
Location: Deutsches Reich
Posts: 297
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Roflstilzchen View Post
to make a long story short: the original hack was a sports betting addon for world soccer championship in 2006 and the original coder (TheSisko) doesnt support it anymore and the old download thread doesn?t exist too. Tyran1 changed the code into an addon for european championship 2008 but unfortunately the original code has a security leak (i guess sql-injections) which tyran is not able to fix by himself.

@tyran: maybe you should provide the hack to the users here, because without it no one will be able to help you just like lynne allready said.

Thank you.

Ok the Addon in the appendix
Reply With Quote
  #12  
Old 01-30-2008, 03:34 AM
cheesegrits's Avatar
cheesegrits cheesegrits is offline
 
Join Date: May 2006
Posts: 500
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

If it's an SQL injection problem, then it's probably these lines in EM2008.php:

Code:
				$sql = "INSERT INTO " . TABLE_PREFIX . "rth_em08_bets (user_id,em_game_number,bet_result,bet_home,bet_visitor) 
									VALUES (".$vbulletin->userinfo['userid'].",".$game.",".$result['bet_result'].",".$result['home'].",".$result['visitor'].")";
... where none of those variables being inserted have been cleaned properly.

At the very least, I'd do ...

Code:
$game = $db->escape_string($game);
$result['bet_result'] = $db->escape_string($result['bet_result']);
$result['home'] = $db->escape_string($result['home']);
$result['visitor'] = $db->escape_string($result['visitor']);
... before that query.

-- hugh
Reply With Quote
  #13  
Old 01-30-2008, 05:24 AM
Tyran1 Tyran1 is offline
 
Join Date: Jan 2007
Location: Deutsches Reich
Posts: 297
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by cheesegrits View Post
If it's an SQL injection problem, then it's probably these lines in EM2008.php:

Code:
				$sql = "INSERT INTO " . TABLE_PREFIX . "rth_em08_bets (user_id,em_game_number,bet_result,bet_home,bet_visitor) 
									VALUES (".$vbulletin->userinfo['userid'].",".$game.",".$result['bet_result'].",".$result['home'].",".$result['visitor'].")";
... where none of those variables being inserted have been cleaned properly.

At the very least, I'd do ...

Code:
$game = $db->escape_string($game);
$result['bet_result'] = $db->escape_string($result['bet_result']);
$result['home'] = $db->escape_string($result['home']);
$result['visitor'] = $db->escape_string($result['visitor']);
... before that query.

-- hugh
Many thank you!!!!! Sorry which I ask however was that everything?

--------------- Added [DATE]1201713109[/DATE] at [TIME]1201713109[/TIME] ---------------

One has me further to place called these obviously also a problem to explain...

Quote:
$vbulletin->input->clean_array_gpc('p', array(
'betgame' => TYPE_ARRAY,

[...]
$userbetcheck = $db->query_first("SELECT count(*) as anzahl FROM " . TABLE_PREFIX . "rth_em08_bets
WHERE user_id = ".$vbulletin->userinfo['userid']."
AND em_game_number = ".$game."");
and

Quote:
//phase?
$default_phase = ($em_now < $phase2_timestamp) ? 1 : 2;
$_GET['phase'] = (!empty($_GET['phase'])) ? $_GET['phase'] : $default_phase;
$show['phase'] = $_GET['phase'];
$phase_name = $vbphrase['EM2008_phase'.$_GET['phase']];
$_GET['phase'] = $phase_array[$_GET['phase']];
--------------- Added [DATE]1201713261[/DATE] at [TIME]1201713261[/TIME] ---------------

One wrote me: "Das are not no stringers, and/or should be. = > intval() or other method over to guarantee that it more integer sind"
Reply With Quote
  #14  
Old 01-30-2008, 03:20 PM
cheesegrits's Avatar
cheesegrits cheesegrits is offline
 
Join Date: May 2006
Posts: 500
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Yes, I just pointed out the obvious one. There is other work needs doing to proeprly sanitize your inputs.

Basically any user input you use in a query should be cleaned properly - that is, make sure it's been through the vbulletin GPC cleaner, and unless you have specific reasons not to, use escape_string.

And of course NEVER use $_GET, $_POST or $_REQUEST directly. Always run all input through the vbulletin GPC cleaner.

Suggest you read this excellent article:

https://vborg.vbsupport.ru/showthread.php?t=154411

-- hugh
Reply With Quote
  #15  
Old 02-02-2008, 04:36 PM
Tyran1 Tyran1 is offline
 
Join Date: Jan 2007
Location: Deutsches Reich
Posts: 297
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Thank you @all.

The Thread can Closed!
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 02:04 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.05059 seconds
  • Memory Usage 2,205KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (4)bbcode_code
  • (4)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (1)pagenav_pagelink
  • (5)post_thanks_box
  • (5)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (5)post_thanks_postbit_info
  • (5)postbit
  • (5)postbit_onlinestatus
  • (5)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete