The Arcive of Official vBulletin Modifications Site.

Alternate fix to injection code in comments · **Released**: 02-28-2012

So, in another thread it was mentioned that the current fix may get the job done, its also filtering out good data. There must be some proper solution to handle incoming comment data securely. I thought I would start a discussion in regards to finding an alternate fix to the problem then the one currently available.

The problem: Users input data into comments that is executed and causes trouble.

Solution ideas: Escape incoming data so that it cannot execute? Allow only alphanumeric comment data and write the SQL statements so that they cannot be broken out?

I will be the first to admit I am not a professional coder, although I do write a lot of code myself. I haven't taken a long look at how the comments are currently handled, but plan to. Lets pool some ideas and help MrZeroPage come up with a more solid fix!

g7jgq · #22 03-08-2012, 07:40 PM

Quote:

Originally Posted by rpgamersnet

If you refer to this post: https://vborg.vbsupport.ru/showpost....91&postcount=5

The code I am asking about is the loop that removes all the SQL keywords from the comments. Most I'm sure won't come across in normal comments, but filtering out parts like "or" and "and" are going to catch and mess up standard comments, as given in the example on that post.

"I got the high score!" becomes "I got the high sce!"

"Got a great hand on the last round!" -> "Got a great h on the last round"

Some basic words will get filtered as well, not just the bad SQL data, which is why I suggested that maybe this fix is not the best solution. Code I am questioning is quoted here:

PHP Code:


			
function recursive_str_ireplace($replacethis,$withthis,$inthis)
{
    while (1==1)
    {
        $inthis = str_ireplace($replacethis,$withthis,$inthis);
        if(stristr($inthis, $replacethis) === FALSE)
        {
            RETURN $inthis;
        }
    }
    RETURN $inthis;
}

PHP Code:


			
 // remove any SQL-commands
    $sqlcomm[] = 'create';
    $sqlcomm[] = 'database';
    $sqlcomm[] = 'table';
    $sqlcomm[] = 'insert';
    $sqlcomm[] = 'update';
    $sqlcomm[] = 'rename';
    $sqlcomm[] = 'replace';
    $sqlcomm[] = 'select';
    $sqlcomm[] = 'handler';
    $sqlcomm[] = 'delete';
    $sqlcomm[] = 'truncate';
    $sqlcomm[] = 'drop';
    $sqlcomm[] = 'where';
    $sqlcomm[] = 'or';
    $sqlcomm[] = 'and';
    $sqlcomm[] = 'values';
    $sqlcomm[] = 'set';
    $sqlcomm[] = 'password';
    $sqlcomm[] = 'salt';
    $sqlcomm[] = 'concat';
    $sqlcomm[] = 'schema';
    $value = recursive_str_ireplace($sqlcomm, '', $value);

Some recent threads have started to appear complaining of errors appearing, this new code is also the source of those new problems; the new recursive_str_ireplace loop to replace these parts of the comment field.... and any other field being filtered by the ibp_cleansql function.

As I posted in another thread, before searching !!!!!!!!!! its also stripping the words out of game names which I suspect will break a lot of games.

When it gets the game name from the posted data

PHP Code:


			
$game_name = ibp_cleansql($_POST['gname']);

A game such as wordrace will end up as wdrace

For now I have just modified the replacement list as follows, its NOT a good fix but at least all of the games will submit scores now :-)

PHP Code:


			
    $sqlcomm[] = 'create ';
    $sqlcomm[] = 'database';
    $sqlcomm[] = 'table';
    $sqlcomm[] = 'insert';
    $sqlcomm[] = 'update ';
    $sqlcomm[] = 'rename';
    $sqlcomm[] = 'replace ';
    $sqlcomm[] = 'select ';
    $sqlcomm[] = 'handler';
    $sqlcomm[] = 'delete ';
    $sqlcomm[] = 'truncate ';
    $sqlcomm[] = 'drop ';
    $sqlcomm[] = ' where ';
    $sqlcomm[] = ' or ';
    $sqlcomm[] = ' and ';
    $sqlcomm[] = 'values';
    $sqlcomm[] = ' set ';
    $sqlcomm[] = 'password';
    $sqlcomm[] = 'salt';
    $sqlcomm[] = 'concat';
    $sqlcomm[] = 'schema';

I know that won't solve the problem in comments but we don't really use comments. I am going to look at an alternative fix for this over the weekend

Cheers

Alex

stangger5 · #23 03-09-2012, 01:13 AM

Quote:

Originally Posted by g7jgq

I know that won't solve the problem in comments but we don't really use comments. I am going to look at an alternative fix for this over the weekend

Cheers

Alex

Give this a try : https://vborg.vbsupport.ru/showpost....04&postcount=6

g7jgq · #24 03-09-2012, 12:04 PM

Quote:

Originally Posted by stangger5

Give this a try : https://vborg.vbsupport.ru/showpost....04&postcount=6

Thanks for that.

Looking at that code it will do the same thing, the problem is you cannot get rid of SQL command by simply doing replaces in the posted data.

Cheers

Alex

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.06512 seconds Memory Usage 2,267KB Queries Executed 20 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (4)bbcode_php (3)bbcode_quote (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)modsystem_post (1)navbar (6)navbar_link (120)option (1)pagenav (1)pagenav_curpage (2)pagenav_pagelink (4)post_thanks_box (4)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (4)post_thanks_postbit_info (3)postbit (4)postbit_onlinestatus (4)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_postinfo_query fetch_postinfo fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start pagenav_page pagenav_complete tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!