Ravens PHP Scripts: Forums
woodb01
New Member



Joined: Jan 21, 2005
Posts: 14

PostPosted: Fri Apr 14, 2006 7:53 pm Reply with quote

Thanks to omega13a @ nukefixes.com for this reference:
[ Only registered users can see links on this board! Get registered or login! ]

That gave me some of the coding I needed to get this to work!

I modified it a bit to fit my needs, and to bypass the "die" back to index.php

IF YOU USE THIS MODIFICATION, YOU DO SO AT YOUR OWN RISK!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

mainfile.php modification to fix union injection by inserting an underscore in front of the word "union."

Whenever a post finds the word "union" it will be converted to "_union"


Code:


// Old Code that was Replaced near line 145
//   $postString = "";
//   foreach ($_POST as $postkey => $postvalue) {
//       if ($postString > "") {
//        $postString .= "&".$postkey."=".$postvalue;
//       } else {
//        $postString .= $postkey."=".$postvalue;
//       }
//   }
//   str_replace("%09", "%20", $postString);
//   $postString_64 = base64_decode($postString);
//   if (stripos_clone($postString,'%20union%20') OR stripos_clone($postString,'*/union/*') OR stripos_clone($postString,' union ') OR stripos_clone($postString_64,'%20union%20') OR stripos_clone($postString_64,'*/union/*') OR stripos_clone($postString_64,' union ') OR stripos_clone($postString_64,'+union+')) {
//   header("Location: index.php");
//   die();
//   }
//   End of old code replacement


//  Start Fix Union Injection Posting Bug

function convert_injection($string)
{
   $string = str_replace("U", "_U", $string);
   $string = str_replace("u", "_u", $string);
   return $string;
}

$postString = "";
foreach ($_POST as $postkey => $postvalue) {
   if ($postString > "") {
      $postString .= "&".$postkey."=".$postvalue;
   } else {
      $postString .= $postkey."=".$postvalue;
   }
}
$postString = str_replace("%09", "%20", $postString);
$postString_64 = base64_decode($postString);
if (stripos_clone($postString,'%20union%20') OR stripos_clone($postString,'*/union/*') OR stripos_clone($postString,' union ') OR stripos_clone($postString_64,'%20union%20') OR stripos_clone($postString_64,'*/union/*') OR stripos_clone($postString_64,' union ') OR stripos_clone($postString_64,'+union+')) {
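   foreach ($_POST as $postkey => $postvalue) {
      // The /e modifier was removed in PHP 7 (preg_replace then returns NULL), so use a callback (PHP 5.3+).
      $newvalue = preg_replace_callback('#union#i', function ($m) { return convert_injection($m[0]); }, $postvalue);
      $_POST[$postkey] = $newvalue;
      $HTTP_POST_VARS[$postkey] = $newvalue;
      $$postkey = $newvalue; // overwrites the global variable named by the POST key
   }
}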

// End Fix Union Injection Posting Bug


Hope this helps someone. There are other more elegant options I'm looking at, this one is a little crude but will work for now...

PLEASE NOTE that this solution will allow the word -union- to be inserted into the database. Also, if you do a preview first, and then a post of the message, it will add 2 underscores. Your input will look like this "__union"

When I get some more time I'll play with the offset so that it will only ever return one underscore. But for now, this allows me to post articles, content, and Forum posts with the word -union- and still prevents the injections.
 
montego
Site Admin



Joined: Aug 29, 2004
Posts: 9457
Location: Arizona

PostPosted: Sat Apr 15, 2006 4:03 pm Reply with quote

Hhhmmmm... not sure the implications of this. Will have to see...

woodb01







PostPosted: Sun Apr 16, 2006 10:53 pm Reply with quote

montego wrote:
Hhhmmmm... not sure the implications of this. Will have to see...


If the underscore can be bypassed, then what other special characters could be used?

Also, I may get around to formatting the "_" insertion with CSS to match the background. That way the inserted text or character doesn't even "appear" when reading an article or content or forum post.

~~~~~~~~~~~~~~~~~~~

I'd certainly be interested in your feedback. I need a solution that allows me to post the word, but also secures the site from this vulnerability.
 
technocrat
Life Cycles Becoming CPU Cycles



Joined: Jul 07, 2005
Posts: 511

PostPosted: Mon Apr 17, 2006 8:02 am Reply with quote

How about you just change it going in or out of DB. That's really the easiest way. Look for the word UNION and change the o to 0 going in and 0 to o going out.

woodb01







PostPosted: Fri Apr 21, 2006 7:24 am Reply with quote

Excellent Suggestion to replace the "O's" with zeroes...

Here's the modified code. And at some point in the future, again when I get more time, I may work on that write / read option. For now though replacing the O with a zero is a little better solution...

Below is a copy of the code with the zero substitution... I have tested it with my version 7.9.32 and it works fine. However, as always, use this change at your own risk and be SURE to test it before ever posting it to a production site.

Code:


// Old Code that was Replaced near line 145
//   $postString = "";
//   foreach ($_POST as $postkey => $postvalue) {
//       if ($postString > "") {
//        $postString .= "&".$postkey."=".$postvalue;
//       } else {
//        $postString .= $postkey."=".$postvalue;
//       }
//   }
//   str_replace("%09", "%20", $postString);
//   $postString_64 = base64_decode($postString);
//   if (stripos_clone($postString,'%20union%20') OR stripos_clone($postString,'*/union/*') OR stripos_clone($postString,' union ') OR stripos_clone($postString_64,'%20union%20') OR stripos_clone($postString_64,'*/union/*') OR stripos_clone($postString_64,' union ') OR stripos_clone($postString_64,'+union+')) {
//   header("Location: index.php");
//   die();
//   }
//   End of old code replacement


//  Start Fix Union Injection Posting Bug

function convert_injection($string)
{
   $string = str_replace("O", "0", $string);
   $string = str_replace("o", "0", $string);
   return $string;
}

$postString = "";
foreach ($_POST as $postkey => $postvalue) {
   if ($postString > "") {
      $postString .= "&".$postkey."=".$postvalue;
   } else {
      $postString .= $postkey."=".$postvalue;
   }
}
$postString = str_replace("%09", "%20", $postString);
$postString_64 = base64_decode($postString);
if (stripos_clone($postString,'%20union%20') OR stripos_clone($postString,'*/union/*') OR stripos_clone($postString,' union ') OR stripos_clone($postString_64,'%20union%20') OR stripos_clone($postString_64,'*/union/*') OR stripos_clone($postString_64,' union ') OR stripos_clone($postString_64,'+union+')) {
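   foreach ($_POST as $postkey => $postvalue) {
      // The /e modifier was removed in PHP 7 (preg_replace then returns NULL), so use a callback (PHP 5.3+).
      $newvalue = preg_replace_callback('#union#i', function ($m) { return convert_injection($m[0]); }, $postvalue);
      $_POST[$postkey] = $newvalue;
      $HTTP_POST_VARS[$postkey] = $newvalue;
      $$postkey = $newvalue; // overwrites the global variable named by the POST key
   }
}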

// End Fix Union Injection Posting Bug
 
danmih
New Member



Joined: Aug 02, 2006
Posts: 2

PostPosted: Sat Nov 24, 2007 12:10 am Reply with quote

Hi guys,
I haven't made the changes in the code, but I have added the word union in Word Censoring list and it is working fine.
Is there something wrong with my solution?
Thanks,
Daniel
 
Gremmie
Former Moderator in Good Standing



Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

PostPosted: Sat Nov 24, 2007 1:05 pm Reply with quote

This is a pretty old thread. What version/flavor of nuke are you running? For the best protection against this kind of thing, you need Nuke Sentinel.

The word censor list is only applied to things like news articles, comments, etc.

fkelly
Former Moderator in Good Standing



Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY

PostPosted: Sat Nov 24, 2007 2:49 pm Reply with quote

Like Gremmie said, this is old. In my area our local newspaper is named the Time Union. I was always running into users getting blocked for referencing it. That is stupid. Eventually that poststring was taken out of mainfile and concentrated in Sentinel, where it belongs. Union is a perfectly legitimate word except in a hacker's SQL string and our systems should allow it.
 
View user's profile Send private message Visit poster's website
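An added example, not part of any post in this thread and not PHP-Nuke or NukeSentinel code: it runs the ' union ' keyword test from the mainfile.php snippet over ordinary posts, then stores the same text through bound parameters, where the word stays data. The posts table, the function names and the in-memory SQLite database (pdo_sqlite, PHP 7.1+) are assumptions chosen so the script runs offline.

```php
<?php
// Added example. Table and function names are hypothetical; sample posts are constructed.

// Keyword check modelled on the ' union ' test in the mainfile.php snippet above.
function keyword_filter_blocks(string $text): bool
{
    return stripos($text, ' union ') !== false;
}

// Store a post and read it back using bound parameters only:
// the submitted text is never concatenated into the SQL statement.
function store_and_fetch(PDO $db, string $subject, string $body): array
{
    $ins = $db->prepare('INSERT INTO posts (subject, body) VALUES (:subject, :body)');
    $ins->execute([':subject' => $subject, ':body' => $body]);

    $sel = $db->prepare('SELECT subject, body FROM posts WHERE id = :id');
    $sel->execute([':id' => (int) $db->lastInsertId()]);
    return $sel->fetch(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, subject TEXT, body TEXT)');

// Constructed sample posts, all legitimate content.
$samples = [
    ['Local news',   'The Times Union ran the story today.'],
    ['SQL homework', 'Why does my query with UNION SELECT return duplicate rows?'],
    ['Quote test',   "It's a student union 'event'; bring friends"],
    ['Labor law',    'Unions are legal here.'],
];

foreach ($samples as [$subject, $body]) {
    $row = store_and_fetch($db, $subject, $body);
    printf(
        "%-13s filter=%-7s stored_verbatim=%s\n",
        $subject,
        keyword_filter_blocks($body) ? 'BLOCKED' : 'pass',
        $row['body'] === $body ? 'yes' : 'no'
    );
}

// Count the rows to confirm each post was stored as a single row of text.
echo 'rows: ', $db->query('SELECT COUNT(*) FROM posts')->fetchColumn(), "\n";
```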
All times are GMT - 6 Hours