Major Security Alert Via PHPizabi . NET


blackbook
05-30-2007, 02:35 PM
Critical Security Update / HFP3

Security Response,
Posted by Reality, 125 words

May 30th, 2007
A hack attempt against the PHPizabi demo website revealed a serious security issue in some of the PHPizabi upload handlers. All site administrators running PHPizabi 8th Generation (any version) are STRONGLY suggested to install the security update AS SOON AS POSSIBLE.

Please download the PHPizabi HFP3 package from PHPizabi . NET

blackbook
05-30-2007, 02:37 PM
This is NOT the fix for the other MAJOR SECURITY ALERT posted

MacNTrix
05-30-2007, 03:12 PM
Thanks for the heads up! Downloaded and installed.

Though, this is a little silly... To include a .htaccess with 3 IP denials:
deny from 194.169
deny from 88.198.14
deny from 64.34.177

Most likely, the attacker used a proxy server (which are a dime a dozen)
You could actually be blocking legit clientèle by adding these octets.

Bear in mind I didn't do a reverse DNS or anything to see who they belonged to, but I wouldn't think this to be part of the solution to the problem.

Trail_Monsters
05-30-2007, 03:24 PM
If you've modded your site, here are the line by line changes to the affected files:

In index.php

Look for:

$GLOBALS["SYSTEM_VERSION"] = "PHPizabi v0.848b C1 HFP2";

Replace with:

$GLOBALS["SYSTEM_VERSION"] = "PHPizabi v0.848b C1 HFP3";

Save and upload back to server.


In Modules>Events>create.php

Look for:

if (is_uploaded_file($_FILES["file"]["tmp_name"])) {

Replace with:

if (
is_uploaded_file($_FILES["file"]["tmp_name"])
and preg_match('/\\.jpg$|\\.jpeg$|\\.gif$|\\.png$/i', basename($_FILES["file"]["name"]))
) {

Save and upload back to server.


In Modules>Pictures>upload.php

Look for:

if (is_uploaded_file($_FILES["file"]["tmp_name"])) {

Replace with:


if (
is_uploaded_file($_FILES["file"]["tmp_name"])
and preg_match('/\\.jpg$|\\.jpeg$|\\.gif$|\\.png$/i', basename($_FILES["file"]["name"]))
) {

Save and upload back to server.


In Modules>Interact>file.php

Look for:

if (is_uploaded_file($_FILES["file"]["tmp_name"])) {

Replace with:

if (
is_uploaded_file($_FILES["file"]["tmp_name"])
and preg_match('/\\.jpg$|\\.jpeg$|\\.gif$|\\.png$|\\.zip$|\\.tar$/i', basename($_FILES["file"]["name"]))
) {

Save and upload back to server.
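The HFP3 change above only looks at the extension of the name the client sent. The block below is an added example, not PHPizabi code and not posted in this thread: it wraps the HFP3 condition in a function and puts a stricter check beside it that anchors the pattern at the real end of the string, parses the uploaded bytes, and discards the client's name when storing. The function names, the `IMAGE_TYPES` table and the sample file names are assumptions made for the example.

```php
<?php
// Added example, not PHPizabi code. It wraps the HFP3 condition from the
// thread in a function and puts a stricter upload check beside it. All
// function and constant names here are hypothetical.

declare(strict_types=1);

// The HFP3 condition as posted: an extension allowlist on the client-supplied
// name. Modules/Interact/file.php additionally allows .zip and .tar.
function hfp3_name_allowed(string $clientName, bool $allowArchives = false): bool
{
    $pattern = $allowArchives
        ? '/\.jpg$|\.jpeg$|\.gif$|\.png$|\.zip$|\.tar$/i'
        : '/\.jpg$|\.jpeg$|\.gif$|\.png$/i';
    return preg_match($pattern, basename($clientName)) === 1;
}

// Stricter name check: \z instead of $ (which also matches before a trailing
// newline), a bounded character set, and the extension as the final segment.
function strict_name_allowed(string $clientName): bool
{
    return preg_match('/\A[\w.-]{1,100}\.(jpe?g|gif|png)\z/i', basename($clientName)) === 1;
}

// Image types accepted by the content check, mapped to the extension the
// server will use when storing the file.
const IMAGE_TYPES = [
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_PNG  => 'png',
];

// Full check for one entry of $_FILES. Returns a server-generated file name
// to store under, or null if the upload must be rejected. Must run inside a
// real request: is_uploaded_file() only succeeds for files PHP received.
function validate_image_upload(array $file): ?string
{
    if (!isset($file['tmp_name'], $file['name'], $file['error'])
        || $file['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    if (!strict_name_allowed((string) $file['name'])) {
        return null;
    }
    // The bytes must parse as one of the allowed image formats; the client's
    // extension is not trusted to say what the file is.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(IMAGE_TYPES[$info[2]])) {
        return null;
    }
    // Discard the client's name entirely; the extension comes from the parsed type.
    return bin2hex(random_bytes(16)) . '.' . IMAGE_TYPES[$info[2]];
}

// Constructed names showing where the two name checks differ.
foreach (["photo.jpg", "shell.php", "shell.php.jpg", "photo.jpg\n"] as $name) {
    printf("%-18s hfp3=%-5s strict=%s\n",
        json_encode($name),
        var_export(hfp3_name_allowed($name), true),
        var_export(strict_name_allowed($name), true));
}
```

Two of the constructed names show why the extra checks are there. A name ending in a newline passes the HFP3 pattern, because `$` in PCRE also matches just before a final newline, and fails the `\z` version. `shell.php.jpg` passes both name checks, which is why the stored name is generated on the server and the bytes are parsed: on Apache hosts where PHP is mapped with `AddHandler` on `.php`, mod_mime honours every dotted segment of a file name, so a stored `shell.php.jpg` would otherwise run as PHP.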

Damn Paterfamilias
05-30-2007, 03:25 PM
Great. Thanks TrailFinder! :D :D

MacNTrix
05-30-2007, 03:26 PM
Hehe.. looks like Trail_Monsters is all over it. ;)

Ryan
05-30-2007, 03:38 PM
Claude's a fag. It appears that one of the IP pools that is blocked in that .htaccess belongs to the IP pool I'm using. I've been banned from the izabi sites for awhile now. :)

Trail_Monsters
05-30-2007, 03:41 PM
Never mind. Thanks TrailFinder! :D :D

BB has his "come up with a logo for .com" going.

I have a "how many different names can I be called by" going.

Good one Cuddy! lol ;)

Damn Paterfamilias
05-30-2007, 03:51 PM
BB has his "come up with a logo for .com" going.

I have a "how many different names can I be called by" going.

Good one Cuddy! lol ;)


Lol it will be made a point from here Trail_Roaster!

Damn Paterfamilias
05-30-2007, 05:04 PM
One step further for the fix

In your INDEX.PHP Find...

// SQL INJECTIONS / XSS HACKS PROTECTION //////////////////////////////////////////////


Replace everything up to

// SELF USER DATA PREPARATION CALL ////////////////////////////////////////////////////


with this....


$entities = array(";"=>";", "\""=>"&quot;", "'"=>"'", "<"=>"&lt;", ">"=>"&gt;", "\\"=>"\", "^"=>"^");

if (isset($_POST)) foreach($_POST as $var => $val)
if (!is_array($val) and substr($var, 0, 1) != "_")
$_POST[$var] = trim(strtr(stripslashes($val), $entities));

if (isset($_GET)) foreach($_GET as $var => $val)
if (!is_array($val) and substr($var, 0, 1) != "_")
$_GET[$var] = trim(strtr(stripslashes($val), $entities));

unset ($var, $val, $entities);


So it should look like this when you're done...


// SQL INJECTIONS / XSS HACKS PROTECTION //////////////////////////////////////////////
$entities = array(";"=>";", "\""=>"&quot;", "'"=>"'", "<"=>"&lt;", ">"=>"&gt;", "\\"=>"\", "^"=>"^");

if (isset($_POST)) foreach($_POST as $var => $val)
if (!is_array($val) and substr($var, 0, 1) != "_")
$_POST[$var] = trim(strtr(stripslashes($val), $entities));

if (isset($_GET)) foreach($_GET as $var => $val)
if (!is_array($val) and substr($var, 0, 1) != "_")
$_GET[$var] = trim(strtr(stripslashes($val), $entities));

unset ($var, $val, $entities);

// SELF USER DATA PREPARATION CALL ////////////////////////////////////////////////////


A little extra.

blue2007
05-30-2007, 05:19 PM
thanks, but I can't find this code:

Look for:

$val2 = $_POST[$var];
$_POST[$var] = preg_replace('/\\b'.file_get_contents("badwords.txt").'\\b/i', '-beep-', $val2);
}
}
}

and also this code was already replaced in my index.php

if (isset($_POST)) foreach($_POST as $var => $val)
if (!is_array($val) and substr($var, 0, 1) != "_")

yaiR
05-30-2007, 05:27 PM
problem:

Parse error: syntax error, unexpected T_STRING, expecting ')' in /home/XXX/domains/XXX.XXX/public_html/index.php on line 289

MacNTrix
05-30-2007, 05:36 PM
yeah.. same parse error for me as well. trying to determine what it is..

twan
05-30-2007, 05:38 PM
Be careful when copy pasting:

$entities = array(";"=>";", "\""=>"&quot;", "'"=>"'", "<"=>"&lt;", ">"=>"&gt;", "\\"=>"\", "^"=>"^");


Should be converted to their entities:

$entities = array(";"=>"& #059;", "\""=>"& quot;", "'"=>"& #039;", "<"=>"& lt;", ">"=>"& gt;", "\\"=>"& #092;", "^"=>"& #094;");


Without the spaces after the & sign... ;)

PS: that's also the problem: "\\"=>"\", double quote gets escaped

yaiR
05-30-2007, 05:47 PM
I didn't really understand what I need to use (the first one doesn't work; it says the same error as before, but the unexpected thing is "]" or "[". I changed it quickly).

Trail_Monsters
05-30-2007, 05:47 PM
thanks, but I can't find this code:

Look for:

$val2 = $_POST[$var];
$_POST[$var] = preg_replace('/\\b'.file_get_contents("badwords.txt").'\\b/i', '-beep-', $val2);
}
}
}


Disregard all changes to index.php except for:

Look for:

$GLOBALS["SYSTEM_VERSION"] = "PHPizabi v0.848b C1 HFP2";

Replace with:

$GLOBALS["SYSTEM_VERSION"] = "PHPizabi v0.848b C1 HFP3";

The other changes were part of my profanity filter.

Sorry.

Angel4Yeshua
05-30-2007, 06:18 PM
I need to do this with mine as well since I just downloaded the core file.

blue2007
05-30-2007, 06:21 PM
Disregard all changes to index.php except for:

Look for:

$GLOBALS["SYSTEM_VERSION"] = "PHPizabi v0.848b C1 HFP2";

Replace with:

$GLOBALS["SYSTEM_VERSION"] = "PHPizabi v0.848b C1 HFP3";

The other changes were part of my profanity filter.

Sorry.

thanks again

Damn Paterfamilias
05-30-2007, 08:46 PM
I took it right out of my working file, so sorry if it's not working for anyone else; that's strange, as I had this security added when I first opened the site. But you should make these changes to your index.php. The HFP3 was not the only thing updated there, and if you don't have a profanity filter, skip that step.

Angel4Yeshua
05-30-2007, 11:41 PM
I need to do this with mine as well since I just downloaded the core file.

What I meant to say was Do I need to do this too.

Damn Paterfamilias
05-30-2007, 11:44 PM
Yes, I don't think any of the core files have either HFP2 or HFP3, but I may be wrong.

Angel4Yeshua
05-31-2007, 12:12 AM
My site has not been built yet with any mods or anything but I did the download to be safe.

Do I need to add all those things into my files or not?

Damn Paterfamilias
05-31-2007, 12:41 AM
Right, if you downloaded only the core and fresh installed it, you should also download the hotfixes HFP2 and HFP3 and patch these in also. Then you do not need to make these changes here, as you will have it all current with the hotfix patches. These instructions are for people with pre-modded PHP files.

Sorry for the confusion.

rogerbr9999
05-31-2007, 08:20 AM
.................. edit

rogerbr9999
05-31-2007, 08:23 AM
I'm lost ...
Do I need to make this change in index.php?

$entities = array(";"=>"& #059;", "\""=>"& quot;", "'"=>"& #039;", "<"=>"& lt;", ">"=>"& gt;", "\\"=>"& #092;", "^"=>"& #094;");

Trail_Monsters
05-31-2007, 09:04 AM
I'm lost ...
Do I need to make this change in index.php?

$entities = array(";"=>"& #059;", "\""=>"& quot;", "'"=>"& #039;", "<"=>"& lt;", ">"=>"& gt;", "\\"=>"& #092;", "^"=>"& #094;");

In index.php, look for:

// SQL INJECTIONS / XSS HACKS PROTECTION //////////////////////////////////////////////

and replace everything, including:

// SELF USER DATA PREPARATION CALL ////////////////////////////////////////////////////

with the following:


// SQL INJECTIONS / XSS HACKS PROTECTION //////////////////////////////////////////////
// entity strings as they must appear in the file: no space after the & sign
$entities = array(";"=>"&#059;", "\""=>"&quot;", "'"=>"&#039;", "<"=>"&lt;", ">"=>"&gt;", "\\"=>"&#092;", "^"=>"&#094;");

if (isset($_POST)) foreach($_POST as $var => $val)
if (!is_array($val) and substr($var, 0, 1) != "_")
$_POST[$var] = trim(strtr(stripslashes($val), $entities));

if (isset($_GET)) foreach($_GET as $var => $val)
if (!is_array($val) and substr($var, 0, 1) != "_")
$_GET[$var] = trim(strtr(stripslashes($val), $entities));

unset ($var, $val, $entities);

// SELF USER DATA PREPARATION CALL ////////////////////////////////////////////////////
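The index.php block posted by Damn Paterfamilias and corrected above rewrites every scalar value in $_GET and $_POST before the application sees it. The block below is an added example, not PHPizabi code and not from this thread: it reimplements that loop as a function so its effect on sample input can be seen, then shows the approach it stands in for, encoding at output and binding parameters at query time. The function names, the sample inputs and the use of an in-memory SQLite database through PDO (which assumes the pdo_sqlite extension) are assumptions made for the example.

```php
<?php
// Added example, not PHPizabi code. Reimplements the index.php filter from the
// thread as a function, runs it over constructed input, and shows
// output encoding plus prepared statements as the alternative that does not
// depend on mangling $_GET and $_POST. Names and inputs are hypothetical.

declare(strict_types=1);

// The thread's $entities table, with the real entity strings (no space after &).
const PHPIZABI_ENTITIES = [
    ';'  => '&#059;',
    '"'  => '&quot;',
    "'"  => '&#039;',
    '<'  => '&lt;',
    '>'  => '&gt;',
    '\\' => '&#092;',
    '^'  => '&#094;',
];

// The transformation the index.php loop applies to one request value.
// stripslashes() assumes magic_quotes_gpc added the slashes; with it off, a
// legitimate backslash is simply removed here.
function phpizabi_filter(string $val): string
{
    return trim(strtr(stripslashes($val), PHPIZABI_ENTITIES));
}

// Same iteration rule as the loop: scalars only, keys starting with "_" skipped.
function phpizabi_filter_request(array $req): array
{
    foreach ($req as $var => $val) {
        if (!is_array($val) && substr((string) $var, 0, 1) !== '_') {
            $req[$var] = phpizabi_filter((string) $val);
        }
    }
    return $req;
}

// Constructed request values.
$samples = [
    'xss'     => '<script>alert(1)</script>',
    'quoted'  => "' OR '1'='1",
    'numeric' => '1 OR 1=1',        // no quotes to rewrite: passes through untouched
    '_raw'    => '<b>skipped</b>',  // leading underscore: never filtered
    'nested'  => ['<b>' => 'x'],    // arrays are skipped entirely
];
print_r(phpizabi_filter_request($samples));

// What the filter is standing in for, part 1: encode when writing HTML.
function render(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Part 2: bind user input as a value, never splice it into the SQL text.
function find_user(PDO $db, string $untrustedId): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $untrustedId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");

// Bound as a value, "1 OR 1=1" is compared against the id column as data and
// matches no row, while a plain "1" matches alice.
print_r(find_user($db, '1 OR 1=1'));
print_r(find_user($db, '1'));
echo render("' OR '1'='1"), "\n";
```

The filtered `numeric` sample is the point to notice: the entity table only touches the seven listed characters, so input destined for an unquoted numeric context in a query is passed through unchanged, and the `_raw` key is never filtered at all. A prepared statement makes the query correct regardless of what the value contains, and `htmlspecialchars()` at the point of output covers the HTML case without altering stored data.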

Angel4Yeshua
05-31-2007, 01:11 PM
Right, if you downloaded only the core and fresh installed it, you should also download the hotfixes HFP2 and HFP3 and patch these in also. Then you do not need to make these changes here, as you will have it all current with the hotfix patches. These instructions are for people with pre-modded PHP files.

Sorry for the confusion.

No problem at all. I did add the HFP3 fix. But I did not see the HFP2 fix on there at all.

majors
06-08-2007, 01:23 AM
// SQL INJECTIONS / XSS HACKS PROTECTION //////////////////////////////////////////////


Are you sure this is in index.php? It's not here in my index.php.

Trail_Monsters
06-08-2007, 05:51 AM
// SQL INJECTIONS / XSS HACKS PROTECTION //////////////////////////////////////////////


Are you sure this is in index.php? It's not here in my index.php.

Make sure you're looking at the index.php in your root and that you've previously installed HFP1, HFP2, and HFP3 (in order).
