SQL injection bug in TBsource and TBdev based sites

djGrrr | Jan 7 2006, 12:36 AM | Post #1
Chicken Noodle · Group: Spoons · Posts: 1 · Joined: 7-January 06 · Member No.: 345,194
Hey everyone, I've found a bug in bittorrent.php, and nearly all TorrentBits-based sites are vulnerable; even using the latest TBdev source, the bug is still there. Look for:

CODE
    function validip($ip)

The line below it is:

CODE
    if (!empty($ip) && ip2long($ip)!=-1)

which must be replaced with:

CODE
    if (!empty($ip) && $ip == long2ip(ip2long($ip)))

I have looked at this more, and this ip2long thing is not a TBsource bug; it's actually more of a PHP bug in the ip2long function, because it allows anything after a real IP and doesn't report an error (i.e. "127.0.0.1 abcdefg" doesn't produce an error), so I have edited the lines above to get around that bug.

I won't tell how this can be exploited, but here's another little bug related to it that you might want to fix (even though after the fix above it's not vulnerable). Look for:

CODE
    function userlogin() {

then, within that function, the line:

CODE
    mysql_query("UPDATE users SET last_access='" . get_date_time() . "', ip='$ip' WHERE id=" . $row["id"]);// or die(mysql_error());

replace with:

CODE
    mysql_query("UPDATE users SET last_access='" . get_date_time() . "', ip=".sqlesc($ip)." WHERE id=" . $row["id"]);// or die(mysql_error());

Also, if you're using a getip() function similar to this one:

CODE
    function getip() {
        if (isset($_SERVER)) {
            if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
                $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
            } elseif (isset($_SERVER['HTTP_CLIENT_IP'])) {
                $ip = $_SERVER['HTTP_CLIENT_IP'];
            } else {
                $ip = $_SERVER['REMOTE_ADDR'];
            }
        } else {
            if (getenv('HTTP_X_FORWARDED_FOR')) {
                $ip = getenv('HTTP_X_FORWARDED_FOR');
            } elseif (getenv('HTTP_CLIENT_IP')) {
                $ip = getenv('HTTP_CLIENT_IP');
            } else {
                $ip = getenv('REMOTE_ADDR');
            }
        }
        return $ip;
    }

make sure it's checking everything against the validip function, or else you will have a security hole left there. The above function should look like this:

CODE
    function getip() {
        if (isset($_SERVER)) {
            // forwarded headers come from the client, so only accept them if they validate
            if (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && validip($_SERVER['HTTP_X_FORWARDED_FOR'])) {
                $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
            } elseif (isset($_SERVER['HTTP_CLIENT_IP']) && validip($_SERVER['HTTP_CLIENT_IP'])) {
                $ip = $_SERVER['HTTP_CLIENT_IP'];
            } else {
                $ip = $_SERVER['REMOTE_ADDR'];
            }
        } else {
            if (getenv('HTTP_X_FORWARDED_FOR') && validip(getenv('HTTP_X_FORWARDED_FOR'))) {
                $ip = getenv('HTTP_X_FORWARDED_FOR');
            } elseif (getenv('HTTP_CLIENT_IP') && validip(getenv('HTTP_CLIENT_IP'))) {
                $ip = getenv('HTTP_CLIENT_IP');
            } else {
                $ip = getenv('REMOTE_ADDR');
            }
        }
        return $ip;
    }
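The three fixes in the post above (strict IP validation, validated forwarded headers, and keeping the IP out of the SQL text) as one runnable script. This is an added example, not code from TBDev, TBsource or the poster; it assumes PHP 7 or later with the pdo_sqlite extension, and uses an in-memory SQLite database in place of the tracker's MySQL. Current PHP versions already return false from ip2long() for input like "127.0.0.1 abcdefg", but the round-trip check shown here does not depend on how lenient the platform's address parser is, which is the point of the patch. The sample inputs, request array and users table are constructed for the demo.

```php
<?php
// Added example (not TBDev/TBsource code). Puts the weak check from the post
// beside the round-trip check, a validated getip(), and a parameterised UPDATE.
declare(strict_types=1);

// Unpatched check: accepts anything ip2long() can parse at all. Old PHP
// returned -1 on failure and, like inet_addr(), stopped parsing at whitespace,
// which is what let "127.0.0.1 abcdefg" through.
function validip_weak(string $ip): bool
{
    return !empty($ip) && ip2long($ip) != -1;
}

// Patched check: the string must survive a round trip through
// ip2long()/long2ip() unchanged, so only a canonical dotted quad passes.
// === is used so PHP never coerces the comparison to numeric.
function validip(string $ip): bool
{
    if ($ip === '') {
        return false;
    }
    $long = ip2long($ip);
    return $long !== false && long2ip($long) === $ip;
}

// Client address selection over a $_SERVER-shaped array. Forwarded headers are
// written by whoever sent the request, so each candidate must pass validip()
// before it is used; REMOTE_ADDR (set by the web server) is the fallback.
// A syntactically valid X-Forwarded-For can still be spoofed for ban evasion
// unless the request arrived through a proxy you control.
function getip(array $server): string
{
    foreach (['HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP'] as $header) {
        if (isset($server[$header]) && validip($server[$header])) {
            return $server[$header];
        }
    }
    return $server['REMOTE_ADDR'];
}

// Shape of the unpatched userlogin() statement: $ip is interpolated into the
// query text, so a value that slipped past validation is parsed as SQL.
function last_access_sql_vulnerable(string $ip, int $id): string
{
    return "UPDATE users SET last_access=datetime('now'), ip='$ip' WHERE id=$id";
}

// Hardened form: a bound parameter keeps $ip as data whatever it contains.
// The post's sqlesc() gets a similar effect by escaping and quoting the value;
// a bound parameter does not depend on the escaping matching the connection.
function update_last_access(PDO $db, string $ip, int $id): bool
{
    $stmt = $db->prepare("UPDATE users SET last_access=datetime('now'), ip=? WHERE id=?");
    return $stmt->execute([$ip, $id]);
}

// Constructed demo data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, last_access TEXT, ip TEXT)");
$db->exec("INSERT INTO users (id, ip) VALUES (1, '10.0.0.1')");

// Constructed inputs: only the first one survives the round-trip check.
$samples = ['127.0.0.1', '127.0.0.1 abcdefg', '127.1', '127.0.0.01', "127.0.0.1 '", '256.1.1.1', ''];
foreach ($samples as $s) {
    printf("%-22s validip=%s\n", var_export($s, true), validip($s) ? 'yes' : 'no');
}

// Constructed request with a garbage forwarded header: getip() falls back to REMOTE_ADDR.
$server = ['HTTP_X_FORWARDED_FOR' => '127.0.0.1 abcdefg', 'REMOTE_ADDR' => '203.0.113.5'];
echo "getip() chose: " . getip($server) . "\n";

// How the unpatched query embeds the raw value versus what the bound parameter stores.
echo "unpatched query text: " . last_access_sql_vulnerable('127.0.0.1 abcdefg', 1) . "\n";
update_last_access($db, '127.0.0.1 abcdefg', 1);
echo "stored ip via bound parameter: " . $db->query("SELECT ip FROM users WHERE id=1")->fetchColumn() . "\n";
```

The last two lines are the defence-in-depth point: validation stops bad values at the edge, and the prepared statement means that even a value which bypasses validation is stored as an opaque string rather than interpreted by the database.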
beeman | Jan 7 2006, 03:34 AM | Post #2
kiss my stinger · Group: Global Moderators · Posts: 1,012 · Joined: 13-January 04 · Member No.: 60,171

I suspect this would also affect ALL ByteMonsoon-based trackers (i.e. bytemonsoon, phptracker, torrenttrader (though not sure about the latest versions, as they have changed core), ipbtt, vbtt, etc.).

--------------------
beeman. Need a tracker? Visit the ALL NEW beehive v2 list of public trackers. Got a tracker to add to the list? Click HERE. Pop along to thebeehive forums for a chat or just to help us improve the site. http://forums.thebeehive.info/
Jaggi | Jan 7 2006, 08:58 PM | Post #3
Spam Soup · Group: BT Community Leaders · Posts: 449 · Joined: 11-August 04 · Member No.: 170,409

Not so sure with ipbtt, 'cause it uses IPB's IP functions, which are more secure than this one, although the backend might be at risk if you can spoof it from your client somehow...

--------------------
CODE9 ADMIN. Check out Code9-Group.net for the best stuff around, NOW running my IPBTracker (only IPB forum with a passkey system), membership now open. IPBTracker currently in beta stage development.
therehereyup | Mar 5 2006, 01:32 AM | Post #4
Tomato · Group: Member · Posts: 58 · Joined: 25-June 04 · Member No.: 134,173

Thanks for the tip and solution.

--------------------
Mac Discussion and Torrent Site, BS. For more info: hxxp://s12.invisionfree.com/brokenstones/
Time is now: 18th August 2006 - 11:55 PM