djGrrr | Post #1 | Group: Spoons | Posts: 1 | Joined: 7-January 06 | Member No.: 345,194
Hey everyone, I've found a bug in bittorrent.php, and nearly all TorrentBits based sites are vulnerable; even with the latest TBdev source the bug is still there. Look for:

CODE
function validip($ip)

The line below it is:

CODE
if (!empty($ip) && ip2long($ip)!=-1)

which must be replaced with:

CODE
if (!empty($ip) && $ip == long2ip(ip2long($ip)))

I have looked at this more, and it is not a tbsource bug for this ip2long thing; it's actually more of a PHP bug in the ip2long function, because it allows anything after a real IP and doesn't report an error (i.e. "127.0.0.1 abcdefg" doesn't produce an error), so I have edited the lines above to get around that bug. I won't tell how this can be exploited, but here's another little bug related to it that you might want to fix (even though after this fix it's not vulnerable). Look for:

CODE
function userlogin() {

then, within that function, the line:

CODE
mysql_query("UPDATE users SET last_access='" . get_date_time() . "', ip='$ip' WHERE id=" . $row["id"]);// or die(mysql_error());

replace with:

CODE
mysql_query("UPDATE users SET last_access='" . get_date_time() . "', ip=" . sqlesc($ip) . " WHERE id=" . $row["id"]);// or die(mysql_error());

Also, if you're using a getip() function similar to this one:

CODE
function getip() {
    if (isset($_SERVER)) {
        if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
            $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
        } elseif (isset($_SERVER['HTTP_CLIENT_IP'])) {
            $ip = $_SERVER['HTTP_CLIENT_IP'];
        } else {
            $ip = $_SERVER['REMOTE_ADDR'];
        }
    } else {
        if (getenv('HTTP_X_FORWARDED_FOR')) {
            $ip = getenv('HTTP_X_FORWARDED_FOR');
        } elseif (getenv('HTTP_CLIENT_IP')) {
            $ip = getenv('HTTP_CLIENT_IP');
        } else {
            $ip = getenv('REMOTE_ADDR');
        }
    }
    return $ip;
}

make sure it's checking everything against the validip function, or else you will have a security hole left there. The above function should look like this:

CODE
function getip() {
    if (isset($_SERVER)) {
        // only trust a client-supplied proxy header if it passes validip()
        if (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && validip($_SERVER['HTTP_X_FORWARDED_FOR'])) {
            $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
        } elseif (isset($_SERVER['HTTP_CLIENT_IP']) && validip($_SERVER['HTTP_CLIENT_IP'])) {
            $ip = $_SERVER['HTTP_CLIENT_IP'];
        } else {
            // REMOTE_ADDR is set by the web server, not by the client
            $ip = $_SERVER['REMOTE_ADDR'];
        }
    } else {
        if (getenv('HTTP_X_FORWARDED_FOR') && validip(getenv('HTTP_X_FORWARDED_FOR'))) {
            $ip = getenv('HTTP_X_FORWARDED_FOR');
        } elseif (getenv('HTTP_CLIENT_IP') && validip(getenv('HTTP_CLIENT_IP'))) {
            $ip = getenv('HTTP_CLIENT_IP');
        } else {
            $ip = getenv('REMOTE_ADDR');
        }
    }
    return $ip;
}
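The three fixes in this post (the round-trip IP check, the validip() guard in getip(), and keeping the IP out of the SQL text) as an added Python example; this is not code from the original post or from TBdev. It emulates the lenient ip2long() behaviour the post describes with a small constructed parser (current PHP versions reject such input, so the real function is not used), uses Python's ipaddress module for the round-trip check in place of long2ip(ip2long()), and binds the IP as a query parameter with sqlite3 where TBdev's sqlesc() would go. The request environments and the users table are constructed for the example.

```python
import ipaddress
import re
import sqlite3

# Constructed emulation of the lenient ip2long() behaviour the post describes:
# a leading dotted quad is accepted and anything after it is ignored, so
# "127.0.0.1 abcdefg" parses as 127.0.0.1. This is not PHP's implementation.
_LEADING_QUAD = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})")


def lenient_ip2long(ip):
    """Return the 32-bit value of the leading dotted quad, or None on failure."""
    m = _LEADING_QUAD.match(ip)
    if not m:
        return None
    octets = [int(o) for o in m.groups()]
    if any(o > 255 for o in octets):
        return None
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def validip_old(ip):
    """The original TBdev check: non-empty and ip2long() did not fail."""
    return bool(ip) and lenient_ip2long(ip) is not None


def validip_fixed(ip):
    """The post's fix as a round trip: the string must equal the canonical
    form of the address it parses to, so trailing junk, short forms such as
    "1.2.3" and leading zeros all fail."""
    if not ip:
        return False
    try:
        return str(ipaddress.IPv4Address(ip)) == ip
    except ValueError:
        return False


def getip(server):
    """Port of the corrected getip(): a client-supplied proxy header is used
    only if it passes the fixed validip; otherwise fall back to REMOTE_ADDR,
    which the web server sets from the TCP connection."""
    for header in ("HTTP_X_FORWARDED_FOR", "HTTP_CLIENT_IP"):
        value = server.get(header)
        if value and validip_fixed(value):
            return value
    return server["REMOTE_ADDR"]


def record_login(conn, user_id, ip):
    """Store the login IP with a parameterised query (the role sqlesc() plays
    in the post): the value is bound as data, never spliced into the SQL."""
    conn.execute("UPDATE users SET ip = ? WHERE id = ?", (ip, user_id))
    return conn.execute("SELECT ip FROM users WHERE id = ?", (user_id,)).fetchone()[0]


def demo():
    """Run the checks on constructed inputs and return the results."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, ip TEXT)")
    conn.execute("INSERT INTO users VALUES (1, '0.0.0.0'), (2, '0.0.0.0')")
    # Constructed request environments: one with a junk-laden forwarded
    # header, one with a well-formed one.
    junk = {"HTTP_X_FORWARDED_FOR": "127.0.0.1 abcdefg", "REMOTE_ADDR": "203.0.113.5"}
    clean = {"HTTP_X_FORWARDED_FOR": "198.51.100.7", "REMOTE_ADDR": "203.0.113.5"}
    # Second layer: even a value containing a quote is stored as plain text.
    stored = record_login(conn, 1, "198.51.100.7'")
    other = conn.execute("SELECT ip FROM users WHERE id = 2").fetchone()[0]
    return {
        "old_accepts_junk": validip_old(junk["HTTP_X_FORWARDED_FOR"]),
        "fixed_rejects_junk": not validip_fixed(junk["HTTP_X_FORWARDED_FOR"]),
        "ip_from_junk_request": getip(junk),
        "ip_from_clean_request": getip(clean),
        "stored": stored,
        "other_row_untouched": other,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The two layers are independent: getip() keeps a malformed header from ever becoming the login IP, and the parameterised update means that even if some other path hands the query an odd string, it is stored literally rather than interpreted as SQL.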
beeman | Post #2 | Group: Global Moderators | Posts: 1,012 | Joined: 13-January 04 | Member No.: 60,171
I suspect this would also affect ALL bytemonsoon based trackers (i.e. bytemonsoon, phptracker, torrenttrader (though not sure about the latest versions, as they have changed core), ipbtt, vbtt etc).
Jaggi | Post #3 | Group: BT Community Leaders | Posts: 449 | Joined: 11-August 04 | Member No.: 170,409
Not so sure with ipbtt, because it uses IPB's IP functions, which are more secure than this one, although the backend might be at risk if you can spoof it from your client somehow...
therehereyup | Post #4 | Group: Member | Posts: 58 | Joined: 25-June 04 | Member No.: 134,173
Thanks for the tip and solution.
Time is now: 18th August 2006 - 11:55 PM