| Author |
Message |
sean Site Admin
Joined: 14 Jul 2004 Posts: 917
|
Posted: Sat Sep 03, 2005 1:58 pm Post subject: Critical Security Update - myBloggie 2.1.2 & 2.1.3 beta |
|
|
Recently, it was brought to our attention that there is a security vulnerability in myBloggie 2.1.3 beta & prior. To address that problem, you are strongly advised to update your code immediately as per below to address this critical security issue.
Find these lines in login.php
[edit = Updated code to prevent exploit 06 Oct 2005]
| Code: | if (isset($_POST['username'])) {
$username=$_POST['username'];
} else $username="";
if (isset($_POST['passwd'])) {
$passwd = $_POST['passwd'];
} else $passwd = ""; |
Add this below
| Code: |
// Security precaution - sean 06 Oct 2005
$username = htmlspecialchars(rtrim(trim($username), "\\"));
$username = substr(str_replace("\\'", "'", $username), 0, 25);
$username = str_replace("'", "\\'", $username); |
Results after change
| Code: | if (isset($_POST['username'])) {
$username=$_POST['username'];
} else $username="";
if (isset($_POST['passwd'])) {
$passwd = $_POST['passwd'];
} else $passwd = "";
// Security precaution - sean 06 Oct 2005
$username = htmlspecialchars(rtrim(trim($username), "\\"));
$username = substr(str_replace("\\'", "'", $username), 0, 25);
$username = str_replace("'", "\\'", $username); |
Or you can download the patch file here.
Instruction: Download login.zip, unzip it, and upload it to the myBloggie root directory to replace login.php
Last edited by sean on Sat Jan 13, 2007 3:29 am; edited 3 times in total |
|
Roy_Pope Newbie
Joined: 06 Aug 2005 Posts: 14
|
Posted: Mon Sep 05, 2005 4:13 am Post subject: Didn't work for me |
|
|
I added the code to the login.php script exactly as it is given here. Now, all I get is a blank page instead of a login page.
Anyone know why this is?
Roy |
|
sean Site Admin
Joined: 14 Jul 2004 Posts: 917
|
Posted: Mon Sep 05, 2005 8:42 am Post subject: |
|
|
Please advise which version you are using...?
Do you have any non-alphanumeric characters in your username?
Please PM me if you need to provide any confidential info for me to check it out |
|
sean Site Admin
Joined: 14 Jul 2004 Posts: 917
|
Posted: Fri Sep 09, 2005 1:12 pm Post subject: |
|
|
If you would like your username to have spaces & other signs, please use this solution instead
// security precaution - sean 09 sept 2005
| Code: | if (isset($_POST['username'])) {
$username=$_POST['username'];
} else $username="";
if (isset($_POST['passwd'])) {
$passwd = $_POST['passwd'];
} else $passwd = "";
$username = htmlspecialchars(rtrim(trim($username), "\\"));
$username = substr(str_replace("\\'", "'", $username), 0, 25);
$username = str_replace("'", "\\'", $username); |
|
|
Roy_Pope Newbie
Joined: 06 Aug 2005 Posts: 14
|
Posted: Sun Sep 11, 2005 11:26 pm Post subject: |
|
|
| sean wrote: | Please advise which version you are using...?
Do you have any non-alphanumeric characters in your username? |
Hi, Sean. Using 2.1.3b and my username contains only alphacharacters and the underscore "_".
I used the last code you gave in this thread and it worked just fine.
Thanx,
Roy |
|
Redrock Newbie
Joined: 28 Sep 2005 Posts: 1
|
Posted: Wed Sep 28, 2005 5:54 am Post subject: |
|
|
OK, maybe I'm just tired or missing something LOL. I have 2.1.3 Beta and I'm trying to make it so we can use names such as yourname(webmaster), yourname(owner) and so forth, and I just don't seem to be able to get it to work. Here is my current code; can you show me how to fix it, please?
| Code: | <?
// Blog Script - File Name : login.php
// Copyright (C) myBloggie Sean
// http://www.mywebland.com , http://mybloggie.mywebland.com
// You are requested to retain this copyright notice in order to use
// this software.
//This program is free software; you can redistribute it and/or
//modify it under the terms of the GNU General Public License
//as published by the Free Software Foundation; either version 2
//of the License, or (at your option) any later version.
//This program is distributed in the hope that it will be useful,
//but WITHOUT ANY WARRANTY; without even the implied warranty of
//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
//GNU General Public License for more details.
//You should have received a copy of the GNU General Public License
//along with this program; if not, write to the Free Software
//Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
define('IN_MYBLOGGIE', true);
$mybloggie_root_path = './';
include_once($mybloggie_root_path.'config.php');
include_once($mybloggie_root_path.'includes/db.php');
include_once($mybloggie_root_path.'includes/template.php');
include_once($mybloggie_root_path.'includes/function.php');
include_once($mybloggie_root_path.'language/lang_eng.php');
$tabcolor='#efefef';
if (isset($_GET['mode'])) {
$mode = htmlspecialchars($_GET['mode']) ; }
if (isset($_POST['username'])) {
$username=$_POST['username'];
} else $username="";
if (isset($_POST['passwd'])) {
$passwd = $_POST['passwd'];
} else $passwd = "";
$username = htmlspecialchars(rtrim(trim($username), "\\"));
$username = substr(str_replace("\\'", "'", $username), 0, 25);
$username = str_replace("'", "\\'", $username);
// Security precaution - sean 03 sep 2005
if(ereg('[^A-Za-z0-9_]', $username)){
//redirecting the user if the username no alphanumeric to prevent
echo "<meta http-equiv=\"Refresh\" content=\"1;url=".self_url()."/oops.php\" />";
exit();
}
if( isset( $mode ) )
{
if( $mode == "login" )
{
$username = trim( $username );
$passwd = md5(trim( $passwd ));
if( $username == "" ) message( $lang['Error'] , $lang['Msg_enter_name'] );
if( $passwd == "" ) message($lang['Error'], $lang['Msg_enter_pass'] );
$result = mysql_query( "SELECT user FROM ".USER_TBL." WHERE user='$username'
AND password='$passwd'" ) or error( mysql_error() );
if( mysql_num_rows( $result ) != 1 ) {
?>
<head>
<title>myBloggie - Adminstrator Log In</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body bgcolor="#FFFFFF" topmargin="5" leftmargin="5" marginheight="5" marginwidth="5" ><center>
<!-- login.html ACTTIONFILE -->
<style>
.tdloginheader { font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
font-size: 10pt;
letter-spacing: 0.09em;
color: #000000;
text-align: center;
line-height: 24px;
vertical-align: middle;
height: 20px;
}
.formfont { font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
font-size: 11px;
}
input,textarea,select {
font-size: 11px;
font-family: Verdana;
height: 22px;
border-style: solid;
border-width: 1px;
border-color: #aaaaaa;
background: #f0f0f0;
border-width: 1px;
margin: 2px;
}
</style>
<br /><br /><center>
<table id="Table_01" width="400" border="0" cellpadding="0" cellspacing="0">
<tr>
<td>
<img src="templates/<? echo $style ?>/images/login_01.gif" width="24" height="37" alt=""></td>
<td>
<img src="templates/<? echo $style ?>/images/login_02.gif" width="351" height="37" alt=""></td>
<td>
<img src="templates/<? echo $style ?>/images/login_03.gif" width="25" height="37" alt=""></td>
</tr>
<tr>
<td background="templates/<? echo $style ?>/images/login_04.gif" width="24" height="300">
</td>
<td>
<center>
<table width="300" cellspacing="0" cellpadding="3" border="0">
<tr><td colspan="2" class="tdloginheader">Log In</td></tr>
<tr><td colspan=2></td></tr>
<tr><td colspan=2></td></tr>
<form method="post" action="<? echo $_SERVER['PHP_SELF'] ?>?mode=login">
<tr>
<td width='100' height='25' class="formfont"> User Name</td>
<td height='25'><input type='text' name='username' size='20' maxlength='50'></td>
</tr>
<tr>
<td width='100' height='25' class="formfont"> Password</td>
<td height='25'><input type='password' name='passwd' size='20' maxlength='32'></td>
</tr>
<tr>
<td width='100' height='25'></td>
<td height='25'><input type=submit value='Log In' name=submit></td>
</tr>
<tr><td colspan=2></td></tr>
</form>
</table>
</center>
</td>
<td background="templates/<? echo $style ?>/images/login_06.gif" width="25" height="300">
</td>
</tr>
<tr>
<td>
<img src="templates/<? echo $style ?>/images/login_07.gif" width="24" height="37" alt=""></td>
<td>
<a href="http://mywebland.com"><img src="templates/<? echo $style ?>/images/login_08.gif" width="351" height="37" alt="" border="0"></a></td>
<td>
<img src="templates/<? echo $style ?>/images/login_09.gif" width="25" height="37" alt=""></td>
</tr>
</table>
</center></body></html>
<?
}
?> |
Thanks in advance |
|
sean Site Admin
Joined: 14 Jul 2004 Posts: 917
|
Posted: Thu Oct 06, 2005 3:33 pm Post subject: |
|
|
Latest changes, to prevent exploit...........( 06 Oct 2005 )
Please replace this
| Code: | if (isset($_POST['username'])) {
$username=$_POST['username'];
} else $username="";
if (isset($_POST['passwd'])) {
$passwd = $_POST['passwd'];
} else $passwd = "";
// security precaution - sean 03 sept 2005
if(ereg('[^A-Za-z0-9_]', $username)){
//redirecting the user if the username no alphanumeric to prevent
echo "<meta http-equiv=\"Refresh\" content=\"1;url=".self_url()."/oops.php\" />";
exit();
} |
With this
| Code: | if (isset($_POST['username'])) {
$username=$_POST['username'];
} else $username="";
if (isset($_POST['passwd'])) {
$passwd = $_POST['passwd'];
} else $passwd = "";
$username = htmlspecialchars(rtrim(trim($username), "\\"));
$username = substr(str_replace("\\'", "'", $username), 0, 25);
$username = str_replace("'", "\\'", $username); |
|
|
my816797 Newbie
Joined: 26 Jul 2005 Posts: 45 Location: Amersfoort, Utrecht, Netherlands, Europe
|
Posted: Thu Oct 20, 2005 3:46 pm Post subject: |
|
|
| Isn't the [Stripslashes] function more efficient? |
|
lime_butterfly Newbie
Joined: 12 Nov 2005 Posts: 1
|
Posted: Sat Nov 12, 2005 1:26 pm Post subject: |
|
|
My Blog was hacked and it all ended up in a mess, now I'm using Wordpress
The Problem obviously is SQL-Code-Injection. To prevent this, the common method is to use the PHP-Function mysql_real_escape_string(). So why so complicated, if there is an easy way:
| Code: |
$result = mysql_query( "SELECT user FROM ".USER_TBL." WHERE user='".mysql_real_escape_string($username)."' AND password='".mysql_real_escape_string($passwd)."'" ) or error( mysql_error() );
|
It does it - I checked it! Everything else actually is a dirty method to fix the bug!
Isn't it known, that every SQL-Query has to be made Injection-Safe by using mysql_real_escape_string()? I have to admit, that I didn't check the Source of myBloggie before installing it - but now I'm disappointed, that the programmer didn't see this. So the next myBloggie-Update should escape every String given in a SQL-Query!
Unfortunately, I have customized myBloggie quite a lot to make it "fit" into my Home-Page (http://jeremy.deuel.ch/). So it isn't so easy for me to just update - because many source-files that just get replaced had to be changed - for instance to make the date-format customizable or to localize quite a lot of strings (Yes, there isn't only English on this world). Well anyway, myBloggie hasn't reached the Stable state yet, and there is a lot of work for you guys to be done! Thanks anyway for doing it, but you've lost me - I'm wordpress now |
|
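The login lookup discussed in this thread, written with bound parameters so that usernames containing spaces, parentheses or quotes need no character filter. This is an added example, not myBloggie code: it assumes PHP 7.1+ with PDO and an in-memory SQLite database, the table name `users` stands in for USER_TBL, and the sample accounts are constructed.

```php
<?php
// Added example, not myBloggie code. Table name `users` and the sample
// accounts are constructed; column names follow the query in login.php.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user TEXT PRIMARY KEY, password TEXT)');

// md5() mirrors the stored format used by the login.php shown in this
// thread; it is kept for comparison only.
$seed = $db->prepare('INSERT INTO users (user, password) VALUES (?, ?)');
foreach ([["yourname(webmaster)", 'pw-one'], ["o'brien", 'pw-two']] as [$u, $p]) {
    $seed->execute([$u, md5($p)]);
}

/**
 * Returns true only when exactly one row matches both bound values.
 */
function check_login(PDO $db, string $username, string $passwd): bool
{
    $username = substr(trim($username), 0, 25); // same length cap as the patch
    if ($username === '' || $passwd === '') {
        return false;
    }
    // Values travel separately from the SQL text, so quotes and
    // backslashes in them are compared as data, never parsed as SQL.
    $stmt = $db->prepare(
        'SELECT user FROM users WHERE user = :user AND password = :hash'
    );
    $stmt->execute([':user' => $username, ':hash' => md5(trim($passwd))]);
    return count($stmt->fetchAll(PDO::FETCH_COLUMN)) === 1;
}

// Constructed inputs: two valid logins, a wrong password, and a name whose
// quote is preceded by a literal backslash (no such account exists).
$cases = [
    ["yourname(webmaster)", 'pw-one'],
    ["o'brien", 'pw-two'],
    ["o'brien", 'wrong'],
    ["o\\'brien", 'pw-two'],
];
foreach ($cases as [$u, $p]) {
    printf("%-22s %s\n", $u, check_login($db, $u, $p) ? 'accepted' : 'rejected');
}
```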
SarahWayne Newbie
Joined: 28 May 2009 Posts: 1
|
Posted: Thu May 28, 2009 1:28 pm Post subject: |
|
|
Sorry for pulling up an old thread.
I just posted because I want everybody to know about MYSQL injection.
If you are using a wordpress blog and it was hacked, the cause of that is that your mysql database was injected with an anonymous code. Just a piece of advice. You should always use the new version. |
|
vanesssa99 Newbie
Joined: 10 Jun 2009 Posts: 1
|
Posted: Wed Jun 10, 2009 6:45 am Post subject: |
|
|
Thanks for your idea |
|
manola Newbie
Joined: 01 Jul 2009 Posts: 1
|
Posted: Wed Jul 01, 2009 7:53 am Post subject: |
|
|
To address that problem, you are strongly advised to update your code immediately as per below to address critical security issue. |
|