Critical Security Update - myBloggie 2.1.2 & 2.1.3 beta

 
sean
Site Admin


Joined: 14 Jul 2004
Posts: 671

PostPosted: Sat Sep 03, 2005 1:58 pm    Post subject: Critical Security Update - myBloggie 2.1.2 & 2.1.3 beta

Recently, it was brought to our attention that there is a security vulnerability in myBloggie 2.1.3 beta and prior versions. To address that problem, you are strongly advised to update your code immediately as shown below to address this critical security issue.

Find these lines in login.php

[edit = Updated code to prevent exploit 06 Oct 2005]

Code:
if (isset($_POST['username'])) {
$username=$_POST['username'];
} else $username="";


if (isset($_POST['passwd'])) {
$passwd = $_POST['passwd'];
} else  $passwd = "";


Add this below
Code:

// Security precaution - sean 06 Oct 2005
$username = htmlspecialchars(rtrim(trim($username), "\\"));
$username = substr(str_replace("\\'", "'", $username), 0, 25);
$username = str_replace("'", "\\'", $username);



Results after change

Code:
if (isset($_POST['username'])) {
$username=$_POST['username'];
} else $username="";


if (isset($_POST['passwd'])) {
$passwd = $_POST['passwd'];
} else  $passwd = "";

// Security precaution - sean 06 Oct 2005
$username = htmlspecialchars(rtrim(trim($username), "\\"));
$username = substr(str_replace("\\'", "'", $username), 0, 25);
$username = str_replace("'", "\\'", $username);


or you can download the patch file here

Instructions: Download login.zip, unzip it, and upload it to the myBloggie root directory to replace login.php


Last edited by sean on Thu Oct 06, 2005 3:39 pm; edited 2 times in total
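To make the effect of the precaution above visible, here is an added example (not myBloggie's code and not from this thread's author) that wraps the three-line username precaution in a function, puts the earlier 03 Sep 2005 whitelist check beside it (written with preg_match(), since ereg() no longer exists in PHP 7+), and runs both over a few constructed inputs. It passes ENT_COMPAT to htmlspecialchars() explicitly: that matches the 2005-era default, which leaves single quotes alone, whereas PHP 8.1+ defaults to ENT_QUOTES and would convert the quote to &#039; before the str_replace() lines ever see it. The function names and sample inputs are assumptions made for this example.

```php
<?php
// Added example, not myBloggie's own code: the username precaution from this
// thread as a function, next to the earlier whitelist check, run over
// constructed inputs so the effect of each step is visible.

// Sean's three-line precaution, wrapped in a function. ENT_COMPAT is passed
// explicitly to get the 2005-era htmlspecialchars() behaviour (single quotes
// untouched) on every PHP version; PHP 8.1+ would otherwise use ENT_QUOTES.
function sanitize_username(string $raw): string
{
    // 1. trim whitespace, then strip trailing backslashes so the name cannot
    //    end with an escape character that would swallow the closing quote
    //    of the SQL string literal; then HTML-encode & < > "
    $u = htmlspecialchars(rtrim(trim($raw), "\\"), ENT_COMPAT);

    // 2. collapse an already-escaped quote (\') back to a plain quote so it is
    //    not escaped twice below (magic_quotes_gpc, on by default in PHP of
    //    that era, added such escaping), then cap the length at 25 characters
    $u = substr(str_replace("\\'", "'", $u), 0, 25);

    // 3. escape every remaining single quote so it cannot close the literal
    return str_replace("'", "\\'", $u);
}

// The 03 Sep 2005 whitelist check, written with preg_match() because ereg()
// was removed in PHP 7. Returns true when the name contains anything other
// than letters, digits and underscore (the case that sent users to oops.php
// and that rejected names such as yourname(webmaster) in this thread).
function has_disallowed_chars(string $username): bool
{
    return preg_match('/[^A-Za-z0-9_]/', $username) === 1;
}

// Constructed sample inputs (not taken from the thread).
$samples = [
    'sean',
    '  roy_pope  ',         // surrounding whitespace
    "o'brien",              // single quote inside the name
    "webmaster\\",          // trailing backslash
    'yourname(webmaster)',  // parentheses, as asked about later in the thread
    str_repeat('x', 30),    // longer than the 25-character cap
];

foreach ($samples as $raw) {
    $clean = sanitize_username($raw);
    // The whitelist is applied to the sanitized value, the order used in the
    // login.php version posted in this thread.
    printf(
        "%-32s -> [%s]  whitelist rejects: %s\n",
        '[' . $raw . ']',
        $clean,
        has_disallowed_chars($clean) ? 'yes' : 'no'
    );
}
```

Running it shows why the two approaches were at odds in this thread: the whitelist rejects every sanitized name that still contains a space, quote, backslash or parenthesis, while the str_replace() version lets such names through by escaping the quote instead. Note that step 1 also HTML-encodes & < > and ", so a username containing those characters is stored and compared in encoded form.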
Roy_Pope
Newbie


Joined: 06 Aug 2005
Posts: 14

PostPosted: Mon Sep 05, 2005 4:13 am    Post subject: Didn't work for me

I added the code to the login.php script exactly as it is given here. Now, all I get is a blank page instead of a login page.

Anyone know why this is?

Roy
sean
Site Admin


Joined: 14 Jul 2004
Posts: 671

PostPosted: Mon Sep 05, 2005 8:42 am    Post subject:

Please advise which version you are using.

Do you have any non-alphanumeric characters in your username?

Please PM me if you need to provide any confidential info for me to check it out
sean
Site Admin


Joined: 14 Jul 2004
Posts: 671

PostPosted: Fri Sep 09, 2005 1:12 pm    Post subject:

If you would like your username to contain spaces and other symbols, please use this solution instead

// security precaution - sean 09 sept 2005

Code:
if (isset($_POST['username'])) {
$username=$_POST['username'];
} else $username="";


if (isset($_POST['passwd'])) {
$passwd = $_POST['passwd'];
} else  $passwd = "";

$username = htmlspecialchars(rtrim(trim($username), "\\"));
$username = substr(str_replace("\\'", "'", $username), 0, 25);
$username = str_replace("'", "\\'", $username);
Roy_Pope
Newbie


Joined: 06 Aug 2005
Posts: 14

PostPosted: Sun Sep 11, 2005 11:26 pm    Post subject:

sean wrote:
Please advise which version you are using.

Do you have any non-alphanumeric characters in your username?


Hi, Sean. Using 2.1.3b, and my username contains only alphabetic characters and the underscore "_".

I used the last code you gave in this thread and it worked just fine.

Thanx,
Roy
Redrock
Newbie


Joined: 28 Sep 2005
Posts: 1

PostPosted: Wed Sep 28, 2005 5:54 am    Post subject:

OK, maybe I'm just tired or missing something, LOL. I have 2.1.3 Beta and I'm trying to make it so we can use names such as yourname(webmaster), yourname(owner) and so forth, and I just don't seem to be able to get it to work. Here is my current code; can you show me how to fix it, please?
Code:
<?

// Blog Script - File Name : login.php
// Copyright (C) myBloggie Sean
// http://www.mywebland.com , http://mybloggie.mywebland.com

// You are requested to retain this copyright notice in order to use
// this software.

//This program is free software; you can redistribute it and/or
//modify it under the terms of the GNU General Public License
//as published by the Free Software Foundation; either version 2
//of the License, or (at your option) any later version.

//This program is distributed in the hope that it will be useful,
//but WITHOUT ANY WARRANTY; without even the implied warranty of
//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
//GNU General Public License for more details.

//You should have received a copy of the GNU General Public License
//along with this program; if not, write to the Free Software
//Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.

define('IN_MYBLOGGIE', true);



$mybloggie_root_path = './';



include_once($mybloggie_root_path.'config.php');

include_once($mybloggie_root_path.'includes/db.php');

include_once($mybloggie_root_path.'includes/template.php');

include_once($mybloggie_root_path.'includes/function.php');

include_once($mybloggie_root_path.'language/lang_eng.php');



$tabcolor='#efefef';





if (isset($_GET['mode'])) {

$mode =  htmlspecialchars($_GET['mode']) ; }



if (isset($_POST['username'])) {
$username=$_POST['username'];
} else $username="";


if (isset($_POST['passwd'])) {
$passwd = $_POST['passwd'];
} else  $passwd = "";


$username = htmlspecialchars(rtrim(trim($username), "\\"));
$username = substr(str_replace("\\'", "'", $username), 0, 25);
$username = str_replace("'", "\\'", $username);
// Security precaution - sean 03 sep 2005

if(ereg('[^A-Za-z0-9_]', $username)){

//redirecting the user if the username no alphanumeric to prevent

echo "<meta http-equiv=\"Refresh\" content=\"1;url=".self_url()."/oops.php\" />";

exit();

}



if( isset( $mode ) )

{

  if( $mode == "login" )

   {

      $username = trim( $username );

      $passwd = md5(trim( $passwd ));



      if( $username == "" ) message( $lang['Error'] , $lang['Msg_enter_name'] );

      if( $passwd == "" ) message($lang['Error'], $lang['Msg_enter_pass'] );

        $result = mysql_query( "SELECT user FROM ".USER_TBL." WHERE user='$username'

                  AND password='$passwd'" ) or error( mysql_error() );

       if( mysql_num_rows( $result ) != 1 ) {

?>
<head>
<title>myBloggie - Administrator Log In</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body bgcolor="#FFFFFF" topmargin="5" leftmargin="5" marginheight="5" marginwidth="5" ><center>
<!-- login.html ACTIONFILE   -->
<style>
.tdloginheader { font-family: Verdana, Arial, Helvetica, sans-serif;
                  font-weight: bold;
                  font-size: 10pt;
                  letter-spacing: 0.09em;
                  color: #000000;
                  text-align: center;
                  line-height: 24px;
                  vertical-align: middle;
                  height: 20px;
}

.formfont {       font-family: Verdana, Arial, Helvetica, sans-serif;
                  font-weight: bold;
                  font-size: 11px;

}
input,textarea,select {
  font-size: 11px;
  font-family: Verdana;
  height: 22px;
  border-style: solid;
  border-width: 1px;
  border-color: #aaaaaa;
  background: #f0f0f0;
  border-width: 1px;
  margin: 2px;
}

</style>
<br /><br /><center>

<table id="Table_01" width="400"  border="0" cellpadding="0" cellspacing="0">
    <tr>
        <td>
            <img src="templates/<? echo $style ?>/images/login_01.gif" width="24" height="37" alt=""></td>
        <td>
            <img src="templates/<? echo $style ?>/images/login_02.gif" width="351" height="37" alt=""></td>
        <td>
            <img src="templates/<? echo $style ?>/images/login_03.gif" width="25" height="37" alt=""></td>
    </tr>
    <tr>
        <td background="templates/<? echo $style ?>/images/login_04.gif" width="24" height="300">
            </td>
        <td>
<center>
<table width="300" cellspacing="0" cellpadding="3" border="0">
        <tr><td colspan="2" class="tdloginheader">Log In</td></tr>
 <tr><td colspan=2></td></tr>
 <tr><td colspan=2></td></tr>
<form method="post" action="<? echo $_SERVER['PHP_SELF'] ?>?mode=login">
<tr>
<td width='100' height='25' class="formfont">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; User Name</td>
<td height='25'><input type='text' name='username'  size='20' maxlength='50'></td>
</tr>
<tr>
<td width='100' height='25' class="formfont">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Password</td>
<td height='25'><input type='password' name='passwd' size='20' maxlength='32'></td>
</tr>
<tr>
<td width='100' height='25'></td>
<td height='25'><input type=submit value='Log In' name=submit></td>
</tr>
 <tr><td colspan=2></td></tr>
</form>
</table>
</center>
</td>
        <td background="templates/<? echo $style ?>/images/login_06.gif" width="25" height="300">
            </td>
    </tr>
    <tr>
        <td>
            <img src="templates/<? echo $style ?>/images/login_07.gif" width="24" height="37" alt=""></td>
        <td>
            <a href="http://mywebland.com"><img src="templates/<? echo $style ?>/images/login_08.gif" width="351" height="37" alt="" border="0"></a></td>
        <td>
            <img src="templates/<? echo $style ?>/images/login_09.gif" width="25" height="37" alt=""></td>
    </tr>
</table>

</center></body></html>
<?
}
?>


Thanks in advance
sean
Site Admin


Joined: 14 Jul 2004
Posts: 671

PostPosted: Thu Oct 06, 2005 3:33 pm    Post subject:

Latest changes, to prevent the exploit (06 Oct 2005)

Please replace this

Code:
if (isset($_POST['username'])) {
$username=$_POST['username'];
} else $username="";


if (isset($_POST['passwd'])) {
$passwd = $_POST['passwd'];
} else  $passwd = "";

// security precaution -  sean 03 sept 2005
if(ereg('[^A-Za-z0-9_]', $username)){
//redirecting the user if the username no alphanumeric to prevent
echo "<meta http-equiv=\"Refresh\" content=\"1;url=".self_url()."/oops.php\" />";
exit();
}


With this


Code:
if (isset($_POST['username'])) {
$username=$_POST['username'];
} else $username="";


if (isset($_POST['passwd'])) {
$passwd = $_POST['passwd'];
} else  $passwd = "";

$username = htmlspecialchars(rtrim(trim($username), "\\"));
$username = substr(str_replace("\\'", "'", $username), 0, 25);
$username = str_replace("'", "\\'", $username);
my816797
Newbie


Joined: 26 Jul 2005
Posts: 45
Location: Amersfoort, Utrecht, Netherlands, Europe

PostPosted: Thu Oct 20, 2005 3:46 pm    Post subject:

Isn't the [Stripslashes] function more efficient?
lime_butterfly
Newbie


Joined: 12 Nov 2005
Posts: 1

PostPosted: Sat Nov 12, 2005 1:26 pm    Post subject:

My blog was hacked and it all ended up in a mess; now I'm using WordPress.

The problem obviously is SQL code injection. To prevent this, the common method is to use the PHP function mysql_real_escape_string(). So why so complicated, if there is an easy way:
Code:

 $result = mysql_query( "SELECT user FROM ".USER_TBL." WHERE user='".mysql_real_escape_string($username)."' AND password='".mysql_real_escape_string($passwd)."'" ) or error( mysql_error() );

It does the job - I checked it! Everything else is actually a dirty method of fixing the bug!
Isn't it known that every SQL query has to be made injection-safe by using mysql_real_escape_string()? I have to admit that I didn't check the source of myBloggie before installing it - but now I'm disappointed that the programmer didn't see this. So the next myBloggie update should escape every string given in an SQL query!

Unfortunately, I have customized myBloggie quite a lot to make it "fit" into my home page (http://jeremy.deuel.ch/). So it isn't so easy for me to just update - because many source files that would just get replaced had to be changed - for instance to make the date format customizable or to localize quite a lot of strings (yes, there isn't only English in this world). Well anyway, myBloggie hasn't reached the stable state yet, and there is a lot of work for you guys to be done! Thanks anyway for doing it, but you've lost me - I'm on WordPress now.
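The escaping approach in the post above was the right call for the ext/mysql API of 2005 (mysql_real_escape_string() needs an open connection because it escapes according to the connection's character set). That extension was removed in PHP 7; its successors are mysqli_real_escape_string() and PDO::quote(), and the preferred fix is to keep the values out of the SQL text entirely with a prepared statement. The following is an added example, not myBloggie's code and not lime_butterfly's, showing the thread's login query as a prepared statement. It assumes PHP 7.1+ with the pdo_sqlite extension and uses an in-memory SQLite database with a constructed mybloggie_user table so it runs offline; against MySQL only the DSN and credentials change. It also shows, beyond what the thread covers, what happens when the thread's str_replace() escaping is still applied on top of a placeholder.

```php
<?php
// Added example (not myBloggie's code): the login query from this thread
// rewritten as a prepared statement. The values never become part of the SQL
// text, so neither the str_replace() precaution nor mysql_real_escape_string()
// is needed. PDO + in-memory SQLite is used so the script runs offline.

function create_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // Constructed schema mirroring the two columns the thread's query uses.
    // myBloggie compared md5(password); that is kept only so the query shape
    // matches the thread. A new design would use password_hash()/verify().
    $db->exec('CREATE TABLE mybloggie_user (user TEXT PRIMARY KEY, password TEXT NOT NULL)');

    $ins = $db->prepare('INSERT INTO mybloggie_user (user, password) VALUES (:u, :p)');
    $demoAccounts = ['sean' => 's3cret', "o'brien" => 'pa55'];  // constructed
    foreach ($demoAccounts as $user => $plain) {
        $ins->execute([':u' => $user, ':p' => md5($plain)]);
    }
    return $db;
}

// Returns true when exactly one row matches, as the thread's
// mysql_num_rows($result) != 1 check intended.
function check_login(PDO $db, string $username, string $passwd): bool
{
    $username = trim($username);
    $passwd   = trim($passwd);
    // Emptiness is checked before hashing: md5('') is a non-empty string,
    // so a check after the hash (as in the posted login.php) never fires.
    if ($username === '' || $passwd === '') {
        return false;
    }

    // Named placeholders instead of string interpolation: the database gets
    // the SQL and the values separately, so a quote in $username is just data.
    $stmt = $db->prepare(
        'SELECT user FROM mybloggie_user WHERE user = :u AND password = :p'
    );
    $stmt->execute([':u' => $username, ':p' => md5($passwd)]);
    return count($stmt->fetchAll(PDO::FETCH_ASSOC)) === 1;
}

$db = create_demo_db();

// Constructed cases: [username, password, expected outcome].
$cases = [
    ['sean',      's3cret', true],
    ['sean',      'wrong',  false],
    ["o'brien",   'pa55',   true],   // quote in the name, nothing to escape
    ["o\\'brien", 'pa55',   false],  // the thread's str_replace() escaping applied
                                     // on top of a placeholder: the backslash is
                                     // now part of the name and nothing matches
    ['',          's3cret', false],
];

foreach ($cases as [$u, $p, $expected]) {
    $ok = check_login($db, $u, $p);
    printf(
        "%-12s / %-8s => %-8s (expected %s)\n",
        $u === '' ? '(empty)' : $u,
        $p,
        $ok ? 'login ok' : 'rejected',
        $expected ? 'login ok' : 'rejected'
    );
}
```

The fourth case is the caveat a practitioner needs when migrating code like this thread's: escaping and placeholders are alternatives, not layers. Keep the str_replace() precaution and the prepared statement together and legitimate names containing a quote stop matching, while removing the escaping once the query is parameterised loses nothing.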
All times are GMT