Lavalair patchwork


  • Lavalair patchwork

    Here we will try to mention, post by post, what to change in your Lavalair script. I think it would be best to post only what works, with an explanation, to keep the topic as clean as possible.

    Remove all globals which are used more than three times and add them to core.php with per-case checking.
    Here are a few:

    PHP Code:
    // Free-text value: HTML-encode it so it can be echoed safely.
    $action = empty($_GET['action']) ? null : htmlentities($_GET['action'], ENT_QUOTES, 'UTF-8');

    // Session id must be exactly 32 alphanumeric characters, otherwise it is discarded.
    $sid = !empty($_GET['sid']) ? (preg_match('/^[a-z0-9]{32}$/iD', $_GET['sid']) === 1 ? $_GET['sid'] : null) : null;

    // Numeric ids are cast to int so nothing but digits reaches a query.
    $page = empty($_GET['page']) ? null : (int) $_GET['page'];
    $who  = empty($_GET['who'])  ? null : (int) $_GET['who'];
    $fid  = empty($_GET['fid'])  ? null : (int) $_GET['fid'];
    $tid  = empty($_GET['tid'])  ? null : (int) $_GET['tid'];
    $pid  = empty($_GET['pid'])  ? null : (int) $_GET['pid'];
    Connecting to database:

    PHP Code:
    function connectdb() {
        // $dbcon and $dbsel are declared global too, so the connection is reused
        // across calls instead of being re-opened every time.
        global $dbname, $dbuser, $dbhost, $dbpass, $dbcon, $dbsel;

        if ($dbcon === null)
            $dbcon = mysql_connect($dbhost, $dbuser, $dbpass) or exit;

        if ($dbsel === null && $dbcon !== null)
            $dbsel = mysql_select_db($dbname, $dbcon) or exit;

        if ($dbcon !== null && $dbsel !== null)
            return true;

        return false;
    }

    Last edited by arnage; 08.03.13, 11:55.

  • #2
    MAKE SURE YOUR USERS' BROWSER DETAILS, IP ADDRESS AND ANY OTHER VARIABLE TAKEN FROM THE USER ARE PASSED THROUGH mysql_real_escape_string()

    Yes, it is possible to spoof your IP address into an SQL injection.
    Last edited by something else; 08.03.13, 12:08.
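    Added example (not from this thread or the Lavalair script) of the point above: the visitor's IP and browser string written to a table the unsafe way beside the safe way. Since the mysql_* functions the script uses were removed in PHP 7, the safe version uses mysqli prepared statements in place of mysql_real_escape_string(); the table name, column names and the $db connection are assumed.

```php
<?php
// Unsafe: X-Forwarded-For and User-Agent are fully attacker controlled, so
// concatenating them into the query lets the request supply its own SQL.
function log_visit_unsafe(mysqli $db, $uid)
{
    $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];   // spoofable header
    $ua = $_SERVER['HTTP_USER_AGENT'];
    return $db->query("INSERT INTO visits (uid, ip, browser) VALUES ($uid, '$ip', '$ua')");
}

// Safe: values are bound as parameters and are never parsed as SQL.
// The IP comes from REMOTE_ADDR (set by the server, not a header) and is
// validated; the browser string is stored as data, length-capped.
function log_visit_safe(mysqli $db, $uid)
{
    $uid = (int) $uid;
    $ip  = isset($_SERVER['REMOTE_ADDR']) ? filter_var($_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP) : false;
    if ($ip === false) {
        return false;
    }
    $ua = isset($_SERVER['HTTP_USER_AGENT']) ? substr($_SERVER['HTTP_USER_AGENT'], 0, 255) : '';

    $stmt = $db->prepare('INSERT INTO visits (uid, ip, browser) VALUES (?, ?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('iss', $uid, $ip, $ua);   // i = int, s = string
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Assumed connection details; replace with the site's own.
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'lavalair');
log_visit_safe($db, 42);
```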



    • #3
      This works well also for deregistering globals:

      Code:
      // Needs an open MySQL connection (connectdb() from post #1) before it runs,
      // because clean() calls mysql_real_escape_string(). PHP 5-era code: the
      // mysql_* and magic_quotes functions no longer exist in PHP 7+.
      deregister_globals();

      // Record whether magic_quotes_gpc already added slashes to the input.
      // This must be known before clean() is used, so it is defined first.
      if (version_compare(PHP_VERSION, '6.0.0-dev', '>=')) {
          define('STRIP', false);
      } else {
          @set_magic_quotes_runtime(0);
          define('STRIP', (get_magic_quotes_gpc()) ? true : false);
      }

      // Escape every request value exactly once, at the top of the page.
      if (isset($_GET)) {
          foreach ($_GET as $key => $value) {
              $_GET[$key] = clean($value);
          }
      }
      if (isset($_POST)) {
          foreach ($_POST as $key => $value) {
              $_POST[$key] = clean($value);
          }
      }
      if (isset($_SESSION)) {
          foreach ($_SESSION as $key => $value) {
              $_SESSION[$key] = clean($value);
          }
      }
      if (isset($_COOKIE)) {
          foreach ($_COOKIE as $key => $value) {
              $_COOKIE[$key] = clean($value);
          }
      }

      // Undo register_globals: remove every global variable that was created
      // from request data (same approach as phpBB's deregister_globals()).
      function deregister_globals()
      {
          $not_unset = array(
              'GLOBALS'   => true,
              '_GET'      => true,
              '_POST'     => true,
              '_COOKIE'   => true,
              '_REQUEST'  => true,
              '_SERVER'   => true,
              '_SESSION'  => true,
              '_ENV'      => true,
              '_FILES'    => true,
              'phpEx'     => true,
              'phpbb_root_path' => true
          );

          if (!isset($_SESSION) || !is_array($_SESSION)) {
              $_SESSION = array();
          }

          $input = array_merge(
              array_keys($_GET),
              array_keys($_POST),
              array_keys($_COOKIE),
              array_keys($_SERVER),
              array_keys($_SESSION),
              array_keys($_ENV),
              array_keys($_FILES)
          );

          foreach ($input as $varname) {
              if (isset($not_unset[$varname])) {
                  // A request that tries to inject one of the protected names is
                  // refused outright; GLOBALS arriving only as a cookie is cleaned up.
                  if ($varname !== 'GLOBALS' || isset($_GET['GLOBALS']) || isset($_POST['GLOBALS']) || isset($_SERVER['GLOBALS']) || isset($_SESSION['GLOBALS']) || isset($_ENV['GLOBALS']) || isset($_FILES['GLOBALS'])) {
                      exit;
                  }
                  $cookie = &$_COOKIE;
                  while (isset($cookie['GLOBALS'])) {
                      foreach ($cookie['GLOBALS'] as $registered_var => $value) {
                          if (!isset($not_unset[$registered_var])) {
                              unset($GLOBALS[$registered_var]);
                          }
                      }
                      $cookie = &$cookie['GLOBALS'];
                  }
              }

              unset($GLOBALS[$varname]);
          }

          unset($input);
      }

      // Trim and escape one value (or, recursively, each value of an array).
      // The separate trim/addslashes pass over $_GET/$_POST/$_COOKIE was dropped:
      // running it as well as clean() escaped every value twice.
      function clean($str)
      {
          if (is_array($str)) {
              return array_map('clean', $str);
          }
          $str = trim($str);
          if (STRIP) {
              // magic_quotes_gpc already escaped it; undo that before escaping properly
              $str = stripslashes($str);
          }
          $str = str_replace(array('<', '>'), '', $str);
          return mysql_real_escape_string($str);
      }



      • #4
        Ban System

        BAN SYSTEM
        The original ban system on Lava is really bad and only stops users getting on index.php - this means that users can still post or do whatever they like even when banned.
        You need to copy the ban system setup onto every page or, better still, use a different page, e.g. head.php: copy the top part of index.php into it and include that on every page.
        Last edited by something else; 08.03.13, 12:48.



        • #5
          Don't know about Lava, but I wanna help: add this at the top of each page and use $clean instead of $_POST, and all $_POST values will automatically be escaped.

          PHP Code:
          // Needs an open MySQL connection for mysql_real_escape_string().
          // Slashes from magic_quotes are stripped BEFORE escaping; the other way
          // round would strip the escaping again and leave the value unsafe.
          $clean = array();
          foreach (array_keys($_POST) as $key)
          {
              $clean[$key] = mysql_real_escape_string(stripslashes($_POST[$key]));
          }



          • #6
            Session ID

            The original session id is passed through a URL, e.g. h++p://yoursite.con/index.php?action=main&sid=123456789abcdefg

            This causes a lot of problems with sessions being stolen via the referrer or by putting a PHP image onto your site.

            Updating your site to use $_SESSION[] will stop people stealing your session id, however it does open a lot of new ways to hack your site.
            Check http://coding-talk.com/f14/lavalair-mods-2253/ to see how to update to $_SESSION

            Once updated to $_SESSION[], people can now put bad links in your forum, e.g.:

            h++p://yoursite.con/index.php?action=logout

            The above example will log someone out.
            The same can be done via the avatar URL (someone putting the same URL in for the avatar pic).

            If you have updated to uploaders for avatars, people can still upload a file, e.g.:
            something.gif
            with the contents of the file being:
            PHP Code:
            GIF89a; <iframe scr="h++p://yoursite.con/index.php?action=logout"></iframe
            and your browser will parse it as normal, including the iframe.

            So you are far better off using the GD library for all your users' pics, including gifs, as they can contain malicious code.

            To stop the malicious links being posted etc. you will need to make sure all important links have a security key with them, which is given to them on the page before, e.g.:
            h++p://yoursite.con/index.php?action=logout&securityKey=123456 and at the same time use $_SESSION['securityKey'] = 123456;
            Then if they don't match up, don't log the person out etc.

            Also make sure forms are covered in the same way; adding "Are you sure you wish to do this" links helps change the links from the original, making the hack less known.
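            Added example (not from this thread or the Lavalair script) of the security-key idea above: the key is generated once per session, carried by state-changing links and forms, and checked before the logout action runs. Function names are assumed, and random_bytes() assumes PHP 7 or later.

```php
<?php
session_start();

// One key per session, 32 hex characters from the CSPRNG rather than a
// guessable number such as 123456.
function security_key()
{
    if (empty($_SESSION['securityKey'])) {
        $_SESSION['securityKey'] = bin2hex(random_bytes(16));
    }
    return $_SESSION['securityKey'];
}

// Link that carries the key, e.g. keyed_link('logout'). Pass the result
// through htmlspecialchars() when echoing it inside HTML.
function keyed_link($action)
{
    return 'index.php?action=' . rawurlencode($action) . '&securityKey=' . security_key();
}

// Hidden field so forms are covered the same way as links.
function security_key_field()
{
    return '<input type="hidden" name="securityKey" value="'
        . htmlspecialchars(security_key(), ENT_QUOTES, 'UTF-8') . '">';
}

// Check on every page that changes state. hash_equals() compares in
// constant time; a missing or wrong key simply means "do nothing".
function security_key_ok(array $request)
{
    if (empty($_SESSION['securityKey']) || !isset($request['securityKey']) || !is_string($request['securityKey'])) {
        return false;
    }
    return hash_equals($_SESSION['securityKey'], $request['securityKey']);
}

// The logout action: a link posted in the forum or hidden in an avatar
// cannot know the key, so it is ignored.
if (isset($_GET['action']) && $_GET['action'] === 'logout') {
    if (!security_key_ok($_GET)) {
        exit('Missing or wrong security key; not logging out.');
    }
    $_SESSION = array();
    session_destroy();
}
```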



            • #7
              Originally posted by arnage View Post
              Here we will try to mention, post by post, what to change in your Lavalair script. I think it would be best to post only what works, with an explanation, to keep the topic as clean as possible.

              Remove all globals which are used more than three times and add them to core.php with per-case checking.
              Here are a few:

              PHP Code:
              $action = empty($_GET['action']) ? null : htmlentities($_GET['action'], ENT_QUOTES, 'UTF-8');

              $sid = !empty($_GET['sid']) ? (preg_match('/^[a-z0-9]{32}$/iD', $_GET['sid']) === 1 ? $_GET['sid'] : null) : null;

              $page = empty($_GET['page']) ? null : (int) $_GET['page'];
              $who  = empty($_GET['who'])  ? null : (int) $_GET['who'];
              $fid  = empty($_GET['fid'])  ? null : (int) $_GET['fid'];
              $tid  = empty($_GET['tid'])  ? null : (int) $_GET['tid'];
              $pid  = empty($_GET['pid'])  ? null : (int) $_GET['pid'];

              Does this need changes only in index.php or in all the PHP files, bro?



              • #8
                You can disable PHP, e.g. in an upload directory, using .htaccess like this:
                PHP Code:
                php_flag engine off 



                • #9
                  lists.php

                  There are many places on lists.php where you can crash SQL to reveal table names and rows by putting an incorrect value in one of the variables.
                  Most of them can be sorted out by making sure it is an integer variable, e.g.:
                  PHP Code:
                  $id = (int)$_GET['id']; 
                  However, negative values can still be processed this way and crash the SQL in the same way.
                  So to fix it, use something like:
                  PHP Code:
                  if ($id < 0) $id = 1;
                  I am sure there are lots more places in the script with the same problem, but there are a lot in lists.php.
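                  Added example (not from this thread or the Lavalair script) combining the per-case checks from post #1 with the range check in this post: small core.php helpers that return null for anything that is not a well-formed value, so a bad id is refused before it can reach a query and make MySQL error out. Helper names are assumed; the parameter names are the ones used in the thread.

```php
<?php
// Integer parameter that must be >= $min (default 1). Negative numbers,
// "12abc", arrays and empty strings all come back as null.
function get_int_param($name, $min = 1)
{
    if (!isset($_GET[$name])) {
        return null;
    }
    $v = filter_var($_GET[$name], FILTER_VALIDATE_INT,
                    array('options' => array('min_range' => $min)));
    return $v === false ? null : $v;
}

// Session id: exactly 32 alphanumeric characters, as in the original $sid check.
function get_sid_param()
{
    if (empty($_GET['sid']) || !is_string($_GET['sid'])) {
        return null;
    }
    return preg_match('/^[a-z0-9]{32}$/iD', $_GET['sid']) === 1 ? $_GET['sid'] : null;
}

// Action name: checked against a whitelist instead of only being HTML-encoded,
// so an unknown action can never select code paths by surprise.
function get_action_param(array $allowed)
{
    if (empty($_GET['action']) || !is_string($_GET['action'])) {
        return null;
    }
    return in_array($_GET['action'], $allowed, true) ? $_GET['action'] : null;
}

// Refuse the request with a plain 400 instead of letting MySQL print an error
// that reveals table and column names.
function require_param($value, $what)
{
    if ($value === null) {
        header('HTTP/1.1 400 Bad Request');
        exit('Invalid ' . $what);
    }
    return $value;
}

$page   = get_int_param('page');                  // null when absent or < 1
$who    = get_int_param('who');
$sid    = get_sid_param();
$action = get_action_param(array('main', 'logout', 'profile'));   // assumed list
$id     = require_param(get_int_param('id'), 'id');               // lists.php needs an id
```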



                  • #10
                    Originally posted by bigboss View Post
                    Does this need changes only in index.php or in all the PHP files, bro?
                    Everywhere in the script needs the $_GET and $_POST changing.

                    wapdesire v2: the version I read, which was an early release, was relying on globals to collect variables; these all need changing to $_GET and $_POST.

                    Also the add smilies page does not have admin/mod rights on it - anyone can add smilies, which can cause your whole site to stop working.

                    This is very important on Lava also, that add smilies is safely protected - as hackers can close your whole site if they gain access to this, and it is also a very large headache trying to work out what is wrong with your site.
                    Last edited by something else; 08.03.13, 22:07.



                    • #11
                      Originally posted by something else View Post
                      BAN SYSTEM
                      The original ban system on Lava is really bad and only stops users getting on index.php - this means that users can still post or do whatever they like even when banned.
                      You need to copy the ban system setup onto every page or, better still, use a different page, e.g. head.php: copy the top part of index.php into it and include that on every page.
                      Why do that? Just check whether the user isn't allowed to create a session in the login check.



                      • #12
                        All you need is "check session" and "is session ok", and include the banned table in "is session ok", and make sure every page checks this.

                        Plus, on my site, once someone is banned the session is terminated, so it's just an extra level of security.



                        • #13
                          Why all pages? They don't create sessions, the login page does, at least as I remember from the Lavalair script. That is useless.



                          • #14
                            It's just more secure; you're not trying to create sessions on every page, it's just checking the session and whether the user is banned.



                            • #15
                              I want to learn coding but I don't even know where to start. I am confused here.
