Security issue for Socialengine and img tag

**subzero** · 10.10.09, 15:26

awsome now i can use this idea lmao

**CreativityKills** · 10.10.09, 21:24

Read my CSRF thread. I cud actually do more.

**Anshul** · 10.10.09, 22:47

Originally posted by subzero View Post

awsome now i can use this idea lmao

lmao

**GumSlone** · 12.10.09, 16:03

ok, here is a solution, using regex failed for me, so i have added bbcodes.

into include/class_comment.php
before:

PHP Code:


}



?>

add this:

PHP Code:


function bbcode_format ($str) {  

    #$str = htmlentities($str);  

  

    $simple_search = array(  

                //added line break  

                '/\[br\]/is',  

                '/\[b\](.*?)\[\/b\]/is',  

                '/\[i\](.*?)\[\/i\]/is',  

                '/\[u\](.*?)\[\/u\]/is',  

                #'/\[url\=(.*?)\](.*?)\[\/url\]/is',  

                '/\[url\](.*?)\[\/url\]/is',  

                '/\[align\=(left|center|right)\](.*?)\[\/align\]/is',  

                '/\[img\](.*?)\[\/img\]/is',  

                '/\[mail\=(.*?)\](.*?)\[\/mail\]/is',  

                '/\[mail\](.*?)\[\/mail\]/is',  

                '/\[font\=(.*?)\](.*?)\[\/font\]/is',  

                '/\[size\=(.*?)\](.*?)\[\/size\]/is',  

                '/\[color\=(.*?)\](.*?)\[\/color\]/is',  

                  //added textarea for code presentation  

               '/\[codearea\](.*?)\[\/codearea\]/is',  

                 //added pre class for code presentation  

              '/\[code\](.*?)\[\/code\]/is',  

                //added paragraph  

              '/\[p\](.*?)\[\/p\]/is',  

                );  

  

    $simple_replace = array(  

                //added line break  

               '<br />',  

                '<strong>$1</strong>',  

                '<em>$1</em>',  

                '<u>$1</u>',  

                // added nofollow to prevent spam  

                #'<a href="$1" rel="nofollow" title="$2 - $1">$2</a>',  

                '<a href="$1" rel="nofollow" title="$1">$1</a>',  

                '<div style="text-align: $1;">$2</div>',  

                //added alt attribute for validation  

                '<img src="image_check.php?src=$1" alt="" />',  

                '<a href="mailto:$1">$2</a>',  

                '<a href="mailto:$1">$1</a>',  

                '<span style="font-family: $1;">$2</span>',  

                '<span style="font-size: $1;">$2</span>',  

                '<span style="color: $1;">$2</span>',  

                //added textarea for code presentation  

                '<textarea class="code_container" rows="30" cols="70">$1</textarea>',  

                //added pre class for code presentation  

                '<pre class="code">$1</pre>',  

                //added paragraph  

                '<p>$1</p>',  

                );  

  

    // Do simple BBCode's  

    $str = preg_replace ($simple_search, $simple_replace, $str);  

  

    // Do <blockquote> BBCode  

    $str = $this->bbcode_quote ($str);  

  

    return $str;  

}  

  

  

  

function bbcode_quote ($str) {  

    //added div and class for quotes  

    $open = '<blockquote><div class="quote">';  

    $close = '</div></blockquote>';  

  

    // How often is the open tag?  

    preg_match_all ('/\[quote\]/i', $str, $matches);  

    $opentags = count($matches['0']);  

  

    // How often is the close tag?  

    preg_match_all ('/\[\/quote\]/i', $str, $matches);  

    $closetags = count($matches['0']);  

  

    // Check how many tags have been unclosed  

    // And add the unclosing tag at the end of the message  

    $unclosed = $opentags - $closetags;  

    for ($i = 0; $i < $unclosed; $i++) {  

        $str .= '</div></blockquote>';  

    }  

  

    // Do replacement  

    $str = str_replace ('[' . 'quote]', $open, $str);  

    $str = str_replace ('[/' . 'quote]', $close, $str);  

  

    return $str;  

}

now find function comment_list($start, $limit)

and find inside it this line:

PHP Code:


'comment_body' => $comment_info[$this->comment_type.'comment_body'],

replace the line width:

PHP Code:


'comment_body' => $this->bbcode_format($comment_info[$this->comment_type.'comment_body']),

next step create in the main directory of your site a file image_check.php
and paste into the file this code:

PHP Code:


<?



$image_info = getimagesize($_GET['src']);

if($image_info['mime'] == 'image/gif'||$image_info['mime'] == 'image/jpeg'||$image_info['mime']=='image/png')

{

  header ('HTTP/1.1 301 Moved Permanently');

  header ('Location: '.$_GET['src']);

}

else 

{

  header ('HTTP/1.1 301 Moved Permanently');

  header ('Location: ./wattermark.png');

}

?>

last step:
create a png image with your site logo, rename it to wattermark.png and upload it into the main directory of your SE site.

Done, now you can use image bbcodes without problems

**man101** · 15.05.10, 06:05

thanks man that looked good .
i m going to try and let u know if any more problems are there
thanks

**GumSlone** · 15.05.10, 23:42

Originally posted by man101 View Post

thanks man that looked good .
i m going to try and let u know if any more problems are there
thanks

it has been fixed in the latest versions of SE

Security issue for Socialengine and img tag

Security issue for Socialengine and img tag

Comment

Comment

Comment

Comment

Comment

Comment