SQL Injection vulnerability in eFiction - eFiction Software News

RE: SQL Injection vulnerability in eFiction

cristodulo — Wed, 09 Jun 2021 10:18:48 +0000

nice pice of history

Re: SQL Injection vulnerability in eFiction

Sheepcontrol — Sun, 25 Jan 2015 09:39:09 +0000

Changes haven been included in the latest release, 3.5.5
Topic locked.

Re: SQL Injection vulnerability in eFiction

jacci — Sat, 15 Nov 2014 21:32:23 +0000

I am very willing too to help with beta testing, anything you need

Re: SQL Injection vulnerability in eFiction

jetblack — Sat, 15 Nov 2014 12:27:29 +0000

It seems to be. Once I backed out the config.php changes, all of the weird extra characters disappeared when I did the hand-edits to the HTML input editor.

-- jb

Re: SQL Injection vulnerability in eFiction

Sheepcontrol — Sat, 15 Nov 2014 09:17:05 +0000

Can I get a post of Step 3 so I can back out the changes?

-- Jb

EDIT: Nevermind. I found it and edited it out.

So it'd good now?

Re: SQL Injection vulnerability in eFiction

HPFanFicArchive.Com — Sat, 15 Nov 2014 05:11:54 +0000

Darn, that's what I was fearing. Well, as I said, I don't know the code very well, ok, scratch that as well - I need to finish v5 ASAP :(

Hey I'm ready to beta test v5 whenever you are ready. :agree:

I'd also be up for doing any beta testing when you are ready.

Re: SQL Injection vulnerability in eFiction

jetblack — Fri, 14 Nov 2014 22:52:53 +0000

Can I get a post of Step 3 so I can back out the changes?

-- Jb

EDIT: Nevermind. I found it and edited it out.

Re: SQL Injection vulnerability in eFiction

jetblack — Fri, 14 Nov 2014 22:51:09 +0000

I'm getting a bunch of reports from authors stating that "rn" is being added to each line since I applied the hotfix. Here's an example:

http://www.adastrafanfic.com/viewstory.php?sid=2061&chapter=37

No matter what I do on the HTML editor side, I cannot remove those characters. They persist over and over.

-- jb

Re: SQL Injection vulnerability in eFiction

babaca — Fri, 14 Nov 2014 20:13:27 +0000

Darn, that's what I was fearing. Well, as I said, I don't know the code very well, ok, scratch that as well - I need to finish v5 ASAP :(

Hey I'm ready to beta test v5 whenever you are ready. :agree:

Re: SQL Injection vulnerability in eFiction

Sheepcontrol — Fri, 14 Nov 2014 20:08:38 +0000

Thank you, Robert for pointing this out, and thank you, Sheepcontrol for working on the fix.

I wanted to point out that the 2 lines of code that were previously added to the config.php file, and now are listed for the dbfuctions.php file:
$_GET = array_map('stripslashes', $_GET);
$_POST = array_map('stripslashes', $_POST);
May help with the SQL injection issue, but they throw off some of the site functionality. A member of my site emailed me to let me know that when she was trying to add a challenge, the site wouldn't save the characters she was trying to tie to the challenge. I checked, and she was correct. It looks like any input that comes from a box where multiple options can be chosen is being disregarded (for ex. in the advanced search it won't use selected classtypes to include/exclude).

Darn, that's what I was fearing. Well, as I said, I don't know the code very well, ok, scratch that as well - I need to finish v5 ASAP :(