[Sticky] SQL Injection vulnerability in eFiction

27 Posts
13 Users
0 Reactions
17.9 K Views
 SJP
(@sjp)
Posts: 66
Trusted Member
 

Thank you, Robert for pointing this out, and thank you, Sheepcontrol for working on the fix.

I wanted to point out that the 2 lines of code that were previously added to the config.php file, and now are listed for the dbfuctions.php file:

$_GET = array_map('stripslashes', $_GET);
$_POST = array_map('stripslashes', $_POST);

May help with the SQL injection issue, but they throw off some of the site functionality. A member of my site emailed me to let me know that when she was trying to add a challenge, the site wouldn't save the characters she was trying to tie to the challenge. I checked, and she was correct. It looks like any input that comes from a box where multiple options can be chosen is being disregarded (for ex. in the advanced search it won't use selected classtypes to include/exclude).


 
Posted : 14/11/2014 11:03 am
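
The multi-select breakage reported in the post above can be reproduced in isolation. This is an added example, not code from the thread or from eFiction; the field names and sample values are constructed, and `strip_flat` / `strip_deep` are hypothetical helper names.

```php
<?php
// Constructed sample of $_POST for a form with a multi-select field.
// Field names are hypothetical, not taken from eFiction.
$post = [
    'title'  => 'O\\\'Brien challenge',  // arrives as: O\'Brien challenge
    'charid' => ['12', '47'],            // <select name="charid[]" multiple>
];

// The two hotfix lines apply stripslashes() to top-level values only.
// Given an array, stripslashes() warns and returns NULL on PHP 5/7
// and throws TypeError on PHP 8.
function strip_flat(array $input)
{
    set_error_handler(function () { return true; }); // silence the warning
    try {
        return array_map('stripslashes', $input);
    } catch (TypeError $e) {
        return ['error' => get_class($e)];
    } finally {
        restore_error_handler();
    }
}

// Recursive variant: descend into arrays, strip only string leaves.
function strip_deep($value)
{
    return is_array($value)
        ? array_map('strip_deep', $value)
        : stripslashes($value);
}

echo "flat: ";
var_export(strip_flat($post));
echo "\ndeep: ";
var_export(strip_deep($post));
echo "\n";
```

Neither variant escapes anything for SQL: stripslashes() only removes backslashes, so values still need escaping or bound parameters before they reach a query.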
(@babaca)
Posts: 722
Member Moderator
 

UPDATE: zip-archive attached with the modified files.

Updated package is postponed, also, until this fix has become somewhat stable.

Sheep, I think you are great to tackle this problem but I'm confused... is there an attachment on your post or not? I see a paperclip on the header like there is an attachment but I could find no link. I will attempt to manually alter my files, but if I do, will I screw something up? Seems like there are some unpredictable results.


******************************************
Mucking around in eFiction since circa 2001 (ver. 1.0)
Now running v.3

 
Posted : 14/11/2014 11:50 am
(@sheepcontrol)
Posts: 332
Reputable Member
 

Thank you, Robert for pointing this out, and thank you, Sheepcontrol for working on the fix.

I wanted to point out that the 2 lines of code that were previously added to the config.php file, and now are listed for the dbfuctions.php file:

$_GET = array_map('stripslashes', $_GET);
$_POST = array_map('stripslashes', $_POST);

May help with the SQL injection issue, but they throw off some of the site functionality. A member of my site emailed me to let me know that when she was trying to add a challenge, the site wouldn't save the characters she was trying to tie to the challenge. I checked, and she was correct. It looks like any input that comes from a box where multiple options can be chosen is being disregarded (for ex. in the advanced search it won't use selected classtypes to include/exclude).

Darn, that's what I was fearing. Well, as I said, I don't know the code very well, ok, scratch that as well - I need to finish v5 ASAP 🙁


 
Posted : 14/11/2014 4:08 pm
(@babaca)
Posts: 722
Member Moderator
 

Darn, that's what I was fearing. Well, as I said, I don't know the code very well, ok, scratch that as well - I need to finish v5 ASAP 🙁

Hey I'm ready to beta test v5 whenever you are ready.  :agree:


******************************************
Mucking around in eFiction since circa 2001 (ver. 1.0)
Now running v.3

 
Posted : 14/11/2014 4:13 pm
(@jetblack)
Posts: 33
Eminent Member
 

I'm getting a bunch of reports from authors stating that "rn" is being added to each line since I applied the hotfix.  Here's an example:

http://www.adastrafanfic.com/viewstory.php?sid=2061&chapter=37

No matter what I do on the HTML editor side, I cannot remove those characters.  They persist over and over.

-- jb


Archive: Ad Astra Star Trek Fanfiction Archive
Version: 3.5.3
Skin: One of Kali's, but I'm not sure. It's been heavily modded.
PHP: 7.4.27
MySQL: 5.7.36

 
Posted : 14/11/2014 6:51 pm
(@jetblack)
Posts: 33
Eminent Member
 

Can I get a post of Step 3 so I can back out the changes?

-- Jb

EDIT: Nevermind.  I found it and edited it out.


Archive: Ad Astra Star Trek Fanfiction Archive
Version: 3.5.3
Skin: One of Kali's, but I'm not sure. It's been heavily modded.
PHP: 7.4.27
MySQL: 5.7.36

 
Posted : 14/11/2014 6:52 pm
(@hpfanficarchive-com)
Posts: 41
Eminent Member
 

Darn, that's what I was fearing. Well, as I said, I don't know the code very well, ok, scratch that as well - I need to finish v5 ASAP 🙁

Hey I'm ready to beta test v5 whenever you are ready.  :agree:

I'd also be up for doing any beta testing when you are ready. 


http://www.FicSavers.Com
http://www.HPFanFicArchive.Com
http://www.FavoritesTracker.Org

 
Posted : 15/11/2014 1:11 am
(@sheepcontrol)
Posts: 332
Reputable Member
 

Can I get a post of Step 3 so I can back out the changes?

-- Jb

EDIT: Nevermind.  I found it and edited it out.

So it's good now?


 
Posted : 15/11/2014 5:17 am
(@jetblack)
Posts: 33
Eminent Member
 

It seems to be.  Once I backed out the config.php changes, all of the weird extra characters disappeared when I did the hand-edits to the HTML input editor.

-- jb


Archive: Ad Astra Star Trek Fanfiction Archive
Version: 3.5.3
Skin: One of Kali's, but I'm not sure. It's been heavily modded.
PHP: 7.4.27
MySQL: 5.7.36

 
Posted : 15/11/2014 8:27 am
(@jacci)
Posts: 503
Honorable Member
 

I am very willing to help with beta testing too, anything you need


why is nothing ever easy?
url: http://www.pretendercentre.com/missingpieces/     
php: 5.2.5  msql: 5.0.45-community
efic version: 3.4.3           latest patches: yes
bridges: none              mods: challenges, displayword, beta-search

 
Posted : 15/11/2014 5:32 pm
(@sheepcontrol)
Posts: 332
Reputable Member
 

Changes have been included in the latest release, 3.5.5
Topic locked.


 
Posted : 25/01/2015 5:39 am
(@cristodulo)
Posts: 1
New Member
 

nice piece of history


 
Posted : 09/06/2021 6:18 am
Page 2 / 2