[Sticky] SQL Injection vulnerability in eFiction

SJP
(@sjp)
Trusted Member

Thank you, Robert for pointing this out, and thank you, Sheepcontrol for working on the fix.

I wanted to point out that the 2 lines of code that were previously added to the config.php file, and now are listed for the dbfuctions.php file:

$_GET = array_map('stripslashes', $_GET);
$_POST = array_map('stripslashes', $_POST);

May help with the SQL injection issue, but they throw off some of the site functionality. A member of my site emailed me to let me know that when she was trying to add a challenge, the site wouldn't save the characters she was trying to tie to the challenge. I checked, and she was correct. It looks like any input that comes from a box where multiple options can be chosen is being disregarded (for ex. in the advanced search it won't use selected classtypes to include/exclude).

Posted : 14/11/2014 4:03 pm
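
Added example (not part of the original thread and not eFiction's own code): the behaviour reported in the post above is what `array_map('stripslashes', ...)` does to any request value that is itself an array, such as a multi-select field. The field names, sample values and the helpers `flat_strip`, `deep_strip` and `int_ids` are assumptions made for illustration.

```php
<?php
// Added example; field names and values below are constructed.
$post = array(
    'title'  => 'O\\\'Brien',             // O\'Brien, as magic quotes deliver it
    'charid' => array('12', '15', '31x'), // <select multiple name="charid[]">
);

// Per-value effect of array_map('stripslashes', $input): stripslashes()
// accepts strings only. Given an array it warns and returns NULL on
// PHP 5/7 and throws TypeError on PHP 8, so the selection is lost.
function flat_strip(array $input)
{
    $out = array();
    foreach ($input as $key => $value) {
        try {
            $out[$key] = @stripslashes($value);
        } catch (TypeError $e) {
            $out[$key] = null;
        }
    }
    return $out;
}

// Recursive variant: descends into nested arrays and keeps their shape.
function deep_strip($value)
{
    if (is_array($value)) {
        return array_map('deep_strip', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Assumption: charid[] carries numeric ids. Keep only digit-only entries.
function int_ids($value)
{
    $ids = array();
    foreach ((array) $value as $item) {
        if (is_string($item) && ctype_digit($item)) {
            $ids[] = (int) $item;
        }
    }
    return $ids;
}

$flat = flat_strip($post);
$deep = deep_strip($post);
var_dump($flat['charid']);                 // multi-select after the flat map
var_dump($deep['title'], $deep['charid']); // same input after the recursive map
var_dump(int_ids($deep['charid']));        // validated ids only
```

`stripslashes()` only removes backslashes; values still have to be escaped or bound as parameters when they reach a query.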
babaca
(@babaca)
Member Moderator

UPDATE: zip-archive attached with the modified files.

Updated package is postponed, also, until this fix has become somewhat stable.

Sheep, I think you are great to tackle this problem but I'm confused... is there an attachment on your post or not? I see a paperclip on the header like there is an attachment but I could find no link. I will attempt to manually alter my files, but if I do, will I screw something up? Seems like there are some unpredictable results.

******************************************
Mucking around in eFiction since circa 2001 (ver. 1.0)
Now running v.3

Posted : 14/11/2014 4:50 pm
Sheepcontrol
(@sheepcontrol)
Member Admin

Thank you, Robert for pointing this out, and thank you, Sheepcontrol for working on the fix.

I wanted to point out that the 2 lines of code that were previously added to the config.php file, and now are listed for the dbfuctions.php file:

$_GET = array_map('stripslashes', $_GET);
$_POST = array_map('stripslashes', $_POST);

May help with the SQL injection issue, but they throw off some of the site functionality. A member of my site emailed me to let me know that when she was trying to add a challenge, the site wouldn't save the characters she was trying to tie to the challenge. I checked, and she was correct. It looks like any input that comes from a box where multiple options can be chosen is being disregarded (for ex. in the advanced search it won't use selected classtypes to include/exclude).

Darn, that's what I was fearing. Well, as I said, I don't know the code very well, ok, scratch that as well - I need to finish v5 ASAP 🙁

Posted : 14/11/2014 9:08 pm
babaca
(@babaca)
Member Moderator

Darn, that's what I was fearing. Well, as I said, I don't know the code very well, ok, scratch that as well - I need to finish v5 ASAP 🙁

Hey I'm ready to beta test v5 whenever you are ready.  :agree:


Posted : 14/11/2014 9:13 pm
jetblack
(@jetblack)
Eminent Member

I'm getting a bunch of reports from authors stating that "rn" is being added to each line since I applied the hotfix.  Here's an example:

http://www.adastrafanfic.com/viewstory.php?sid=2061&chapter=37

No matter what I do on the HTML editor side, I cannot remove those characters.  They persist over and over.

-- jb

Archive: Ad Astra Star Trek Fanfiction Archive
Version: 3.5.3
Skin: One of Kali's, but I'm not sure.  It's been heavily modded.
PHP: 5.0
MySQL: 5.5

Posted : 14/11/2014 11:51 pm
jetblack
(@jetblack)
Eminent Member

Can I get a post of Step 3 so I can back out the changes?

-- Jb

EDIT: Nevermind.  I found it and edited it out.


Posted : 14/11/2014 11:52 pm
HPFanFicArchive.Com
(@hpfanficarchive-com)
Eminent Member

Darn, that's what I was fearing. Well, as I said, I don't know the code very well, ok, scratch that as well - I need to finish v5 ASAP 🙁

Hey I'm ready to beta test v5 whenever you are ready.  :agree:

I'd also be up for doing any beta testing when you are ready. 

http://www.FicSavers.Com
http://www.HPFanFicArchive.Com
http://www.FavoritesTracker.Org

Posted : 15/11/2014 6:11 am
Sheepcontrol
(@sheepcontrol)
Member Admin

Can I get a post of Step 3 so I can back out the changes?

-- Jb

EDIT: Nevermind.  I found it and edited it out.

So it's good now?

Posted : 15/11/2014 10:17 am
jetblack
(@jetblack)
Eminent Member

It seems to be.  Once I backed out the config.php changes, all of the weird extra characters disappeared when I did the hand-edits to the HTML input editor.

-- jb


Posted : 15/11/2014 1:27 pm
jacci
(@jacci)
Honorable Member

I am very willing to help with beta testing too, anything you need.

why is nothing ever easy?
url: http://www.pretendercentre.com/missingpieces/     
php: 5.2.5  msql: 5.0.45-community
efic version: 3.4.3           latest patches: yes
bridges: none              mods: challenges, displayword, beta-search

Posted : 15/11/2014 10:32 pm
Sheepcontrol
(@sheepcontrol)
Member Admin

Changes have been included in the latest release, 3.5.5.
Topic locked.

Posted : 25/01/2015 10:39 am