Experienced Elementalist
- Joined
- Sep 8, 2009
- Messages
- 296
- Reaction score
- 78
So for the majority of the community out there using xBlubb's website and all of the scripts, there's an exploit that can be done using the login function. It's done by modifying the User-Agent header and then injecting code into the database.
I'm here to publicly release a fix to prevent anyone selling it and to ensure the community is safe. Not patching this exploit leaves you wide open to SQL Injection attacks.
There are two ways to patch this exploit.
1. Stop collecting the User-Agent data.
The proper way to do this would be to modify the LOG_LOGIN table and remove the "browser" field, then go into xinc_login and change the INSERT query to look like this:
2. Check the integrity of the data coming from User-Agent by running it through a filter and checking for key words like UPDATE, SHUTDOWN, DROP, INSERT, DELETE.
For my method, I used a function.
xinc_function.php
xinc_login.php Under
Add this:
Enjoy!
I'm here to publicly release a fix to prevent anyone selling it and to ensure the community is safe. Not patching this exploit leaves you wide open to SQL Injection attacks.
There are two ways to patch this exploit.
1. Stop collecting the User-Agent data.
The proper way to do this would be to modify the LOG_LOGIN table and remove the "browser" field, then go into xinc_login and change the INSERT query to look like this:
PHP:
INSERT INTO WEBSITE_DBF.dbo.[LOG_LOGIN] (
[account],
[ip],
[host],
[timestamp]
) VALUES (
\'' . $strPostAccount . '\',
\'' . $ServerIPAddr . '\',
\'' . gethostbyaddr($_SERVER['REMOTE_HOST']) . '\',
' . time() . '
2. Check the integrity of the data coming from User-Agent by running it through a filter and checking for key words like UPDATE, SHUTDOWN, DROP, INSERT, DELETE.
For my method, I used a function.
xinc_function.php
PHP:
function checkdata($data) {
$badchars = array("DROP", "DELETE", "TRUNCATE", "TABLE", "UPDATE", "SELECT", "INSERT");
foreach ($badchars as $key => $value)
{
if (strpos(strtoupper($data), $value, $offset = 0) !== FALSE)
{
$detection = $value;
}
else
{
$detection = 0;
}
}
return $detection;
}
xinc_login.php Under
PHP:
if(md5($_CONFIG['allg_svr_salt'].$strPostPassword) != @odbc_result($intValidateLoginInformation, 'password')) {
$strOutputErrorArray[] = $_LANG['error_wrong_password'];
}
PHP:
if(checkdata($_SERVER['HTTP_USER_AGENT']) !== 0){
$strOutputErrorArray[] = 'SQL INJECTION ATTEMPT!';
}
Enjoy!