From: Lo?c C. <lo...@us...> - 2002-04-07 16:53:49
Update of /cvsroot/phpmychat/phpMyChat - 0.14/chat In directory usw-pr-cvs1:/tmp/cvs-serv19795/chat Modified Files: messagesL.php3 loader.php3 input.php3 handle_inputH.php3 Log Message: Security issues fixed thanks to SeazoN ***** Bogus filespec: - ***** Bogus filespec: 0.14/chat Index: messagesL.php3 =================================================================== RCS file: /cvsroot/phpmychat/phpMyChat - 0.14/chat/messagesL.php3,v retrieving revision 1.8 retrieving revision 1.9 diff -C2 -r1.8 -r1.9 *** messagesL.php3 7 Dec 2001 17:04:15 -0000 1.8 --- messagesL.php3 7 Apr 2002 16:53:45 -0000 1.9 *************** *** 49,53 **** // ** Updates user info in connected users tables ** ! $DbLink->query("SELECT room,status,ip FROM ".C_USR_TBL." WHERE username = '$U' LIMIT 1"); if($DbLink->num_rows() != 0) { --- 49,81 ---- // ** Updates user info in connected users tables ** ! // Fixed a security issue thanks to SeazoN ! if (C_REQUIRE_REGISTER && (!isset($PWD_Hash) || $PWD_Hash == '')) ! { ! exit(); // hack attack ! } ! else if (isset($PWD_Hash) && $PWD_Hash != '') ! { ! $DbLink->query( 'SELECT ' . C_USR_TBL . '.room, ' . C_USR_TBL . '.status, ' . C_USR_TBL . '.ip' ! . ' FROM ' . C_USR_TBL . ', ' . C_REG_TBL ! . ' WHERE ' . C_USR_TBL . '.username = \'' . $U . '\'' ! . ' AND ' . C_REG_TBL . '.username = \'' . $U . '\'' ! . ' AND ' . C_REG_TBL . '.password = \'' . $PWD_Hash . '\'' ! . ' LIMIT 1'); ! } ! else // C_REQUIRE_REGISTER == 0 && $PWD_Hash is empty ! { ! $DbLink->query('SELECT username FROM ' . C_REG_TBL . ' WHERE username = \'' . $U . '\' LIMIT 1'); ! if ($DbLink->num_rows() == 0) ! { ! $DbLink->query('SELECT room, status, ip FROM ' . C_USR_TBL . ' WHERE username = \'' . $U . '\' LIMIT 1'); ! } ! else ! { ! $DbLink->clean_results(); ! $DbLink->close(); ! exit(); // hack attack ! } ! } ! 
// End of SeazoN Fix if($DbLink->num_rows() != 0) { Index: loader.php3 =================================================================== RCS file: /cvsroot/phpmychat/phpMyChat - 0.14/chat/loader.php3,v retrieving revision 1.11 retrieving revision 1.12 diff -C2 -r1.11 -r1.12 *** loader.php3 7 Dec 2001 17:04:15 -0000 1.11 --- loader.php3 7 Apr 2002 16:53:45 -0000 1.12 *************** *** 40,48 **** // ** Updates user info in connected users tables **; ! $DbLink->query("SELECT status,room,ip FROM ".C_USR_TBL." WHERE username = '$U' LIMIT 1"); if($DbLink->num_rows() != 0) { // There is a row for the user in the users table ! list($status,$room,$knownIp) = $DbLink->next_record(); $DbLink->clean_results(); $kicked = 0; --- 40,76 ---- // ** Updates user info in connected users tables **; ! // Fixed a security issue thanks to SeazoN ! if (C_REQUIRE_REGISTER && (!isset($PWD_Hash) || $PWD_Hash == '')) ! { ! exit(); // hack attack ! } ! else if (isset($PWD_Hash) && $PWD_Hash != '') ! { ! $DbLink->query( 'SELECT ' . C_USR_TBL . '.room, ' . C_USR_TBL . '.status, ' . C_USR_TBL . '.ip' ! . ' FROM ' . C_USR_TBL . ', ' . C_REG_TBL ! . ' WHERE ' . C_USR_TBL . '.username = \'' . $U . '\'' ! . ' AND ' . C_REG_TBL . '.username = \'' . $U . '\'' ! . ' AND ' . C_REG_TBL . '.password = \'' . $PWD_Hash . '\'' ! . ' LIMIT 1'); ! } ! else // C_REQUIRE_REGISTER == 0 && $PWD_Hash is empty ! { ! $DbLink->query('SELECT username FROM ' . C_REG_TBL . ' WHERE username = \'' . $U . '\' LIMIT 1'); ! if ($DbLink->num_rows() == 0) ! { ! $DbLink->query('SELECT room, status, ip FROM ' . C_USR_TBL . ' WHERE username = \'' . $U . '\' LIMIT 1'); ! } ! else ! { ! $DbLink->clean_results(); ! $DbLink->close(); ! exit(); // hack attack ! } ! } ! // End of SeazoN Fix if($DbLink->num_rows() != 0) { // There is a row for the user in the users table ! 
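Review bot: `$PWD_Hash` is concatenated straight into the WHERE clause of the new join query, so the authentication this hunk introduces rests on an unescaped request value (the later input.php3 and handle_inputH.php3 hunks show `$PWD_Hash` travelling in the refresh URL); unless magic_quotes_gpc is guaranteed on, escape it before use, e.g. `$PWD_Hash = addslashes($PWD_Hash);` ahead of the query, or reject any value that does not match the format of the stored digest. The join also yields zero rows both for a wrong hash and for a registered user who is not yet present in C_USR_TBL, and the `if($DbLink->num_rows() != 0)` that follows (its block continues past the hunk) looks like the pre-change "no row yet" path; if that path creates the connected-user row, a non-empty wrong hash is never rejected here — confirm, and otherwise look the password up in C_REG_TBL on its own and `exit()` on mismatch before the connected-users query. Because the stored hash is compared byte-for-byte with the client-supplied value, the hash itself is password-equivalent and must be handled as a secret. The first `exit(); // hack attack` branch also skips the `$DbLink->clean_results(); $DbLink->close();` that the final branch performs. The same block is duplicated verbatim in the loader.php3, input.php3 and handle_inputH.php3 hunks, so it belongs in one shared include rather than four copies.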
list($room,$status,$knownIp) = $DbLink->next_record(); $DbLink->clean_results(); $kicked = 0; Index: input.php3 =================================================================== RCS file: /cvsroot/phpmychat/phpMyChat - 0.14/chat/input.php3,v retrieving revision 1.15 retrieving revision 1.16 diff -C2 -r1.15 -r1.16 *** input.php3 7 Dec 2001 17:04:15 -0000 1.15 --- input.php3 7 Apr 2002 16:53:45 -0000 1.16 *************** *** 54,58 **** // ** Updates user info in connected users tables and fix some security issues ** ! $DbLink->query("SELECT room, status, ip FROM ".C_USR_TBL." WHERE username = '$U' LIMIT 1"); if ($DbLink->num_rows() != 0) { --- 54,86 ---- // ** Updates user info in connected users tables and fix some security issues ** ! // Fixed a security issue thanks to SeazoN ! if (C_REQUIRE_REGISTER && (!isset($PWD_Hash) || $PWD_Hash == '')) ! { ! exit(); // hack attack ! } ! else if (isset($PWD_Hash) && $PWD_Hash != '') ! { ! $DbLink->query( 'SELECT ' . C_USR_TBL . '.room, ' . C_USR_TBL . '.status, ' . C_USR_TBL. '.ip' ! . ' FROM ' . C_USR_TBL . ', ' . C_REG_TBL ! . ' WHERE ' . C_USR_TBL . '.username = \'' . $U . '\'' ! . ' AND ' . C_REG_TBL . '.username = \'' . $U . '\'' ! . ' AND ' . C_REG_TBL . '.password = \'' . $PWD_Hash . '\'' ! . ' LIMIT 1'); ! } ! else // C_REQUIRE_REGISTER == 0 && $PWD_Hash is empty ! { ! $DbLink->query('SELECT username FROM ' . C_REG_TBL . ' WHERE username = \'' . $U . '\' LIMIT 1'); ! if ($DbLink->num_rows() == 0) ! { ! $DbLink->query('SELECT room, status, ip FROM ' . C_USR_TBL . ' WHERE username = \'' . $U . '\' LIMIT 1'); ! } ! else ! { ! $DbLink->clean_results(); ! $DbLink->close(); ! exit(); // hack attack ! } ! } ! // End of SeazoN Fix if ($DbLink->num_rows() != 0) { *************** *** 451,455 **** if (window.parent.connect == 0) { ! 
window.parent.refresh_query = "<?php echo("From=".urlencode($From)."&L=$L&U=".urlencode(stripslashes($U))."&R=".urlencode(stripslashes($R))."&T=$T&D=$D&N=$N&ST=$ST&NT=$NT".$Tmp."&First=$First"); ?>"; window.parent.force_refresh(); }; --- 479,483 ---- if (window.parent.connect == 0) { ! window.parent.refresh_query = "<?php echo("From=".urlencode($From)."&L=$L&U=".urlencode(stripslashes($U)).(isset($PWD_Hash) ? '&PWD_Hash=' . $PWD_Hash : '')."&R=".urlencode(stripslashes($R))."&T=$T&D=$D&N=$N&ST=$ST&NT=$NT".$Tmp."&First=$First"); ?>"; window.parent.force_refresh(); }; *************** *** 459,463 **** { ?> ! window.parent.frames['messages'].window.location = 'messagesL.php3?<?php echo("From=".urlencode($From)."&L=$L&U=".urlencode(stripslashes($U))."&R=".urlencode(stripslashes($R))."&T=$T&D=$D&N=$N&O=$O&ST=$ST&NT=$NT".$Tmp); ?>'; <?php }; --- 487,491 ---- { ?> ! window.parent.frames['messages'].window.location = 'messagesL.php3?<?php echo("From=".urlencode($From)."&L=$L&U=".urlencode(stripslashes($U)).(isset($PWD_Hash) ? '&PWD_Hash=' . $PWD_Hash : '')."&R=".urlencode(stripslashes($R))."&T=$T&D=$D&N=$N&O=$O&ST=$ST&NT=$NT".$Tmp); ?>'; <?php }; Index: handle_inputH.php3 =================================================================== RCS file: /cvsroot/phpmychat/phpMyChat - 0.14/chat/handle_inputH.php3,v retrieving revision 1.11 retrieving revision 1.12 diff -C2 -r1.11 -r1.12 *** handle_inputH.php3 7 Dec 2001 17:04:15 -0000 1.11 --- handle_inputH.php3 7 Apr 2002 16:53:45 -0000 1.12 *************** *** 59,63 **** // ** Updates user info in connected users tables and fix some security issues ** ! $DbLink->query("SELECT room, status, ip FROM ".C_USR_TBL." WHERE username = '$U' LIMIT 1"); if ($DbLink->num_rows() != 0) { --- 59,91 ---- // ** Updates user info in connected users tables and fix some security issues ** ! // Fixed a security issue thanks to SeazoN ! if (C_REQUIRE_REGISTER && (!isset($PWD_Hash) || $PWD_Hash == '')) ! { ! exit(); // hack attack ! } ! 
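Review bot: `$PWD_Hash` is appended to the refresh query without `urlencode()`, unlike the `$U` and `$R` values beside it, and is emitted inside a JavaScript string literal in the page without any escaping, so a request-supplied value is reflected verbatim into the HTML; at minimum write `(isset($PWD_Hash) ? '&PWD_Hash=' . urlencode($PWD_Hash) : '')`. The same expression appears in the input.php3 459,463 hunk and the handle_inputH.php3 314,318 hunk. Since the server compares this value directly against the stored password hash, it is a bearer credential, and carrying it in the URL exposes it in browser history, proxy and server access logs, and Referer headers sent to any linked resource; keeping it server-side in a session rather than round-tripping it through every refresh URL would avoid that.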
else if (isset($PWD_Hash) && $PWD_Hash != '') ! { ! $DbLink->query( 'SELECT ' . C_USR_TBL . '.room, ' . C_USR_TBL . '.status, ' . C_USR_TBL. '.ip' ! . ' FROM ' . C_USR_TBL . ', ' . C_REG_TBL ! . ' WHERE ' . C_USR_TBL . '.username = \'' . $U . '\'' ! . ' AND ' . C_REG_TBL . '.username = \'' . $U . '\'' ! . ' AND ' . C_REG_TBL . '.password = \'' . $PWD_Hash . '\'' ! . ' LIMIT 1'); ! } ! else // C_REQUIRE_REGISTER == 0 && $PWD_Hash is empty ! { ! $DbLink->query('SELECT username FROM ' . C_REG_TBL . ' WHERE username = \'' . $U . '\' LIMIT 1'); ! if ($DbLink->num_rows() == 0) ! { ! $DbLink->query('SELECT room, status, ip FROM ' . C_USR_TBL . ' WHERE username = \'' . $U . '\' LIMIT 1'); ! } ! else ! { ! $DbLink->clean_results(); ! $DbLink->close(); ! exit(); // hack attack ! } ! } ! // End of SeazoN Fix if ($DbLink->num_rows() != 0) { *************** *** 314,318 **** if (window.parent.connect == 0) { ! window.parent.refresh_query = "<?php echo("From=".urlencode($From)."&L=$L&U=".urlencode(stripslashes($U))."&R=".urlencode(stripslashes($R))."&T=$T&D=$D&N=$N&ST=$ST&NT=$NT".$Tmp."&First=$First"); ?>"; window.parent.force_refresh(); }; --- 342,346 ---- if (window.parent.connect == 0) { ! window.parent.refresh_query = "<?php echo("From=".urlencode($From)."&L=$L&U=".urlencode(stripslashes($U)).(isset($PWD_Hash) ? '&PWD_Hash=' . $PWD_Hash : '')."&R=".urlencode(stripslashes($R))."&T=$T&D=$D&N=$N&ST=$ST&NT=$NT".$Tmp."&First=$First"); ?>"; window.parent.force_refresh(); }; |