phpCOIN Support Forums > HotFix's for phpCOIN v1.6.5 > Input Parsing - *** Critical ***


Posted by: lightman December 16, 2010 09:17 am
As a result of a small number of users reporting that their phpCOIN installation was being used as the vector for a web server compromise, we have reviewed the handling routines in the ~/coin_includes/security.php file and revised them.

My great thanks to azcappy who worked tirelessly in helping to test and refine this code.

This HotFix is rated : PATCH NOW !

Instructions:

1) Download the file and unzip it as security.php
2) Change the file permissions if required
3) Upload the file to your phpCOIN installation OVERWRITING the file in ~/coin_includes/security.php

Known Issues:

1) This may break auto-generated passwords that use the full alphanumeric character set plus symbols, i.e. the ASCII range 33 to 126. Solution: switch the generator to use only lowercase letters.


Note: This file is deliberately aggressive in the way it sanitizes input passed via GET or POST.

This file has been tested on a variety of live phpCOIN v1.6.5 installations and appears to work fine. Older installations may also be able to use this file if it already exists in their fileset, but users should be aware that no testing has been performed on versions older than v1.6.5, so apply it with care or upgrade to v1.6.5 first.

If you encounter any loss of functionality after applying this file - please let us know.


Download file : http://forums.phpcoin.com/HotFix/HotFix_v165_1_2010_12_16.zip

MD5sum efff3185820acac9e1d1b4d60aae0ab0

Posted by: lightman December 28, 2010 05:08 pm
NOTES

* A user reported problems with the format of menu external links

Add
CODE
$key != 'item_url' &&
into the "# Some variables are allowed to contain html" section of the security.php file to resolve this



* Users have reported difficulties when using HTML emails and the wysiwyg editor - there is no solution at this time - if you are experiencing difficulties with HTML emails - switch to plain-text email mode.
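As an added example, not phpCOIN's own security.php (which is only available from the download above), here is a recursive input cleaner in the spirit of the hotfix: a list of keys that are allowed to keep HTML (the 'item_url' case from the note above) and a separate exemption for password fields. The exemption is the practical lesson behind Known Issue 1 in the first post: stripping characters from a submitted password changes the value before it is ever compared or hashed, so passwords drawn from ASCII 33 to 126 stop working. Field names, both allowlists and the sample request are assumptions for illustration.

```php
<?php
// Added example, not phpCOIN's security.php. The key names, the allowlist of
// HTML-bearing fields and the password exemption are assumptions; phpCOIN's
// real field names live in its own code.

// Fields that may legitimately carry HTML or raw URL characters, such as an
// external menu link ('item_url'). They must still be escaped when rendered.
$html_allowed_keys = array('item_url', 'email_body');

// Secrets compared or hashed byte-for-byte: never strip or transform them,
// or auto-generated passwords using ASCII 33-126 break (Known Issue 1).
$raw_keys = array('password', 'password_confirm');

function clean_input_value($value)
{
    // Aggressive, like the hotfix: drop NUL bytes, tags and control characters.
    $value = str_replace("\0", '', $value);
    $value = strip_tags($value);
    $value = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $value);
    return $value;
}

function clean_input_array(array $array, array $html_allowed, array $raw)
{
    $res = array();
    foreach ($array as $key => $value) {
        // The attacker controls keys as well as values, so restrict the key too.
        $key = preg_replace('/[^A-Za-z0-9_\-\[\]]/', '', (string) $key);
        if (is_array($value)) {
            $res[$key] = clean_input_array($value, $html_allowed, $raw);
        } elseif (in_array($key, $raw, true)) {
            // Password fields: only NUL bytes removed, every other byte kept.
            $res[$key] = str_replace("\0", '', (string) $value);
        } elseif (in_array($key, $html_allowed, true)) {
            // HTML-bearing fields keep their markup; escape on output instead.
            $res[$key] = str_replace("\0", '', (string) $value);
        } else {
            $res[$key] = clean_input_value((string) $value);
        }
    }
    return $res;
}

// Constructed sample request (not captured traffic).
$sample_post = array(
    'username' => 'alice<script>alert(1)</script>',
    'password' => 'p@$$<w0rd>!~',
    'item_url' => 'http://example.com/?a=1&b=<2>',
    'nested'   => array('x<y' => '<b>bold</b>'),
);

$clean = clean_input_array($sample_post, $html_allowed_keys, $raw_keys);
var_dump($clean);
```

Running it shows the username and the nested value stripped of tags, the nested key reduced to letters, and the password and item_url fields passed through untouched. Whatever a cleaner like this keeps must still be escaped with htmlspecialchars() at the point where it is echoed into a page.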

Posted by: ahouse January 07, 2011 09:06 am
QUOTE (lightman @ December 28, 2010 04:08 pm)
NOTES

A user reported problems with the format of menu external links

Add
CODE
$key != 'item_url' &&
into the # Some variables are allowed to contain html section of the security.php file to resolve this

Where do you want to add the code? Sorry for my English.

Posted by: ahouse January 07, 2011 09:10 am
Thanks, I figured it out: file security.php, line 94.

Posted by: 4u2cnnv January 14, 2011 02:32 pm
Hi, I have:
1. downloaded the patch zip file
2. extracted it on my Windows 7 machine
3. made the suggested amendment from the posts above
4. uploaded it to my server
5. changed the permissions to be the same as the previous version of security.php

I get a blank page when I load the site, although when I remove the suggested amendment the site loads again, but it still writes "Your phpCOIN installation is v1.6.5 with fix-file 2009-09-26"
Fix-File 2010-12-16 for version 1.6.5

* HotFixs are available for this version
* Security : Input Parsing - *** PATCH NOW !! ***
* Security : Mail Archive Of Password Resets - Optional
* Security : Captcha Exploit, Ddos And Handling - Recommended
* BugFix : Google Webmaster Verification Tag - Recommended

Am I doing it right? Please help in this regard.

Posted by: lightman January 15, 2011 06:39 am
The HotFix will NOT remove the notification in the admin or summary page !!!

See http://forums.phpcoin.com/index.php?showtopic=3222

If you are getting a blank page, it is probably because of a parse error caused by a corrupted or partially uploaded file, or the file has had the wrong permissions set.

Posted by: qtriangle February 26, 2011 01:41 pm
Even after applying this patch, the update notice reads this:

Your phpCOIN installation is v1.6.5 with fix-file 2009-09-26

Fix-File 2010-12-16 for version 1.6.5

* HotFixs are available for this version
* Security : Input Parsing - *** PATCH NOW !! ***
* Security : Mail Archive Of Password Resets - Optional
* Security : Captcha Exploit, Ddos And Handling - Recommended
* BugFix : Google Webmaster Verification Tag - Recommended



Is it normal?

Posted by: lightman February 26, 2011 02:01 pm
Oh dear :(

QUOTE
The HotFix will NOT remove the notification in the admin or summary page !!!

See http://forums.phpcoin.com/index.php?showtopic=3222

Posted by: mrsdonovan June 04, 2012 05:54 pm
QUOTE (lightman @ December 28, 2010 04:08 pm)
* Users have reported difficulties when using HTML emails and the wysiwyg editor - there is no solution at this time - if you are experiencing difficulties with HTML emails - switch to plain-text email mode.

I realize this post is a couple of years old, but I, for one, still use phpCOIN... One solution is to change the security.php file to white-list an IP address like this:

In the "clean_input_array" function, under "$res = array", add the following:

CODE
if ($_SERVER['REMOTE_ADDR'] == "127.0.0.1") {
    // Trusted address: return the input unchanged
    $res = $_array;
} else {
    // Move the existing foreach loop into here
}

and change the "127.0.0.1" ip address to your own. I tested this code and it works for my purposes...

Of course, the better solution would be sanitization that didn't strip out ALL the HTML, and returned a relevant error if it did. But, alas, another dying project...
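The address-based bypass above, rewritten as an added example rather than the poster's exact patch, with the check a practitioner would want before relying on it: REMOTE_ADDR is the address of the TCP peer, so when phpCOIN sits behind a reverse proxy or load balancer every request carries the proxy's address, and an allowlisted proxy IP would switch the bypass on for everyone. The example refuses the bypass whenever a forwarding header is present (rather than trusting X-Forwarded-For, which any client can set), and even for a trusted editor it only relaxes tag stripping on the fields that need HTML instead of returning the whole array untouched. Addresses, header names and field names are assumptions; 203.0.113.10 is from the documentation range.

```php
<?php
// Added example, not phpCOIN's security.php and not the poster's exact patch.
// Addresses, header names and field names are assumptions for illustration.

// True only when the request comes directly from an allowlisted address.
// A forwarding header means REMOTE_ADDR is a proxy, not the editor's machine,
// so the bypass is refused rather than extended to every proxied client.
function request_is_from_trusted_editor(array $server, array $trusted_ips)
{
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    if (!in_array($remote, $trusted_ips, true)) {
        return false;
    }
    if (isset($server['HTTP_X_FORWARDED_FOR']) || isset($server['HTTP_FORWARDED'])) {
        return false;
    }
    return true;
}

// Even for a trusted editor, only the HTML-bearing fields skip strip_tags();
// every other field is still cleaned. NUL bytes are always removed.
function clean_request(array $array, $trusted, array $html_fields)
{
    foreach ($array as $key => &$value) {
        if (is_array($value)) {
            $value = clean_request($value, $trusted, $html_fields);
        } elseif ($trusted && in_array($key, $html_fields, true)) {
            $value = str_replace("\0", '', (string) $value);
        } else {
            $value = strip_tags(str_replace("\0", '', (string) $value));
        }
    }
    unset($value);
    return $array;
}

$trusted_ips = array('203.0.113.10');   // assumed editor workstation
$html_fields = array('email_body');     // assumed field carrying the HTML email

// Constructed requests, not captured traffic.
$direct  = array('REMOTE_ADDR' => '203.0.113.10');
$proxied = array('REMOTE_ADDR' => '203.0.113.10', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7');
$post    = array('subject' => 'Hi <b>there</b>', 'email_body' => '<p>Hello</p>');

// Direct request from the editor: subject is stripped, email_body keeps its HTML.
var_dump(clean_request($post, request_is_from_trusted_editor($direct, $trusted_ips), $html_fields));

// Same address but proxied: the bypass is refused and both fields are stripped.
var_dump(clean_request($post, request_is_from_trusted_editor($proxied, $trusted_ips), $html_fields));
```

In a real deployment the two functions would be called from the request handler with $_SERVER and $_POST; the two var_dump calls at the bottom exist only to exercise the direct and proxied cases. Whatever HTML this lets through is still attacker-shaped data once it is stored, so the email template must escape or filter it before sending.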
