phpCOIN

Input Parsing - *** Critical ***, Security - Applies to phpCOIN v1.6.5
lightman
Posted: December 16, 2010 09:17 am
As a result of a small number of users reporting that their phpCOIN installation was being used as the vector for a web server compromise, we have reviewed the handling routines in the ~/coin_includes/security.php file and revised them.

My great thanks to azcappy who worked tirelessly in helping to test and refine this code.

This HotFix is rated : PATCH NOW !

Instructions:

1) Download the file and unzip it as security.php
2) Change the file permissions if required
3) Upload the file to your phpCOIN installation OVERWRITING the file in ~/coin_includes/security.php

Known Issues:

1) This may break passwords that are set to use auto-generated passwords that utilize the full alphanumeric character set and symbols, in the ASCII range 33 to 126 - Solution - switch this to utilize only lowercase letters


This HotFix is rated : PATCH NOW !

Note: This file is deliberately aggressive in the way it sanitizes input as passed by a GET or POST URL.

This file has been tested on a variety of live phpCOIN v1.6.5 installations and appears to work fine. Older installations may also be able to use this file if it already exists in the fileset but users should be aware that no testing has been performed on versions older than v1.6.5 so apply it with care or upgrade to the v1.6.5 version first.

If you encounter any loss of functionality after applying this file - please let us know.

This HotFix is rated : PATCH NOW !


Download file : HotFix_v165_1_2010_12_16.zip

MD5sum efff3185820acac9e1d1b4d60aae0ab0

This HotFix is rated : PATCH NOW !


--------------------
***** Unless otherwise stated, all replies refer to the following *****
====================================================================
--- The latest unmodified version of phpCOIN available from the phpCOIN download page on the date and time of this post.
--- All relevant HotFix files applied - One of the four included unmodified themes - The original language files .
--- Help will be given to install/configure/use phpCOIN, but not programming help to modify phpCOIN operations. If you are competent enough to make programming changes, you should be competent enough to read the source code and figure things out :)
lightman
Posted: December 28, 2010 05:08 pm
NOTES

* A user reported problems with the format of menu external links

Add
CODE
$key != 'item_url' &&
into the # Some variables are allowed to contain html section of the security.php file to resolve this



* Users have reported difficulties when using HTML emails and the wysiwyg editor - there is no solution at this time - if you are experiencing difficulties with HTML emails - switch to plain-text email mode.

ahouse
Posted: January 07, 2011 09:06 am
QUOTE (lightman @ December 28, 2010 04:08 pm)
NOTES

A user reported problems with the format of menu external links

Add
CODE
$key != 'item_url' &&
into the # Some variables are allowed to contain html section of the security.php file to resolve this

Where do you want to add the code? Sorry for my English.
ahouse
Posted: January 07, 2011 09:10 am
Thanks, I figured it out: file security.php, line 94.
4u2cnnv
Posted: January 14, 2011 02:32 pm
Hi, I have:
1. downloaded the patch zip file
2. extracted it on my Windows 7 machine
3. made the suggested amendment from the posts above
4. uploaded it to my server
5. changed the permissions to be the same as the previous version of security.php

I get a blank page when I load the site, although when I remove the suggested amendment the site loads again, but it still shows "Your phpCOIN installation is v1.6.5 with fix-file 2009-09-26"
Fix-File 2010-12-16 for version 1.6.5

* HotFixs are available for this version
* Security : Input Parsing - *** PATCH NOW !! ***
* Security : Mail Archive Of Password Resets - Optional
* Security : Captcha Exploit, Ddos And Handling - Recommended
* BugFix : Google Webmaster Verification Tag - Recommended

Am I doing it right? Please help me in this regard.
lightman
Posted: January 15, 2011 06:39 am
The HotFix will NOT remove the notification in the admin or summary page !!!

See http://forums.phpcoin.com/index.php?showtopic=3222

If you are getting a blank page, it is probably because of a parse error caused by a corrupted or partially uploaded file, or the file has had the wrong permissions set.

qtriangle
Posted: February 26, 2011 01:41 pm
Even after applying this patch, the update notice reads this:

Your phpCOIN installation is v1.6.5 with fix-file 2009-09-26

Fix-File 2010-12-16 for version 1.6.5

* HotFixs are available for this version
* Security : Input Parsing - *** PATCH NOW !! ***
* Security : Mail Archive Of Password Resets - Optional
* Security : Captcha Exploit, Ddos And Handling - Recommended
* BugFix : Google Webmaster Verification Tag - Recommended



Is it normal?
lightman
Posted: February 26, 2011 02:01 pm
Oh dear

QUOTE
The HotFix will NOT remove the notification in the admin or summary page !!!

See http://forums.phpcoin.com/index.php?showtopic=3222

mrsdonovan
Posted: June 04, 2012 05:54 pm
QUOTE (lightman @ December 28, 2010 04:08 pm)
* Users have reported difficulties when using HTML emails and the wysiwyg editor - there is no solution at this time - if you are experiencing difficulties with HTML emails - switch to plain-text email mode.

I realize this post is a couple of years old, but I, for one, still use php_coin... One solution is to fix the security.php file to whitelist an IP address like this:

In the "clean_input_array" function, under "$res = array", add the following:

CODE
if ($_SERVER['REMOTE_ADDR'] == "127.0.0.1") {
    $res = $_array;   // whitelisted address: input is passed through unfiltered
} else {
    // Move the foreach loop into here
}

and change the "127.0.0.1" IP address to your own. I tested this code and it works for my purposes...

Of course, the better solution is to have the sanitization not strip out ALL the HTML, and return a relevant error if it did. But, alas, another dying project...
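As an added illustration (not phpCOIN's security.php and not either poster's code), the following PHP sketch combines the two ideas raised in this thread: an exempted key such as `item_url` handled by a per-key validator rather than a blanket skip of filtering, and a relevant error returned when the aggressive filter would strip a value to nothing, as suggested in the post above. The function names, key list and character policy are assumptions for the example.

```php
<?php
// Added example, not phpCOIN's security.php; key names and policy are assumed.
// Ordinary fields keep only this character set (deliberately aggressive, like
// the hotfix: symbols in a password would be removed).
const PLAIN_PATTERN = '/[^A-Za-z0-9 _\-.@]/';

// Keys that may carry characters the plain filter removes, each mapped to a
// validator that returns the accepted value or null.
const KEY_VALIDATORS = ['item_url' => 'validate_http_url'];

function validate_http_url(string $value): ?string {
    $url = filter_var($value, FILTER_VALIDATE_URL);
    if ($url === false) return null;
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

// Returns [cleaned, errors]; errors maps key => message so the caller can
// show a relevant error instead of silently saving an emptied value.
function clean_input_array(array $array): array {
    $res = [];
    $errors = [];
    foreach ($array as $key => $value) {
        if (!is_string($value)) continue; // nested/non-string input dropped
        if (isset(KEY_VALIDATORS[$key])) {
            $validator = KEY_VALIDATORS[$key];
            $accepted = $validator($value);
            if ($accepted === null) $errors[$key] = "rejected value for '$key'";
            else $res[$key] = $accepted;
            continue;
        }
        $cleaned = preg_replace(PLAIN_PATTERN, '', $value);
        if ($value !== '' && trim($cleaned) === '') {
            $errors[$key] = "filtering removed the entire value for '$key'";
            continue;
        }
        $res[$key] = $cleaned;
    }
    return [$res, $errors];
}

// Constructed sample input standing in for $_POST.
[$clean, $errors] = clean_input_array([
    'username' => 'alice',
    'item_url' => 'http://example.test/p?a=1&b=2', // kept intact
    'password' => '!$%^&*()',                     // emptied -> error
]);
print_r($clean);
print_r($errors);
```

Unlike the REMOTE_ADDR whitelist in the post above, which switches filtering off entirely for one client address, this keeps filtering on for every client and only relaxes it per key.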