Input Parsing - *** Critical ***, Security - Applies to phpCOIN v1.6.5

As a result of a small number of users reporting that their phpCOIN installation was being used as the vector for a web server compromise, we have reviewed the handling routines in the ~/coin_includes/security.php file and revised them.

My great thanks to azcappy who worked tirelessly in helping to test and refine this code.

This HotFix is rated : PATCH NOW !

Instructions:

1) Download the file and unzip it as security.php
2) Change the file permissions if required
3) Upload the file to your phpCOIN installation OVERWRITING the file in ~/coin_includes/security.php

Known Issues:

1) This may break passwords that are set to use auto-generated password that utilize the full alphanumeric character set and symbols, in the ASCII range 33 to 126 - Solution - switch this to utilize only lowercase letters


This HotFix is rated : PATCH NOW !

Note: This file is deliberately aggressive in the way it sanitizes input as passed by a GET or POST URL.

This file has been tested on a variety of live phpCOIN v1.6.5 installations and appears to work fine. Older installations may also be able to use this file if it already exists in the fileset but users should be aware that no testing has been performed on versions older than v1.6.5 so apply it with care or upgrade to the v1.6.5 version first.

If you encounter any loss of functionality after applying this file - please let us know.

This HotFix is rated : PATCH NOW !


Download file : HotFix_v165_1_2010_12_16.zip

MD5sum efff3185820acac9e1d1b4d60aae0ab0

This HotFix is rated : PATCH NOW !

NOTES

* A user reported problems with the format of menu external links

Add

into the # Some variables are allowed to contain html section of the security.php file to resolve this



* Users have reported difficulties when using HTML emails and the wysiwyg editor - there is no solution at this time - if you are experiencing difficulties with HTML emails - switch to plain-text email mode.

into the # Some variables are allowed to contain html section of the security.php file to resolve this

where you want to add the code? sorry 4 my english

thanks, I figured. file security.php line 94

Hi, I have,
1. downloaded the patch zip file
2. extracted on my windows 7 machine
3. made the suggested amended in the posts above
4. uploaded to my server
5. change permission to be same as previous version of security.php

I get a blank page when I load the site, althought when I remove the suggested amendment the site loads again, but yet it still writes "Your phpCOIN installation is v1.6.5 with fix-file 2009-09-26"
Fix-File 2010-12-16 for version 1.6.5

* HotFixs are available for this version
* Security : Input Parsing - *** PATCH NOW !! ***
* Security : Mail Archive Of Password Resets - Optional
* Security : Captcha Exploit, Ddos And Handling - Recommended
* BugFix : Google Webmaster Verification Tag - Recommended

am I doing it right please help in this regard

The HotFix will NOT remove the notification in the admin or summery page !!!

See http://forums.phpcoin.com/index.php?showtopic=3222

If you are getting a blank page, it is probably because of a parse error caused by a corrupted or partially uploaded file, or the file has had the wrong permissions set.

even after applying this patch, the update notice reads this:

Your phpCOIN installation is v1.6.5 with fix-file 2009-09-26

Fix-File 2010-12-16 for version 1.6.5

* HotFixs are available for this version
* Security : Input Parsing - *** PATCH NOW !! ***
* Security : Mail Archive Of Password Resets - Optional
* Security : Captcha Exploit, Ddos And Handling - Recommended
* BugFix : Google Webmaster Verification Tag - Recommended



Is it normal?

Oh dear

I realize this post is a couple years old, but I for one, still use php_coin... One solution is to fix the security.php file to white-list an IP address like this:

in "clean_input_array" function under "$res = array" add the following:

and change the "127.0.0.1" ip address to your own. I tested this code and it works for my purposes...

Of course, the better solution is to not have sanitization didn't strip out ALL the HTML, and return a relevant error if it did. But, alas, another dying project...