11
zyspec
Re: MyAds 2.x vulnerable!
  • 2006/7/2 2:50

  • zyspec

  • Module Developer

  • Posts: 1095

  • Since: 2004/9/21


The patch to fix the specific SQL injection cited is pretty easy to make. Does someone have a copy of the "latest" MyAds module (whatever version that is)? If so I can tell you exactly what line number. Otherwise you can follow the instructions below.

Towards the bottom of the listing-p-f.php (or annonces-p-f.php depending on which version of MyAds you have) file you'll find the following code just before:

switch($op) {

You'll find:
foreach ($_POST as $k => $v) {
    ${
$k} = $v;
}

$lid = isset( $_GET['lid'] ) ? $_GET['lid'] : '' ;

if(!isset(
$_POST['op']) && isset($_GET['op']) ) {
    
$op $_GET['op'] ;
}


Just delete these lines or comment it out with // at the beginning of each line) and replace it with:

$lid = isset( $_GET['lid'] ) ? intval($_GET['lid']) : '' ;
$op = isset($_POST['op']) ? $_POST['op'] : '' ;
$op = isset($_GET['op']) ? $_GET['op'] : $op ;

$yname = isset($_POST['yname'] ? $myts->addSlashes($_POST['yname']) : '';
$ymail = isset($_POST['ymail'] ? $myts->addSlashes($_POST['ymail']) : '';
$fname = isset($_POST['fname'] ? $myts->addSlashes($_POST['fname']) : '';
$fmail = isset($_POST['fmail'] ? $myts->addSlashes($_POST['fmail']) : '';

Remember, place this BEFORE the switch($op) statement. By the way, the fix for the Job Listing module (jobs ver 1.9) is the same.

12
DobePhat
Re: MyAds 2.x vulnerable!
  • 2006/7/2 4:59

  • DobePhat

  • Friend of XOOPS

  • Posts: 656

  • Since: 2003/4/15


Hi, thanks for sharing that:

Roughly lines 205-215

Nothing like this fix was on the myads_2_0_4jp version-and so could be applied it appears..
But in the myAds2.05_jp_13_malaika version there is the following (for comparisons)

$yname = !empty($_POST['yname']) ? $myts->makeTboxData4Save($_POST['yname']) : "";
$ymail = !empty($_POST['ymail']) ? $myts->makeTboxData4Save($_POST['ymail']) : "";
$fname = !empty($_POST['fname']) ? $myts->makeTboxData4Save($_POST['fname']) : "";
$fmail = !empty($_POST['fmail']) ? $myts->makeTboxData4Save($_POST['fmail']) : "";

if(!isset(
$_POST['lid']) && isset($_GET['lid']) ) {
    
$lid intval($_GET['lid']) ;
}else {
    
$lid intval($_POST['lid']) ;
}

$op'';
if (!empty(
$_GET['op'])) {
    
$op $_GET['op'];
} elseif (!empty(
$_POST['op'])) {
    
$op $_POST['op'];
}

switch(
$op) {


?
FYI hmm

13
penkay
Re: MyAds 2.x vulnerable!
  • 2006/7/4 0:58

  • penkay

  • Just popping in

  • Posts: 10

  • Since: 2006/3/4 1


Some ass**** broke in to my XOOPS 2.013 and left this web address in my sql tables last night ... under config
---
http://jiqqags.ji.funpic.de/t.html
---

I have the my ads module on two applications running on my site. I quess this is how they got in. I will do this update and hope this is the hole.. thanks for the coding

14
jlm69
Re: MyAds 2.x , jobs, alumni vulnerable!
  • 2006/7/4 14:55

  • jlm69

  • Module Developer

  • Posts: 719

  • Since: 2002/7/19


This vulnerability does exist in all versions of the jobs and alumni modules, The modules are updated with the fix. I chose to use zyspec's fix. Users can either make the fix manually or update the modules to the newest versions. Thanks to zyspec for taking the time to make a fix for this problem, very much appreciated.

Thanks,

John

15
davidl2
Re: MyAds 2.x vulnerable!
  • 2006/7/4 15:42

  • davidl2

  • XOOPS is my life!

  • Posts: 4843

  • Since: 2003/5/26


An updated version of Jobs (2.4) is available from dev.xoops.org here

Thanks for the fast update JLM

16
phppp
Re: MyAds 2.x vulnerable!
  • 2006/7/4 15:45

  • phppp

  • XOOPS Contributor

  • Posts: 2857

  • Since: 2004/1/25


jlm69, could you plz submit a news article to xoops.org and dev.xoops.org for the module update to let users know it?
thx

17
jlm69
Re: MyAds 2.x vulnerable!
  • 2006/7/4 15:52

  • jlm69

  • Module Developer

  • Posts: 719

  • Since: 2002/7/19


I guess I forgot to put a link, thanks David.

For the updated Alumni module you can get it at Xoops Module Dev Forge

Thanks,

John

18
jlm69
Re: MyAds 2.x vulnerable!
  • 2006/7/4 16:11

  • jlm69

  • Module Developer

  • Posts: 719

  • Since: 2002/7/19


I was trying to write a news story on Xoops.org but I get the 'Sorry you don't have permission to access this area' message.

John

19
davidl2
Re: MyAds 2.x vulnerable!
  • 2006/7/4 16:16

  • davidl2

  • XOOPS is my life!

  • Posts: 4843

  • Since: 2003/5/26


Hmm - not sure why - but if you can email it me JLM - I'll publish it on your behalf.

20
giba
Re: MyAds 2.x vulnerable!
  • 2006/7/4 17:33

  • giba

  • Just can't stay away

  • Posts: 638

  • Since: 2003/4/26


Quote:

jlm69 wrote:
I guess I forgot to put a link, thanks David.

For the updated Alumni module you can get it at Xoops Module Dev Forge

Thanks,

John


Hei John, you is Great Very, Very thanks.

Login

Who's Online

354 user(s) are online (215 user(s) are browsing Support Forums)


Members: 0


Guests: 354


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits