Flynax v4.0.1, security patch #1 (8 Jun, 2012)



John
June 8, 2012, 03:55 PM
Hello,
We would like to inform you that a small blemish was detected in the script.
Here are simple instructions which will help you fix the problem yourself easily. Let's start:

BTW, if you see that the changes are already done, then someone from the Flynax tech. dept. has already implemented the fix for your website.

1. Make sure you save a copy of each file before making changes to it.

2. Download the .htaccess.zip file and unzip it on your computer to some directory. The zip archive contains a .htaccess file which should be copied to your server to the following directories:
- /files/
- /files/images/
- /tmp/upload/

3. changes in file
- open the following file for edit: /libs/system.lib.php
- find the code:


/* conditions list */
$l_cond = array(
    'isEmail' => $GLOBALS['lang']['mail'],
    'isUrl' => $GLOBALS['lang']['url']
);

- and replace it with this code


/* deny files extension regular expresion */
$l_deny_files_regexp = "/\.(php|php3|php4|php5|phtml|pl|py|psp|js|jsp|cgi|util|inc)$/";

/* conditions list */
$l_cond = array(
    'isEmail' => $GLOBALS['lang']['mail'],
    'isUrl' => $GLOBALS['lang']['url']
);

- save changes

4. changes in file
- open the following file for edit: /admin/controllers/accounts.inc.php
- find the code (line ~ 534):


$rlHook -> load('apPhpAccountsValidate');

- and replace it with this code


if ( $back_errors = $rlCommon -> checkDynamicForm( $account_data, $fields, 'f', true ) )
{
    foreach ( $back_errors as $error )
    {
        $errors[] = $error;
    }

    if ( $rlCommon -> error_fields )
    {
        $error_fields = $rlCommon -> error_fields;
        $rlCommon -> error_fields = false;
    }
}

- save changes

5. changes in file
- open the following file for edit: /admin/controllers/listings.inc.php
- find the code (line ~ 1004):


if ( $back = $rlCommon -> checkDynamicForm( $data, $category_fields, 'f', true ) )

- and replace it with this code


if ( $back = $rlCommon -> checkDynamicForm( $data, $listing_fields, 'f', true ) )

- save changes

6. changes in file
- open the following file for edit: /includes/classes/rlActions.class.php
- find the code (line ~ 601):


global $config;

- and replace it with this code


global $config, $l_deny_files_regexp;

- find the code (line ~ 608):


$file_tmp_name = $_SESSION['tmp_files'][$parent][$field] ? $_SESSION['tmp_files'][$parent][$field] : $_SESSION['tmp_files'][$field];

- and replace it with this code


$file_tmp_name = $_SESSION['tmp_files'][$parent][$field] ? $_SESSION['tmp_files'][$parent][$field] : $_SESSION['tmp_files'][$field];

/* prevent denied files upload */
if ( preg_match($l_deny_files_regexp, $file_tmp_name) )
{
    return false;
}

- find the code (line ~ 617):


$file_tmp_name = $parent && $_FILES[$parent] ? $_FILES[$parent]['name'][$field] : $_FILES[$field]['name'];

- and replace it with this code


$file_tmp_name = $parent && $_FILES[$parent] ? $_FILES[$parent]['name'][$field] : $_FILES[$field]['name'];

/* prevent denied files upload */
if ( preg_match($l_deny_files_regexp, $file_tmp_name) )
{
    return false;
}

- save changes

7. changes in file
- open the following file for edit: /includes/classes/rlCommon.class.php
- find the code (line ~ 246):


global $error_fields, $lang;

- and replace it with this code


global $error_fields, $lang, $languages, $l_deny_files_regexp;

- find the code (line ~ 504):


if ( !$this -> rlValid -> isImage($file_ext) )

- and replace it with this code


if ( !$this -> rlValid -> isImage($file_ext) || preg_match($l_deny_files_regexp, $_FILES[$f2]['name']) )

- find the code (line ~ 525):


if ( !$this -> rlValid -> isFile( $fields[$poss]['Default'], $file_ext) )

- and replace it with this code


if ( !$this -> rlValid -> isFile( $fields[$poss]['Default'], $file_ext) || preg_match($l_deny_files_regexp, $_FILES[$f2]['name']) )

- save changes

8. changes in file
- open the following file for edit: /includes/classes/reefless.class.php
- find the code (line ~ 362):


global $lang;

- and replace it with this code


global $lang, $l_deny_files_regexp;

- find the code (line ~ 370):


$file_name = $parent && $_FILES[$parent] ? $_FILES[$parent]['name'][$field] : $_FILES[$field]['name'];

- and replace it with this code


$file_name = $parent && $_FILES[$parent] ? $_FILES[$parent]['name'][$field] : $_FILES[$field]['name'];

/* prevent denied files upload */
if ( preg_match($l_deny_files_regexp, $file_name) )
{
    return false;
}

- save changes

That's all. Yes, it looks hard, but you should just go through these instructions step by step and you will do it!
Feel free to submit a ticket to our technical department if you have any problems with this fix.

John
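
Whether the edits from steps 2-8 are already present in an installation can be checked mechanically. The script below is an added example, not part of the original post and not Flynax code: the function names are this example's own, the paths and strings are taken from the steps above, and it only confirms that each string is present (spacing included), not that it sits at the right line.

```shell
# count_fixed FILE STRING: print how many lines of FILE contain STRING literally.
count_fixed() {
    if [ -f "$1" ]; then
        grep -cF -- "$2" "$1" || true   # grep exits 1 on zero matches
    else
        echo 0
    fi
}

# check_flynax_patch ROOT: print one line per check, return the number missing.
check_flynax_patch() {
    root=$1
    missing=0
    # Step 2: the .htaccess from the archive must be in each upload directory.
    for d in files files/images tmp/upload; do
        if [ -f "$root/$d/.htaccess" ]; then
            echo "OK      $d/.htaccess"
        else
            echo "MISSING $d/.htaccess"
            missing=$((missing + 1))
        fi
    done
    # Steps 3-8 as "file|literal string|minimum number of matching lines".
    # The ", $l_deny_files_regexp;" rows check the edited global statements:
    # without them the variable is unset in that function and never matches.
    while IFS='|' read -r file needle min; do
        n=$(count_fixed "$root/$file" "$needle")
        if [ "${n:-0}" -ge "$min" ]; then
            echo "OK      $file: $needle"
        else
            echo "MISSING $file: $needle (want $min, found ${n:-0})"
            missing=$((missing + 1))
        fi
    done <<'EOF'
libs/system.lib.php|$l_deny_files_regexp =|1
admin/controllers/accounts.inc.php|checkDynamicForm( $account_data, $fields, 'f', true )|1
admin/controllers/listings.inc.php|checkDynamicForm( $data, $listing_fields, 'f', true )|1
includes/classes/rlActions.class.php|, $l_deny_files_regexp;|1
includes/classes/rlActions.class.php|preg_match($l_deny_files_regexp|2
includes/classes/rlCommon.class.php|, $l_deny_files_regexp;|1
includes/classes/rlCommon.class.php|preg_match($l_deny_files_regexp|2
includes/classes/reefless.class.php|, $l_deny_files_regexp;|1
includes/classes/reefless.class.php|preg_match($l_deny_files_regexp|1
EOF
    return "$missing"
}
```

Source the file and call `check_flynax_patch /path/to/site`; the return status is the number of missing items, so 0 means every edit was found.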

Morgan Bohman
June 8, 2012, 04:57 PM
Done, but there is a mistake in your description above in the line

global $error_fields, $lang, $languages;
It should be

global $error_fields, $lang;

And to be sure of what you're doing, use the tag /* old syntax */ so you can go back if something goes wrong. I use Dreamweaver but you could also use Notepad++

Steffen Buschkemper
June 8, 2012, 05:42 PM
Hello John,

The following part in /admin/controllers/listings.inc.php is present twice (line ~ 725) and (line ~ 1004).



if ( $back = $rlCommon -> checkDynamicForm( $data, $category_fields, 'f', true ) )


What is to be replaced? Line ~ 725 or Line ~ 1004 ?
Thank you John!

Best regards
Steffen

Aimiliano Maral
June 8, 2012, 06:42 PM
Hello John,

The following part in /admin/controllers/listings.inc.php is present twice (line ~ 725) and (line ~ 1004).



if ( $back = $rlCommon -> checkDynamicForm( $data, $category_fields, 'f', true ) )


What is to be replaced? Line ~ 725 or Line ~ 1004 ?
Thank you John!

Best regards
Steffen


What is to be replaced? Line ~ 725 or Line ~ 1004 ?

Thank you John!

Petrache Nicolae
June 8, 2012, 08:26 PM
waiting....and waiting....

Ang Jo jit
June 9, 2012, 03:29 AM
me too.. and Mike had done some changes to my .htaccess. How should I integrate the codes?

rosegarden
June 9, 2012, 04:55 AM
me too.. and Mike had done some changes to my .htaccess. How should I integrate the codes?

Make sure you read point 2 and do not overwrite your existing .htaccess in your main public folder. You are to upload only to the three directories stated above.

Morgan Bohman
June 9, 2012, 06:07 AM
What is to be replaced? Line ~ 725 or Line ~ 1004 ?

Thank you John!

I changed the one near ~1004 and for me it is working. However, when we don't get a more comprehensive description of why the changes are needed, we cannot make our own assumptions; better to wait for the Team. I guess that you check listings in the form instead of categories but I don't have a clue when.

John
June 9, 2012, 07:21 AM
Hello John,

The following part in /admin/controllers/listings.inc.php is present twice (line ~ 725) and (line ~ 1004).



if ( $back = $rlCommon -> checkDynamicForm( $data, $category_fields, 'f', true ) )


What is to be replaced? Line ~ 725 or Line ~ 1004 ?
Thank you John!

Best regards
Steffen
Hello Steffen,
It is line 1004, not 725.

John

John
June 9, 2012, 07:22 AM
me too.. and Mike had done some changes to my .htaccess. How should I integrate the codes?
Hello Ang,
You should NOT change the root .htaccess file; upload the attached .htaccess file to the directories listed in the instruction.

John

Petrache Nicolae
June 9, 2012, 11:46 AM
a problem with step 3:

my original file has

/* deny files extension regular expresion */
$l_deny_files_regexp = "/\.(php|php3|php4|php5|phtml|pl|py|psp|js|jsp|cgi|util|inc)$/";

/* conditions list */
$l_cond = array(
'isEmail' => $GLOBALS['lang']['mail'],
'isUrl' => $GLOBALS['lang']['url']
);


that will mean according to your instructions that i will have 2 of this?
/* deny files extension regular expresion */
$l_deny_files_regexp = "/\.(php|php3|php4|php5|phtml|pl|py|psp|js|jsp|cgi|util|inc)$/";

or i should have just 1?

another problem. step 4

i have already in file

if ( $back_errors = $rlCommon -> checkDynamicForm( $account_data, $fields, 'f', true ) )
{
foreach ( $back_errors as $error )
{
$errors[] = $error;
}

if ( $rlCommon -> error_fields )
{
$error_fields = $rlCommon -> error_fields;
$rlCommon -> error_fields = false;
}
}

$rlHook -> load('apPhpAccountsValidate');

whoever made the modification to my site should have deleted $rlHook -> load('apPhpAccountsValidate'); but didn't? i have that and also the new code which should replace it

should i submit a ticket to have my files checked?

Jose Bonilla
June 9, 2012, 04:15 PM
I am using flynax version 3.2, Do I have to fix it as well?

Steffen Buschkemper
June 9, 2012, 09:14 PM
Hi Jose,

The thread title is: Flynax v4.0.1, security patch #1 (8 Jun, 2012).
I think it's only for v4.01.

Best regards
Steffen

Morgan Bohman
June 10, 2012, 06:17 AM
@all,
Are you facing anything wrong with the Online plug-in after making changes? It doesn't count up the visitors as it should and yesterday it was also counting down by one. Today I had a lot of different and unique visitors due to a newspaper being sent out but no registration of visitors.

John
June 11, 2012, 06:44 AM
Hi there,

Petrache Nicolae
You should not implement the patch if you already have the changes in the files.
It means that someone from Flynax already implemented the patch for you.


I am using flynax version 3.2, Do I have to fix it as well?
Here is the patch for the 3.2 version:
http://www.flynax.com/forum/showthread.php?436-Flynax-v3-2-security-patch-1-%2811-Jun-2012%29


Morgan Bohman
This patch doesn't affect any plugins; submit a ticket to tech. support if you have any problems with plugins.

John

Ang Jo jit
June 13, 2012, 05:11 AM
what are the consequences of not applying the patch? i am worried things may go wrong after the patch.

Viktor
June 15, 2012, 05:48 AM
Hello Ang Jo Jit,


what are the consequences of not applying the patch? i am worried things may go wrong after the patch.


There can be very sad consequences. It all depends on the skills of the hackers.
If you are in doubt you can create a ticket with the request and we will implement this patch without any consequences for your site.

Motaz Tawfik
July 2, 2012, 12:34 PM
Done the patch and all is working fine. From reading some of the codes changed, I would imagine this is a security patch, hence the urgency.