Topic: BUGFIX: SQL Injection

    Tomcraft

    • modified Team
    • Posts: 46,161
    BUGFIX: SQL Injection
    on: 23 February 2011, 20:26:54
    This bugfix must be applied urgently to all modified eCommerce Shopsoftware versions before 1.05!

    Regards

    Torsten



    Linkback: https://www.modified-shop.org/forum/index.php?topic=11242.0

    karl

    • Schreiberling
    • Posts: 439
    Re: BUGFIX: SQL Injection
    Reply #1 on: 05 August 2012, 13:45:46
    Hello Torsten,
    I'm not sure anymore whether I took it over like that back then.
    A comparison with the current SP1d + last "security fix" does show differences, though!

    The date of my inc/ also already shows a revision, but it doesn't match the one from 2011.

    Here is my existing version:
    Code: PHP
    <?php
    /* -----------------------------------------------------------------------------------------
       $Id: xtc_validate_email.inc.php 2085 2011-08-03 15:25:38Z web28 $

       modified eCommerce Shopsoftware - community made shopping
       http://www.modified eCommerce Shopsoftware.org

       Copyright (c) 2010 modified eCommerce Shopsoftware
       -----------------------------------------------------------------------------------------
       based on:
       (c) 2000-2001 The Exchange Project  (earlier name of osCommerce)
       (c) 2002-2003 osCommerce(validations.php,v 1.11 2003/02/11); www.oscommerce.com
       (c) 2003 nextcommerce (xtc_validate_email.inc.php,v 1.5 2003/08/14); www.nextcommerce.org
       (c) 2003 XT-Commerce (xtc_validate_email.inc.php 899 2005-04-29)
       (c) 2010 osCommerce (validations.php)

       Released under the GNU General Public License
       ---------------------------------------------------------------------------------------*/

      ////////////////////////////////////////////////////////////////////////////////////////////////
      //
      // Function    : xtc_validate_email
      //
      // Arguments   : email   email address to be checked
      //
      // Return      : true  - valid email address
      //               false - invalid email address
      //
      // Description : function for validating email address that conforms to RFC 822 specs
      //
      //              This function will first attempt to validate the Email address using the filter
      //              extension for performance. If this extension is not available it will
      //              fall back to a regex based validator which doesn't validate all RFC822
      //              addresses but catches 99.9% of them. The regex is based on the code found at
      //              http://www.regular-expressions.info/email.html
      //
      //              Optional validation for validating the domain name is also valid is supplied
      //              and can be enabled using the administration tool.
      //
      // Sample Valid Addresses:
      //
      //    first.last@host.com
      //    firstlast@host.to
      //    first-last@host.com
      //    first_last@host.com
      //
      // Invalid Addresses:
      //
      //    first last@host.com
      //    first@last@host.com
      //
      ////////////////////////////////////////////////////////////////////////////////////////////////

      function xtc_validate_email($email) {

        //BOF - web28 - 2011-07-31 - SQL nullbyte injection fix 16.02.2011
        // "\0", "\x00" and "\000" are the same NUL byte in a PHP double-quoted string, so one
        // check covers all of them ("\u0000" is not an escape sequence in PHP; it only matched
        // the literal six characters \u0000, which the regex below rejects anyway).
        if (strpos($email, "\0") !== false) {return false;}
        //EOF - web28 - 2011-07-31 - SQL nullbyte injection fix 16.02.2011

        $email = trim($email);
        $valid_address = false;
        if (strlen($email) > 255) {
          $valid_address = false;
        } elseif (substr_count($email, '@') > 1) {
          // more than one @: reject without running the regex (previously this result was
          // overwritten by the preg_match() below)
          $valid_address = false;
        } else {
          //web28 - 2011-07-28 - new $regex see http://www.regular-expressions.info/email.html
          $regex = "/^[a-z0-9!#$%&'*+\/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+\/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+(?:[A-Z]{2}|com|org|net|edu|gov|mil|biz|info|mobi|name|aero|asia|jobs|museum)$/i";
          $valid_address = (preg_match($regex, $email) === 1);
        }

        // optional DNS check of the domain part, enabled in the admin tool
        if ($valid_address && ENTRY_EMAIL_ADDRESS_CHECK == 'true') {
          $domain = explode('@', $email);
          if (!checkdnsrr($domain[1], "MX") && !checkdnsrr($domain[1], "A")) {
            $valid_address = false;
          }
        }
        return $valid_address;
      }
    ?>

    and the one from the fix:
    Code: PHP
    <?php
    /* -----------------------------------------------------------------------------------------
       $Id: xtc_validate_email.inc.php 899 2005-04-29 02:40:57Z hhgag $

       XT-Commerce - community made shopping
       http://www.[URL removed by the forum's link filter]

       Copyright (c) 2003 XT-Commerce
       -----------------------------------------------------------------------------------------
       based on:
       (c) 2000-2001 The Exchange Project  (earlier name of osCommerce)
       (c) 2002-2003 osCommerce(validations.php,v 1.11 2003/02/11); www.oscommerce.com
       (c) 2003      nextcommerce (xtc_validate_email.inc.php,v 1.5 2003/08/14); www.nextcommerce.org

       Released under the GNU General Public License
       ---------------------------------------------------------------------------------------*/

      ////////////////////////////////////////////////////////////////////////////////////////////////
      //
      // Function    : xtc_validate_email
      //
      // Arguments   : email   email address to be checked
      //
      // Return      : true  - valid email address
      //               false - invalid email address
      //
      // Description : function for validating email address that conforms to RFC 822 specs
      //
      //               This function is converted from a JavaScript written by
      //               Sandeep V. Tamhankar (stamhankar@hotmail.com). The original JavaScript
      //               is available at http://javascript.internet.com
      //
      // Sample Valid Addresses:
      //
      //    first.last@host.com
      //    firstlast@host.to
      //    "first last"@host.com
      //    "first@last"@host.com
      //    first-last@host.com
      //    first.last@[123.123.123.123]
      //
      // Invalid Addresses:
      //
      //    first last@host.com
      //
      ////////////////////////////////////////////////////////////////////////////////////////////////

      function xtc_validate_email($email) {
        //Security Fix 2011-02-23
        // reject any address containing a NUL byte before it reaches the patterns below
        if (strpos($email,"\0")!==false) {return false;}
        $valid_address = true;

        // Hetfield - 2009-08-19 - all matches below use preg_match instead of the deprecated eregi
        // to be ready for PHP >= 5.3
        $mail_pat = '^(.+)@(.+)$';
        $valid_chars = "[^] \(\)<>@,;:\.\\\"\[]";   // characters that may not appear in an unquoted atom
        $atom = "$valid_chars+";
        $quoted_user='(\"[^\"]*\")';
        $word = "($atom|$quoted_user)";
        $user_pat = "^$word(\.$word)*$";
        $ip_domain_pat='^\[([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\]$';
        $domain_pat = "^$atom(\.$atom)*$";

        if (preg_match('/'.$mail_pat.'/i', $email, $components)) {
          $user = $components[1];
          $domain = $components[2];
          // validate user
          if (preg_match('/'.$user_pat.'/i', $user)) {
            // validate domain
            if (preg_match('/'.$ip_domain_pat.'/i', $domain, $ip_components)) {
              // this is an IP address
              for ($i=1;$i<=4;$i++) {
                if ($ip_components[$i] > 255) {
                  $valid_address = false;
                  break;
                }
              }
            } else {
              // Domain is a name, not an IP
              if (preg_match('/'.$domain_pat.'/i', $domain)) {
                /* domain name seems valid, but now make sure that it ends in a valid TLD or ccTLD
                   and that there's a hostname preceding the domain or country. */

                $domain_components = explode(".", $domain);
                // Make sure there's a host name preceding the domain.
                if (sizeof($domain_components) < 2) {
                  $valid_address = false;
                } else {
                  $top_level_domain = strtolower($domain_components[sizeof($domain_components)-1]);
                  // Allow all 2-letter TLDs (ccTLDs)
                  if (preg_match('/^[a-z][a-z]$/i', $top_level_domain) != 1) {
                    $tld_pattern = '';
                    // Get authorized TLDs from text file
                    $tlds = file(DIR_FS_INC.'tld.txt');
                    if ($tlds === false) { $tlds = array(); }   // missing file: no TLD is authorized
                    foreach ($tlds as $line) {   // foreach replaces each(), deprecated since PHP 7.2 and removed in PHP 8
                      // Get rid of comments
                      $words = explode('#', $line);
                      $tld = trim($words[0]);
                      // TLDs should be 3 letters or more
                      if (preg_match('/^[a-z]{3,}$/i', $tld) == 1) {
                        $tld_pattern .= '^' . $tld . '$|';
                      }
                    }
                    // Remove last '|'
                    $tld_pattern = substr($tld_pattern, 0, -1);
                    // an empty pattern would match everything, so fail closed in that case
                    if ($tld_pattern === '' || preg_match('/'.$tld_pattern.'/i', $top_level_domain) == 0) {
                      $valid_address = false;
                    }
                  }
                }
              } else {
                $valid_address = false;
              }
            }
          } else {
            $valid_address = false;
          }
        } else {
          $valid_address = false;
        }
        if ($valid_address && ENTRY_EMAIL_ADDRESS_CHECK == 'true') {
          if (!checkdnsrr($domain, "MX") && !checkdnsrr($domain, "A")) {
            $valid_address = false;
          }
        }
        return $valid_address;
      }
    ?>

    and password_double_opt
    from around line 90 (from the fix)
    Code: PHP
    //Security Fix 2011-02-23
    // the e-mail address is now passed through xtc_db_input() before it is interpolated into the query
    xtc_db_query("update ".TABLE_CUSTOMERS." set customers_password = '".$crypted_password."' where customers_email_address = '".xtc_db_input($check_customer['customers_email_address'])."'");
    //xtc_db_query("update ".TABLE_CUSTOMERS." set customers_password = '".$crypted_password."' where customers_email_address = '".$check_customer['customers_email_address']."'");
    xtc_db_query("update ".TABLE_CUSTOMERS." set password_request_key = '' where customers_id = '".$check_customer['customers_id']."'");
    // assign language to template for caching

    and mine:
    Code: PHP
    // no xtc_db_input() around the e-mail address here
    xtc_db_query("update ".TABLE_CUSTOMERS." set customers_password = '".$crypted_password."' where customers_email_address = '".$check_customer['customers_email_address']."'");
    xtc_db_query("update ".TABLE_CUSTOMERS." set password_request_key = '' where customers_id = '".$check_customer['customers_id']."'");
    // assign language to template for caching

    I thought, before I put an old fix back in here (after all the updates), maybe it is meant to be like this and the original fix is no longer necessary.

    A few clarifying words would be nice. :popcorn:
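As an added example (not code from this thread or from the modified / XT-Commerce code base), here is the password-reset UPDATE from password_double_opt written with a prepared statement instead of string concatenation, with the null-byte check from the 2011 fix in front of it. It assumes PDO with the SQLite driver and a constructed `customers` table; the function names are hypothetical.

```php
<?php
// Added example, not code from the thread or the shop project: the password-reset
// UPDATE from password_double_opt as a prepared statement, with the null-byte check
// from the 2011 fix in front of it. Assumes PDO with the SQLite driver; table and
// column names follow the thread, the function names are hypothetical.

function email_has_null_byte(string $email): bool {
    // "\0", "\x00" and "\000" are the same byte in a PHP double-quoted string,
    // so one strpos() covers all of them.
    return strpos($email, "\0") !== false;
}

function reset_customer_password(PDO $db, string $email, string $crypted_password): int {
    // Reject NUL before the address reaches any regex or the query: C-based
    // string functions may stop at the NUL and leave the tail unvalidated.
    if (email_has_null_byte($email) || strlen($email) > 255) {
        return 0;
    }
    // Bound parameters never become part of the SQL text, so no escaping
    // (xtc_db_input / mysql_real_escape_string) is needed for this statement.
    $stmt = $db->prepare(
        "UPDATE customers SET customers_password = :pw, password_request_key = ''
         WHERE customers_email_address = :email"
    );
    $stmt->execute([':pw' => $crypted_password, ':email' => $email]);
    return $stmt->rowCount();   // number of rows actually updated
}

// Constructed in-memory table standing in for TABLE_CUSTOMERS.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customers (customers_id INTEGER PRIMARY KEY,
           customers_email_address TEXT, customers_password TEXT, password_request_key TEXT)');
$db->exec("INSERT INTO customers VALUES (1, 'first.last@host.com', 'old-hash', 'abc123')");

$hash = password_hash('new-secret', PASSWORD_DEFAULT);

// 1) an ordinary address: the seeded row is updated and its request key cleared
echo reset_customer_password($db, 'first.last@host.com', $hash), " row(s)\n";

// 2) an address containing a quote character (legal in a local part):
//    the bound parameter keeps the quote out of the SQL text, no error, no match
echo reset_customer_password($db, "o'brien@host.com", $hash), " row(s)\n";

// 3) an address carrying an embedded NUL byte: rejected before any query runs
echo reset_customer_password($db, "first.last\0@host.com", $hash), " row(s)\n";
```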