The eAuction Support Forums

The eAuction Support Forums
https://www.everyscript.de/cgi-bin/yabb/YaBB.pl
eAuction 1.6.1.x >> Start Up and more >> Security Patch (2)
https://www.everyscript.de/cgi-bin/yabb/YaBB.pl?num=1112793026

Message started by Dieter Werner on 04/06/05 at 15:10:26

Title: Security Patch (2)
Post by Dieter Werner on 04/06/05 at 15:10:26

Search eAuction.pl for
sub get_form_data
Replace the sub by copy & paste the following

Code:

#-#############################################
# Sub: Get Form Data
# Written by: Dieter Werner
# All rights reserved by the author
#-#############################################
sub get_form_data {
use CGI;

my $query = CGI->new;
my ($file, $cnt, $type, $val, $ext, $err);
local $_;

$CGI::POST_MAX = 1024 * 1000; # 1000 kb
%form = $query->Vars;

for (1 .. 3) {
undef $val;

if ($file = $query->upload("UploadFile$_")) {
$cnt++;
$type = $query->uploadInfo($file)->{'Content-Type'};
$ext = (split /\./, $file)[-1];

binmode STDIN;

while (<$file>) {
$val .= $_;
(length($val) > 310000) && do {
($val = $file) =~ s/\\/\//g;
$val = (split /\//, $val)[-1];
$form{'error'} = "$val\n$txt{'File too big'}";
last;
};
};

close $file;
$form{'error'} && last;

(defined($err = check_data(\$val, $ext)) or $type !~ /image/i)
? do {
($val = $file) =~ s/\\/\//g;
$val = (split /\//, $val)[-1];
$form{'error'} = "$val\n$err";
last;
}
: write_data(\$val, $ext, $cnt, 1);
}
}

$form{'action'} = 'nodata' unless exists $form{'action'};
$form{'lang'} = $config{'lang'} unless exists $form{'lang'};

escape_content();
translate($form{'lang'});
}

#-#############################################
# Sub: Check Keys/Values and Escape Values
# Written by: Dieter Werner
# All rights reserved by the author
#-#############################################
sub escape_content {
my ($error_mess, $key, $pattern);
my $err = 0;
my $subj = 'Hacker alert';
local $_;

my @forbid = qw/script applet embed system exec grep eval/;

foreach $key (keys %form) {
$err >= 1 && last;
$key =~ /\W/ && do {
$error_mess = qq|Form has been hacked by IP: $ENV{'REMOTE_ADDR'}|;
$error_mess .= qq|User: $form{'ALIAS'}\n| if $form{'ALIAS'};
$error_mess .= qq|Content: $key|;
$err++;
last;
};

$form{$key} =~ s/^\s//og;
($key eq 'error' or $key =~ /IMAGE/) && next;

$key eq 'DESC' && do {
$form{$key} =~ s/\r//og;
$form{$key} =~ s/\n/<br>/og unless $form{$key} =~ /\<.*?\>/;
};

$form{$key} =~ s/[\r\n]//og;

$form{$key} =~ /(\@\{\[)|(\`)/ && do {
$error_mess = qq|The field: $key\nhas been hacked by IP: $ENV{'REMOTE_ADDR'}\n|;
$error_mess .= qq|User: $form{'ALIAS'}\n| if $form{'ALIAS'};

$1 && ($pattern = " $1");
$2 && ($pattern .= " $2");

$error_mess .= qq|Content:$pattern|;
$err++;
last;
};

$form{$key} =~ s/(<[^>]*?)\b(on\w+\s*\=)/Hacker: $form{'ALIAS'} $1x$2/ig;
$form{$key} =~ s/<\!\-\-\s*?\#?\s*?\w+\s*?\=/Hacker: $form{'ALIAS'} \<\!\-\-/g;

foreach $pattern (@forbid) {
$form{$key} =~ s/(<\s*)($pattern)/Hacker: $form{'ALIAS'} \<\!\-\-$1x$2/ig;
$form{$key} =~ s/(<\s*\/+)($pattern\s*>)/\$1x$2\-\-\> Hacker: $form{'ALIAS'} /ig;
$form{$key} =~ s/(\s*$pattern\s*\W*.*?\W*\;+)/ Hacker: $form{'ALIAS'} /ig;
}

$form{$key} =~ s/([^\w.'@%\/\\\s\-\+])/sprintf("%%%2.2x", ord($1))/ge;
}

$err >= 1 && do {
sendemail(
\$config{'admin_address'},
\$config{'admin_address'},
\$subj,
\$error_mess
);

$error_mess =~ s/\n/\<br\>/g;
oops($error_mess);
};
}

Search eAuction.pl for 'sub enable_html'
and replace it with this:

Code:

#-#############################################
# Sub: Enable HTML-Tags
# Written by: Dieter Werner
# All rights reserved by the author
#-#############################################
sub enable_html {
my $val = shift || return 0;

$val =~ s/%([0-9a-f]{2,2})/pack("c",hex($1))/ge;
return $val;
}

Title: Re: Security Patch (2)
Post by PaulC on 05/19/05 at 04:07:53

I updated my eAuction file with the two updates, and now I get "Your setup is not correct... illegal seek!"
I checked the permissions and they are still 755 for the auction.pl file (version 1.6.1.60 created 4/17/2005)

Double checked the search and replace and I don't see any additional characters inserted where the modifications were, but I did see a bit of corruption on the first line of the file, which I removed.
I used the edit function of winscp to edit the file directly on my RH9 server.

Just noticed the source file was created after the patches were released on the forum????
I did not see the sub escape_content anywhere in the original file.

Restored the original "bits" into the file and all is well again. I guess I won't incorporate these security patches right now... :)

Any ideas anyone??
Paul

Title: Re: Security Patch (2)
Post by Dieter Werner on 05/19/05 at 15:13:44

PaulC wrote:

but I did see a bit of corruption on the first line of the file, which I removed.

Looks like your editor is the bad boy ;)

Title: Re: Security Patch (2)
Post by PaulC on 05/19/05 at 21:48:33

Dieter;

I removed the corruption and the error stayed :(

I then cut and pasted the original script back in over top of the new subs, and the error went away. ???

So by that process I think there was no other corruption in the file, but something in the patch that was incompatible with version 1.6.1.60

Are the security mods very critical? I am planning to use the script internally within our office to manage a fundraiser next Christmas. As our office operates 24/7 (police communications centre) I wanted to give all employees the option of proxy bidding on the gift packages even when they are not at work. There have been complaints in past years that people not at work when the auctions close lose the opportunity to bid higher on their package of choice. As the funds raised go to charity, we should be trying to get the maximum for each package.. ;D

Cheers..
Paul

Title: Re: Security Patch (2)
Post by Dieter Werner on 05/20/05 at 18:10:07

Run it as it is ...
A Hacker must be very experienced in order to damage the system.

Title: Re: Security Patch (2)
Post by Volf on 01/07/06 at 21:04:38

It works,
I have instaled it, and tested it.
But when I try to post new auction,or bid...
Error,
You mast enter valid amount

tested with usa and other setting, anyway same message?

Title: Re: Security Patch (2)
Post by Dieter Werner on 01/08/06 at 13:15:59

OK - I will ckeck that issue ...

Title: Re: Security Patch (2)
Post by annetappe on 01/09/06 at 21:13:24

Look at your config file:

Try entering 'US - dollars & cents'........ example 200.00 not 200

I have experienced this simple error.

I am not that experienced yet so take the above lightly but it is worth looking at.

Title: Re: Security Patch (2)
Post by Volf on 01/10/06 at 14:22:32

Thanks,

But… as I have already said, have tested it with both settings.
Still same problem.

Title: Re: Security Patch (2)
Post by Dieter Werner on 01/24/06 at 15:44:11

The new release
eAuction v1.6.1.62
is containing a modified version of the the security patch.

It's very important to download and install the new release!