Search eAuction.pl for
sub get_form_data
and replace the whole subroutine (from its header comment to its closing brace) by copying and pasting the following:
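#-#############################################
# Sub: Get Form Data
# Written by: Dieter Werner
# All rights reserved by the author
#-#############################################
# Parses the CGI request into the global %form, handles up to three file
# uploads (fields UploadFile1..UploadFile3) and then runs the collected
# values through escape_content() and translate().
#
# Side effects: assigns %form, sets $form{'error'} on a rejected upload,
# calls write_data() for every accepted upload, and defaults
# $form{'action'} and $form{'lang'}.
#
# Globals read: %txt (error texts), %config (default language).
# Relies on check_data(\$content, $ext) returning undef for acceptable
# content and an error message otherwise, exactly as the original did.
sub get_form_data {
    use CGI;

    # POST_MAX has to be set BEFORE the CGI object is built: CGI->new reads
    # and parses the request body, so the limit the original assigned after
    # the constructor was never applied and an oversized POST was still
    # read in full.
    $CGI::POST_MAX = 1024 * 1000;    # 1000 kb for the whole request
    my $query = CGI->new;

    my $max_upload = 310000;         # per-file ceiling in bytes (unchanged)
    my ($file, $cnt, $type, $val, $ext, $err, $base, $chunk);

    %form = $query->Vars;

    for my $i (1 .. 3) {
        undef $val;
        $file = $query->upload("UploadFile$i") or next;
        $cnt++;

        # Content-Type and file name are both supplied by the client. The
        # /image/ test further down is only a coarse first filter; deciding
        # from the actual bytes is check_data()'s job.
        $type = $query->uploadInfo($file)->{'Content-Type'};

        # Base name without any directory part the browser may have sent
        # (DOS or Unix separators); used in messages and for the extension.
        ($base = $file) =~ s/\\/\//g;
        $base = (split /\//, $base)[-1];
        $base = '' unless defined $base;

        # The extension is handed to write_data(), so it is restricted to
        # word characters. The original took everything after the last dot
        # and, for a name without a dot, the whole (path-bearing) name.
        $ext = ($base =~ /\.(\w+)\z/) ? $1 : '';

        # The original called binmode on STDIN, whose body CGI->new had
        # already consumed; the upload handle is the one that matters.
        binmode $file;

        # Read fixed-size chunks instead of lines: the size cap is then
        # checked every 64 KiB even for binary data without a newline,
        # where a line-oriented read would have slurped the whole file
        # into memory before the first length() check.
        while (read($file, $chunk, 65536)) {
            $val .= $chunk;
            if (length($val) > $max_upload) {
                $form{'error'} = "$base\n$txt{'File too big'}";
                last;
            }
        }
        close $file;
        last if $form{'error'};

        if ($ext eq '') {
            # Untranslated fallback: the original has no %txt key for this.
            $err = 'Invalid file name';
        }
        else {
            $err = check_data(\$val, $ext);
            # A non-image Content-Type is refused even when check_data()
            # passes. The original reached this branch with $err undefined
            # and built an error message without any reason text.
            $err = 'Invalid file type' unless defined $err or $type =~ /image/i;
        }
        if (defined $err) {
            $form{'error'} = "$base\n$err";
            last;
        }
        write_data(\$val, $ext, $cnt, 1);
    }

    $form{'action'} = 'nodata'        unless exists $form{'action'};
    $form{'lang'}   = $config{'lang'} unless exists $form{'lang'};
    escape_content();
    translate($form{'lang'});
}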
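#-#############################################
# Sub: Check Keys/Values and Escape Values
# Written by: Dieter Werner
# All rights reserved by the author
#-#############################################
# Walks every key of the global %form, rejects keys that contain anything
# but word characters, defuses a blocklist of script-like constructs in the
# values, and finally percent-encodes every character outside a small
# allow-list. enable_html() reverses that encoding for fields that are
# allowed to carry mark-up.
#
# On a detected attack an alert mail is sent to $config{'admin_address'}
# (REMOTE_ADDR and the client-chosen ALIAS are included verbatim) and
# oops() is called with the message.
#
# NOTE(review): the "Hacker:" rewrites are defence in depth only. What
# actually keeps mark-up out of the page is the percent-encoding at the end
# of the loop, and the templates must still place each value where the
# allow-listed characters (' / \ @ . - + and whitespace) are harmless.
sub escape_content {
    my ($error_mess, $key, $pattern);
    my $err  = 0;
    my $subj = 'Hacker alert';
    local $_;
    my @forbid = qw/script applet embed system exec grep eval/;

    foreach $key (keys %form) {
        $err >= 1 && last;

        # Keys become hash indices and are echoed into templates; anything
        # outside [A-Za-z0-9_] is treated as tampering.
        $key =~ /\W/ && do {
            $error_mess = qq|Form has been hacked by IP: $ENV{'REMOTE_ADDR'}|;
            $error_mess .= qq|User: $form{'ALIAS'}\n| if $form{'ALIAS'};
            $error_mess .= qq|Content: $key|;
            $err++;
            last;
        };

        # Drops a single leading whitespace character (without /m the /g
        # has no further effect). Kept as is to preserve behaviour.
        $form{$key} =~ s/^\s//og;

        # 'error' is composed by this script itself; fields whose name
        # contains IMAGE are skipped entirely (presumably upload data -
        # confirm against the callers before relying on it).
        ($key eq 'error' or $key =~ /IMAGE/) && next;

        # Free-text description: line breaks become <br> unless the text
        # already contains a tag.
        $key eq 'DESC' && do {
            $form{$key} =~ s/\r//og;
            $form{$key} =~ s/\n/<br>/og unless $form{$key} =~ /\<.*?\>/;
        };
        $form{$key} =~ s/[\r\n]//og;

        # Perl interpolation tricks (@{[ ... ]}) and backticks are rejected
        # outright rather than rewritten.
        $form{$key} =~ /(\@\{\[)|(\`)/ && do {
            $error_mess = qq|The field: $key\nhas been hacked by IP: $ENV{'REMOTE_ADDR'}\n|;
            $error_mess .= qq|User: $form{'ALIAS'}\n| if $form{'ALIAS'};
            $1 && ($pattern = " $1");
            $2 && ($pattern .= " $2");
            $error_mess .= qq|Content:$pattern|;
            $err++;
            last;
        };

        # Inline event handlers (<a onclick=...) and SSI-style <!--#exec ...
        # directives are broken up by inserting a marker.
        $form{$key} =~ s/(<[^>]*?)\b(on\w+\s*\=)/Hacker: $form{'ALIAS'} $1x$2/ig;
        $form{$key} =~ s/<\!\-\-\s*?\#?\s*?\w+\s*?\=/Hacker: $form{'ALIAS'} \<\!\-\-/g;

        foreach $pattern (@forbid) {
            $form{$key} =~ s/(<\s*)($pattern)/Hacker: $form{'ALIAS'} \<\!\-\-$1x$2/ig;
            # Fixed: the original wrote \$1 here, which emitted the literal
            # text "$1x" instead of the captured closing-tag prefix.
            $form{$key} =~ s/(<\s*\/+)($pattern\s*>)/$1x$2\-\-\> Hacker: $form{'ALIAS'} /ig;
            $form{$key} =~ s/(\s*$pattern\s*\W*.*?\W*\;+)/ Hacker: $form{'ALIAS'} /ig;
        }

        # Percent-encode everything outside the allow-list. '%' is now
        # encoded as well: enable_html() decodes %xx sequences, so letting a
        # raw '%' through meant a client could submit "%3cscript%3e" - which
        # matches none of the patterns above - and have it decoded to
        # <script> later. Encoding '%' as %25 makes the round trip exact.
        # (Characters with ord > 255 produce more than two hex digits,
        # which enable_html() will not decode - unchanged from the original.)
        $form{$key} =~ s/([^\w.'@\/\\\s\-\+])/sprintf("%%%2.2x", ord($1))/ge;
    }

    $err >= 1 && do {
        sendemail(
            \$config{'admin_address'},
            \$config{'admin_address'},
            \$subj,
            \$error_mess
        );
        $error_mess =~ s/\n/\<br\>/g;
        oops($error_mess);
    };
}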
Then search eAuction.pl for 'sub enable_html'
and replace that subroutine with this:
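#-#############################################
# Sub: Enable HTML-Tags
# Written by: Dieter Werner
# All rights reserved by the author
#-#############################################
# Reverses the percent-encoding applied by escape_content(): every "%xx"
# with two lowercase hex digits becomes the byte it encodes.
#
# Only call this on a value that has already passed through
# escape_content() in this request. Applied to a raw client value it is an
# HTML-injection primitive, because "%3cscript%3e" decodes straight to
# "<script>". Lowercase-only on purpose: sprintf("%2.2x") in
# escape_content() emits lowercase, so an uppercase "%3C" typed by a
# client is left alone.
#
# Returns the decoded string, or 0 when the argument is missing, undef,
# the empty string or "0" (the original `shift || return 0` behaviour).
sub enable_html {
    my $val = shift || return 0;
    # chr() instead of pack("c", ...): pack's signed-char format wraps
    # values above 127 with a "Character in 'c' format wrapped" warning
    # while producing the same byte; chr() yields that byte without noise.
    $val =~ s/%([0-9a-f]{2})/chr(hex($1))/ge;
    return $val;
}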