Fynnon |
9th April 2010 10:50 |
New announcement: XBTIT VULNERABILITY
A possible exploit (SQL injection) was discovered in the code; please update your trackers ASAP. An attacker could retrieve password hashes and then access your site as you!
Affected versions:
- ALL versions < revision 584
Vulnerable files:
- users.php
- torrents.php
Manual patch:
1. open users.php
find and replace
PHP Code:
// Vulnerable original – locate this block in users.php (the leading comment
// lines here are annotation only, not part of the text to find). The sort
// column and direction are taken from the request as free text; the advisory
// reports they reach an SQL ORDER BY, where htmlspecialchars() gives no
// protection because an identifier is not inside quotes. The replacement below
// maps a small integer through a fixed whitelist of column names instead.
// getting order
if (isset($_GET["order"])) $order=htmlspecialchars($_GET["order"]); else $order="joined";
if (isset($_GET["by"])) $by=htmlspecialchars($_GET["by"]); else $by="ASC";
with
PHP Code:
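// --- sort column ---------------------------------------------------------
// The column name never comes from the request: the client sends a small
// integer id which is resolved through this fixed whitelist, so only the
// column names listed here can ever reach the query's ORDER BY.
$order_whitelist = array(
    1 => "username",
    2 => "level",
    3 => "joined",
    4 => "lastconnect",
    5 => "flag",
    6 => "ratio",
);
$order_param = 3; // default id ("joined"); echoed back into the pager and sort links
$order = "joined";
if (isset($_GET["order"])) {
    // (int) cast: non-numeric input becomes 0, which is not in the whitelist
    $order_param = (int) $_GET["order"];
    if (isset($order_whitelist[$order_param])) {
        $order = $order_whitelist[$order_param];
    }
    // unknown ids keep the default column; $order_param keeps the raw int, as before
}
// --- sort direction ------------------------------------------------------
// $by_param is initialised up front so the pager URL built later is always
// well formed (the original replacement left it unset when "by" was absent).
$by_param = 1; // 1 = ASC, anything else = DESC
$by = "ASC";
if (isset($_GET["by"])) {
    $by_param = (int) $_GET["by"];
    $by = ($by_param == 1 ? "ASC" : "DESC");
}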
find and replace
PHP Code:
// Vulnerable original – locate this line in users.php (comment lines are
// annotation only). The pager URL echoes the raw $order/$by request strings.
// NOTE(review): $addparams (plural) is concatenated while strlen() tests
// $addparam – looks like a pre-existing typo; left untouched since this is the
// text to find.
list($pagertop, $pagerbottom, $limit) = pager(20, $count, $scriptname."&" . $addparams.(strlen($addparam)>0?"&":"")."order=$order&by=$by&");
with
PHP Code:
// Pager URL now carries the numeric ids ($order_param / $by_param) instead of
// the column name and direction strings, so the links only ever contain ints.
// NOTE(review): $addparams (plural) is concatenated while strlen() tests
// $addparam – the mismatch is inherited from the original line; confirm which
// variable users.php actually defines before relying on the extra params.
list($pagertop, $pagerbottom, $limit) = pager(20, $count, $scriptname."&" . $addparams.(strlen($addparam)>0?"&":"")."order=$order_param&by=$by_param&");
find and replace
PHP Code:
// Vulnerable original – locate this block in users.php (comment lines are
// annotation only). The column-header sort links pass column names and
// ASC/DESC as literal strings, which is what the replacement changes to ids.
// NOTE(review): in the actual file the inner attribute quotes are escaped
// (\"); the escapes appear to have been stripped by the forum rendering, so
// search by the template keys (e.g. "users_sort_username") rather than pasting
// these lines verbatim.
$userstpl->set("users_sort_username", "<a href="$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=username&by=".($order=="username" && $by=="ASC"?"DESC":"ASC")."">".$language["USER_NAME"]."</a>".($order=="username"?$mark:""));
$userstpl->set("users_sort_userlevel", "<a href="$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=level&by=".($order=="level" && $by=="ASC"?"DESC":"ASC")."">".$language["USER_LEVEL"]."</a>".($order=="level"?$mark:""));
$userstpl->set("users_sort_joined", "<a href="$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=joined&by=".($order=="joined" && $by=="ASC"?"DESC":"ASC")."">".$language["USER_JOINED"]."</a>".($order=="joined"?$mark:""));
$userstpl->set("users_sort_lastaccess", "<a href="$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=lastconnect&by=".($order=="lastconnect" && $by=="ASC"?"DESC":"ASC")."">".$language["USER_LASTACCESS"]."</a>".($order=="lastconnect"?$mark:""));
$userstpl->set("users_sort_country", "<a href="$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=flag&by=".($order=="flag" && $by=="ASC"?"DESC":"ASC")."">".$language["USER_COUNTRY"]."</a>".($order=="flag"?$mark:""));
$userstpl->set("users_sort_ratio", "<a href="$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=ratio&by=".($order=="ratio" && $by=="ASC"?"DESC":"ASC")."">".$language["RATIO"]."</a>".($order=="ratio"?$mark:""));
with
PHP Code:
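// Column-header sort links for users.php. Each link now carries the numeric
// ids understood by the order/by whitelist (order=1..6, by=1 ASC / 2 DESC)
// instead of raw column names; $mark flags the column currently in use.
// The inner attribute quotes are escaped as \" – as rendered by the forum the
// backslashes were missing, which makes the snippet a parse error if pasted.
// NOTE(review): $scriptname and $addparam are interpolated into the href
// without HTML escaping – confirm neither is request-derived.
$userstpl->set("users_sort_username", "<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=1&by=".($order=="username" && $by=="ASC"?"2":"1")."\">".$language["USER_NAME"]."</a>".($order=="username"?$mark:""));
$userstpl->set("users_sort_userlevel", "<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=2&by=".($order=="level" && $by=="ASC"?"2":"1")."\">".$language["USER_LEVEL"]."</a>".($order=="level"?$mark:""));
$userstpl->set("users_sort_joined", "<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=3&by=".($order=="joined" && $by=="ASC"?"2":"1")."\">".$language["USER_JOINED"]."</a>".($order=="joined"?$mark:""));
$userstpl->set("users_sort_lastaccess", "<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=4&by=".($order=="lastconnect" && $by=="ASC"?"2":"1")."\">".$language["USER_LASTACCESS"]."</a>".($order=="lastconnect"?$mark:""));
$userstpl->set("users_sort_country", "<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=5&by=".($order=="flag" && $by=="ASC"?"2":"1")."\">".$language["USER_COUNTRY"]."</a>".($order=="flag"?$mark:""));
$userstpl->set("users_sort_ratio", "<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=6&by=".($order=="ratio" && $by=="ASC"?"2":"1")."\">".$language["RATIO"]."</a>".($order=="ratio"?$mark:""));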
save and close.
2. open torrents.php
find and replace
PHP Code:
// Vulnerable original – locate this block in torrents.php (leading comment
// lines are annotation only). $order/$by come from the request as free text;
// mysql_real_escape_string() only escapes quote and control characters, which
// does nothing for a value placed unquoted in an ORDER BY clause (where the
// advisory reports these values end up). The replacement below resolves a
// numeric id through a fixed whitelist instead.
// getting order
if (isset($_GET["order"])) $order=htmlspecialchars(mysql_real_escape_string($_GET["order"])); else $order="data";
// "leechers"/"seeds"/"finished" are aliases swapped for $tleechs/$tseeds/$tcompletes
// (presumably the SQL expressions for those computed columns – defined elsewhere)
$qry_order=str_replace(array("leechers","seeds","finished"),array($tleechs,$tseeds, $tcompletes),$order);
if (isset($_GET["by"])) $by=htmlspecialchars(mysql_real_escape_string($_GET["by"])); else $by="DESC";
// Vulnerable original – locate this line in torrents.php (comment lines are
// annotation only). The pager URL echoes the raw $order/$by request strings.
list($pagertop, $pagerbottom, $limit) = pager($torrentperpage, $count, $scriptname."&" . $addparam.(strlen($addparam)>0?"&":"")."order=$order&by=$by&");
with
PHP Code:
// getting order
// The request supplies a numeric id which is resolved through this fixed
// whitelist, so the column name itself never comes from the client.
$order_whitelist = array(
    1 => "cname",
    2 => "filename",
    3 => "data",
    4 => "size",
    5 => "seeds",
    6 => "leechers",
    7 => "finished",
    8 => "dwned",
    9 => "speed",
);
$order_param = 3; // default id ("data"); echoed back into the pager URL
$order = "data";
if (isset($_GET["order"])) {
    $order_param = (int) $_GET["order"];
    if (isset($order_whitelist[$order_param])) {
        $order = $order_whitelist[$order_param];
    }
    // unknown ids keep the default column; $order_param keeps the raw int
}
// "leechers"/"seeds"/"finished" are aliases swapped for $tleechs/$tseeds/$tcompletes
// (presumably the SQL expressions for those computed columns – defined elsewhere)
$qry_order = str_replace(array("leechers", "seeds", "finished"), array($tleechs, $tseeds, $tcompletes), $order);
// getting direction: id 1 = ASC, anything else = DESC (default id 2)
$by_param = 2;
$by = "DESC";
if (isset($_GET["by"])) {
    $by_param = (int) $_GET["by"];
    $by = ($by_param == 1 ? "ASC" : "DESC");
}
// Pager URL now carries the numeric ids ($order_param / $by_param) instead of
// the column name and direction strings, so the links only ever contain ints.
list($pagertop, $pagerbottom, $limit) = pager($torrentperpage, $count, $scriptname."&" . $addparam.(strlen($addparam)>0?"&":"")."order=$order_param&by=$by_param&");
find and replace
PHP Code:
// Vulnerable original – locate this block in torrents.php (comment lines are
// annotation only). The column-header sort links pass column names and
// ASC/DESC as literal strings, which is what the replacement changes to ids.
// NOTE(review): in the actual file the inner attribute quotes are escaped
// (\"); the escapes appear to have been stripped by the forum rendering, so
// search by the template keys (e.g. "torrent_header_category") rather than
// pasting these lines verbatim.
$torrenttpl->set("torrent_pagertop",$pagertop);
$torrenttpl->set("torrent_header_category","<a href="$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=cname&by=".($order=="cname" && $by=="ASC"?"DESC":"ASC")."">".$language["CATEGORY"]."</a>".($order=="cname"?$mark:""));
$torrenttpl->set("torrent_header_filename","<a href="$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=filename&by=".($order=="filename" && $by=="ASC"?"DESC":"ASC")."">".$language["FILE"]."</a>".($order=="filename"?$mark:""));
$torrenttpl->set("torrent_header_comments",$language["COMMENT"]);
$torrenttpl->set("torrent_header_rating",$language["RATING"]);
$torrenttpl->set("WT",intval($CURUSER["WT"])>0,TRUE);
$torrenttpl->set("torrent_header_waiting",$language["WT"]);
$torrenttpl->set("torrent_header_download",$language["DOWN"]);
$torrenttpl->set("torrent_header_added","<a href="$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=data&by=".($order=="data" && $by=="ASC"?"DESC":"ASC")."">".$language["ADDED"]."</a>".($order=="data"?$mark:""));
// size/seeds/leechers toggle the other way round: their first click sorts descending
$torrenttpl->set("torrent_header_size","<a href="$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=size&by=".($order=="size" && $by=="DESC"?"ASC":"DESC")."">".$language["SIZE"]."</a>".($order=="size"?$mark:""));
$torrenttpl->set("uploader",$SHOW_UPLOADER,TRUE);
$torrenttpl->set("torrent_header_uploader",$language["UPLOADER"]);
$torrenttpl->set("torrent_header_seeds","<a href="$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=seeds&by=".($order=="seeds" && $by=="DESC"?"ASC":"DESC")."">".$language["SHORT_S"]."</a>".($order=="seeds"?$mark:""));
$torrenttpl->set("torrent_header_leechers","<a href="$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=leechers&by=".($order=="leechers" && $by=="DESC"?"ASC":"DESC")."">".$language["SHORT_L"]."</a>".($order=="leechers"?$mark:""));
$torrenttpl->set("torrent_header_complete","<a href="$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=finished&by=".($order=="finished" && $by=="ASC"?"DESC":"ASC")."">".$language["SHORT_C"]."</a>".($order=="finished"?$mark:""));
$torrenttpl->set("torrent_header_downloaded","<a href="$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=dwned&by=".($order=="dwned" && $by=="ASC"?"DESC":"ASC")."">".$language["DOWNLOADED"]."</a>".($order=="dwned"?$mark:""));
$torrenttpl->set("torrent_header_speed","<a href="$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=speed&by=".($order=="speed" && $by=="ASC"?"DESC":"ASC")."">".$language["SPEED"]."</a>".($order=="speed"?$mark:""));
$torrenttpl->set("torrent_header_average",$language["AVERAGE"]);
with
PHP Code:
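// Column-header sort links for torrents.php. Each link now carries the numeric
// ids understood by the order/by whitelist (order=1..9, by=1 ASC / 2 DESC)
// instead of raw column names; $mark flags the column currently in use.
// The inner attribute quotes are escaped as \" – as rendered by the forum the
// backslashes were missing, which makes the snippet a parse error if pasted.
// NOTE(review): $scriptname and $addparam are interpolated into the href
// without HTML escaping – confirm neither is request-derived.
$torrenttpl->set("torrent_pagertop",$pagertop);
$torrenttpl->set("torrent_header_category","<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=1&by=".($order=="cname" && $by=="ASC"?"2":"1")."\">".$language["CATEGORY"]."</a>".($order=="cname"?$mark:""));
$torrenttpl->set("torrent_header_filename","<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=2&by=".($order=="filename" && $by=="ASC"?"2":"1")."\">".$language["FILE"]."</a>".($order=="filename"?$mark:""));
$torrenttpl->set("torrent_header_comments",$language["COMMENT"]);
$torrenttpl->set("torrent_header_rating",$language["RATING"]);
$torrenttpl->set("WT",intval($CURUSER["WT"])>0,TRUE);
$torrenttpl->set("torrent_header_waiting",$language["WT"]);
$torrenttpl->set("torrent_header_download",$language["DOWN"]);
$torrenttpl->set("torrent_header_added","<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=3&by=".($order=="data" && $by=="ASC"?"2":"1")."\">".$language["ADDED"]."</a>".($order=="data"?$mark:""));
// size/seeds/leechers toggle the other way round: their first click sorts descending (by=2)
$torrenttpl->set("torrent_header_size","<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=4&by=".($order=="size" && $by=="DESC"?"1":"2")."\">".$language["SIZE"]."</a>".($order=="size"?$mark:""));
$torrenttpl->set("uploader",$SHOW_UPLOADER,TRUE);
$torrenttpl->set("torrent_header_uploader",$language["UPLOADER"]);
$torrenttpl->set("torrent_header_seeds","<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=5&by=".($order=="seeds" && $by=="DESC"?"1":"2")."\">".$language["SHORT_S"]."</a>".($order=="seeds"?$mark:""));
$torrenttpl->set("torrent_header_leechers","<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=6&by=".($order=="leechers" && $by=="DESC"?"1":"2")."\">".$language["SHORT_L"]."</a>".($order=="leechers"?$mark:""));
$torrenttpl->set("torrent_header_complete","<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=7&by=".($order=="finished" && $by=="ASC"?"2":"1")."\">".$language["SHORT_C"]."</a>".($order=="finished"?$mark:""));
$torrenttpl->set("torrent_header_downloaded","<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=8&by=".($order=="dwned" && $by=="ASC"?"2":"1")."\">".$language["DOWNLOADED"]."</a>".($order=="dwned"?$mark:""));
$torrenttpl->set("torrent_header_speed","<a href=\"$scriptname&$addparam".(strlen($addparam)>0?"&":"")."order=9&by=".($order=="speed" && $by=="ASC"?"2":"1")."\">".$language["SPEED"]."</a>".($order=="speed"?$mark:""));
$torrenttpl->set("torrent_header_average",$language["AVERAGE"]);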
save and close.
Your tracker should now be patched.