Results 1 to 2 of 2
  1. #1

    Default SECURITY ANNOUNCEMENT: XSS Vulnerabilities

    Last modified: August 4, 2006, 10:00 CST
    Note: Any changes to the instructions will be made to THIS POST. Keep an eye on this thread for updates to the security fix.

    Any version of Geo Classifieds, Geo Auctions, or Geo Class Auctions prior to July 31, 2006, is vulnerable to Cross Site Scripting (Sometimes called XSS) attacks. If you operate a site that uses any software mentioned above, it is highly recommended to apply the security vulnerability fix described below. If you are not comfortable with making these changes yourself, start a support ticket and we will be happy to do it for you, free of charge.

    Timeline:
    On Thursday, July 27, 2006 a post was made to these forums regarding Cross Site Scripting (XSS) issues discovered in the software.

    On Friday, July 28, 2006, we started using preliminary fixes to user's sites who filed tickets regarding the issues.

    On Saturday, July 29, 2006, we posted a preliminary fix to the above mentioned thread which involved adding text to the top of config.php.

    Monday, July 31, 2006: Released first official fix, found below.
    August 4, 2006: Made the "in admin" detection work better on servers with custom settings.

    Instructions to apply fix, Read Carefully:
    Upgrading XSS patch:
    1. If you have already applied these changes from this thread, just over-write your xss_filter_inputs.php by following steps 2-4 from the "First Time" instructions below.

    First Time:
    1. If you have already made changes to fix the XSS problems in config.php, index.php, register.php, or any others, using instructions that do not include xss_filter_inputs.php file, undo those changes and restore the original file(s).
    2. Download this file: xss_filter_inputs.zip
    3. Locate the file you just downloaded, and unzip it.
    4. Use FTP to upload the unzipped file (named xss_filter_inputs.php) to your site, to the same directory as config.php.
    5. Download (using FTP) your config.php file, and open it in any text editor. At the very top before
    Code:
    <? //config.php
    insert the entire following line:
    Code:
    <?php include_once ('xss_filter_inputs.php'); ?>
    When you insert the line, the top of your config.php should look simular to this (your version might look slightly different):
    Code:
    <?php include_once('xss_filter_inputs.php'); ?>
    <? //config.php
    /*
     Welcome to the Geodesic Software Configuration File. This file is the link 
     between the php files that run the functions of the software and your 
     database which stores all of the information. 
    
    We have organized the file in sections. Please follow the below carefully to 
    ensure a successful installation
    */
    6. Rename the original config.php located on your site to config.bak.php in case anything goes wrong. (The new filename must end in .php or people will be able to view your site settings!)
    7. Upload the modified config.php file.
    8. Test your site by going to the main page, using an Internet browser. If anything looks messed up, check your config.php and make sure you followed the instructions above exactly. Be sure there are no blank lines at the end of config.php. If you are experiencing problems, start a support ticket and we will be happy to help you out.

    Frequently Asked Questions:
    Q: Do I need to apply the fix to my site, or is it already fixed?
    A: Things to check:
    1. If you do not have a file named xss_filter_inputs.php OR clean_inputs.php in the same directory as your config.php file, you need to do the patch.
    2. If you have xss_filter_inputs.php, look at the top of that file. If the date is older than the date at the top of these instructions, follow the "Upgrade XSS Patch" instructions above.
    3. If you have clean_inputs.php, then your version of the software already came with the patch installed, so no modifications are needed. Do NOT use xss_filter_inputs.php if you have clean_inputs.php file, as the clean_inputs.php file is tailored to your version, while xss_filter_inputs.php is made to work with all versions of our software.

    Q: Will this break my templates if I try to edit them in the admin?
    A: The XSS fix works with editing ANYTHING on the admin side, as long as your admin directory is still named admin. If you have changed the admin directory name, see the FAQ below: "I changed the admin directory name, what do I do special?"

    Q: But it Did break my template!
    A: Make sure your xss_filter_inputs.php says August 4, 2006 at the top of the page (not an older date). We made some modifications for servers with non-standard settings. Also, see the next FAQ.

    Q: I changed the admin directory name, what do I do special?
    A: This requires being comfortable editing php files. If you are not comfortable, start a geo support ticket and we can do this for you.

    1. Open xss_filter_inputs.php with a text editor. In the file, there will be instructions on what to do if your admin directory is changed.

    Q: Will this break affiliate HTML when users try to edit their affiliate HTML (if your site supports this)?
    A: The XSS fix does not break affiliate HTML.

    Q: I saw someone said their security image does not display now, what is the status of that?
    A: The security image was because there was an extra blank line at the bottom of config.php. If you are experiencing problems with the security image, make sure there is not an extra blank line at the end of config.php.

    Q: Help! An older fix broke my templates, and now my site has weird stuff all over it!
    A: Start a support ticket and we will be happy to fix any templates that got messed up as a result of the previous fix. Note: The fix detailed above does NOT break templates, as long as you remove any previous fixes.

    Q: So will I have to go through all this again if another bug is found in the fix?
    A: The fix detailed above will only require you to replace the xss_filter_inputs.php in the event that a newer version is made. No more modifying of files will be necessary, as long as you followed the instructions above correctly.

    Q: What is the deal with the latest security vulnerability found regarding SQL injection?
    A: We are looking into these issues now. We will update this post regarding the status.

    Q: I have another question not answered here!?
    A: Use this thread for discussion or any questions regarding XSS issues.

    Q: Help! My site stopped working when I applied the fix above!!!
    A: Either start a support ticket (fastest way during working hours) or post your problem to the discussion thread.

    Q: Did you really mean to say paste the text ______(insert other location here)
    A: Follow the instructions above exactly. Yes, we meant to post BEFORE the <?. Be sure when copying, to include the <?php and ?>. Note that the instructions have changed from the initial fix posted to the thread on Saturday, and the code is updated from the original fix to work with affiliate HTML.

    Q: I already applied one of the previous fixes from another thread, do I need to do this one too?
    A: Un-do any changes you made to any of your files to fix XSS issues, and follow the instructions above. This new fix addresses issues with affiliate HTML, and properly detecting if in the admin side.

  2. #2

    Default Re: SECURITY ANNOUNCEMENT: XSS Vulnerabilities

    There is a new version of xss_filter_inputs.php.

    This update makes the admin detection work on servers with non-standard settings.

    Who should apply the update:
    Anyone that had broken templates after they edit a template in the admin with the xss_filter_inputs.php released on July 31. (any site that reports the script_filename as /bin/php or simular when doing a phpinfo();)

    If you fit into this category, follow the "Upgrading XSS patch" instructions from the first post above, or start a geo support ticket and we can do it for you.

    Note: This is not a critical update, you do not need to upgrade unless your site reports SCRIPT_FILENAME to be '/bin/php' or similar. If in doubt, go ahead and upgrade.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •