Apr 27 2006

Enthusiast3 – Potential Security Risk

An Enthusiast3 user recently asked at thefanlistings.org message board how people were inserting non-standard data via the join form using what should be a restricted drop-down menu. The answer to that bit was easy: form spoofing. That part is not important in itself; it is possible to do this to many, many forms on the Internet. The real problem is with the validation of the fields when a member joins a fanlisting powered by Enthusiast, or rather, the lack of it.

Don’t get me wrong: looking at the script I can see some great features here. I like the way parts of it are set up and I think the script beats some other fanlisting management scripts I’ve seen hands-down. However, if these validation issues are not addressed I can see people losing large amounts of data, as people did with the big phpFanBase hacking. So, I’ve come up with a few unofficial changes that can at least go some way to ‘securing’ the join form, until the next version of Enthusiast is released by Angela (which I’m led to believe is due soon?).

Open show_join.php which is located by default in the enth3 folder and do the following:

  • At the top of the file somewhere, either before or after require 'config.php';, add the following:
    function clean_up($data) {
      $data = strip_tags($data);
      $data = trim(htmlentities($data));

      return $data;
    }

  • Find $name = ucfirst( $_POST['name'] ); and change it to: $name = ucfirst(clean_up($_POST['name']) );
  • Find && substr_count( $_POST['email'], '@' ) > 0) and change it to: && ereg("^[_a-z0-9-]+(.[_a-z0-9-]+)*@[a-z0-9-]+(.[a-z0-9-]+)*(.[a-z]{2,6})$", strtolower($_POST['email'])))
  • Find $email = $_POST['email']; and replace it with: $email = clean_up($_POST['email']);
  • Find $country = $_POST["country"]; and change it to: $country = clean_up($_POST['country']);
  • Find $url = $_POST["url"]; and change it to: $url = clean_up($_POST['url']);
  • Find $comments = $_POST['comments']; and change it to: $comments = clean_up($_POST['comments']);
  • Find $show_email = $_POST['show_email']; and change it to: $show_email = clean_up($_POST['show_email']);
  • Find both occurrences of $values[$field] = $_POST[$field]; and replace with $values[$field] = clean_up($_POST[$field]);

If you’ve been told your enth join form is being used to send spam, you might find it helpful to insert:

$find = "/(content-type|bcc:|cc:|onload|onclick|javascript)/i";
if (preg_match($find, $name) || preg_match($find, $email) || preg_match($find, $url) || preg_match($find, $comments) || preg_match($find, $country) || preg_match($find, $show_email)) {
  echo "<p>No naughty injecting, please.</p>";
  exit;
}

below $table = $info['dbtable'];. This will also go some way to decreasing the risk of JavaScript injections which, because enth3 passwords are stored as plain text in the cookie, would be a major problem if successful.
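As an added example (not code from the original post or from Enthusiast), here are the field changes above and the spam check combined into one server-side validation routine; it also re-checks the drop-down value against the server's own list of options, which is what actually defeats the form spoofing described at the start. The field names are those used on this page; the allowed-country list and the sample submission are constructed.

```php
<?php
// Added example, not code from the original post or from Enthusiast: one
// server-side check over the same join-form fields the mod above touches.
// $allowed_countries is a hypothetical copy of the drop-down's option values.

function clean_up($data) {
    // Same as the post's helper, with an explicit charset for htmlentities().
    return trim(htmlentities(strip_tags($data), ENT_QUOTES, 'UTF-8'));
}

function validate_join(array $post, array $allowed_countries) {
    $errors = array();
    $values = array();
    foreach (array('name', 'email', 'country', 'url', 'comments', 'show_email') as $f) {
        $values[$f] = clean_up(isset($post[$f]) ? (string) $post[$f] : '');
    }

    // ereg() was removed in PHP 7; preg_match() with the dots escaped replaces it.
    $email_re = '/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,6})$/';
    if (!preg_match($email_re, strtolower($values['email']))) {
        $errors[] = 'email: not a valid address';
    }

    // A "restricted" drop-down is only restricted in the browser; a spoofed form
    // can submit anything, so the value is re-checked against the server's list.
    if (!in_array($values['country'], $allowed_countries, true)) {
        $errors[] = 'country: not one of the offered options';
    }

    // The post's header/script pattern, applied to every field in one pass.
    $find = '/(content-type|bcc:|cc:|onload|onclick|javascript)/i';
    foreach ($values as $f => $v) {
        if (preg_match($find, $v)) {
            $errors[] = "$f: contains disallowed content";
        }
    }
    return array('ok' => empty($errors), 'errors' => $errors, 'values' => $values);
}

// Constructed sample submission: a country not offered by the form and a mail
// header smuggled into the comments field.
$sample = array(
    'name' => 'jem', 'email' => 'Jem@Example.org', 'country' => '<b>Narnia</b>',
    'url' => 'http://example.org/', 'comments' => "hi\nbcc: someone@example.com",
    'show_email' => 'no',
);
$result = validate_join($sample, array('United Kingdom', 'United States', 'Finland'));
echo $result['ok'] ? "accepted\n" : "rejected: " . implode('; ', $result['errors']) . "\n";
```

With the sample above, the email passes after lowercasing while the country and comments fields are rejected, so nothing reaches the database or the mailer.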

Please note: these modifications (originally not approved or run by Angela) have since been approved by Angela, the owner of Enthusiast, and they are to be used at your own risk. To my knowledge these modifications will only improve security, and will not have a detrimental effect on the running of the script. (Insert other legal babbling here.)

Edit: if you’re uncomfortable editing the files yourself, please see scripts.indisguise.org for the pre-modified show_join.php.

Parse Error Fix

There is unfortunately a typo in the modified version downloadable from the official site, and should you get any errors it’s probably because of this. To fix it, find line 61 (or thereabouts) and change:

if( $_POST['email'] && ereg("^[_a-z0-9-]+(.[_a-z0-9-]+)*@[a-z0-9-]+(.[a-z0-9-]+)*(.[a-z]{2,6})$", $_POST['email'])

..to:

if( $_POST['email'] && ereg("^[_a-z0-9-]+(.[_a-z0-9-]+)*@[a-z0-9-]+(.[a-z0-9-]+)*(.[a-z]{2,6})$", strtolower($_POST['email'])))

This will also fix the bug where email addresses are not accepted if they contain capital letters.

Related Reading

On the Security of PHP, Part 1 (see “Trusting User Input”)
Top 7 Security Blunders (see “Unvalidated Input Errors”)

Warning

This post is over 6 months old. This means that, despite my best intentions, it may no longer be accurate. Age, motherhood, experience, loss... these things have all changed me from when this blog was started back in the heady (ha) days of my youth.

As much as I would like to go back and edit 10 years of archives to provide an insight into the 'me' of now — to update coding snippets and revise website advice — it would probably take years to do so (by which point I'd have to start again!) This would defeat the point of keeping these archives anyway.

Please take these posts for what they are: a brief look into my past, my history, my journey.

24 Responses so far
  1. Amelie says: April 27, 2006 at 10:06 am

    I’ll ask the other staffers what they think about this. Maybe it could be CG approved :P

  2. Amanda says: April 27, 2006 at 1:57 pm

    I don’t use Enthusiast myself, but sounds pretty funky. Have you contemplated posting this (or a link to this) on the TFL boards? It might help out the people there, as I see more and more of the TFL community switching over to Enthusiast from FanBase.

  3. Alexine says: April 28, 2006 at 12:32 am

    That’s a useful code mod :) I don’t use enthusiast, but that’ll definitely come in handy for other scripts too ^.^

  4. Julie says: April 28, 2006 at 1:43 am

    I was curious as to whether something similar can be done with PHPFanBase?

  5. Jem says: April 28, 2006 at 7:28 am

    Julie: if you, or someone else could send me the latest version, I could take a look at it. :)

  6. Amelie says: April 28, 2006 at 8:09 am

    I’ll see if I can find it for you, if Julie hasn’t already done it :P

  7. Vera says: April 28, 2006 at 3:12 pm

    You truly care about making the net more secure, I admire the resolve in that. I’m assuming that for your own fanlistings you use hand-made code though :) P.S. not to brag… but my new URL is up (provided above). *hides just in case*

  8. Bubs says: April 28, 2006 at 10:51 pm

    Wow, the function I use to validate my $_POST data is called cleanUp() … I guess great minds do think alike ;)

  9. Kelly says: April 29, 2006 at 4:04 pm

    Thanks a lot for the help! I WAS using PHPFanBase, but seeing as that’s not secure, switched to Enth.

  10. Mervi says: May 3, 2006 at 8:48 am

    Thank you, you’re a gem!

  11. Julie says: May 4, 2006 at 3:20 am

    You’re amazing! Thanks for figuring it out and making a fix!

  12. Maria says: May 5, 2006 at 4:29 am

    Thanks! :) it’s so nice that you took the time to figure a solution to this :D you rock.

  13. Susanna says: May 8, 2006 at 10:48 pm

    I used (also) PHPFanbase, but switched to Enth. I love it. :-) Thanks so much for making it stable. :)

  14. Cara says: May 15, 2006 at 5:38 am

    Thanks for the code but I’m having a problem. I got this “Parse error: syntax error, unexpected T_ELSE in xxxx/show_join.php on line 61”. I am aware of the similar problem that others encountered before for T_VARIABLE, but not T_ELSE. Any clues?

  15. Cara says: May 15, 2006 at 5:29 pm

    Jem, thanks for your help. Somehow it works after I manually edited the file (last resort). Maybe I should not be so lazy at first. :P

  16. Kay says: June 13, 2006 at 7:57 pm

    This mistake (well, I’m pretty sure) actually did create a security risk at my site – I should have checked earlier, but thanks anyhow for fixing it!

  17. Ren says: June 22, 2006 at 7:40 am

    Thanks for the bugfix! By the way, I have the same problem, too. It’s the “Parse error: syntax error, unexpected T_VARIABLE in /home/x/public_html/enth3/show_join.php on line 61”. Could you help me fix this? ;_;

  18. Jem says: June 22, 2006 at 7:45 am

    Ren: I’ve e-mailed you the fix :)

  19. Maya says: June 25, 2006 at 3:34 am

    I feel pretty dumb, but I’m having the same problem with T_VARIABLE. Could you email the fix to me too?

  20. Rachel says: July 5, 2006 at 1:47 am

    Hi Jem, I have a small problem. I don’t have this code: && substr_count( $_POST['email'], '@' ) > 0) in my join form… Any suggestions on what to do? :\

  21. Johari says: July 7, 2006 at 7:12 am

    Hi Jem, I’ve actually got the same problem as Ren on my Join page. It was odd because when I first installed Enth3 with the show_join.php fix, it worked like a charm. But then a few minutes later, the parse error message shows up. Would it be possible to email me the fix too? Thanks!

  22. Johari says: July 7, 2006 at 7:47 am

    Hi Jem, I realized what happened. I used the show_join.php file from the Enth3 package from Angela’s site originally. That was the version that had worked. But when I reuploaded my FL, I had used the separate updated show_join.php file instead, which is why that parse error came up.

  23. Juuhachi Go says: July 19, 2006 at 2:10 pm

    Hi Jem, thank you for the bugfix, but I got that T_VARIABLE error and I didn’t understand how to fix it ;_;!

  24. Kat says: November 18, 2006 at 6:47 pm

    Thank you for the bugfix but I am also getting the error