Enthusiast3 - Potential Security Risk

An Enthusiast3 user recently asked at the thefanlistings.org message board how people were inserting non-standard data via the join form using what should be a restricted drop-down menu. The answer to that bit was easy: form spoofing. That part is not important in itself; it is possible to do this to many, many forms on the Internet. The problem is with the validation of the fields when a member joins a fanlisting powered by Enthusiast, or rather, the lack of it.

Don’t get me wrong, looking at the script I can see some great features here. I like the way parts of it are set up and I think the script beats some other fanlisting management scripts I’ve seen hands-down. However, if these validation issues are not addressed I can see people losing large amounts of data, as people did with the big phpFanBase hacking. So, I’ve come up with a few unofficial changes that can at least go some way to 'securing' the join form until the next version of Enthusiast is released by Angela (which I’m led to believe is due soon?).

Open show_join.php which is located by default in the enth3 folder and do the following:

  • At the top of the file somewhere, either before or after require 'config.php';, add the following:
    function clean_up($data) {
      $data = strip_tags($data);           // remove any HTML/PHP tags from the submitted value
      $data = trim(htmlentities($data));   // encode the remaining special characters and trim whitespace

      return $data;
    }

  • Find $name = ucfirst( $_POST['name'] ); and change it to: $name = ucfirst(clean_up($_POST['name']));
  • Find && substr_count( $_POST['email'], '@' ) > 0) and change it to: && ereg("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,6})$", strtolower($_POST['email'])))
  • Find $email = $_POST['email']; and replace it with: $email = clean_up($_POST['email']);
  • Find $country = $_POST["country"]; and change it to: $country = clean_up($_POST['country']);
  • Find $url = $_POST["url"]; and change it to: $url = clean_up($_POST['url']);
  • Find $comments = $_POST['comments']; and change it to: $comments = clean_up($_POST['comments']);
  • Find $show_email = $_POST['show_email']; and change it to: $show_email = clean_up($_POST['show_email']);
  • Find both occurrences of $values[$field] = $_POST[$field]; and replace with $values[$field] = clean_up($_POST[$field]);

If you’ve been told your enth join form is being used to send spam, you might find it helpful to insert:

// mail-header and script tokens that have no business in a join form submission
$find = "/(content-type|bcc:|cc:|onload|onclick|javascript)/i";
if (preg_match($find, $name) || preg_match($find, $email) || preg_match($find, $url) || preg_match($find, $comments) || preg_match($find, $country) || preg_match($find, $show_email)) {
  echo "<p>No naughty injecting, please.</p>";
  exit;
}

below $table = $info['dbtable'];. This will also go some way to decreasing the risk of JavaScript injection which, because enth3 passwords are stored as plain text in the cookie, would be a major problem if successful.
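The steps above and the spam filter are spread over several find-and-replace edits, so here they are gathered into one self-contained script as an added example. This is not Enthusiast’s own code, nor the modified show_join.php: the field names match the post, the ereg() pattern is rewritten for preg_match() with the dots escaped so they only match a literal dot, and the allowed values for the show_email drop-down (yes/no) and the sample submissions are constructed assumptions.

```php
<?php
// Added example, not Enthusiast's own code. Field names follow the post; the
// show_email values, the sample submissions and the helper names are assumptions.

function clean_up($data) {
    // Strip HTML/PHP tags, then encode what is left so it cannot render as markup.
    $data = strip_tags($data);
    return trim(htmlentities($data, ENT_QUOTES, 'UTF-8'));
}

function is_valid_email($email) {
    // Same shape as the post's ereg() pattern, as a preg_match() pattern
    // (ereg() no longer exists in current PHP) with the dots escaped.
    $pattern = '/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,6})$/';
    return preg_match($pattern, strtolower($email)) === 1;
}

function looks_like_injection(array $fields) {
    // The mail-header and script tokens from the post's spam filter.
    $find = '/(content-type|bcc:|cc:|onload|onclick|javascript)/i';
    foreach ($fields as $value) {
        if (preg_match($find, $value)) {
            return true;
        }
    }
    return false;
}

function validate_join(array $post) {
    // Returns array('ok' => bool, 'errors' => array, 'values' => array).
    $errors = array();
    $values = array();
    foreach (array('name', 'email', 'url', 'country', 'comments', 'show_email') as $field) {
        $values[$field] = clean_up(isset($post[$field]) ? $post[$field] : '');
    }
    $values['name'] = ucfirst($values['name']);

    if ($values['name'] === '') {
        $errors[] = 'name is required';
    }
    if (!is_valid_email($values['email'])) {
        $errors[] = 'email address is not valid';
    }
    // Enforce the drop-down server-side: a spoofed form cannot submit other values.
    // (Assumed allowed values; adjust to the script's own list.)
    if (!in_array($values['show_email'], array('yes', 'no'), true)) {
        $errors[] = 'show_email must be yes or no';
    }
    if (looks_like_injection($values)) {
        $errors[] = 'No naughty injecting, please.';
    }
    return array('ok' => empty($errors), 'errors' => $errors, 'values' => $values);
}

// Constructed sample submissions: one normal, one spoofed.
$good = array('name' => 'jem', 'email' => 'Jem@Example.org', 'url' => 'http://example.org',
              'country' => 'UK', 'comments' => 'Hi!', 'show_email' => 'no');
$bad  = array('name' => '<script>alert(1)</script>', 'email' => 'x@example.org%0ABcc: spam@example.net',
              'url' => 'javascript:alert(1)', 'country' => 'UK', 'comments' => '', 'show_email' => 'maybe');

foreach (array('good' => $good, 'bad' => $bad) as $label => $post) {
    $result = validate_join($post);
    echo $label, ': ', $result['ok']
        ? 'accepted'
        : 'rejected (' . implode('; ', $result['errors']) . ')', "\n";
}
```

The in_array() check is what actually closes the drop-down spoofing from the first paragraph: the server keeps its own list of permitted values and never trusts the form to have restricted them. Note also that strtolower() is applied only for the validity check, so the stored address keeps its original case while mixed-case addresses are no longer rejected.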

Please note: these modifications were originally not approved or run by Angela, but have since been approved by Angela, the owner of Enthusiast, and they are to be used at your own risk. To my knowledge these modifications will only improve security, and will not have a detrimental effect on the running of the script. (Insert other legal babbling here.)

Edit: if you’re uncomfortable editing the files yourself, please see scripts.indisguise.org for the pre-modified show_join.php.

Parse Error Fix

There is unfortunately a typo in the modified version downloadable from the official site, and should you get any errors it’s probably because of this. To fix it, find line 61 (or thereabouts) and change: if( $_POST['email'] && ereg("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,6})$", $_POST['email'])
..to: if( $_POST['email'] && ereg("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,6})$", strtolower($_POST['email']))). This will also fix the bug where email addresses are not accepted if they contain capital letters.

Related Reading

On the Security of PHP, Part 1 (see “Trusting User Input”)
Top 7 Security Blunders (see “Unvalidated Input Errors”)

24 Comments on “Enthusiast3 - Potential Security Risk”

  1. Amelie says:

    I’ll ask the other staffers what they think about this. Maybe it could be CG approved :P

    Response posted: April 27th, 2006 at 11:06 am
  2. Amanda says:

    I don’t use Enthusiast myself, but sounds pretty funky. Have you contemplated posting this (or a link to this) on the TFL boards? It might help out the people there, as I see more and more of the TFL community switching over to Enthusiast from FanBase.

    Response posted: April 27th, 2006 at 2:57 pm
  3. Alexine says:

    That’s a useful code mod :) I don’t use enthusiast, but that’ll definitely come in handy for other scripts too ^.^

    Response posted: April 28th, 2006 at 1:32 am
  4. Julie says:

    I was curious as to whether something similar can be done with PHPFanBase?

    Response posted: April 28th, 2006 at 2:43 am
  5. Jem says:

    Julie: if you, or someone else could send me the latest version, I could take a look at it. :)

    Response posted: April 28th, 2006 at 8:28 am
  6. Amelie says:

    I’ll see if I can find it for you, if Julie hasn’t already done it :P

    Response posted: April 28th, 2006 at 9:09 am
  7. Vera says:

    You truly care about making the net more secure, I admire the resolve in that. I’m assuming that for your own fanlistings you use hand-made code though :) P.S. not to brag… but my new URL is up (provided above). *hides just in case*

    Response posted: April 28th, 2006 at 4:12 pm
  8. Bubs says:

    Wow, the function I use to validate my $_POST data is called cleanUp() … I guess great minds do think alike ;)

    Response posted: April 28th, 2006 at 11:51 pm
  9. Kelly says:

    Thanks a lot for the help! I WAS using PHPFanBase, but seeing as that’s not secure, switched to Enth.

    Response posted: April 29th, 2006 at 5:04 pm
  10. Mervi says:

    Thank you, you’re a gem!

    Response posted: May 3rd, 2006 at 9:48 am
  11. Julie says:

    You’re amazing! Thanks for figuring it out and making a fix!

    Response posted: May 4th, 2006 at 4:20 am
  12. Maria says:

    Thanks! :) it’s so nice that you took the time to figure a solution to this :D you rock.

    Response posted: May 5th, 2006 at 5:29 am
  13. Susanna says:

    I used (also) PHPFanbase, but switched to Enth. I love it. :-) Thanks so much for making it stable. :)

    Response posted: May 8th, 2006 at 11:48 pm
  14. Cara says:

    Thanks for the code but I’m having a problem. I got this "Parse error: syntax error, unexpected T_ELSE in xxxx/show_join.php on line 61". I am aware of the similar problem that others encountered before for T_Variable, but not T_Else. Any clues?

    Response posted: May 15th, 2006 at 6:38 am
  15. Cara says:

    Jem, thanks for your help. Somehow it works after I manually edited the file (last resort). Maybe I should not have been so lazy at first. :P

    Response posted: May 15th, 2006 at 6:29 pm
  16. Kay says:

    This mistake (well, I’m pretty sure) actually did create a security risk at my site - I should have checked earlier, but thanks anyhow for fixing it!

    Response posted: June 13th, 2006 at 8:57 pm
  17. Ren says:

    Thanks for the bugfix! By the way, I have the same problem, too. It’s the "Parse error: syntax error, unexpected T_VARIABLE in /home/x/public_html/enth3/show_join.php on line 61". Could you help me fix this? ;_;

    Response posted: June 22nd, 2006 at 8:40 am
  18. Jem says:

    Ren: I’ve e-mailed you the fix :)

    Response posted: June 22nd, 2006 at 8:45 am
  19. Maya says:

    I feel pretty dumb, but I’m having the same problem with T_VARIABLE. Could you email the fix to me too?

    Response posted: June 25th, 2006 at 4:34 am
  20. Rachel says:

    Hi Jem, I have a small problem. I don’t have this code: && substr_count( $_POST['email'], '@' ) > 0) in my join form… Any suggestions on what to do? :\

    Response posted: July 5th, 2006 at 2:47 am
  21. Johari says:

    Hi Jem, I’ve actually got the same problem as Ren on my Join page. It was odd because when I first installed Enth3 with the show_join.php fix, it worked like a charm. But then a few minutes later, the parse error message shows up. Would it be possible to email me the fix too? Thanks!

    Response posted: July 7th, 2006 at 8:12 am
  22. Johari says:

    Hi Jem, I realized what happened. I used the show_join.php file from the Enth3 package from Angela’s site originally. That was the version that had worked. But when I reuploaded my FL, I had used the separate updated show_join.php file instead, which is why that parse error came up.

    Response posted: July 7th, 2006 at 8:47 am
  23. Juuhachi Go says:

    Hi Jem, thank you for the bugfix, but I got that T_VARIABLE error and I didn’t understand how to fix it ;_;!

    Response posted: July 19th, 2006 at 3:10 pm
  24. Kat says:

    Thank you for the bugfix, but I am also getting the error.

    Response posted: November 18th, 2006 at 6:47 pm
