Enthusiast3 – Potential Security Risk
An Enthusiast3 user recently asked on the thefanlistings.org message board how people were inserting non-standard data via the join form through what should be a restricted drop-down menu. That part is easy to answer: form spoofing. A drop-down only restricts what the browser offers; anyone can submit a form of their own with any value in that field, and the same is true of many, many forms on the Internet. The real problem is the validation of the fields when a member joins a fanlisting powered by Enthusiast, or rather the lack of it.
Don't get me wrong, looking at the script I can see some great features here. I like the way parts of it are set up and I think the script beats some other fanlisting management scripts I've seen hands-down. However, if these validation issues are not addressed I can see people losing large amounts of data, as people did with the big phpFanBase hacking. So I've come up with a few unofficial changes that go at least some way towards securing the join form until the next version of Enthusiast is released by Angela (which I'm led to believe is due soon?).
Open show_join.php, which is located by default in the enth3 folder, and do the following:
- At the top of the file somewhere, either before or after require 'config.php';, add the following:

function clean_up($data) {
    $data = strip_tags($data);
    $data = trim(htmlentities($data));
    return $data;
}

- Find:
$name = ucfirst( $_POST['name'] );
and change it to:
$name = ucfirst( clean_up($_POST['name']) );

- Find:
&& substr_count( $_POST['email'], '@' ) > 0)
and change it to:
&& ereg("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,6})$", strtolower($_POST['email'])))

(The dots in the pattern are escaped: an unescaped . in a regular expression matches any character, which would accept addresses with no real dot in the domain. strtolower() is there because ereg() is case-sensitive and the character classes only list lower-case letters.)

- Find:
$email = $_POST['email'];
and replace it with:
$email = clean_up($_POST['email']);

- Find:
$country = $_POST["country"];
and change it to:
$country = clean_up($_POST['country']);

- Find:
$url = $_POST["url"];
and change it to:
$url = clean_up($_POST['url']);

- Find:
$comments = $_POST['comments'];
and change it to:
$comments = clean_up($_POST['comments']);

- Find:
$show_email = $_POST['show_email'];
and change it to:
$show_email = clean_up($_POST['show_email']);

- Find both occurrences of:
$values[$field] = $_POST[$field];
and replace with:
$values[$field] = clean_up($_POST[$field]);

What clean_up() does is strip HTML tags and entity-encode whatever is left, so a value saved from the form is inert when it is printed back into a page. It does not check that a value is one the form was meant to allow: the drop-down fields (country, show_email) should still be compared against the list the menu was built from, because form spoofing means the browser-side restriction counts for nothing. Note also that ereg() was removed in PHP 7; on a modern PHP use preg_match() with the same pattern between / delimiters, or filter_var($email, FILTER_VALIDATE_EMAIL).
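The following is an added example, not Enthusiast's own code, showing the same checks written for PHP 7 and later: clean_up() as above, filter_var() in place of the removed ereg(), allow-list comparison for the two drop-down fields (the form-spoofing point from the start of the post), and a prepared statement for the insert. The field names are the ones the post edits; the country list, the show_email values and the table and column names are placeholders assumed for the example.

```php
<?php
// Added example (not Enthusiast's own code): hardened join-form validation
// for PHP 7+. Field names follow the post; the lists and table/column names
// below are placeholders assumed for this example.

// The clean_up() from the post: strip tags, then entity-encode what is left.
function clean_up(string $data): string
{
    return trim(htmlentities(strip_tags($data), ENT_QUOTES, 'UTF-8'));
}

// Allowed values for the "restricted" fields. A spoofed form can send any
// string, so the server re-checks against the same list the drop-down uses.
const COUNTRIES  = ['United Kingdom', 'United States', 'Finland', 'Germany'];
const SHOW_EMAIL = ['yes', 'no'];

// Validate raw POST data. Returns [ok, cleaned values or list of bad fields].
function validate_join(array $post): array
{
    $errors = [];
    $clean  = [];

    $name = clean_up($post['name'] ?? '');
    if ($name === '' || strlen($name) > 100) {
        $errors[] = 'name';
    }
    $clean['name'] = ucfirst($name);

    // Built-in validator instead of ereg() (removed in PHP 7); lower-case
    // first so the comparison with existing members is case-insensitive.
    $email = strtolower(trim($post['email'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email';
    }
    $clean['email'] = $email;

    // Allow-list rather than clean up: anything not in the list is rejected.
    $country = $post['country'] ?? '';
    if (!in_array($country, COUNTRIES, true)) {
        $errors[] = 'country';
    }
    $clean['country'] = $country;

    $show = $post['show_email'] ?? 'no';
    if (!in_array($show, SHOW_EMAIL, true)) {
        $errors[] = 'show_email';
    }
    $clean['show_email'] = $show;

    // URL is optional, but if present it must be an http(s) URL, so a
    // javascript: link cannot be stored and printed as a member's site.
    $url = trim($post['url'] ?? '');
    if ($url !== '') {
        $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
        if (filter_var($url, FILTER_VALIDATE_URL) === false
            || !in_array($scheme, ['http', 'https'], true)) {
            $errors[] = 'url';
        }
    }
    $clean['url'] = clean_up($url);

    $clean['comments'] = clean_up($post['comments'] ?? '');

    return [$errors === [], $errors ?: $clean];
}

// Entity-encoding for HTML does nothing for SQL, so the insert uses a
// prepared statement: values are bound, never interpolated into the query.
// $table comes from the script's own config, not from the form.
function insert_member(PDO $db, string $table, array $clean): void
{
    $stmt = $db->prepare(
        "INSERT INTO {$table} (name, email, country, url, comments, show_email)
         VALUES (:name, :email, :country, :url, :comments, :show_email)"
    );
    $stmt->execute($clean);
}

// Constructed sample submission: a spoofed country, a javascript: URL and a
// script tag in the name, as a bot bypassing the drop-down might send.
[$ok, $out] = validate_join([
    'name'       => 'jem<script>alert(1)</script>',
    'email'      => 'Jem@Example.ORG',
    'country'    => "Narnia' OR 1=1 --",
    'show_email' => 'no',
    'url'        => 'javascript:alert(1)',
    'comments'   => '',
]);
var_dump($ok, $out);
```

The design point is the split between the three kinds of check: validate (email, URL), allow-list (country, show_email) and encode (name, comments). clean_up() belongs only to the last group; the first two reject rather than repair, and the database layer gets bound parameters regardless of what the other checks did.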
If you've been told your enth join form is being used to send spam, you might find it helpful to insert:

$find = "/(content-type|bcc:|cc:|onload|onclick|javascript)/i";
if (preg_match($find, $name) || preg_match($find, $email) || preg_match($find, $url) || preg_match($find, $comments) || preg_match($find, $country) || preg_match($find, $show_email)) {
    echo "<p>No naughty injecting, please.</p>";
    exit;
}

below $table = $info['dbtable'];. This is a list of strings that spam bots commonly inject, so it catches the usual attempts rather than every possible one; what actually lets an extra mail header in is a line break inside a value that ends up in a header, so rejecting carriage returns and line feeds in the name and e-mail fields is the stronger check. It will also go some way to decreasing the risk of JavaScript injection which, because enth3 passwords are stored as plain text in the cookie, would be a major problem if successful.
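As an added example (not code from the post or from Enthusiast), here is the denylist above run side by side with a structural check for mail header injection, over constructed sample values. The function and sample names are assumptions made for this example; the point it shows is that a header the list does not name (To:) slips past the pattern but not past a CR/LF check.

```php
<?php
// Added example (not from Enthusiast): the post's word denylist beside a
// structural check for mail header injection. Sample inputs are constructed.

// The pattern suggested in the post.
const NAUGHTY = '/(content-type|bcc:|cc:|onload|onclick|javascript)/i';

function denylist_rejects(string $value): bool
{
    return preg_match(NAUGHTY, $value) === 1;
}

// A new header can only be injected by ending the current one, which needs
// a CR or LF. Rejecting those (and NUL) in any value that goes into a mail
// header closes the whole class rather than a list of header names.
function header_rejects(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

// Build a Reply-To header for mail() only from values that passed the check.
function reply_to_header(string $name, string $email): string
{
    if (header_rejects($name) || header_rejects($email)
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('unsafe header value');
    }
    // Quote the display name so a "," or ":" inside it cannot be misread.
    return 'Reply-To: "' . addcslashes($name, '"\\') . '" <' . $email . '>';
}

// Constructed samples: the second matches the denylist, the third does not,
// yet both would add a recipient if the value reached a mail header.
$samples = [
    'plain name'          => 'Jem',
    'Bcc (in denylist)'   => "Jem\r\nBcc: spam-target@example.com",
    'To (not in denylist)' => "Jem\r\nTo: spam-target@example.com",
    'multi-line comment'  => "line one\nline two",
];

foreach ($samples as $label => $value) {
    printf("%-22s denylist=%-6s crlf=%s\n", $label,
        denylist_rejects($value) ? 'reject' : 'pass',
        header_rejects($value) ? 'reject' : 'pass');
}

echo reply_to_header('Jem', 'jem@example.org'), "\n";
```

The last sample is the caveat: a comments field legitimately contains line breaks, so the CR/LF check belongs on the values that are placed in mail headers (name, e-mail), not on the message body. The denylist from the post is still worth keeping for the comments field, where it is the HTML event handlers and javascript that matter rather than header names.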
Please note: these modifications have since been approved by Angela, the owner of Enthusiast, but they are to be used at your own risk. To my knowledge they will only improve security and will not have a detrimental effect on the running of the script. (Insert other legal babbling here.)
Edit: if you’re uncomfortable editing the files yourself, please see scripts.indisguise.org for the pre-modified show_join.php.
Parse Error Fix
There is unfortunately a typo in the modified version downloadable from the official site (the if's closing parenthesis is missing), and should you get any errors it's probably because of this. To fix it, find line 61 (or thereabouts) and change:

if( $_POST['email'] && ereg("^[_a-z0-9-]+(.[_a-z0-9-]+)*@[a-z0-9-]+(.[a-z0-9-]+)*(.[a-z]{2,6})$", $_POST['email'])

to:

if( $_POST['email'] && ereg("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,6})$", strtolower($_POST['email'])))

This will also fix the bug where email addresses are not accepted if they contain capital letters, and escapes the dots in the pattern so they match a literal dot rather than any character.
Related Reading
On the Security of PHP, Part 1 (see “Trusting User Input”)
Top 7 Security Blunders (see “Unvalidated Input Errors”)
Amelie said:
On 27 Apr at 10:06 am
I’ll ask the other staffers what they think about this. Maybe it could be CG approved :P
Amanda said:
On 27 Apr at 1:57 pm
I don’t use Enthusiast myself, but sounds pretty funky. Have you contemplated posting this (or a link to this) on the TFL boards? It might help out the people there, as I see more and more of the TFL community switching over to Enthusiast from FanBase.
Alexine said:
On 28 Apr at 12:32 am
That's a useful code mod :) I don't use enthusiast, but that'll definitely come in handy for other scripts too ^.^
Julie said:
On 28 Apr at 1:43 am
I was curious as to whether something similar can be done with PHPFanBase?
Jem said:
On 28 Apr at 7:28 am
Julie: if you, or someone else could send me the latest version, I could take a look at it. :)
Amelie said:
On 28 Apr at 8:09 am
I’ll see if I can find it for you, if Julie hasn’t already done it :P
Vera said:
On 28 Apr at 3:12 pm
You truly care about making the net more secure, I admire the resolve in that. I’m assuming that for your own fanlistings you use hand-made code though :) P.S. not to brag… but my new URL is up (provided above). *hides just in case*
Bubs said:
On 28 Apr at 10:51 pm
Wow, the function I use to validate my $_POST data is called cleanUp() … I guess great minds do think alike ;)
Kelly said:
On 29 Apr at 4:04 pm
Thanks a lot for the help! I WAS using PHPFanBase, but seeing as that’s not secure, switched to Enth.
Mervi said:
On 03 May at 8:48 am
Thank you, you’re a gem!
Julie said:
On 04 May at 3:20 am
You’re amazing! Thanks for figuring it out and making a fix!
Maria said:
On 05 May at 4:29 am
Thanks! :) it’s so nice that you took the time to figure a solution to this :D you rock.
Susanna said:
On 08 May at 10:48 pm
I used (also) PHPFanbase, but switched to Enth. I love it. :-) Thanks so much for making it stable. :)
Cara said:
On 15 May at 5:38 am
Thanks for the code but i’m having a problem. I got this “Parse error: syntax error, unexpected T_ELSE in xxxx/show_join.php on line 61”. I am aware of the similar problem that others encountered before for T_Variable, but not T_Else. Any clues?
Cara said:
On 15 May at 5:29 pm
Jem, thanks for your help. Somehow it works after I manually edited the file (last resort). Maybe I should not be so lazy at first. :P
Kay said:
On 13 Jun at 7:57 pm
This mistake (well, I’m pretty sure) actually did create a security risk at my site – I should have checked earlier, but thanks anyhow for fixing it!
Ren said:
On 22 Jun at 7:40 am
Thanks for the bugfix! By the way, I have the same problem, too. It's the "Parse error: syntax error, unexpected T_VARIABLE in /home/x/public_html/enth3/show_join.php on line 61". Could you help me how to fix this? ;_;
Jem said:
On 22 Jun at 7:45 am
Ren: I’ve e-mailed you the fix :)
Maya said:
On 25 Jun at 3:34 am
I feel pretty dumb, but I’m having the same problem with T_VARIABLE. Could you email the fix to me too?
Rachel said:
On 05 Jul at 1:47 am
Hi Jem, I have a small problem. I don't have this code: && substr_count( $_POST['email'], '@' ) > 0) in my join form... Any suggestions on what to do? :\
Johari said:
On 07 Jul at 7:12 am
Hi Jem, I’ve actually got the same problem as Ren on my Join page. It was odd because when I first installed Enth3 with the show_join.php fix, it worked like a charm. But then a few minutes later, the parse error message shows up. Would it be possible to email me the fix too? Thanks!
Johari said:
On 07 Jul at 7:47 am
Hi Jem, I realized what happened. I used the show_join.php file from the Enth3 package from Angela’s site originally. That was the version that had worked. But when I reuploaded my FL, I had used the separate updated show_join.php file instead, which is why that parse error came up.
Juuhachi Go said:
On 19 Jul at 2:10 pm
Hi Jem, thank you for the bugfix, but I got that T_VARIABLE error and I didn't understand how to fix it ;_;!
Kat said:
On 18 Nov at 6:47 pm
Thank you for the bugfix, but I am also getting the error