
Enthusiast3 – Potential Security Risk


An Enthusiast3 user recently asked on the thefanlistings.org message board how people were inserting non-standard data via the join form through what should be a restricted drop-down menu. That part is easy to explain: form spoofing. A drop-down only restricts what the browser offers; anyone can submit their own crafted POST request with whatever value they like, and it is possible to do this to many, many forms on the Internet. The real problem is the validation of the fields when a member joins a fanlisting powered by Enthusiast, or rather the lack of it.

Don’t get me wrong: looking at the script I can see some great features here. I like the way parts of it are set up, and I think the script beats some other fanlisting management scripts I’ve seen hands-down. However, if these validation issues are not addressed, I can see people losing large amounts of data the way they did in the big phpFanBase hacking. So I’ve come up with a few unofficial changes that at least go some way towards securing the join form until the next version of Enthusiast is released by Angela (which I’m led to believe is due soon?).

Open show_join.php, which is located by default in the enth3 folder, and do the following:

  • At the top of the file somewhere, either before or after require 'config.php';, add the following:
    // Strip HTML tags, trim whitespace and encode whatever is left so that
    // it can be echoed back into a page without rendering as markup.
    function clean_up($data) {
      $data = strip_tags($data);
      $data = trim(htmlentities($data));

      return $data;
    }

  • Find $name = ucfirst( $_POST['name'] ); and change it to: $name = ucfirst(clean_up($_POST['name']) );
  • Find && substr_count( $_POST['email'], '@' ) > 0) and change it to: && ereg("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,6})$", strtolower($_POST['email']))) (the dots must be escaped as \. so they match a literal dot rather than any character; without that an address with no dot at all in the domain gets through. The strtolower() is needed because the pattern only lists lower-case letters. Note that ereg() was removed in PHP 7, so on a current PHP install use preg_match() with the same pattern between / delimiters, or filter_var($email, FILTER_VALIDATE_EMAIL).)
  • Find $email = $_POST['email']; and replace it with: $email = clean_up($_POST['email']);
  • Find $country = $_POST["country"]; and change it to: $country = clean_up($_POST['country']);
  • Find $url = $_POST["url"]; and change it to: $url = clean_up($_POST['url']);
  • Find $comments = $_POST['comments']; and change it to: $comments = clean_up($_POST['comments']);
  • Find $show_email = $_POST['show_email']; and change it to: $show_email = clean_up($_POST['show_email']);
  • Find both occurrences of $values[$field] = $_POST[$field]; and replace with $values[$field] = clean_up($_POST[$field]);

If you’ve been told your enth join form is being used to send spam, you might find it helpful to insert:

$find = "/(content-type|bcc:|cc:|onload|onclick|javascript)/i";
if (preg_match($find, $name) || preg_match($find, $email) || preg_match($find, $url) || preg_match($find, $comments) || preg_match($find, $country) || preg_match($find, $show_email)) {
  echo "<p>No naughty injecting, please.</p>";
  exit;
}

below $table = $info['dbtable'];. This will also go some way towards decreasing the risk of JavaScript injection which, because enth3 passwords are stored as plain text in the cookie, would be a major problem if successful: a script that runs in a member’s browser can read and send off that cookie. Bear in mind that this list is a blocklist and only catches the patterns it names; the htmlentities() call in clean_up() is what actually stops injected markup from rendering, and the list is mainly useful for refusing mail-header injection (the bcc:, cc: and content-type lines) before anything is sent. Also, strip_tags() and htmlentities() only make a value safe to display; they do not make it safe to put into an SQL query, so anything written to the database still needs the database’s own escaping or a prepared statement.
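The modifications above and the spam check together, as one added example that is not part of the original post or of Enthusiast itself: a stand-alone PHP script (run it with php from the command line on PHP 7 or later) that applies the same cleaning, refuses header and script injection attempts, validates the email and URL with PHP’s built-in filters instead of ereg(), and, for the spoofed drop-down case the thread started with, checks the submitted country against the list the form actually offered instead of trusting it. The field names follow show_join.php; the country list, the length limit, the validate_join() and looks_like_injection() helpers and the three sample submissions are made up for the example.

```php
<?php
// Added example, not Enthusiast's own code. Field names follow show_join.php;
// the helpers, the allowed-country list and the sample submissions are
// assumptions made for illustration.
declare(strict_types=1);

/** Same job as the post's clean_up(): strip tags, trim, then HTML-encode
 *  everything including quotes so the value is safe to echo into a page. */
function clean_up(string $data): string
{
    $data = strip_tags($data);
    return htmlspecialchars(trim($data), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** The post's spam/script blocklist, plus the raw CR/LF that actually
 *  lets an attacker append mail headers to a message. */
function looks_like_injection(string $value): bool
{
    return preg_match('/(content-type|bcc:|cc:|onload|onclick|javascript)/i', $value) === 1
        || preg_match('/[\r\n]/', $value) === 1;
}

/**
 * Validate one join-form submission.
 * Returns ['ok' => bool, 'errors' => string[], 'values' => array].
 * $allowed_countries mirrors the restricted drop-down: a spoofed POST with a
 * value the form never offered is rejected here, server-side.
 */
function validate_join(array $post, array $allowed_countries): array
{
    $errors = [];
    $fields = ['name', 'email', 'url', 'country', 'comments', 'show_email'];

    // 1. Anything carrying mail headers or script hooks is refused outright.
    foreach ($fields as $f) {
        if (isset($post[$f]) && looks_like_injection((string) $post[$f])) {
            return ['ok' => false, 'errors' => ['No naughty injecting, please.'], 'values' => []];
        }
    }

    $name = ucfirst(clean_up((string) ($post['name'] ?? '')));
    if ($name === '' || strlen($name) > 100) {          // 100 is an assumed limit
        $errors[] = 'Name is required (max 100 characters).';
    }

    // 2. Email: filter_var() replaces the ereg() pattern; lower-case first so
    //    the capital-letter bug mentioned in the Parse Error Fix cannot recur.
    $email = strtolower(trim((string) ($post['email'] ?? '')));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email address is not valid.';
    }

    // 3. URL: optional, but if given it must be well-formed and http(s) only.
    $url = trim((string) ($post['url'] ?? ''));
    if ($url !== '' && (filter_var($url, FILTER_VALIDATE_URL) === false
                        || preg_match('#^https?://#i', $url) !== 1)) {
        $errors[] = 'URL must start with http:// or https://.';
    }
    $url = clean_up($url);

    // 4. Country: the spoofed drop-down case. Whitelist, do not sanitise.
    $country = (string) ($post['country'] ?? '');
    if (!in_array($country, $allowed_countries, true)) {
        $errors[] = 'Country must be chosen from the list.';
    }

    // 5. show_email is a yes/no flag, so normalise it to exactly one of the two.
    $show_email = (($post['show_email'] ?? '') === 'yes') ? 'yes' : 'no';

    $comments = clean_up((string) ($post['comments'] ?? ''));

    return [
        'ok'     => $errors === [],
        'errors' => $errors,
        'values' => compact('name', 'email', 'url', 'country', 'comments', 'show_email'),
    ];
}

// Constructed sample submissions (not real members): an honest join, a
// spoofed drop-down value, and a mail-header injection attempt.
$countries = ['United Kingdom', 'United States', 'Australia'];
$samples = [
    'honest'  => ['name' => 'jem', 'email' => 'Jem@Example.org', 'url' => 'https://example.org/',
                  'country' => 'United Kingdom', 'comments' => 'Love the site!', 'show_email' => 'no'],
    'spoofed' => ['name' => 'x', 'email' => 'a@example.com', 'url' => 'https://example.org/',
                  'country' => '<b>Narnia</b>', 'comments' => '', 'show_email' => 'yes'],
    'spammer' => ['name' => "Bob\r\nBcc: victim@example.net", 'email' => 'bob@example.com',
                  'url' => '', 'country' => 'Australia', 'comments' => '', 'show_email' => 'no'],
];
foreach ($samples as $label => $post) {
    $r = validate_join($post, $countries);
    printf("%-8s ok=%-3s %s\n", $label, $r['ok'] ? 'yes' : 'no', implode(' | ', $r['errors']));
}
```

The honest submission passes with the email lower-cased and the name capitalised, the spoofed one is refused because the country is not in the list the form offered (encoding the value would not help; it is simply not a valid choice), and the spammer is refused by the injection check before any field is looked at. Whatever passes still has to reach the database through a prepared statement or the driver’s escaping function; clean_up() only makes values safe to display.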

Please note: these modifications have been approved by Angela, the owner of Enthusiast, but they are to be used at your own risk. To my knowledge these modifications will only improve security and will not have a detrimental effect on the running of the script. (Insert other legal babbling here.)

Edit: if you’re uncomfortable editing the files yourself, please see scripts.indisguise.org for the pre-modified show_join.php.

Parse Error Fix

There is unfortunately a typo in the modified version downloadable from the official site, and should you get any errors it’s probably because of this: the if( is never closed, which is the "unexpected T_VARIABLE" / "unexpected T_ELSE" parse error people are reporting on line 61. To fix it, find line 61 (or thereabouts) and change: if( $_POST['email'] && ereg("^[_a-z0-9-]+(.[_a-z0-9-]+)*@[a-z0-9-]+(.[a-z0-9-]+)*(.[a-z]{2,6})$", $_POST['email'])
..to: if( $_POST['email'] && ereg("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,6})$", strtolower($_POST['email']))). This will also fix the bug where email addresses are not accepted if they contain capital letters, and the escaped dots make the pattern require a real dotted domain rather than matching any character.

Related Reading

On the Security of PHP, Part 1 (see “Trusting User Input”)
Top 7 Security Blunders (see “Unvalidated Input Errors”)

Jem Turner jem@jemjabella.co.uk +44(0)7521056376

24 comments so far

  1. Amanda said:

    I don’t use Enthusiast myself, but sounds pretty funky. Have you contemplated posting this (or a link to this) on the TFL boards? It might help out the people there, as I see more and more of the TFL community switching over to Enthusiast from FanBase.

  2. Vera said:

    You truly care about making the net more secure, I admire the resolve in that. I’m assuming that for your own fanlistings you use hand-made code though :) P.S. not to brag… but my new URL is up (provided above). *hides just in case*

  3. Cara said:

    Thanks for the code but I’m having a problem. I got this “Parse error: syntax error, unexpected T_ELSE in xxxx/show_join.php on line 61”. I am aware of the similar problem that others encountered before for T_VARIABLE, but not T_ELSE. Any clues?

  4. Cara said:

    Jem, thanks for your help. Somehow it works after I manually edited the file (last resort). Maybe I should not be so lazy at first. :P

  5. Kay said:

    This mistake (well, I’m pretty sure) actually did create a security risk at my site – I should have checked earlier, but thanks anyhow for fixing it!

  6. Ren said:

    Thanks for the bugfix! By the way, I have the same problem, too. It’s the “Parse error: syntax error, unexpected T_VARIABLE in /home/x/public_html/enth3/show_join.php on line 61”. Could you help me how to fix this? ;_;

  7. Rachel said:

    Hi Jem, I have a small problem. I don’t have this code: && substr_count( $_POST['email'], '@' ) > 0) in my join form… Any suggestions on what to do? :\

  8. Johari said:

    Hi Jem, I’ve actually got the same problem as Ren on my Join page. It was odd because when I first installed Enth3 with the show_join.php fix, it worked like a charm. But then a few minutes later, the parse error message shows up. Would it be possible to email me the fix too? Thanks!

  9. Johari said:

    Hi Jem, I realized what happened. I used the show_join.php file from the Enth3 package from Angela’s site originally. That was the version that had worked. But when I reuploaded my FL, I had used the separate updated show_join.php file instead, which is why that parse error came up.
