FIX - 7.9 patched (maybe 7.8?? also) "UNION" posti

woodb01 · New Member Joined: Jan 21, 2005 Posts: 14

Thanks to omega13a @ nukefixes.com for this reference:

Only registered users can see links on this board!
Get registered or login to the forums!

That gave me some of the coding I needed to get this to work!

I modified it a bit to fit my needs, and to bypass the "die" back to index.php

IF YOU USE THIS MODIFICATION, YOU DO SO AT YOUR OWN RISK!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

mainfile.php modification to fix union injection by inserting an underscore in front of the word "union."

Whenever a post finds the word "union" it will be converted to "_union"

Code:

// Old Code that was Replaced near line 145
// $postString = "";
// foreach ($_POST as $postkey => $postvalue) {
//    if ($postString > "") {
//    $postString .= "&".$postkey."=".$postvalue;
//    } else {
//    $postString .= $postkey."=".$postvalue;
//    }
// }
// str_replace("%09", "%20", $postString);
// $postString_64 = base64_decode($postString);
// if (stripos_clone($postString,'%20union%20') OR stripos_clone($postString,'*/union/*') OR stripos_clone($postString,' union ') OR stripos_clone($postString_64,'%20union%20') OR stripos_clone($postString_64,'*/union/*') OR stripos_clone($postString_64,' union ') OR stripos_clone($postString_64,'+union+')) {
// header("Location: index.php");
// die();
// }
// End of old code replacement

// Start Fix Union Injection Posting Bug

function convert_injection($string)
{
$string = str_replace("U", "_U", $string);
$string = str_replace("u", "_u", $string);
   return $string;
}

$postString = "";
foreach ($_POST as $postkey => $postvalue) {
if ($postString > "") {
   $postString .= "&".$postkey."=".$postvalue;
} else {
   $postString .= $postkey."=".$postvalue;
}
}
$postString = str_replace("%09", "%20", $postString);
$postString_64 = base64_decode($postString);
if (stripos_clone($postString,'%20union%20') OR stripos_clone($postString,'*/union/*') OR stripos_clone($postString,' union ') OR stripos_clone($postString_64,'%20union%20') OR stripos_clone($postString_64,'*/union/*') OR stripos_clone($postString_64,' union ') OR stripos_clone($postString_64,'+union+')) {
foreach($_POST as $postkey => $postvalue)
{
$newvalue = preg_replace('#(union)#ise', 'convert_injection("\\1")', $postvalue);
$_POST[$postkey] = $newvalue;
$HTTP_POST_VARS[$postkey] = $newvalue;
$$postkey = $newvalue;
}
}

// End Fix Union Injection Posting Bug

Hope this helps someone. There are other more elegant options I'm looking at, this one is a little crude but will work for now...

PLEASE NOTE that this solution will allow the word -union- to be inserted into the database. Also, if you do a preview first, and then a post of the message, it will add 2 underscores. Your input will look like this "__union"

When I get some more time I'll play with the offset so that it will only ever return one underscore. But for now, this allows me to post articles, content, and Forum posts with the word -union- and still prevents the injections.

montego · Posted: Sat Apr 15, 2006 4:03 pm

Hhhmmmm... not sure the implications of this. Will have to see...

woodb01 · New Member Joined: Jan 21, 2005 Posts: 14

montego wrote:

Hhhmmmm... not sure the implications of this. Will have to see...

If the underscore can be bypassed, then what other special characters chould be used?

Also, I may get around to formatting the "_" insertion with CSS to match the background. That way the inserted text or character doesn't even "appear" when reading an article or content or forum post.

~~~~~~~~~~~~~~~~~~~

I'd certainly be interested in your feedback. I need a solution that allows me to post the word, but also secures the site from this vulnerability.

technocrat · Involved Joined: Jul 07, 2005 Posts: 492

How about you just change it going in or out of DB. Thats really the easiest way. Look for the word UNION and change the o to 0 going in and 0 to o going out.

woodb01 · New Member Joined: Jan 21, 2005 Posts: 14

Excellent Suggestion to replace the "O's" with zeroes...

Here's the modified code. And at some point in the future, again when I get more time, I may work on that write / read option. For now though replacing the O with a zero is a little better solution...

Below is a copy of the code with the zero substitution... I have tested it with my version 7.9.32 and it works fine. However, as always, use this change at your own risk and be SURE to test it before ever posting it to a production site.

Code:

// Old Code that was Replaced near line 145
// $postString = "";
// foreach ($_POST as $postkey => $postvalue) {
// if ($postString > "") {
// $postString .= "&".$postkey."=".$postvalue;
// } else {
// $postString .= $postkey."=".$postvalue;
// }
// }
// str_replace("%09", "%20", $postString);
// $postString_64 = base64_decode($postString);
// if (stripos_clone($postString,'%20union%20') OR stripos_clone($postString,'*/union/*') OR stripos_clone($postString,' union ') OR stripos_clone($postString_64,'%20union%20') OR stripos_clone($postString_64,'*/union/*') OR stripos_clone($postString_64,' union ') OR stripos_clone($postString_64,'+union+')) {
// header("Location: index.php");
// die();
// }
// End of old code replacement

// Start Fix Union Injection Posting Bug

function convert_injection($string)
{
$string = str_replace("O", "0", $string);
$string = str_replace("o", "0", $string);
return $string;
}

$postString = "";
foreach ($_POST as $postkey => $postvalue) {
if ($postString > "") {
$postString .= "&".$postkey."=".$postvalue;
} else {
$postString .= $postkey."=".$postvalue;
}
}
$postString = str_replace("%09", "%20", $postString);
$postString_64 = base64_decode($postString);
if (stripos_clone($postString,'%20union%20') OR stripos_clone($postString,'*/union/*') OR stripos_clone($postString,' union ') OR stripos_clone($postString_64,'%20union%20') OR stripos_clone($postString_64,'*/union/*') OR stripos_clone($postString_64,' union ') OR stripos_clone($postString_64,'+union+')) {
foreach($_POST as $postkey => $postvalue)
{
$newvalue = preg_replace('#(union)#ise', 'convert_injection("\\1")', $postvalue);
$_POST[$postkey] = $newvalue;
$HTTP_POST_VARS[$postkey] = $newvalue;
$$postkey = $newvalue;
}
}

// End Fix Union Injection Posting Bug

danmih · New Member Joined: Aug 02, 2006 Posts: 2

Hi guys,
I haven't made the changes in the code, but I have added the word union in Word Censoring list and it is working fine.
Is there something wrong with my solution?
Thanks,
Daniel

Gremmie · Posted: Sat Nov 24, 2007 1:05 pm

This is a pretty old thread. What version/flavor of nuke are you running? For the best protection against this kind of thing, you need Nuke Sentinel.

The word censor list is only applied to things like news articles, comments, etc.

fkelly · Posted: Sat Nov 24, 2007 2:49 pm

Like Gremmie said, this is old. In my area our local newspaper is named the Time Union. I was always running into users getting blocked for referencing it. That is stupid. Eventually that poststring was taken out of mainfile and concentrated in Sentinel, where it belongs. Union is a perfectly legitimate word except in a hacker's SQL string and our systems should allow it.