MakeWebGames

Simple Line of code to stop Session Hijacking and Auto-Admin


Joshua


Yeah, what crimgame said.

Since your image only needs to pass validation the first time you use it, you can host a valid image on your own server and use it.

Once it's passed validation, you can replace the file and change the mimetype so it still executes as a php file.

This is why linking to remote images is not easy to secure. It's better if you let users upload images instead. That way you can control the content of the images, and display the images in a more secure environment.

It is also possible to add php code within an image file which will execute in the browser. This is usually used when images are uploaded to a server.

Also, the getimagesize function is useful in most cases, but it is possible to have a valid image and also have executable code embedded, which is why checking file extensions isn't useless.


2 weeks later...

Quote: djkanna

Okay, I didn't understand this that well, but I think I've got it... I think.

 

function do_pic_change()
{
    global $db, $h, $userid;

    // Reject an empty submission before doing anything with it.
    if ($_POST['newpic'] == "")
    {
        echo "Sorry, it seems like you haven't inputted anything. Please go back and try again.

[url='preferences.php?action=picchange']Back[/url]";
        return;
    }

    // getimagesize() fetches the remote URL and parses the image header.
    // This runs once, at submission time; the '@' suppresses the warning
    // it emits when the URL does not point at a parseable image.
    $image = @getimagesize($_POST['newpic']);

    if (!$image)
    {
        echo "Um yeah, you didn't actually think that would work, did you?";
        return;
    }

    // The URL is stored as-is; the image itself is never copied locally.
    $db->query(sprintf("UPDATE users SET display_pic='%s' WHERE (userid=%u)", $db->escape($_POST['newpic']), $userid));
    echo "Display picture has been changed";
    $h->endpage();
    exit;
}

 

It doesn't seem to allow anything but an image file, so I think that's a good start to defeating the Admin Hi-Jack.

Thanks

DJK

This is for the forums_avatar:

function do_forum_change()
{
    global $db, $h, $userid;

    // Reject an empty submission before doing anything with it.
    if ($_POST['forums_avatar'] == "")
    {
        echo "Sorry, it seems like you haven't inputted anything. Please go back and try again.

[url='preferences.php?action=forumchange2']Back[/url]";
        return;
    }

    // Same one-time header check against the remote URL as do_pic_change().
    $image = @getimagesize($_POST['forums_avatar']);

    if (!$image)
    {
        echo "Um yeah, you didn't actually think that would work, did you?";
        return;
    }

    $db->query(sprintf("UPDATE users SET forums_avatar='%s' WHERE (userid=%u)", $db->escape($_POST['forums_avatar']), $userid));
    echo "Forum avatar has been changed";
    $h->endpage();
    exit;
}
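The posts above make two points: a remote URL only has to look like an image at the moment getimagesize() runs and can be swapped afterwards, and a check that only looks at the header or extension will pass a file that is a valid image and also carries embedded code. The handler below is an added example, not code from this thread or from the game engine it targets; it follows the first post's suggestion of accepting an upload instead of a link. It assumes a multipart form field named "avatar", a storage directory (AVATAR_DIR) where the web server does not execute scripts, the GD and fileinfo extensions, and the $db, $h and $userid globals used in the posted code.

```php
<?php
// Added example (not from the thread). Assumptions: form field "avatar",
// AVATAR_DIR configured so PHP/CGI execution is disabled there, GD + fileinfo.
const AVATAR_DIR       = __DIR__ . '/avatars';
const AVATAR_MAX_BYTES = 512 * 1024;
const AVATAR_MAX_SIDE  = 512;

/**
 * Validate an uploaded image and return a re-encoded PNG, or null on failure.
 * Every check runs on the bytes PHP received, so there is no remote file
 * to replace after validation.
 */
function clean_avatar(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if ($file['size'] > AVATAR_MAX_BYTES || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // 1. Header and dimension check (the getimagesize() step from the posted code).
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        return null;
    }
    [$width, $height, $type] = $info;
    if ($width > AVATAR_MAX_SIDE || $height > AVATAR_MAX_SIDE) {
        return null;
    }
    // Allow only types GD can decode; the client-supplied name and extension are ignored.
    if (!in_array($type, [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG], true)) {
        return null;
    }

    // 2. Content sniff that must agree with the header type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== image_type_to_mime_type($type)) {
        return null;
    }

    // 3. Re-encode through GD: only pixel data is carried over, so comment,
    //    EXIF and trailing segments (where embedded code would sit) are dropped.
    $src = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($src === false) {
        return null;
    }
    $dst = imagecreatetruecolor($width, $height);
    imagealphablending($dst, false);
    imagesavealpha($dst, true);
    imagecopy($dst, $src, 0, 0, 0, 0, $width, $height);
    imagedestroy($src);

    ob_start();
    imagepng($dst);
    imagedestroy($dst);
    return ob_get_clean();
}

function do_pic_change()
{
    global $db, $h, $userid;

    $png = isset($_FILES['avatar']) ? clean_avatar($_FILES['avatar']) : null;
    if ($png === null) {
        // One generic message for every failure: the response does not
        // reveal which check rejected the file.
        echo "That file could not be used as a picture.";
        return;
    }

    // 4. Server-chosen file name and extension; the client never picks the path.
    $name = bin2hex(random_bytes(16)) . '.png';
    if (file_put_contents(AVATAR_DIR . '/' . $name, $png) === false) {
        echo "Could not save the picture, please try again later.";
        return;
    }

    $db->query(sprintf("UPDATE users SET display_pic='%s' WHERE (userid=%u)",
        $db->escape($name), $userid));
    echo "Display picture has been changed";
    $h->endpage();
    exit;
}
```

Step 3 is the part that addresses the "valid image with code inside" case: getimagesize() and the MIME sniff accept such a file, but a GD round-trip writes a fresh PNG from pixel data alone. Step 4 plus the no-execution directory is what makes an .htaccess or extension trick irrelevant, since neither the name nor the extension ever comes from the request.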

I did just scan through this code, but am I right in assuming this just checks for .jpg or .gif?

I wondered why people thought that was secure; a lot of websites paid for that mistake, I'm sure (not by my hand).

Simple to bypass. Think like someone trying to abuse a bug: if I added whatever.php and got this message, "Stop trying to abuse a Bug, Enter a picture format", now I know the issue. Rather than simply saying "invalid command" or something, you explained the exact issue, so now I know to add my little code to bypass that, and presto.

Why not look for a Photobucket upload script, or some external hosting, but with guidelines?

getimagesize is an unusual one I've not had the pleasure of looking up, but I'm sure there is an issue other than the external one, e.g. editing .htaccess to change .gif to .php, which bypasses the additional Preferences check... but getimagesize isn't there to check if it's an image, so there will be a drawback somewhere, I'm sure. Alain will surely add to this.

Maybe it will allow .SWF or even .exe?
