I have found a possible reason why the backend security fails:
serialized IMConfig variable:
a:2:{s:10:"images_dir";s:54:"/home/e-smith/files/ibays/Primary/html/uploads/images/";s:10:"images_url";s:36:"https://coeleveld.nl/uploads/images/";}
$_REQUEST['backend_config']:
a:2:{s:10:\"images_dir\";s:54:\"/home/e-smith/files/ibays/Primary/html/uploads/images/\";s:10:\"images_url\";s:36:\"https://coeleveld.nl/uploads/images/\";}
Last edited by c0 (2005-09-22 07:30:24)
This solves my problem:
xinha/plugins/ImageManager/config.inc.php
(pay attention to the added stripslashes command)
=====
...
...
// If config specified from front end, merge it
if(isset($_REQUEST['backend_config']))
{
    // Config specified from front end, check that it's valid
    session_start();
    $secret = $_SESSION[$_REQUEST['backend_config_secret_key_location']];
    // stripslashes() undoes the escaping magic_quotes_gpc adds to request values
    if($_REQUEST['backend_config_hash'] !== sha1(stripslashes($_REQUEST['backend_config'] . $secret)))
    {
        die("Backend security error.");
    }
    $to_merge = unserialize(stripslashes($_REQUEST['backend_config']));
    if(!is_array($to_merge))
    {
        die("Backend config syntax error.");
    }
    $IMConfig = array_merge($IMConfig, $to_merge);
    $IMConfig['backend_url'] .= "backend_config=" . rawurlencode(stripslashes($_REQUEST['backend_config'])) . '&';
    $IMConfig['backend_url'] .= "backend_config_hash=" . rawurlencode(stripslashes($_REQUEST['backend_config_hash'])) . '&';
    $IMConfig['backend_url'] .= "backend_config_secret_key_location=" . rawurlencode(stripslashes($_REQUEST['backend_config_secret_key_location'])) . '&';
}
...
...
=====
Last edited by c0 (2005-09-22 07:51:52)
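An added example (not c0's patch or Xinha code) that reproduces the failure from the first post and the effect of the fix above: it builds the serialized config shown in the thread, escapes it the way magic_quotes_gpc does on its way into $_REQUEST, and runs the hash check and unserialize() with and without stripslashes(). The session secret is a constructed stand-in for $_SESSION[...].

```php
<?php
// Added example, not from the thread: why the ImageManager backend check
// fails under magic_quotes_gpc and why stripslashes() repairs it.

// The IMConfig array exactly as serialized in the first post.
$config = serialize([
    'images_dir' => '/home/e-smith/files/ibays/Primary/html/uploads/images/',
    'images_url' => 'https://coeleveld.nl/uploads/images/',
]);
$secret = 'constructed-session-secret';   // stand-in for $_SESSION[$key]
$hash   = sha1($config . $secret);        // what the front end sends as backend_config_hash

// magic_quotes_gpc backslash-escapes ' " \ and NUL in every GET/POST/COOKIE
// value before the script sees it; addslashes() applies the same escaping.
// The serialized string contains double quotes, so it is altered.
$received = addslashes($config);

// Mirrors the check in config.inc.php; $strip toggles the fix.
// Note: stripslashes() is applied to the request value only, so a
// backslash inside the session secret is left untouched.
function backend_check(string $received, string $hash, string $secret, bool $strip): string
{
    $raw = $strip ? stripslashes($received) : $received;
    if ($hash !== sha1($raw . $secret)) {
        return 'Backend security error.';
    }
    $to_merge = unserialize($raw);   // escaped quotes make this return false
    if (!is_array($to_merge)) {
        return 'Backend config syntax error.';
    }
    return 'ok: ' . implode(',', array_keys($to_merge));
}

echo "without stripslashes: ", backend_check($received, $hash, $secret, false), "\n";
echo "with stripslashes:    ", backend_check($received, $hash, $secret, true), "\n";
```

Running it shows the escaped value failing the hash comparison first, which is why the error message seen is the security one rather than the syntax one.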
Found this here: http://nl3.php.net/unserialize
=============================
I got the same case as yabba at the dot hut with his post
>> caveat: stripslashes!!!
In my server configuration the magic_quotes_gpc is on therefore it will automatically escape ' (single-quote), " (double quote), \ (backslash) and NULs with a backslash.
And the stripslashes is the workaround for my case as well.
Erwin
Cheers c0!
I had exactly the same problem and your solution works smoothly.