[XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)

*

Lupin
A possible exploit (SQL injection) was discovered in the code. Please update your trackers ASAP: hackers could retrieve password hashes and then access your site as you!

Affected versions:
- ALL versions < revision 584

Vulnerable files:
- users.php
- torrents.php

Manual patch:

open users.php
find and replace
Code:
// getting order
          if (isset($_GET["order"]))
               $order=htmlspecialchars($_GET["order"]);
          else
              $order="joined";


          if (isset($_GET["by"]))
              $by=htmlspecialchars($_GET["by"]);
          else
              $by="ASC";
with
Code:
          $order_param=3;
          // getting order
          if (isset($_GET["order"]))
             {
             $order_param=(int)$_GET["order"];
             switch ($order_param)
               {
               case 1:
                    $order="username";
                    break;

               case 2:
                    $order="level";
                    break;

               case 3:
                    $order="joined";
                    break;

               case 4:
                    $order="lastconnect";
                    break;

               case 5:
                    $order="flag";
                    break;
                         
               case 6:
                    $order="ratio";
                    break;

               default:
                   $order="joined";

             }
          }
          else
              $order="joined";


          $by_param=1;   // default matches $by="ASC", so pager links built from $by_param keep the order
          if (isset($_GET["by"]))
           {
              $by_param=(int)$_GET["by"];
              $by=($by_param==1?"ASC":"DESC");
          }
          else
              $by="ASC";
find and replace
Code:
         list($pagertop, $pagerbottom, $limit) = pager(20, $count,  $scriptname."&amp;" . $addparams.(strlen($addparam)>0?"&amp;":"")."order=$order&amp;by=$by&amp;");
with
Code:
         list($pagertop, $pagerbottom, $limit) = pager(20, $count,  $scriptname."&amp;" . $addparams.(strlen($addparam)>0?"&amp;":"")."order=$order_param&amp;by=$by_param&amp;");
find and replace
Code:
$userstpl->set("users_sort_username", "<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=username&amp;by=".($order=="username" && $by=="ASC"?"DESC":"ASC")."\">".$language["USER_NAME"]."</a>".($order=="username"?$mark:""));
$userstpl->set("users_sort_userlevel", "<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=level&amp;by=".($order=="level" && $by=="ASC"?"DESC":"ASC")."\">".$language["USER_LEVEL"]."</a>".($order=="level"?$mark:""));
$userstpl->set("users_sort_joined", "<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=joined&amp;by=".($order=="joined" && $by=="ASC"?"DESC":"ASC")."\">".$language["USER_JOINED"]."</a>".($order=="joined"?$mark:""));
$userstpl->set("users_sort_lastaccess", "<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=lastconnect&amp;by=".($order=="lastconnect" && $by=="ASC"?"DESC":"ASC")."\">".$language["USER_LASTACCESS"]."</a>".($order=="lastconnect"?$mark:""));
$userstpl->set("users_sort_country", "<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=flag&amp;by=".($order=="flag" && $by=="ASC"?"DESC":"ASC")."\">".$language["USER_COUNTRY"]."</a>".($order=="flag"?$mark:""));
$userstpl->set("users_sort_ratio", "<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=ratio&amp;by=".($order=="ratio" && $by=="ASC"?"DESC":"ASC")."\">".$language["RATIO"]."</a>".($order=="ratio"?$mark:""));
with
Code:
$userstpl->set("users_sort_username", "<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=1&amp;by=".($order=="username" && $by=="ASC"?"2":"1")."\">".$language["USER_NAME"]."</a>".($order=="username"?$mark:""));
$userstpl->set("users_sort_userlevel", "<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=2&amp;by=".($order=="level" && $by=="ASC"?"2":"1")."\">".$language["USER_LEVEL"]."</a>".($order=="level"?$mark:""));
$userstpl->set("users_sort_joined", "<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=3&amp;by=".($order=="joined" && $by=="ASC"?"2":"1")."\">".$language["USER_JOINED"]."</a>".($order=="joined"?$mark:""));
$userstpl->set("users_sort_lastaccess", "<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=4&amp;by=".($order=="lastconnect" && $by=="ASC"?"2":"1")."\">".$language["USER_LASTACCESS"]."</a>".($order=="lastconnect"?$mark:""));
$userstpl->set("users_sort_country", "<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=5&amp;by=".($order=="flag" && $by=="ASC"?"2":"1")."\">".$language["USER_COUNTRY"]."</a>".($order=="flag"?$mark:""));
$userstpl->set("users_sort_ratio", "<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=6&amp;by=".($order=="ratio" && $by=="ASC"?"2":"1")."\">".$language["RATIO"]."</a>".($order=="ratio"?$mark:""));
save and close.


open torrents.php
find and replace
Code:
    // getting order
    if (isset($_GET["order"]))
         $order=htmlspecialchars(mysql_real_escape_string($_GET["order"]));
    else
        $order="data";

    $qry_order=str_replace(array("leechers","seeds","finished"),array($tleechs,$tseeds, $tcompletes),$order);

    if (isset($_GET["by"]))
        $by=htmlspecialchars(mysql_real_escape_string($_GET["by"]));
    else
        $by="DESC";


    list($pagertop, $pagerbottom, $limit) = pager($torrentperpage, $count,  $scriptname."&amp;" . $addparam.(strlen($addparam)>0?"&amp;":"")."order=$order&amp;by=$by&amp;");
with
Code:
    // getting order
    $order_param=3;
    if (isset($_GET["order"]))
       {
         $order_param=(int)$_GET["order"];
         switch ($order_param)
           {
           case 1:
                $order="cname";
                break;
           case 2:
                $order="filename";
                break;
           case 3:
                $order="data";
                break;
           case 4:
                $order="size";
                break;
           case 5:
                $order="seeds";
                break;
           case 6:
                $order="leechers";
                break;
           case 7:
                $order="finished";
                break;
           case 8:
                $order="dwned";
                break;
           case 9:
                $order="speed";
                break;
           default:
               $order="data";
               
         }

    }
    else
        $order="data";

    $qry_order=str_replace(array("leechers","seeds","finished"),array($tleechs,$tseeds, $tcompletes),$order);

    $by_param=2;
    if (isset($_GET["by"]))
      {
        $by_param=(int)$_GET["by"];
        $by=($by_param==1?"ASC":"DESC");
    }
    else
        $by="DESC";


    list($pagertop, $pagerbottom, $limit) = pager($torrentperpage, $count,  $scriptname."&amp;" . $addparam.(strlen($addparam)>0?"&amp;":"")."order=$order_param&amp;by=$by_param&amp;");
find and replace
Code:
$torrenttpl->set("torrent_pagertop",$pagertop);
$torrenttpl->set("torrent_header_category","<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=cname&amp;by=".($order=="cname" && $by=="ASC"?"DESC":"ASC")."\">".$language["CATEGORY"]."</a>".($order=="cname"?$mark:""));
$torrenttpl->set("torrent_header_filename","<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=filename&amp;by=".($order=="filename" && $by=="ASC"?"DESC":"ASC")."\">".$language["FILE"]."</a>".($order=="filename"?$mark:""));
$torrenttpl->set("torrent_header_comments",$language["COMMENT"]);
$torrenttpl->set("torrent_header_rating",$language["RATING"]);
$torrenttpl->set("WT",intval($CURUSER["WT"])>0,TRUE);
$torrenttpl->set("torrent_header_waiting",$language["WT"]);
$torrenttpl->set("torrent_header_download",$language["DOWN"]);
$torrenttpl->set("torrent_header_added","<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=data&amp;by=".($order=="data" && $by=="ASC"?"DESC":"ASC")."\">".$language["ADDED"]."</a>".($order=="data"?$mark:""));
$torrenttpl->set("torrent_header_size","<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=size&amp;by=".($order=="size" && $by=="DESC"?"ASC":"DESC")."\">".$language["SIZE"]."</a>".($order=="size"?$mark:""));
$torrenttpl->set("uploader",$SHOW_UPLOADER,TRUE);
$torrenttpl->set("torrent_header_uploader",$language["UPLOADER"]);
$torrenttpl->set("torrent_header_seeds","<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=seeds&amp;by=".($order=="seeds" && $by=="DESC"?"ASC":"DESC")."\">".$language["SHORT_S"]."</a>".($order=="seeds"?$mark:""));
$torrenttpl->set("torrent_header_leechers","<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=leechers&amp;by=".($order=="leechers" && $by=="DESC"?"ASC":"DESC")."\">".$language["SHORT_L"]."</a>".($order=="leechers"?$mark:""));
$torrenttpl->set("torrent_header_complete","<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=finished&amp;by=".($order=="finished" && $by=="ASC"?"DESC":"ASC")."\">".$language["SHORT_C"]."</a>".($order=="finished"?$mark:""));
$torrenttpl->set("torrent_header_downloaded","<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=dwned&amp;by=".($order=="dwned" && $by=="ASC"?"DESC":"ASC")."\">".$language["DOWNLOADED"]."</a>".($order=="dwned"?$mark:""));
$torrenttpl->set("torrent_header_speed","<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=speed&amp;by=".($order=="speed" && $by=="ASC"?"DESC":"ASC")."\">".$language["SPEED"]."</a>".($order=="speed"?$mark:""));
$torrenttpl->set("torrent_header_average",$language["AVERAGE"]);
with
Code:
$torrenttpl->set("torrent_pagertop",$pagertop);
$torrenttpl->set("torrent_header_category","<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=1&amp;by=".($order=="cname" && $by=="ASC"?"2":"1")."\">".$language["CATEGORY"]."</a>".($order=="cname"?$mark:""));
$torrenttpl->set("torrent_header_filename","<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=2&amp;by=".($order=="filename" && $by=="ASC"?"2":"1")."\">".$language["FILE"]."</a>".($order=="filename"?$mark:""));
$torrenttpl->set("torrent_header_comments",$language["COMMENT"]);
$torrenttpl->set("torrent_header_rating",$language["RATING"]);
$torrenttpl->set("WT",intval($CURUSER["WT"])>0,TRUE);
$torrenttpl->set("torrent_header_waiting",$language["WT"]);
$torrenttpl->set("torrent_header_download",$language["DOWN"]);
$torrenttpl->set("torrent_header_added","<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=3&amp;by=".($order=="data" && $by=="ASC"?"2":"1")."\">".$language["ADDED"]."</a>".($order=="data"?$mark:""));
$torrenttpl->set("torrent_header_size","<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=4&amp;by=".($order=="size" && $by=="DESC"?"1":"2")."\">".$language["SIZE"]."</a>".($order=="size"?$mark:""));
$torrenttpl->set("uploader",$SHOW_UPLOADER,TRUE);
$torrenttpl->set("torrent_header_uploader",$language["UPLOADER"]);
$torrenttpl->set("torrent_header_seeds","<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=5&amp;by=".($order=="seeds" && $by=="DESC"?"1":"2")."\">".$language["SHORT_S"]."</a>".($order=="seeds"?$mark:""));
$torrenttpl->set("torrent_header_leechers","<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=6&amp;by=".($order=="leechers" && $by=="DESC"?"1":"2")."\">".$language["SHORT_L"]."</a>".($order=="leechers"?$mark:""));
$torrenttpl->set("torrent_header_complete","<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=7&amp;by=".($order=="finished" && $by=="ASC"?"2":"1")."\">".$language["SHORT_C"]."</a>".($order=="finished"?$mark:""));
$torrenttpl->set("torrent_header_downloaded","<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=8&amp;by=".($order=="dwned" && $by=="ASC"?"2":"1")."\">".$language["DOWNLOADED"]."</a>".($order=="dwned"?$mark:""));
$torrenttpl->set("torrent_header_speed","<a href=\"$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=9&amp;by=".($order=="speed" && $by=="ASC"?"2":"1")."\">".$language["SPEED"]."</a>".($order=="speed"?$mark:""));
$torrenttpl->set("torrent_header_average",$language["AVERAGE"]);
save and close.

Your tracker should be patched.

Alternatively, you can download the attached files and replace yours with the new ones (maybe back up before).

Please don't PM me about question already asked in forum!

Help or support requested using PM will be billed 50 euros/hour, minimum 1 hour; support on forum is free.
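As an added example (not code from the thread or from xbtit), a small shell check that reports whether a users.php or torrents.php still carries the pre-584 sort handling shown above or the patched version. The grep patterns come from the find/with blocks in this post; the fixture files are constructed, condensed fragments of that code.

```shell
# Added example, not part of the thread: tell whether an xbtit users.php or
# torrents.php carries the pre-584 sort handling or the patched version.
# The grep patterns come from the find/with blocks in the first post.

xbtit_order_status() {
    file="$1"
    [ -r "$file" ] || { echo "unreadable"; return 2; }
    # Pre-584: $order / $by come straight from $_GET as strings. htmlspecialchars()
    # and mysql_real_escape_string() only deal with markup and quotes, and a column
    # name spliced into ORDER BY is never quoted, so neither protects that query.
    if grep -Eq '\$(order|by)=htmlspecialchars\(' "$file"; then
        echo "vulnerable"; return 1
    fi
    # Patched: both parameters are cast to int and mapped through fixed lists,
    # so only the column names written in the switch can reach the query.
    if grep -Fq '$order_param=(int)$_GET["order"];' "$file" \
       && grep -Eq 'switch[[:space:]]*\(\$order_param\)' "$file" \
       && grep -Fq '$by_param=(int)$_GET["by"];' "$file"; then
        echo "patched"; return 0
    fi
    echo "unknown"; return 3
}

# Constructed fixtures (condensed fragments of the before/after code above) so
# the check can be exercised without a tracker install.
make_fixtures() {
    cat > "$1/users_old.php" <<'EOF'
if (isset($_GET["order"]))
    $order=htmlspecialchars($_GET["order"]);
else
    $order="joined";
EOF
    cat > "$1/users_new.php" <<'EOF'
if (isset($_GET["order"])) {
    $order_param=(int)$_GET["order"];
    switch ($order_param) {
        case 1: $order="username"; break;
        default: $order="joined";
    }
}
if (isset($_GET["by"])) {
    $by_param=(int)$_GET["by"];
    $by=($by_param==1?"ASC":"DESC");
}
EOF
}

tmp=$(mktemp -d)
make_fixtures "$tmp"
for f in "$tmp"/users_old.php "$tmp"/users_new.php; do
    printf '%s: %s\n' "$(basename "$f")" "$(xbtit_order_status "$f")"
done
```

Run it against the real files with `xbtit_order_status /path/to/users.php`; "unknown" means neither pattern was found (for example a heavily modded file) and the code should be inspected by hand.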

*

djblackout

Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
« Reply #1 on: April 09, 2010, 10:23:01 am »
I just uploaded the files to my server. How to check if it's stable now?

*

terra3

Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
« Reply #2 on: April 09, 2010, 04:21:10 pm »
I patched users.php, but when I patched torrents.php I get this error when trying to reinstall the gold & silver torrents hack:

D:\xampp\htdocs\terraj3/torrents.php   Sorry search string: "if (isset($_GET["by"]))
$by=htmlspecialchars(mysql_escape_string($_GET["by"]));
else
$by="DESC";..." (first 20 chars) was not found)   Ask Hack's Developer

please advise..and thanks for the fix...

*

en3r0
Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
« Reply #3 on: April 09, 2010, 08:24:06 pm »
This will break the Sticky torrents mod if you do not do it manually, or reapplying the mod is, I think, the official way to do things.


Thanks for the fix!

*

yanchev

Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
« Reply #4 on: April 09, 2010, 11:58:34 pm »
Thanks for the fix.

*

terra3

Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
« Reply #5 on: April 10, 2010, 12:34:36 am »
I patched users.php (but removed the hacks that would be affected, only 1), but when I patched torrents.php I get this error when trying to reinstall the gold & silver torrents hack:

D:\xampp\htdocs\terraj3/torrents.php   Sorry search string: "if (isset($_GET["by"]))
$by=htmlspecialchars(mysql_escape_string($_GET["by"]));
else
$by="DESC";..." (first 20 chars) was not found)   Ask Hack's Developer

please advise..and thanks for the fix...

*

friendly
Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
« Reply #6 on: April 10, 2010, 12:55:51 am »
That can be fixed m8, the xml searches for


Code:
if (isset($_GET["by"]))
$by=htmlspecialchars(mysql_escape_string($_GET["by"]));
else
$by="DESC";

but now the code is

Code:
if (isset($_GET["by"]))
      {
        $by_param=(int)$_GET["by"];
        $by=($by_param==1?"ASC":"DESC");
    }
    else
        $by="DESC";

Just edit the xml to match the new code  ;)

*

terra3

Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
« Reply #7 on: April 10, 2010, 01:16:03 am »
Phone rang here, just got off it. That worked, thanks m8 :) much obliged...

*

friendly
Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
« Reply #8 on: April 10, 2010, 01:24:07 am »
no probs m8 happy to help  :)

*

terra3

Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
« Reply #9 on: April 10, 2010, 02:10:46 am »
This has been bugging me, friendly. My site still isn't up to par without the thanks hack; this error:

D:\xampp\htdocs\terraj3/style/xbtit_default/torrent.details.tpl   Sorry search string: "<tr>
<td align="right" class="header"><tag:language.INFO_HASH /></td>
<td class="lista" align="center"..." (first 20 chars) was not found)

The thanks.php is in root and I commented out the path from the xml, manually installed it, also uninstalled before the sec patch.

please advise and thanks very much for your assistance.. :)


*

Lupin
Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
« Reply #10 on: April 10, 2010, 11:00:59 am »
The best way is applying the patch manually to the already modified torrents.php (with hacks installed).

*

pedro444

Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
« Reply #11 on: April 12, 2010, 11:23:31 am »
Lupin. Does the SECURITY FIX work for the fully MODDED CyBerFuN xBTiT tracker?
It's because I got infected.. thanks   :-[

*

robbee

Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
« Reply #12 on: April 14, 2010, 12:07:16 am »
How do I combine the torrents.php fix with the gold torrents mod? The part I have to replace looks like this:

Code:
    // getting order
    if (isset($_GET["order"]))
         $order=htmlspecialchars(mysql_escape_string($_GET["order"]));
    else
        $order="data";

    $qry_order=str_replace(array("leechers","seeds","finished"),array($tleechs,$tseeds, $tcompletes),$order);


/*Mod by losmi - gold mod*/
/*Mod by losmi - sticky mod
Operation #4*/
if (isset($_GET["by"]))
        $by=htmlspecialchars(mysql_escape_string($_GET["by"]));
    else
        $by="DESC";


    list($pagertop, $pagerbottom, $limit) = pager($torrentperpage, $count,  $scriptname."&amp;" . $addparam.(strlen($addparam)>0?"&amp;":"")."order=$order&amp;by=$by&amp;");

*

Lupin
Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
« Reply #13 on: April 14, 2010, 09:34:04 am »
You can do it as explained in the 1st post; just ignore
Code:
/*Mod by losmi - gold mod*/
/*Mod by losmi - sticky mod
Operation #4*/

from your code.

*

alein

Re: [XBTIT VULNERABILITY] URGENT - PROTECTION FIX (ALL REVISIONS < 584)
« Reply #14 on: April 14, 2010, 06:51:20 pm »
I use btit 1.4.8; any security problem on this version?

 

