[IMPORTANT] URGENT - PROTECTION FIX

[Lupin]

a vulnerability (sql injection which can give the admins nick + passhash) has been discover in all btit 1.4.x/xbtit <= rev 544 version (http://www.milw0rm.com/exploits/6296), please apply urgently the patch

quick fix:
open scrape.php
below

Code:

require("$BASEPATH/include/config.php");
require("$BASEPATH/include/common.php");

add

Code:

require_once $BASEPATH.'/include/crk_protection.php';

or download attached, upload to your tracker's root and rename to scrape.php

[monosgeri]

I have getscrape.php and my file is 9kB and the attached is 4. Should I replace the whole file, or just insert that extra line? My tracker v. is 1.47

[ssmet]

I have getscrape.php and my file is 9kB and the attached is 4. Should I replace the whole file, or just insert that extra line? My tracker v. is 1.47

Hi!

You must have "srape.php" if your engine is v.1.47.

[Lupin]

yes, the file is scrape, not getscrape

[Soshen]

is it needed for 1.3.x too ?

[eutobias]

i have btit 1.4.1 and in my include directory i don´t find crk_protection.php, where i get this file?

i am dowloanding a new version of btit to search for this file.

sorry my bad english xD

[Lupin]

all btit 1.4.x and below are vulnerable, attached you find crk_protection.php for whom which don't have it

[eutobias]

i already find crk_protection downloading last version of xbit but now i am searching for the file that contains the function sqlesc()

i get this msg error when running my tests:
Fatal error: Call to undefined function sqlesc() in C:\work\workspace\Futuratec\trunk\deploy\include\crk_protection.php on line 51

now i am searching in the included files...

thx
xD

EDIT:
the function sqlesc() are in line 963 of functions.php (last xbtit version)

is as small function

Code:

function sqlesc($x) {
   return "'".mysql_escape_string($x)."'";
}

and now i am seeing that some functions need other functions and etc etc etc, maybe this are happening why i costumize somethings in btit but if u cant test this in a older version of btit maybe you get some errors too

i am editing crk_proctection for this works without other files, i post this here soon.

sorry bad english again.

[ehm9000]

So for BtitTracker (1.3.2) by Btiteam / XBTT Mod by KiD

I need the new scrape.php and also crk_protection.php

Am I correct, any other edits, etc.?

[fatepower]

Well eutobias that is because the function is in the funcitons.php and not in the crk_proteciton.php.
If u add the funciton into crk_protection.php it will be declared twice when crk_proteciton is included from functions.php. The scrape.php has not the funcitons.php included so. . . There it will be error. All other pages will see function allready declared but not from the torrent client when running the scrape.

So for getting this to work we need to find another way. Like add the function to the scrape.php, then add all the content in crk_protection.php into scrape.php, after the include url for config example.

Cheers