Old 09-04-10, 10:50
Fynnon Fynnon is offline
New announcement: XBTIT VULNERABILITY
A possible exploit (SQL injection) was discovered in the code; please update your trackers ASAP. An attacker could retrieve password hashes and then access your site as you!

Affected versions:
- all versions below revision 584

Vulnerable files:
- users.php
- torrents.php


Manual patch:

1. open users.php

find and replace
PHP Code:
// getting order
// VULNERABLE (fixed in revision 584): the raw query-string value is taken as
// the sort column / direction. htmlspecialchars() only encodes HTML
// metacharacters; it does not restrict the value to a known column name, so
// whatever the client sends is presumably interpolated into the ORDER BY
// clause further down (the query itself is outside this excerpt).
if (isset($_GET["order"]))
    $order=htmlspecialchars($_GET["order"]);
else
    $order="joined";

// Same problem for the direction: any string, not just ASC/DESC, is accepted.
if (isset($_GET["by"]))
    $by=htmlspecialchars($_GET["by"]);
else
    $by="ASC"
with
PHP Code:
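// getting order
// Only a fixed set of column names may reach the ORDER BY clause: the request
// carries a small integer (1-6) that is cast and mapped through this whitelist,
// and the same integer is what gets echoed back into pager/sort links.
// Sets: $order_param (int), $order (column name), $by_param (int), $by (ASC|DESC).
$order_columns=array(
    1=>"username",
    2=>"level",
    3=>"joined",
    4=>"lastconnect",
    5=>"flag",
    6=>"ratio"
);
$order_param=3; // default column: "joined"
if (isset($_GET["order"]))
    $order_param=(int)$_GET["order"];
// Unknown or garbage value: fall back to the default AND reset the echoed
// parameter, so the links built from $order_param agree with $order.
if (!isset($order_columns[$order_param]))
    $order_param=3;
$order=$order_columns[$order_param];

// direction: 1 = ASC (default), anything else = DESC.
// $by_param is initialised here because the pager URL below embeds it; without
// a default the first page emits "by=" and the next page silently sorts DESC.
$by_param=1;
if (isset($_GET["by"]))
    $by_param=(int)$_GET["by"];
$by=($by_param==1?"ASC":"DESC");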
find and replace
PHP Code:
// VULNERABLE (pre-584): the unvalidated $order / $by strings are echoed into
// the pager URL and read back, still unvalidated, on the next request.
list($pagertop$pagerbottom$limit) = pager(20$count,  $scriptname."&amp;" $addparams.(strlen($addparam)>0?"&amp;":"")."order=$order&amp;by=$by&amp;"); 
with
PHP Code:
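// Pager links carry the numeric sort parameters, never the column name, so the
// value round-tripped through the URL is the same whitelisted integer that
// users.php validates again on the next request.
// NOTE(review): the forum paste reads "$addparams" here while the strlen() check
// on the same line uses "$addparam"; the latter is assumed to be the real
// variable (torrents.php uses it) — confirm against the file.
list($pagertop, $pagerbottom, $limit) = pager(20, $count, $scriptname."&amp;".$addparam.(strlen($addparam)>0?"&amp;":"")."order=$order_param&amp;by=$by_param&amp;");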
find and replace
PHP Code:
// VULNERABLE (pre-584): the column-header links pass the column name and
// direction as free-form strings that users.php then reads back unvalidated.
// (Paste as rendered by the forum: the comma after each template key and the
// escaping of the href quotes were lost.)
$userstpl->set("users_sort_username""<a href="$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=username&amp;by=".($order=="username" && $by=="ASC"?"DESC":"ASC")."">".$language["USER_NAME"]."</a>".($order=="username"?$mark:""));
$userstpl->set("users_sort_userlevel""<a href="$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=level&amp;by=".($order=="level" && $by=="ASC"?"DESC":"ASC")."">".$language["USER_LEVEL"]."</a>".($order=="level"?$mark:""));
$userstpl->set("users_sort_joined""<a href="$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=joined&amp;by=".($order=="joined" && $by=="ASC"?"DESC":"ASC")."">".$language["USER_JOINED"]."</a>".($order=="joined"?$mark:""));
$userstpl->set("users_sort_lastaccess""<a href="$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=lastconnect&amp;by=".($order=="lastconnect" && $by=="ASC"?"DESC":"ASC")."">".$language["USER_LASTACCESS"]."</a>".($order=="lastconnect"?$mark:""));
$userstpl->set("users_sort_country""<a href="$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=flag&amp;by=".($order=="flag" && $by=="ASC"?"DESC":"ASC")."">".$language["USER_COUNTRY"]."</a>".($order=="flag"?$mark:""));
$userstpl->set("users_sort_ratio""<a href="$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=ratio&amp;by=".($order=="ratio" && $by=="ASC"?"DESC":"ASC")."">".$language["RATIO"]."</a>".($order=="ratio"?$mark:"")); 


with

PHP Code:
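// Column-header links. The "order" value in each href is the whitelist index
// users.php maps back to a column; "by" is 1 = ASC, 2 = DESC. Clicking the
// column that is already sorted ascending flips it to descending.
// $order, $by, $mark, $scriptname, $addparam and $language are set earlier in users.php.
// NOTE(review): the forum paste dropped the comma after each template key and
// the escaping of the href quotes; both are restored here.
$users_sort_links=array(
    "users_sort_username"   => array(1, "username",    "USER_NAME"),
    "users_sort_userlevel"  => array(2, "level",       "USER_LEVEL"),
    "users_sort_joined"     => array(3, "joined",      "USER_JOINED"),
    "users_sort_lastaccess" => array(4, "lastconnect", "USER_LASTACCESS"),
    "users_sort_country"    => array(5, "flag",        "USER_COUNTRY"),
    "users_sort_ratio"      => array(6, "ratio",       "RATIO")
);
// Shared URL prefix: script, existing params, and a separator only when needed.
$users_sort_base=$scriptname."&amp;".$addparam.(strlen($addparam)>0?"&amp;":"");
foreach ($users_sort_links as $tpl_key => $col)
{
    list($col_id, $col_name, $lang_key)=$col;
    $is_current=($order===$col_name);
    $next_by=($is_current && $by=="ASC"?"2":"1");
    $userstpl->set($tpl_key, "<a href=\"".$users_sort_base."order=".$col_id."&amp;by=".$next_by."\">".$language[$lang_key]."</a>".($is_current?$mark:""));
}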


save and close.



2. open torrents.php

find and replace

PHP Code:
// getting order
// VULNERABLE (fixed in revision 584): mysql_real_escape_string() escapes
// quotes for use inside a quoted SQL string literal, but a sort column in
// ORDER BY is an unquoted identifier, so the escaping does not constrain what
// reaches the query (presumably via $qry_order below; the query itself is
// outside this excerpt).
if (isset($_GET["order"]))
    $order=htmlspecialchars(mysql_real_escape_string($_GET["order"]));
else
    $order="data";

// seeds/leechers/finished map to $tseeds/$tleechs/$tcompletes, defined earlier in torrents.php.
$qry_order=str_replace(array("leechers","seeds","finished"),array($tleechs,$tseeds$tcompletes),$order);

// Same problem for the direction: any string, not just ASC/DESC, is accepted.
if (isset($_GET["by"]))
    $by=htmlspecialchars(mysql_real_escape_string($_GET["by"]));
else
    $by="DESC";

// The unvalidated strings are then echoed into the pager URL and read back on the next request.
list($pagertop$pagerbottom$limit) = pager($torrentperpage$count,  $scriptname."&amp;" $addparam.(strlen($addparam)>0?"&amp;":"")."order=$order&amp;by=$by&amp;"); 


with

PHP Code:
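// getting order
// Whitelist-based sort: the request carries an integer (1-9) that selects a
// known column; the integer, not the column name, is what pager/sort links echo.
// Sets: $order_param, $order, $qry_order, $by_param, $by and the pager triple.
$order_columns=array(
    1=>"cname",
    2=>"filename",
    3=>"data",
    4=>"size",
    5=>"seeds",
    6=>"leechers",
    7=>"finished",
    8=>"dwned",
    9=>"speed"
);
$order_param=3; // default column: "data"
if (isset($_GET["order"]))
    $order_param=(int)$_GET["order"];
// Unknown or garbage value: fall back to the default AND reset the echoed
// parameter, so the links built from $order_param agree with $order.
if (!isset($order_columns[$order_param]))
    $order_param=3;
$order=$order_columns[$order_param];

// seeds/leechers/finished are substituted with $tseeds/$tleechs/$tcompletes,
// which are defined earlier in torrents.php (presumably SQL expressions rather
// than plain columns — confirm).
$qry_order=str_replace(array("leechers","seeds","finished"),array($tleechs,$tseeds,$tcompletes),$order);

// direction: 1 = ASC, anything else = DESC (default).
$by_param=2;
if (isset($_GET["by"]))
    $by_param=(int)$_GET["by"];
$by=($by_param==1?"ASC":"DESC");

// Pager links carry the numeric parameters, so the value read back on the
// next request goes through the same whitelist.
list($pagertop, $pagerbottom, $limit) = pager($torrentperpage, $count, $scriptname."&amp;".$addparam.(strlen($addparam)>0?"&amp;":"")."order=$order_param&amp;by=$by_param&amp;");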



find and replace

PHP Code:
// VULNERABLE (pre-584): the sortable column headers pass the column name and
// direction as free-form strings that torrents.php then reads back unvalidated.
// (Paste as rendered by the forum: the escaping of the href quotes was lost.)
$torrenttpl->set("torrent_pagertop",$pagertop);
$torrenttpl->set("torrent_header_category","<a href="$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=cname&amp;by=".($order=="cname" && $by=="ASC"?"DESC":"ASC")."">".$language["CATEGORY"]."</a>".($order=="cname"?$mark:""));
$torrenttpl->set("torrent_header_filename","<a href="$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=filename&amp;by=".($order=="filename" && $by=="ASC"?"DESC":"ASC")."">".$language["FILE"]."</a>".($order=="filename"?$mark:""));
$torrenttpl->set("torrent_header_comments",$language["COMMENT"]);
$torrenttpl->set("torrent_header_rating",$language["RATING"]);
$torrenttpl->set("WT",intval($CURUSER["WT"])>0,TRUE);
$torrenttpl->set("torrent_header_waiting",$language["WT"]);
$torrenttpl->set("torrent_header_download",$language["DOWN"]);
$torrenttpl->set("torrent_header_added","<a href="$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=data&amp;by=".($order=="data" && $by=="ASC"?"DESC":"ASC")."">".$language["ADDED"]."</a>".($order=="data"?$mark:""));
// size/seeds/leechers sort descending by default, hence the inverted DESC/ASC toggle.
$torrenttpl->set("torrent_header_size","<a href="$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=size&amp;by=".($order=="size" && $by=="DESC"?"ASC":"DESC")."">".$language["SIZE"]."</a>".($order=="size"?$mark:""));
$torrenttpl->set("uploader",$SHOW_UPLOADER,TRUE);
$torrenttpl->set("torrent_header_uploader",$language["UPLOADER"]);
$torrenttpl->set("torrent_header_seeds","<a href="$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=seeds&amp;by=".($order=="seeds" && $by=="DESC"?"ASC":"DESC")."">".$language["SHORT_S"]."</a>".($order=="seeds"?$mark:""));
$torrenttpl->set("torrent_header_leechers","<a href="$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=leechers&amp;by=".($order=="leechers" && $by=="DESC"?"ASC":"DESC")."">".$language["SHORT_L"]."</a>".($order=="leechers"?$mark:""));
$torrenttpl->set("torrent_header_complete","<a href="$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=finished&amp;by=".($order=="finished" && $by=="ASC"?"DESC":"ASC")."">".$language["SHORT_C"]."</a>".($order=="finished"?$mark:""));
$torrenttpl->set("torrent_header_downloaded","<a href="$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=dwned&amp;by=".($order=="dwned" && $by=="ASC"?"DESC":"ASC")."">".$language["DOWNLOADED"]."</a>".($order=="dwned"?$mark:""));
$torrenttpl->set("torrent_header_speed","<a href="$scriptname&amp;$addparam".(strlen($addparam)>0?"&amp;":"")."order=speed&amp;by=".($order=="speed" && $by=="ASC"?"DESC":"ASC")."">".$language["SPEED"]."</a>".($order=="speed"?$mark:""));
$torrenttpl->set("torrent_header_average",$language["AVERAGE"]); 


with

PHP Code:
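// Column-header links for the torrent list. "order" carries the whitelist
// index torrents.php maps back to a column; "by" is 1 = ASC, 2 = DESC.
// Columns that sort descending by default (size, seeds, leechers) toggle the
// other way round: clicking them while already DESC switches to ASC.
// $order, $by, $mark, $scriptname, $addparam, $language, $pagertop, $CURUSER
// and $SHOW_UPLOADER are set earlier in torrents.php.
// NOTE(review): the forum paste dropped the escaping of the href quotes; restored here.
$torrent_sort_links=array(
    "cname"    => array(1, "CATEGORY",   false),
    "filename" => array(2, "FILE",       false),
    "data"     => array(3, "ADDED",      false),
    "size"     => array(4, "SIZE",       true),
    "seeds"    => array(5, "SHORT_S",    true),
    "leechers" => array(6, "SHORT_L",    true),
    "finished" => array(7, "SHORT_C",    false),
    "dwned"    => array(8, "DOWNLOADED", false),
    "speed"    => array(9, "SPEED",      false)
);
// Shared URL prefix: script, existing params, and a separator only when needed.
$torrent_sort_base=$scriptname."&amp;".$addparam.(strlen($addparam)>0?"&amp;":"");
$torrent_header=array();
foreach ($torrent_sort_links as $col_name => $col)
{
    list($col_id, $lang_key, $desc_default)=$col;
    $is_current=($order===$col_name);
    if ($desc_default)
        $next_by=($is_current && $by=="DESC"?"1":"2");
    else
        $next_by=($is_current && $by=="ASC"?"2":"1");
    $torrent_header[$col_name]="<a href=\"".$torrent_sort_base."order=".$col_id."&amp;by=".$next_by."\">".$language[$lang_key]."</a>".($is_current?$mark:"");
}

// Template assignments kept in their original order.
$torrenttpl->set("torrent_pagertop",$pagertop);
$torrenttpl->set("torrent_header_category",$torrent_header["cname"]);
$torrenttpl->set("torrent_header_filename",$torrent_header["filename"]);
$torrenttpl->set("torrent_header_comments",$language["COMMENT"]);
$torrenttpl->set("torrent_header_rating",$language["RATING"]);
$torrenttpl->set("WT",intval($CURUSER["WT"])>0,TRUE);
$torrenttpl->set("torrent_header_waiting",$language["WT"]);
$torrenttpl->set("torrent_header_download",$language["DOWN"]);
$torrenttpl->set("torrent_header_added",$torrent_header["data"]);
$torrenttpl->set("torrent_header_size",$torrent_header["size"]);
$torrenttpl->set("uploader",$SHOW_UPLOADER,TRUE);
$torrenttpl->set("torrent_header_uploader",$language["UPLOADER"]);
$torrenttpl->set("torrent_header_seeds",$torrent_header["seeds"]);
$torrenttpl->set("torrent_header_leechers",$torrent_header["leechers"]);
$torrenttpl->set("torrent_header_complete",$torrent_header["finished"]);
$torrenttpl->set("torrent_header_downloaded",$torrent_header["dwned"]);
$torrenttpl->set("torrent_header_speed",$torrent_header["speed"]);
$torrenttpl->set("torrent_header_average",$language["AVERAGE"]);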
save and close.

Your tracker should now be patched.
Old 12-04-10, 11:35
pedro444 pedro444 is offline
FIX PROTECTION
CORRECTION Security Tracker CyBerFuN xBTiT FULLY MODDED
And I thank WHY enfectado..