marckmcgill
Junior Member
Italy
134 Posts
Posted - 12 January 2010 : 04:50:37
Hi there.
I've read about the security fix http://forum.snitz.com/forum/topic.asp?TOPIC_ID=69117 and then checked my situation.
I have V. 3.4.03 I could find the function block only in Inc_func_common.asp, but not in post_info.asp and register.asp. Is that okay? Did the patch need to be applied at all to Inc_func_common.asp?
Thanks a lot for reading.
HuwR
Forum Admin
United Kingdom
20584 Posts
Posted - 12 January 2010 : 05:42:38
This affects Snitz 3.4.07. Previous versions that applied a bug fix that was posted for 3.4.06, using server variables HTTP_X_FORWARDED_FOR and REMOTE_ADDR may need similar fixing.
If you don't have the bug fix that was posted for 3.4.06, using server variables HTTP_X_FORWARDED_FOR and REMOTE_ADDR, then you won't need to fix anything.
kgrammer
Starting Member
USA
16 Posts
Posted - 12 January 2010 : 22:35:48
I wanted to verify that the fix should be here:
    function UpdateLastHereDate(fTime,UserName)
        UserIPAddress = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
        if UserIPAddress = "" or left(UserIPAddress, 7) = "unknown" then
            UserIPAddress = Request.ServerVariables("REMOTE_ADDR")
        elseif InStr(UserIPAddress, ",") > 0 then
            UserIPAddress = Left(UserIPAddress, InStr(UserIPAddress, ",")-1)
        elseif InStr(UserIPAddress, ";") > 0 then
            UserIPAddress = Left(UserIPAddress, InStr(UserIPAddress, ";")-1)
        end If
        UserIPAddress = Trim(ChkString(UserIPAddress,"SQLString"))
And NOT here:
    function UpdateLastHereDate(fTime,UserName)
        UserIPAddress = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
        if UserIPAddress = "" or left(UserIPAddress, 7) = "unknown" then
            UserIPAddress = Request.ServerVariables("REMOTE_ADDR")
        elseif InStr(UserIPAddress, ",") > 0 then
            UserIPAddress = Left(UserIPAddress, InStr(UserIPAddress, ",")-1)
        elseif InStr(UserIPAddress, ";") > 0 then
            UserIPAddress = Left(UserIPAddress, InStr(UserIPAddress, ";")-1)
        end If
        ' separate check: drop anything from the first ":" onward before escaping
        if InStr(UserIPAddress, ":") > 0 then
            UserIPAddress = Left(UserIPAddress, InStr(UserIPAddress, ":")-1)
        end if
        UserIPAddress = Trim(ChkString(UserIPAddress,"SQLString"))
Can you verify that the RED code placement is correct?
Thanks.
Ken Grammer Used Snitz on SpecRacer.com and GT_RaceCar.com
ruirib
Snitz Forums Admin
Portugal
26364 Posts
Posted - 12 January 2010 : 22:43:44
Both the red and blue will work without any issues, but if you ask me, I would do the blue, just as a matter of preference. Effectiveness wise the results will be the same.
Snitz 3.4 Readme | Like the support? Support Snitz too
kgrammer
Starting Member
USA
16 Posts
Posted - 12 January 2010 : 23:54:00
Thanks! I also thought both would ultimately produce the same results, but the blue seemed to make more sense to me (and any future readers of the code!).
marckmcgill
Junior Member
Italy
134 Posts
Posted - 13 January 2010 : 05:22:52
I applied every patch ever released for my version, so, even though that sentence is involuted and hard to understand, if logic doesn't fail me it implies that my software does need the patch indeed.
As said, however, I could locate the function subject to application of this patch only in one of the three files. Is that okay, or should I worry?
By the way I realize now that I should have opened this thread in the "current version" board. I apologize for this, I didn't get immediately that my version is still considered the current one. Mods can eventually move this topic there.
ruirib
Snitz Forums Admin
Portugal
26364 Posts
Posted - 13 January 2010 : 05:57:23
quote: Originally posted by marckmcgill
I applied every patch ever released for my version, so, even though that sentence is involuted and hard to understand, if logic doesn't fail me it implies that my software does need the patch indeed.
As said, however, I could locate the function subject to application of this patch only in one of the three files. Is that okay, or should I worry?
By the way I realize now that I should have opened this thread in the "current version" board. I apologize for this, I didn't get immediately that my version is still considered the current one. Mods can eventually move this topic there.
This is the correct forum for previous versions. As HuwR stated elsewhere, this affects mainly 3.4.06 patched versions and 3.4.07. In previous versions, X_FORWARDED_FOR wasn't even used and that is the biggest risk the fix tries to protect.
For the ultimate protection, all requests for Request.ServerVariables("REMOTE_ADDR") should be sanitized too, but it's much less pressing than sanitizing X_FORWARDED_FOR.
Our fix takes care of both.
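As an added illustration of the rule the thread's VBScript implements (this is not Snitz code and not from any poster), the Python below mirrors the HTTP_X_FORWARDED_FOR / REMOTE_ADDR selection and the ','/';'/':' truncation, then goes one step further than SQL escaping by accepting only a syntactically valid IPv4 address before the value is stored. The sample server-variable sets are constructed; `forwarded_ip` and `sanitized_client_ip` are names chosen here.

```python
import ipaddress

# Constructed sample server-variable sets (not captured from any real server).
SAMPLE_REQUESTS = {
    "proxied":   {"HTTP_X_FORWARDED_FOR": "203.0.113.5, 10.0.0.1", "REMOTE_ADDR": "10.0.0.1"},
    "direct":    {"HTTP_X_FORWARDED_FOR": "", "REMOTE_ADDR": "198.51.100.7"},
    "unknown":   {"HTTP_X_FORWARDED_FOR": "unknown", "REMOTE_ADDR": "198.51.100.7"},
    "with_port": {"HTTP_X_FORWARDED_FOR": "203.0.113.5:8080", "REMOTE_ADDR": "10.0.0.1"},
    "garbage":   {"HTTP_X_FORWARDED_FOR": "not.an.ip.address", "REMOTE_ADDR": "10.0.0.1"},
    "ipv6":      {"HTTP_X_FORWARDED_FOR": "2001:db8::1", "REMOTE_ADDR": "10.0.0.1"},
}


def forwarded_ip(server_vars):
    """Mirror the selection rule in the thread's VBScript: prefer
    HTTP_X_FORWARDED_FOR, fall back to REMOTE_ADDR when it is empty or
    begins with 'unknown', keep only the first entry before ',' or ';',
    then drop anything from the first ':' onward."""
    ip = server_vars.get("HTTP_X_FORWARDED_FOR", "")
    if ip == "" or ip[:7] == "unknown":
        ip = server_vars.get("REMOTE_ADDR", "")
    elif "," in ip:
        ip = ip.split(",", 1)[0]
    elif ";" in ip:
        ip = ip.split(";", 1)[0]
    if ":" in ip:
        ip = ip.split(":", 1)[0]
    return ip.strip()


def sanitized_client_ip(server_vars, fallback="0.0.0.0"):
    """Stricter than escaping for SQL: the header is client-supplied, so only
    a syntactically valid IPv4 address is accepted; anything else is replaced
    by `fallback` before it is stored or logged."""
    candidate = forwarded_ip(server_vars)
    try:
        return str(ipaddress.IPv4Address(candidate))
    except ValueError:
        return fallback


if __name__ == "__main__":
    for name, vars_ in SAMPLE_REQUESTS.items():
        print(f"{name:10s} raw={forwarded_ip(vars_)!r:22s} stored={sanitized_client_ip(vars_)}")
```

Note that the ':' truncation collapses an IPv6 client address to its first group, so it fails validation and is stored as the fallback; a deployment that sees IPv6 clients would need a different rule.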