Snitz Forums 2000
 new security fix, Snitz 3.4.07

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 11 January 2010 :  08:10:49
We are posting a security fix to several Snitz files, involving the handling of IP addresses.

1. Inc_func_common.asp, lines #576-584, add the red part:

function UpdateLastHereDate(fTime,UserName)
	UserIPAddress = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
	if UserIPAddress = "" or left(UserIPAddress, 7) = "unknown" then
		UserIPAddress = Request.ServerVariables("REMOTE_ADDR")
	elseif InStr(UserIPAddress, ",") > 0 then
		UserIPAddress = Left(UserIPAddress, InStr(UserIPAddress, ",")-1)
	elseif InStr(UserIPAddress, ";") > 0 then
		UserIPAddress = Left(UserIPAddress, InStr(UserIPAddress, ";")-1)
	end If
	UserIPAddress = Trim(ChkString(UserIPAddress,"SQLString")) ' line added by this fix (the red part)


2. The same fix (adding the red line) is needed in:

- Line#825, post_info.asp;
- Line#1017, post_info.asp;
- Line#544, register.asp;

3. Not Snitz base code, but as it is used in many forums, IPgate may need a similar fix.
Somewhere around line#73, inc_ipgate.asp above

 useriparr = split(userip,".")

add this line:

userip = Trim(ChkString(userip,"SQLString"))


This affects Snitz 3.4.07. Previous versions that applied a bug fix that was posted for 3.4.06, using server variables HTTP_X_FORWARDED_FOR and REMOTE_ADDR, may need similar fixing.
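
Added example, not part of the original post and not Snitz code: HTTP_X_FORWARDED_FOR is a request header the client can set to any string, so besides passing it through ChkString a site can refuse anything that is not an IP literal before it is stored or queried. The function names ClientIP, IsIPv4 and OnlyDigits are hypothetical, the sample values are constructed, and the script assumes IPv4-only addresses and is written to run stand-alone under cscript.

```vbscript
Option Explicit

' True when s is non-empty-safe and contains only the characters 0-9.
Function OnlyDigits(s)
	Dim i, c
	OnlyDigits = False
	For i = 1 To Len(s)
		c = Mid(s, i, 1)
		If c < "0" Or c > "9" Then Exit Function
	Next
	OnlyDigits = True
End Function

' True only for a dotted quad of four decimal octets, each 0-255.
Function IsIPv4(s)
	Dim parts, i, p
	IsIPv4 = False
	parts = Split(s, ".")
	If UBound(parts) <> 3 Then Exit Function
	For i = 0 To 3
		p = parts(i)
		If Len(p) < 1 Or Len(p) > 3 Then Exit Function
		If Not OnlyDigits(p) Then Exit Function
		If CInt(p) > 255 Then Exit Function
	Next
	IsIPv4 = True
End Function

' Same selection order as the forum code (first entry of the forwarded
' header, else the socket address), followed by strict validation.
Function ClientIP(forwardedFor, remoteAddr)
	Dim ip, pos
	ip = Trim(forwardedFor)
	If ip = "" Or LCase(Left(ip, 7)) = "unknown" Then ip = remoteAddr
	pos = InStr(ip, ",")
	If pos = 0 Then pos = InStr(ip, ";")
	If pos > 0 Then ip = Left(ip, pos - 1)
	ip = Trim(ip)
	If Not IsIPv4(ip) Then ip = remoteAddr   ' header rejected: use socket address
	If Not IsIPv4(ip) Then ip = ""           ' nothing usable at all
	ClientIP = ip
End Function

' Constructed sample header values; the second argument stands in for REMOTE_ADDR.
Dim samples, s
samples = Array("203.0.113.7", "203.0.113.7, 10.0.0.1", "unknown", "", "203.0.113.9'x", "999.1.1.1")
For Each s In samples
	WScript.Echo "[" & s & "] -> " & ClientIP(s, "198.51.100.20")
Next
```

In an ASP page the two arguments would come from Request.ServerVariables("HTTP_X_FORWARDED_FOR") and Request.ServerVariables("REMOTE_ADDR"), and the WScript.Echo loop would be dropped.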

