This security fix applies to all Snitz 3.4.x versions. It can be installed alongside the previous fix, although it makes that earlier fix redundant.
1. Around line #86, add this code:
After adding the code, members.asp will look like this, near the point where the code will be added:
2. Add function isValidString to the end of the file:
At line #598, add:
After adding the fix, the code will look like this:
If you need help with the fix, please post in the General Help forum.
                            
                    
                1. Around line #86, add this code:
Code:
' Security fix: refuse a member-name search that contains characters the
' forum does not accept (see IsValidString) before the value reaches the
' SQL builder further down. An empty name is left alone here.
If SearchName <> "" Then
	If Not IsValidString(SearchName) Then
		Err_Msg = "Invalid Name!"
		' Emit the usual breadcrumb header, the error text and a back link,
		' then finish the page and stop processing.
		Response.Write "      <table width=""100%"" border=""0"">" & vbNewLine
		Response.Write "        <tr>" & vbNewLine
		Response.Write "          <td><font face=""" & strDefaultFontFace & """ size=""" & strDefaultFontSize & """>" & vbNewLine
		Response.Write "          " & getCurrentIcon(strIconFolderOpen,"","") & " <a href=""default.asp"">All Forums</a><br />" & vbNewLine
		Response.Write "          " & getCurrentIcon(strIconBar,"","") & getCurrentIcon(strIconFolderOpenTopic,"","") & " Member Information</font></td>" & vbNewLine
		Response.Write "        </tr>" & vbNewLine
		Response.Write "      </table>" & vbNewLine
		Response.Write "      <p align=""center""><font face=""" & strDefaultFontFace & """ size=""" & strHeaderFontSize & """ color=""" & strHiLiteFontColor & """>There Was A Problem!</font></p>" & vbNewLine
		Response.Write "      <p align=""center""><font face=""" & strDefaultFontFace & """ size=""" & strDefaultFontSize & """ color=""" & strHiLiteFontColor & """>" & Err_Msg & "</font></p>" & vbNewLine
		Response.Write "      <p align=""center""><font face=""" & strDefaultFontFace & """ size=""" & strDefaultFontSize & """><a href=""JavaScript:history.go(-1)"">Back to Forum</a></font></p>" & vbNewLine
		Response.Write "      <br />" & vbNewLine
		WriteFooter
		Response.End
	End If
End If
After adding the code, members.asp will look like this, near the point where the code will be added:
Code:
' Read the requested member name.
' NOTE(review): in classic ASP, Request("M_NAME") with no collection named
' searches QueryString, Form, Cookies, ClientCertificate and ServerVariables
' in turn, so the Request.Form fallback is redundant and the value can also
' be supplied by a cookie — confirm whether only QueryString/Form is intended.
SearchName = Trim(Request("M_NAME"))
If SearchName = "" Then SearchName = Trim(Request.Form("M_NAME"))
' Security fix: refuse a name containing characters the forum does not
' accept (see IsValidString) before it is used to build SQL.
If SearchName <> "" Then
	If Not IsValidString(SearchName) Then
		Err_Msg = "Invalid Name!"
		' Usual breadcrumb header, the error text and a back link, then
		' finish the page and stop processing.
		Response.Write "      <table width=""100%"" border=""0"">" & vbNewLine
		Response.Write "        <tr>" & vbNewLine
		Response.Write "          <td><font face=""" & strDefaultFontFace & """ size=""" & strDefaultFontSize & """>" & vbNewLine
		Response.Write "          " & getCurrentIcon(strIconFolderOpen,"","") & " <a href=""default.asp"">All Forums</a><br />" & vbNewLine
		Response.Write "          " & getCurrentIcon(strIconBar,"","") & getCurrentIcon(strIconFolderOpenTopic,"","") & " Member Information</font></td>" & vbNewLine
		Response.Write "        </tr>" & vbNewLine
		Response.Write "      </table>" & vbNewLine
		Response.Write "      <p align=""center""><font face=""" & strDefaultFontFace & """ size=""" & strHeaderFontSize & """ color=""" & strHiLiteFontColor & """>There Was A Problem!</font></p>" & vbNewLine
		Response.Write "      <p align=""center""><font face=""" & strDefaultFontFace & """ size=""" & strDefaultFontSize & """ color=""" & strHiLiteFontColor & """>" & Err_Msg & "</font></p>" & vbNewLine
		Response.Write "      <p align=""center""><font face=""" & strDefaultFontFace & """ size=""" & strDefaultFontSize & """><a href=""JavaScript:history.go(-1)"">Back to Forum</a></font></p>" & vbNewLine
		Response.Write "      <br />" & vbNewLine
		WriteFooter
		Response.End
	End If
End If
' Two copies of the name: an HTML-encoded one for display, and one passed
' through chkString (defined elsewhere; presumably the SQL escaping step —
' confirm) for the query. IsValidString is a denylist, so this escaping is
' still required.
SearchNameDisplay = Server.HTMLEncode(SearchName)
SearchName = chkString(SearchName, "sqlstring")
2. Add the function IsValidString at the end of the file, before the closing %> tag:
At line #598, add:
Code:
' Returns True when sValidate contains only characters the forum accepts in
' a member name, False otherwise. A name is rejected if it holds any character
' from sInvalidChars, a non-breaking space (Asc 160), two consecutive dots,
' two consecutive spaces, or a leading/trailing space. An empty string is
' accepted.
'
' This is a denylist, not an allowlist: double quote, hyphen, underscore,
' tilde, backtick, tab and any non-ASCII character pass through, so callers
' must still escape the value for SQL and HTML before using it.
' NOTE(review): Asc() returns the ANSI code-page value, so the 160 test may
' not behave as expected for characters outside that code page; AscW would
' compare the Unicode code point — confirm before changing.
Function IsValidString(sValidate)
	Dim sInvalidChars, sChar, nPos, bInvalid
	' Disallowed characters (the final entry is a plain space)
	sInvalidChars = "!#$%^&*()=+{}[]|\.;:/?>,<@' "
	bInvalid = False
	' One pass over the candidate: a single offending character settles it.
	For nPos = 1 To Len(sValidate)
		sChar = Mid(sValidate, nPos, 1)
		If InStr(sInvalidChars, sChar) > 0 Or Asc(sChar) = 160 Then
			bInvalid = True
			Exit For
		End If
	Next
	' Sequence rules. "." and " " are already in the denylist, so these only
	' matter if that list is relaxed; Trim removes spaces only, so tabs or
	' line breaks at either end are not caught by the last test.
	If Not bInvalid Then
		bInvalid = (InStr(sValidate, "..") > 0) _
			Or (InStr(sValidate, "  ") > 0) _
			Or (Len(sValidate) <> Len(Trim(sValidate)))
	End If
	IsValidString = Not bInvalid
End Function
After adding the fix, the code will look like this:
Code:
' Returns the smaller of the two column counts. When the file-level
' variable mlev is "3" or "4", two extra columns are added to lOUT first.
' NOTE(review): VBScript passes arguments ByRef unless declared ByVal, so
' that increment is also visible to a caller that passes a variable rather
' than an expression — presumably unintended; confirm against the callers.
Function sGetColspan(lIN, lOUT)
	If mlev = "3" Or mlev = "4" Then
		lOUT = lOUT + 2
	End If
	If lIN < lOUT Then sGetColspan = lIN Else sGetColspan = lOUT
End Function
' Returns True when sValidate contains only characters the forum accepts in
' a member name, False otherwise. A name is rejected if it holds any character
' from sInvalidChars, a non-breaking space (Asc 160), two consecutive dots,
' two consecutive spaces, or a leading/trailing space. An empty string is
' accepted.
'
' This is a denylist, not an allowlist: double quote, hyphen, underscore,
' tilde, backtick, tab and any non-ASCII character pass through, so callers
' must still escape the value for SQL and HTML before using it.
' NOTE(review): Asc() returns the ANSI code-page value, so the 160 test may
' not behave as expected for characters outside that code page; AscW would
' compare the Unicode code point — confirm before changing.
Function IsValidString(sValidate)
	Dim sInvalidChars, sChar, nPos, bInvalid
	' Disallowed characters (the final entry is a plain space)
	sInvalidChars = "!#$%^&*()=+{}[]|\.;:/?>,<@' "
	bInvalid = False
	' One pass over the candidate: a single offending character settles it.
	For nPos = 1 To Len(sValidate)
		sChar = Mid(sValidate, nPos, 1)
		If InStr(sInvalidChars, sChar) > 0 Or Asc(sChar) = 160 Then
			bInvalid = True
			Exit For
		End If
	Next
	' Sequence rules. "." and " " are already in the denylist, so these only
	' matter if that list is relaxed; Trim removes spaces only, so tabs or
	' line breaks at either end are not caught by the last test.
	If Not bInvalid Then
		bInvalid = (InStr(sValidate, "..") > 0) _
			Or (InStr(sValidate, "  ") > 0) _
			Or (Len(sValidate) <> Len(Trim(sValidate)))
	End If
	IsValidString = Not bInvalid
End Function
%>
If you need help with the fix, please post in the General Help forum.