Security Fix: members/retract_credits_link.php

[757jterrell]

It has come to our attention that people have been adding ad credits through their my ads pages. Here is the fix:

Go to your members/retract_credits_link.php  file around lines 24 to 40, remove what is in bold:

if($action == "retract") {
   if($credits < 1) {
      $error_msg="You must enter at least 1 credit!";
   }
 else if($thisad[username] != $username) {
      $error_msg="You do not have permission to edit this!!";
   }
   else {
      if($credits > $thisad[credits]) {
         $credits=$thisad[credits];
      }
      else {
      $sql=$Db1->query("UPDATE ads SET credits=credits-$credits WHERE id='$id'");
      $sql=$Db1->query("UPDATE user SET link_credits=link_credits+".($credits*$settings['class_'.strtolower($thisad['class']).'_credit_ratio'])." WHERE username='$username'");
      $Db1->sql_close();
      header("Location: index.php?view=account&ac=myads&adtype=link&".$url_variables."");
   }
}

and then add what is in bold so it looks like the code below:

if($action == "retract") {
   if($credits < 1) {
      $error_msg="You must enter at least 1 credit!";
   }   
   else if( ereg("[^0-9]", $credits) ){
        $error_msg="You can only put in numbers 0 to 9";
      }  
   else if($thisad[username] != $username) {
      $error_msg="You do not have permission to edit this!!";
   }
   else if($credits > $thisad[credits]) {
      $error_msg="You can not remove more credits than you have!!";
   }
   else {
      $credits=asql($credits);
      $username=asql($username);
      $formula=($credits*$settings['class_'.strtolower($thisad['class']).'_credit_ratio']);
      if(is_int($formula) || is_float($formula))
      {
         $sql=$Db1->query("UPDATE ads SET credits=credits-$credits WHERE id='$id'");
         $sql=$Db1->query("UPDATE user SET link_credits=link_credits+$formula WHERE username='$username'");
      $Db1->sql_close();
      header("Location: index.php?view=account&ac=myads&adtype=link&".$url_variables."");
      }
   }
}

[DDesign]

also be advised that you need to have your host disable the linux command wget. this will stop people from php shelling your site. Which is UBER bad.

[reider666]

I added this but when I try to retract credits i got always : You can only put in numbers 0 to 9

[DDesign]

I added this but when I try to retract credits i got always : You can only put in numbers 0 to 9

are you only using numbers?

[reider666]

Yes  i tried different numbers but result was this message

[bprasetio]

I think JT missed some parts...

here my modified version, tested on my local machine only..

remove this code:

  if($credits < 1) {
      $error_msg="You must enter at least 1 credit!";
   }

replace with this code:

  if( ereg("[^0-9]", $credits) ){
        $error_msg="You can only put in numbers 0 to 9";
   }  

Remove this code

  else if( ereg("[0-9]", $credits) ){
        $error_msg="You can only put in numbers 0 to 9";
   }  

So, the final piece of code looks like this:

if($action == "retract") {
  if( ereg("[^0-9]", $credits) ){
        $error_msg="You can only put in numbers 0 to 9";
   }  
  else if($thisad[username] != $username) {
      $error_msg="You do not have permission to edit this!!";
   }
   else if($credits > $thisad[credits]) {
      $error_msg="You can not remove more credits than you have!!";
   }
   else {
      $sql=$Db1->query("UPDATE ads SET credits=credits-$credits WHERE id='$id'");
      $sql=$Db1->query("UPDATE user SET link_credits=link_credits+".($credits*$settings['class_'.strtolower($thisad['class']).'_credit_ratio'])." WHERE username='$username'");
      $Db1->sql_close();
      header("Location: index.php?view=account&ac=myads&adtype=link&".$url_variables."");
   }
}

and same with other retract credit ad (banner, fbanner, xsite, ptsu, ptrads, fad, email)

Hope this help...

[reider666]

thx now it works

[757jterrell]

yeah looks like I forgot the ^ in that code. OP updated as well as the others.

[757jterrell]

 else {
      $credits=asql($credits);
      $username=asql($username);
      $formula=($thisad[credits]*$settings['class_'.strtolower($thisad['class']).'_credit_ratio']);
      $formula=asql($formula);
      if(is_int($formula) || is_float($formula))
      {
         $sql=$Db1->query("UPDATE ads SET credits=credits-$credits WHERE id='$id'");
         $sql=$Db1->query("UPDATE user SET link_credits=link_credits+$formula WHERE username='$username'");
      $Db1->sql_close();
      header("Location: index.php?view=account&ac=myads&adtype=link&".$url_variables."");
      }
   }

Added by Greg from Offerscript.

Thanks Greg

You will also need to add this functions to your includes/function.php file:
This is copyrighted by CODE COPYRIGHT TO GPSBLACK/OFFERSCRIPT

function asql($string)
{
  if(get_magic_quotes_gpc())
  {
     $string = strip_tags($string);
     $string = stripslashes($string);
  }
  if (phpversion() >= '4.3.0')
  {
     $string = strip_tags($string);
      $string = mysql_real_escape_string($string);
  }
  else
  {
     $string = mysql_escape_string($string);
  }
  return $string;
}

[forcingnet]

I got this error

Parse error: syntax error, unexpected $end in /home/clicksca/public_html/members/retract_credits_link.php on line 88
 and on line 88  i have this: ?>
then the file finished.

[DDesign]

that means your missing a } somewhere

[clickinator]

So is this what I should now have in my retract-credit-links.php folder ?

if($action == "retract") {
  if( ereg("[^0-9]", $credits) ){
        $error_msg="You can only put in numbers 0 to 9";
   } 
  else if($thisad[username] != $username) {
      $error_msg="You do not have permission to edit this!!";
   }
   else if($credits > $thisad[credits]) {
      $error_msg="You can not remove more credits than you have!!";
   }
   else {
      $credits=asql($credits);
      $username=asql($username);
      $formula=($thisad[credits]*$settings['class_'.strtolower($thisad['class']).'_credit_ratio']);
      $formula=asql($formula);
      if(is_int($formula) || is_float($formula))
      {
         $sql=$Db1->query("UPDATE ads SET credits=credits-$credits WHERE id='$id'");
         $sql=$Db1->query("UPDATE user SET link_credits=link_credits+$formula WHERE username='$username'");
      $Db1->sql_close();
      header("Location: index.php?view=account&ac=myads&adtype=link&".$url_variables."");
      }
   }

Also you say add some code to includes/functions folder does it matter where you put the code in that folder ?


You will also need to add this functions to your includes/function.php file:
This is copyrighted by CODE COPYRIGHT TO GPSBLACK/OFFERSCRIPT

function asql($string)
{
  if(get_magic_quotes_gpc())
  {
     $string = strip_tags($string);
     $string = stripslashes($string);
  }
  if (phpversion() >= '4.3.0')
  {
     $string = strip_tags($string);
      $string = mysql_real_escape_string($string);
  }
  else
  {
     $string = mysql_escape_string($string);
  }
  return $string;
}

can I add this anywhere ?

[DDesign]

the function should go in the functions but it is possible that you already have it, if you still using the files you had me secure.

[cARRIE]

OP has been updated.