Author Topic: Security Fix: wizards/link.php  (Read 2889 times)


Offline 757jterrell

Security Fix: wizards/link.php
« on: October 09, 2010, 06:14:22 PM »
With the cooperation of Scott Klarr (http://diffusionstudios.com/) we are pleased to release this security update:

This will prevent people from uploading free credits into your ptc ads.

EDIT: You will also want to fix the frame.php file also, which is located here:
http://auroraadmintraining.info/index.php/topic,1096.0.html

You will want to cut and paste the entire code into your wizards/link.php file:

Code:
<?
$producttitle="Link Ad";
//**VS**//$setting[ptc]//**VE**//
//**S**//
if($action == "setlink") {
if($adoption1 == "newlink") {
if((!isset($title)) || (strlen($title) < 5)) {
$err="You must enter a valid title at least 5 letters long!";
}
else if(!isset($target)) {
$err="You must enter a valid target!";
}
else if(is_ad_blocked($target)) {
$err="Ad blocked was returned. Please contact support!";
}
else if (($daily_limit) <= "24" && ($daily_limit != "0")) {
$err="Your add must have daily limit of at least 25 clicks, or leave 0 for unlimited!";
}
else {
$sql=$Db1->query("INSERT INTO ads SET
username='$username',
title='".addslashes($title)."',
target='".addslashes($target)."',
targetban='".addslashes($targetban)."',
daily_limit='".addslashes($daily_limit)."',
upgrade='".addslashes($premOnly)."',
country='".addslashes($country)."',
dsub='".time()."',
credits='0',
pref='$order[order_id]'
");
$sql=$Db1->query("SELECT * FROM ads WHERE pref='$order[order_id]' ORDER BY id DESC LIMIT 1");
$pad=$Db1->fetch_array($sql);
}
}
else if($adoption1 == "exsistlink") {
// Security fix: take the ad id from the POST body and escape it before it is
// interpolated into the query, instead of trusting the raw register_globals value.
$exsistlink = mysql_real_escape_string($_POST['exsistlink']);
$sql=$Db1->query("SELECT * FROM ads WHERE id='$exsistlink'");
$pad=$Db1->fetch_array($sql);
}
if(!isset($err)) {
$sql=$Db1->query("UPDATE orders SET
ad_id='$pad[id]'
WHERE order_id='$order[order_id]'
");
$Db1->sql_close();
header("Location: index.php?view=account&ac=buywizard&step=3".iif($samount, "&samount=$samount")."&pid=$order[order_id]&".$url_variables."");
}
}

$sql=$Db1->query("SELECT * FROM ads WHERE username='$username' and class!='P' ORDER BY title");
$currenlinks=$Db1->num_rows();
while($temp=$Db1->fetch_array($sql)) {
$linklist.="<option value=\"$temp[id]\">$temp[title]\n";
}

$includes[content]="
".iif(isset($err),"<script>alert('$err');</script>")."
<div align=\"center\">

<a href=\"index.php?view=account&ac=buywizard&step=2&ptype=linkc&".$url_variables."\">Click Here To Order Account Credits Only</a>
<br />Or<br />

<form action=\"index.php?view=account&ac=buywizard&pid=$order[order_id]".iif($samount, "&samount=$samount")."&step=2&action=setlink&".$url_variables."\" method=\"post\">
<table>
".iif($currenlinks>0,"
<tr>
<td valign=\"top\"><input id=\"exsistlink\" type=\"radio\" name=\"adoption1\" value=\"exsistlink\"".iif($adoption1 != "newlink"," checked=\"checked\"")."></td>
<td>
<label for=\"exsistlink\"><strong>Extend Exsisting Link Ad</strong></label><br />
<select name=\"exsistlink\">
$linklist
</select>
</td>
</tr>
<tr>
<td height=10></td>
</tr>
")."
<tr>
<td valign=\"top\"><input id=\"newlink\" type=\"radio\" name=\"adoption1\" value=\"newlink\"".iif(($currenlinks==0) || ($adoption1 == "newlink")," checked=\"checked\"")."></td>
<td>
<strong><label for=\"newlink\">Create A New Link Ad</label></strong><br />
<table>
<tr>
<td>Title: </td>
<td><input type=\"text\" name=\"title\" value=\"$title\"></td>
</tr>
<tr>
<td>Target Url: </td>
<td><input type=\"text\" name=\"target\" value=\"$target\"></td>
</tr>
<tr>
<td>PTC Banner Url: </td>
<td><input type=\"text\" name=\"targetban\" value=\"$targetban\"></td>
</tr>
<tr>
<td>Target Country: </td>
<td><select name=\"country\">".targetCountryList()."</select></td>
</tr>
<tr>
<td>Daily Limit: </td>
<td><input type=\"text\" name=\"daily_limit\" value=\"".iif($daily_limit == "","0",$daily_limit)."\" size=4></td>
</tr>
<tr>
<td>Premium Members Only? </td>
<td><input type=\"checkbox\" name=\"premOnly\" value=\"1\"></td>
</tr>
</table>
<div align=\"center\"><small>URL's must include <strong>http://</strong></small></div>
</td>
</tr>
<tr>
<td height=10></td>
</tr>
<tr>
<td colspan=2 align=\"right\"><input type=\"submit\" value=\"Next Step =>\"></td>
</tr>
</table>
</form>
</div>
";
//**E**//
?>
« Last Edit: November 03, 2010, 09:56:26 PM by 757jterrell »
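As an added example (not Aurora's code and not part of the original post), the following is how the same "setlink" step looks when rewritten with PDO prepared statements, explicit `$_POST` reads instead of register_globals, numeric validation of the daily limit, and an ownership check before an existing ad is attached to an order. Assumed names: `$pdo` is a PDO handle in exception mode, `$username` is the logged-in user taken from the session, and `$order` is the current order row already loaded for that user; the column names are the ones used by the queries in the original post. The `is_ad_blocked()` helper is an Aurora function not shown in the thread and is left out here.

```php
<?php
// Added example, not Aurora's own code: a hardened "setlink" step using PDO prepared
// statements, explicit $_POST reads (no register_globals) and an ownership check on
// existing ads. Assumed: $pdo is a PDO handle in exception mode, $username is the
// logged-in user taken from the session, $order is the current order row loaded for
// that user. Column names are the ones used by the queries in the original post.

function validate_new_link(array $in): array
{
    $title       = trim((string)($in['title'] ?? ''));
    $target      = trim((string)($in['target'] ?? ''));
    $targetban   = trim((string)($in['targetban'] ?? ''));
    $daily_limit = trim((string)($in['daily_limit'] ?? '0'));
    $country     = (string)($in['country'] ?? '');

    if (strlen($title) < 5) {
        throw new InvalidArgumentException('You must enter a valid title at least 5 letters long!');
    }
    // The form text says URLs must include http://; enforce it rather than hint at it.
    if (!preg_match('#^https?://#i', $target) || filter_var($target, FILTER_VALIDATE_URL) === false) {
        throw new InvalidArgumentException('You must enter a valid target!');
    }
    if ($targetban !== '' && filter_var($targetban, FILTER_VALIDATE_URL) === false) {
        throw new InvalidArgumentException('Banner URL is not valid!');
    }
    // Integer only: 0 means unlimited, otherwise at least 25 (the original compared strings).
    if (!preg_match('/^\d+$/', $daily_limit) || ((int)$daily_limit !== 0 && (int)$daily_limit < 25)) {
        throw new InvalidArgumentException('Daily limit must be at least 25 clicks, or 0 for unlimited!');
    }
    return [
        'title' => $title, 'target' => $target, 'targetban' => $targetban,
        'daily_limit' => (int)$daily_limit, 'country' => $country,
        'upgrade' => isset($in['premOnly']) ? 1 : 0,
    ];
}

/** Binds the order to a new or existing ad and returns the ad id. */
function set_link(PDO $pdo, string $username, array $order, array $post): int
{
    $adoption = (string)($post['adoption1'] ?? '');
    if ($adoption === 'newlink') {
        $ad = validate_new_link($post);
        $stmt = $pdo->prepare(
            'INSERT INTO ads (username, title, target, targetban, daily_limit, upgrade, country, dsub, credits, pref)
             VALUES (:username, :title, :target, :targetban, :daily_limit, :upgrade, :country, :dsub, 0, :pref)'
        );
        // credits is always 0 here: credits are only added by the paid step that follows.
        $stmt->execute($ad + ['username' => $username, 'dsub' => time(), 'pref' => $order['order_id']]);
        $ad_id = (int)$pdo->lastInsertId();
    } elseif ($adoption === 'exsistlink') {
        // Integer id plus an ownership check: a user may only extend their own ads,
        // so no other user's ad can be attached to this order.
        $ad_id = (int)($post['exsistlink'] ?? 0);
        $stmt = $pdo->prepare('SELECT id FROM ads WHERE id = :id AND username = :username');
        $stmt->execute(['id' => $ad_id, 'username' => $username]);
        if ($stmt->fetchColumn() === false) {
            throw new RuntimeException('Ad not found or not owned by you.');
        }
    } else {
        throw new InvalidArgumentException('Unknown ad option.');
    }
    $stmt = $pdo->prepare('UPDATE orders SET ad_id = :ad_id WHERE order_id = :order_id');
    $stmt->execute(['ad_id' => $ad_id, 'order_id' => $order['order_id']]);
    return $ad_id;
}

// Stand-alone demonstration against an in-memory SQLite schema constructed to match
// the columns above (requires the pdo_sqlite extension).
if (PHP_SAPI === 'cli') {
    $pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $pdo->exec('CREATE TABLE ads (id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT, title TEXT, target TEXT,
                targetban TEXT, daily_limit INTEGER, upgrade INTEGER, country TEXT, dsub INTEGER, credits INTEGER, pref INTEGER)');
    $pdo->exec('CREATE TABLE orders (order_id INTEGER PRIMARY KEY, ad_id INTEGER)');
    $pdo->exec('INSERT INTO orders (order_id) VALUES (7)');
    $pdo->exec("INSERT INTO ads (username, title, credits) VALUES ('mallory', 'someone else''s ad', 500)");
    $order = ['order_id' => 7];

    $new = set_link($pdo, 'alice', $order, ['adoption1' => 'newlink', 'title' => 'Alice link',
        'target' => 'http://example.com/', 'daily_limit' => '0', 'country' => 'ALL']);
    echo "new ad id: $new\n";
    try {
        set_link($pdo, 'alice', $order, ['adoption1' => 'exsistlink', 'exsistlink' => '1']);
    } catch (RuntimeException $e) {
        echo 'extend refused: ', $e->getMessage(), "\n";
    }
    echo 'extend own ad: ', set_link($pdo, 'alice', $order, ['adoption1' => 'exsistlink', 'exsistlink' => (string)$new]), "\n";
}
```

Run it with `php set_link_example.php`. The ownership clause (`AND username = :username`) is the piece the posted fix does not have: escaping stops the id from breaking out of the SQL string, but on its own it still lets any logged-in user pass another user's ad id to the "extend existing link" branch. Prepared statements make the escaping question moot, and the integer cast keeps the id from carrying anything but a number.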

Offline Claudeski

Re: Security Fix: wizards/link.php
« Reply #1 on: October 13, 2010, 05:55:26 AM »
Thanks for the fix but I'm still getting users creating PTC ads with unlimited credits.

Offline 757jterrell

Re: Security Fix: wizards/link.php
« Reply #2 on: October 14, 2010, 09:17:09 PM »
I will put scott back on it next week

Addons

Re: Security Fix: wizards/link.php
« Reply #3 on: October 15, 2010, 04:32:29 AM »
done :)

Offline Claudeski

Re: Security Fix: wizards/link.php
« Reply #4 on: October 29, 2010, 01:43:47 AM »
Any update on this? Still getting ads created and ads that are already there having their links changed.

Offline 757jterrell

Re: Security Fix: wizards/link.php
« Reply #5 on: November 03, 2010, 09:55:47 PM »
Make sure you do the fix for frame.php located here:
http://auroraadmintraining.info/index.php/topic,1096.0.html

Offline piniesta

Re: Security Fix: wizards/link.php
« Reply #6 on: January 20, 2011, 04:20:47 PM »
Make sure you do the fix for frame.php located here:
http://auroraadmintraining.info/index.php/topic,1096.0.html

Hello:
I have a question. Do the other ad wizards have the same bug?

The bug on wizards/links.php was at lines:
Code:
else if ($adoption1 == "exsistlink") {
    $sql = $Db1->query("SELECT * FROM ads WHERE id='$exsistlink'");
    $pad = $Db1->fetch_array($sql);
This same code is in wizards/banner.php, wizards/fbanner.php, wizards/flink.php, wizards/fad.php, wizards/popups.php, wizards/ptr.php, wizards/ptra.php, and wizards/ptsu.php.

Thanks

I feel like a fool. Sorry for the dumb question, I saw the other posts.
« Last Edit: January 20, 2011, 04:23:44 PM by piniesta »
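Since the same lookup is repeated across the other wizard files listed above, an admin applying the fix wants a way to check that none were missed. The script below is an added example (not part of the thread or of Aurora) that scans a `wizards/` directory for `$Db1->query("...")` calls whose SQL contains a quoted bare variable such as `'$exsistlink'` that the file never passes through `mysql_real_escape_string()`. It is a heuristic: it also reports server-side variables like `'$username'`, which a reviewer then judges case by case, and it only recognises the two-line pattern the fix itself introduced. The directory name and the fixture file contents are constructed for the demonstration.

```php
<?php
// Added example, not Aurora's code: audit wizards/*.php for SQL literals that embed a
// raw PHP variable ('$var') without a mysql_real_escape_string() assignment in the file.

function audit_wizard_queries(string $dir): array
{
    $findings = [];
    foreach (glob(rtrim($dir, '/') . '/*.php') as $file) {
        $src = file_get_contents($file);

        // Variables this file escapes before use (the pattern the security fix added).
        preg_match_all('/\$(\w+)\s*=\s*mysql_real_escape_string\(/', $src, $esc);
        $escaped = array_flip($esc[1]);

        // Every ->query("...") call with its SQL text; the text may span several lines.
        preg_match_all('/->query\(\s*"(.*?)"\s*\);/s', $src, $calls, PREG_OFFSET_CAPTURE);
        foreach ($calls[1] as [$sqlText, $offset]) {
            $lineNo = substr_count(substr($src, 0, $offset), "\n") + 1;

            // A variable dropped straight into a quoted SQL literal, e.g. id='$exsistlink'.
            // Values wrapped as '".addslashes($x)."' do not match this pattern.
            if (preg_match_all('/\'\$(\w+)\'/', $sqlText, $vars)) {
                foreach (array_unique($vars[1]) as $var) {
                    if (isset($escaped[$var])) {
                        continue;
                    }
                    $findings[] = sprintf("%s:%d: '\$%s' used in SQL without escaping",
                        basename($file), $lineNo, $var);
                }
            }
        }
    }
    return $findings;
}

// Stand-alone demonstration on two constructed fixture files: one with the unfixed
// lookup and one with the escaping line from the posted fix.
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/wizards_audit_' . getmypid();
    mkdir($dir);
    file_put_contents("$dir/banner.php",
        "<?php\n\$sql=\$Db1->query(\"SELECT * FROM ads WHERE id='\$exsistlink'\");\n");
    file_put_contents("$dir/link.php",
        "<?php\n\$exsistlink = mysql_real_escape_string(\$_POST['exsistlink']);\n" .
        "\$sql=\$Db1->query(\"SELECT * FROM ads WHERE id='\$exsistlink'\");\n");

    foreach (audit_wizard_queries($dir) as $finding) {
        echo $finding, "\n";
    }

    array_map('unlink', glob("$dir/*.php"));
    rmdir($dir);
}
```

Point it at the real directory with `audit_wizard_queries('/path/to/aurora/wizards')`. On the two fixtures only `banner.php` is reported, because `link.php` escapes `$exsistlink` before the query; on the actual `link.php` from the first post the same scan also lists `'$username'`, which comes from the session rather than the request and is for the reviewer to accept or not.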