Poll
Question: Would you like the option of including locations (city/country) for ads in AdBaker2?
Yes, being able to filter by location would be great. - 3 (60%)
No, I won't use/offer locations - 1 (20%)
Yes, I plan to use this module and can't or won't be upgrading anytime soon - 0 (0%)
Doesn't matter to me - 1 (20%)
Total Voters: 5

Author Topic: AdBaker - Classifieds Module  (Read 27046 times)
doc
Guest
« Reply #25 on: July 05, 2009, 10:43:23 AM »

Hi,

have had a quick look on some of the source files.

The file sc.create_cat.php has some issues which could be used for SQL-Injection. As an example the POST parameter cat_id is not sanitized and directly used in the SQL string (around line 38):
Code:
if(isset($_POST['cat_id']) AND !isset($_POST['subcat'])) {
   $cat_id = $_POST['cat_id'];
   //SQL statement to insert values into database
   $sql = "INSERT INTO ".TABLE_PREFIX."mod_ad_baker_subcategories (subcat_id, subcat_title, cat_id)
      VALUES
      (NULL ,'$title', '$cat_id')";
}

This is a serious security issue, as the access to sc.create_cat.php is not limited to allowed users (e.g. via $admin->get_permissions) or similar. In other words this file can be accessed from outside without being logged in. One simply needs to create a local html file with a form pointing to the file sc.create_cat.php to pass over harmful statements to the POST value to manipulate the database (e.g. if magic_quotes is off). In a worst case, this "hole" can be used to break into the backend by modifying the users database table etc.

So all files should be limited to users allowed to view the files, and all user inputs need to be checked before being output on the screen or used in SQL queries etc.

To limit e.g. access to users which have permission for viewing the module, you could use:
Code:
// check if the user is logged in and has permissions to access this module
require_once('../../framework/class.admin.php');
$admin = new admin('Modules', 'module_view', false, false);
if (!($admin->is_authenticated() && $admin->get_permission('your_module', 'module')))
    die(header('Location: ../../index.php'));

You should also add slashes to your SQL statements and, if possible, do a whitelist check before using user parameters in SQL statements (e.g. by $admin->add_slashes, which takes care of the magic quote settings).

Have only checked a couple of files and have not reviewed the whole module, so there may be more issues in other files which may need to be addressed.

Maybe some of the active and more "experienced" developers here in the forum can help you to review the module. I think the idea of the module is a very good one and a kind of classified module is missing in WB so far, so keep up your work.

Regards Doc
« Last Edit: July 05, 2009, 10:57:23 AM by doc »
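As an added example (not AdBaker's own code and not from doc's post), here is how the subcategory insert from sc.create_cat.php could be hardened along the lines doc suggests: permission check first, a whitelist check on cat_id, and $admin->add_slashes() on the free-text title. It assumes the WebsiteBaker 2.7 framework (config.php defining WB_PATH, TABLE_PREFIX and $database, plus the admin class used above) and an assumed module directory name 'ad_baker'.

```php
<?php
// Added example, not AdBaker's own code. Assumes WebsiteBaker 2.7:
// config.php defines WB_PATH, TABLE_PREFIX and the $database object, and
// class.admin.php provides the admin class used in doc's post.
require('../../config.php');
require_once(WB_PATH.'/framework/class.admin.php');

// 1. Authentication and permission check before anything else, so the
//    script can no longer be driven by a form on a foreign page.
//    'ad_baker' is an assumed module directory name.
$admin = new admin('Modules', 'module_view', false, false);
if (!($admin->is_authenticated() && $admin->get_permission('ad_baker', 'module'))) {
    die(header('Location: ../../index.php'));
}

// 2. Whitelist check: a category id can only be a positive integer of
//    reasonable length; anything else is rejected before it reaches SQL.
function valid_cat_id($value)
{
    return is_scalar($value) && preg_match('/^[1-9][0-9]{0,9}$/', (string) $value) === 1;
}

if (isset($_POST['cat_id'], $_POST['title']) && !isset($_POST['subcat'])) {
    if (!valid_cat_id($_POST['cat_id'])) {
        die('Invalid category id');
    }
    $cat_id = (int) $_POST['cat_id'];

    // 3. Free text cannot be whitelisted, so escape it for the SQL string.
    //    add_slashes() accounts for the magic_quotes setting, as doc notes.
    $title = $admin->add_slashes(trim($_POST['title']));
    if ($title === '') {
        die('Title is required');
    }

    $sql = "INSERT INTO ".TABLE_PREFIX."mod_ad_baker_subcategories (subcat_id, subcat_title, cat_id)
            VALUES (NULL, '$title', $cat_id)";
    $database->query($sql);
    if ($database->is_error()) {
        die($database->get_error());
    }
}
```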
mahalleday
« Reply #26 on: July 06, 2009, 01:06:47 AM »

Thanks for the heads up on that security hole. I will try and work some kind of fix for that. My PHP skills aren't that great but I will see what I can do. As for the add slashes, I have added that into all sc.whatever.php files and I have re-written the image upload portions so that a new random name is generated, and I will be adding a check to ensure only the allowed file types are able to be uploaded.

Regards,

Mike

Update..

I have created a function to 'clean' anything entered into the forms. I have tried running a few SQL injections with the forms and so far everything just gets escaped out like it should. I am still working out how to properly check for user permissions when executing some scripts in the backend. I am working to move the validation portion of those scripts into the pages containing the forms and having action point back to itself. Once the form is checked and all entries are valid, a function is called to actually run the SQL to add, delete, modify etc.


I will post updated code once I get all forms set up this way.

Mike.
« Last Edit: July 09, 2009, 06:55:53 PM by mahalleday »

AdBaker2 Project Site: http://code.google.com/p/adbaker/
mahalleday
« Reply #27 on: July 26, 2009, 08:26:52 PM »

New version AdBaker_v0.3 available in first post.  See info.php and post to see changes and updates.

Cheers,

Mike

AdBaker2 Project Site: http://code.google.com/p/adbaker/
mahalleday
« Reply #28 on: July 31, 2009, 11:42:09 PM »

Guys, I really want to move ahead with this release. So I really need people to test this, especially for security holes. Thanks.

AdBaker2 Project Site: http://code.google.com/p/adbaker/
Hans
« Reply #29 on: August 01, 2009, 08:38:35 AM »

WB 2.8 RC2: can add an ad and edit it - so works fine
Cannot edit currencies or categories
Code:
Table 'datis_testsite.mod_ad_Baker_categories' doesn't exist
Would be nice if there was a button to edit the CSS (like in some other modules)
Thanks, beautiful module!
Hans

Hans - Nijmegen - The Netherlands
mahalleday
« Reply #30 on: August 03, 2009, 06:53:29 PM »

I have not tested this mod with Version 2.8. When I get home I'll install RC2 and see what the issues are. For now please just use with 2.7.

AdBaker2 Project Site: http://code.google.com/p/adbaker/
crnogorac081
« Reply #31 on: August 06, 2009, 11:27:48 AM »

Code:
Things to do

    * Pagination
    * Revised interface and layout
    * Option for admin to make own forms for creating and editing ads
    * Multiple image support
    * Option to contact seller
    * Front end menu check to see if user logged in DONE v0.2
    * Show number of ads in each category/subcategory
    * Template support for front end display of ads list and full ad view
    * Integrate JS and Ajax support in front end for slicker interface (flyout/drop down categories etc)
    * Paypal support
    * Admin access to settings (ads per page, thumbnail sizes, templates, ad expiration date, ad published/unpublished etc)
    * Ad auto expiration -> goes from published to unpublished to allow user or admin to reactivate
    * General security check: SQL injection done, all form entries cleaned, all file uploads limited to max file size and type and renamed to random 26 digit name for further security -> v0.3

Please consider an option that admin (or mod or some group) must approve every ad before it becomes visible (to prevent spam text).

Also consider that admin (moderator or some group) can make some ad different (like a VIP ad, which will be specially styled).

These are just some of my suggestions..
All best,
ivan

Wow, I coded something myself: PM Messanger Modul ,Searchbox with suggestions
mahalleday
« Reply #32 on: August 06, 2009, 11:59:37 PM »

Thanks for the suggestions, I will work to implement both. Though for this first release only admins will have permissions over everything; once I get around to allowing settings to be changed in the backend I will add the option to select which user groups have backend access to change things.


AdBaker2 Project Site: http://code.google.com/p/adbaker/
crnogorac081
« Reply #33 on: August 07, 2009, 01:03:11 AM »

I'm glad you accepted suggestions.

Also I found somewhere that new ads are styled differently (color or something), and for example if you have free and paid ads, paid ones are styled differently.. So it would be handy that ads can be selected (by default) to be one style, and for "paid" or VIP or anything else some other style, and new ads also some other style Smiley

just my suggestions, I am not a coder so I have no idea how difficult this is to code..

cheers

Wow, I coded something myself: PM Messanger Modul ,Searchbox with suggestions
mahalleday
« Reply #34 on: August 07, 2009, 05:13:54 AM »

Again, all things I plan to add eventually. My main goal right now is to get a basic, stable and secure module complete. What I really need is for people to test the heck out of the code I have released and look for security holes and other broken items so they can be patched up.


AdBaker2 Project Site: http://code.google.com/p/adbaker/
StefanRSA
« Reply #35 on: August 13, 2009, 08:55:24 PM »

Last year it was my idea to use WB to build a classified module. Because I am new to php and Mysql I decided to first try and reverse engineer php classifieds and try and find all the loopholes and also get the hang of this kind of system...

Eventually I decided to rather develop my own system and it is about a month from completion. All that said... You guys can contact me if you would need any advice or help for the WB module.
I am a huge supporter of WB and already have over 10 WB sites on the www.

If you want a sneak preview of this system. Feel free to contact me to get the url.
There is still a whole lot of work to be completed but am sure it will give you an idea of what is needed to get a system like this working...

You are welcome to contact me.
« Last Edit: August 14, 2009, 09:11:47 AM by StefanRSA »

How can the sky be the limit? There is much more behind the sky!!!
mahalleday
« Reply #36 on: August 13, 2009, 09:44:58 PM »

Is this already integrated into WB??? We should have worked together on this and made one solid stable mod instead of two. If this is integrated into WB, might we have the files to see how things work? And if it isn't, perhaps you and I could work together on cleaning up what I have done so far.

Have a look at my mod see what you think.

AdBaker2 Project Site: http://code.google.com/p/adbaker/
StefanRSA
« Reply #37 on: August 13, 2009, 09:49:41 PM »

No this is my own system and I did not use WB but am willing to help with your WB module. Will download and test at the earliest

How can the sky be the limit? There is much more behind the sky!!!
mahalleday
« Reply #38 on: August 13, 2009, 10:46:51 PM »

That would be great. I think, and have been told, my module is shaping up very nicely. I will post the most current code tonight for testing etc. It has a few more features such as CSS editing and the ability for admins to change some settings.

AdBaker2 Project Site: http://code.google.com/p/adbaker/
mahalleday
« Reply #39 on: August 14, 2009, 03:57:49 AM »

New version v0.4 posted in top post.  See Top post for features and changes.

AdBaker2 Project Site: http://code.google.com/p/adbaker/
Hans
« Reply #40 on: August 14, 2009, 07:41:16 AM »

Hi
I get this message both in WB 2.7 and WB 2.8 RC2, also after uninstalling and re-installing the module:
Code:
Table 'datis_testsite.mod_ad_Baker_categories' doesn't exist
I can update the settings, but that's it.
MySQL version    5.0.81-community
PHP version    5.2.10
Apache version    2.2.11 (Unix)
Error messages:
When trying to change currencies e.g.: Fatal error: Call to a member function fetchRow() on a non-object in /home/datis/public_html/modules/AdBaker/includes/be.cur_list.php on line 29
Please help, I would like to implement this module
Thanks
Hans

EDIT:
The database looked okay but I "repaired" it nevertheless. Results:
datis_testsite.addons                       OK
datis_testsite.groups                       OK
datis_testsite.mod_ad_baker                 OK
datis_testsite.mod_ad_baker_ads             OK
datis_testsite.mod_ad_baker_categories      OK
datis_testsite.mod_ad_baker_currencies      OK
datis_testsite.mod_ad_baker_settings        OK
But the module doesn't work yet...
« Last Edit: August 14, 2009, 07:59:31 AM by Hans »

Hans - Nijmegen - The Netherlands
crnogorac081
« Reply #41 on: August 14, 2009, 10:42:13 AM »

I can confirm the same error.

cheers

Wow, I coded something myself: PM Messanger Modul ,Searchbox with suggestions
mahalleday
« Reply #42 on: August 14, 2009, 07:09:52 PM »

Very strange, I always uninstall and test a fresh install before uploading anything, and I saw no errors. Perhaps I grabbed some older code for this release. I will try what I have uploaded tonight and resolve all issues. I made some last minute adjustments to the settings table so I am sure there are still a few bugs to be worked out with that.

I do know that it doesn't work correctly with 2.8RC2, so for now stick with 2.7. I will work on getting a 2.8 compliant version up and running as soon as I can.

Thanks for the heads up guys.

Mike.
« Last Edit: August 14, 2009, 07:11:56 PM by mahalleday »

AdBaker2 Project Site: http://code.google.com/p/adbaker/
crnogorac081
« Reply #43 on: August 14, 2009, 08:14:25 PM »

Is there a way to remove currency and price from being required (*) fields?

----

Also, when I tried to add NEW AD I got this error:

Warning: Cannot modify header information - headers already sent by (output started at I:\WebsiteBaker Portable1_2\htdocs\inf\include\phplib\template.inc:660) in I:\WebsiteBaker Portable1_2\htdocs\inf\modules\AdBaker\abFunctions.php on line 189

All fields were filled in except picture..


cheers
« Last Edit: August 14, 2009, 08:21:38 PM by crnogorac081 »

Wow, I coded something myself: PM Messanger Modul ,Searchbox with suggestions
mahalleday
« Reply #44 on: August 14, 2009, 09:06:49 PM »

As of right now there is no way to change which fields are required without modifying the PHP files themselves.

For the ads just edit cm.make_ad.php and cm.modify.php

and change the else{$errors = "Whatever";} to else{$var = $_POST['field name'];} in the if(isset) {} for the field you wish to make optional.

This module is untested in WB portable, but the image upload should work just fine, and the headers and content type of the page are never and should never be changed by any of the code, so I am not sure where that error is coming from. What size of file are you attempting to upload?

On a side note, I just tried the mod with a fresh install in my test site on my live server and I got the same table does not exist error. It seems the module code is looking for a table with a 'wb_' prefix when there isn't one.

I'll work on that this weekend and solve it ASAP.

AdBaker2 Project Site: http://code.google.com/p/adbaker/
crnogorac081
« Reply #45 on: August 14, 2009, 09:21:50 PM »

That seems to be a problem, as there is no table prefix on my installation.. And the error shows that the module is looking for a DB table with prefix: Table 'test.wb_mod_ad_baker_settings' doesn't exist

You misunderstood me, I didn't try to upload an image, I said I filled in all fields except image.. So all is working so far except this prefix Smiley)

cheers

Wow, I coded something myself: PM Messanger Modul ,Searchbox with suggestions
mahalleday
« Reply #46 on: August 14, 2009, 10:53:49 PM »

Sorry for the misunderstanding. Hopefully I can sort out the prefix issue ASAP.

AdBaker2 Project Site: http://code.google.com/p/adbaker/
crnogorac081
« Reply #47 on: August 14, 2009, 11:53:18 PM »

np, good thing is that is just a table prefix Smiley nothing else Smiley

cheers

Wow, I coded something myself: PM Messanger Modul ,Searchbox with suggestions
mahalleday
« Reply #48 on: August 17, 2009, 06:16:48 AM »

Found and fixed the table error.  New files in top post.

AdBaker2 Project Site: http://code.google.com/p/adbaker/
Hans
« Reply #49 on: August 17, 2009, 08:35:10 AM »

Thanks, but.. I can't see any difference, still the same error messages.
Hans

Hans - Nijmegen - The Netherlands