Yetishare Script Hacked ? Need to fix ASAP

mastern

New Member
YetiShare User
Apr 24, 2013
Hi all,

I received this email from a user; he discovered something bad with the Yetishare Script's download management process. The flaw lets everyone (all users, free, etc.) directly download any file, bypassing the waiting download page. The session protection doesn't do anything. :twisted:

Moderator Edit: The topic title is an exaggeration. The script is not hacked; it's something that can be fixed in either the main script update due shortly or a security update which could be released before then.

I have removed the content to protect the Yetishare script owners, I have also sent the content of this post to Adam directly.

If you have any concerns regarding this or any other issues, please use the contact form found here > http://www.mfscripts.com/contact.html


How do I fix this?

Regards,
Maverick
 

adam

Administrator
Staff member
Dec 5, 2009
Hi Maverick,

Thanks for pointing this out, and thanks YSM for the info as well.

I've taken a look this morning and it should now be resolved on our demo site. It should now restrict the download token to a specific IP address to limit it being shared. Please can you recheck on our demo site and let me know if you see any other issues.

The bug wasn't in the core code but part of the image/media viewer plugin. I'm patching these now and they'll be re-uploaded to the site in the next hour. I'll update this thread when they're available.

Thanks,
Adam.
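To make the fix Adam describes concrete, here is an added example (my own model, not YetiShare code) of an embed/download token that is bound to the address it was issued to. The `EmbedTokenStore` dictionary stands in for a `plugin_*_embed_token` table with an `ip_address` column; the file id, addresses, TTL and timestamps are constructed for the demonstration. The point it shows is the one the thread is about: a token copied out of the viewer page and pasted somewhere else stops working because the redeeming address differs, and it also dies after a short expiry.

```python
"""Model of an IP-bound embed token (added example, not YetiShare code).

A token is issued to the client that loaded the viewer page and is only
honoured when redeemed from the same address, for the same file, before
it expires. The in-memory dict stands in for the embed token table.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class EmbedToken:
    file_id: int
    ip_address: str      # address the token was issued to (assumed to come from the request)
    expires_at: float    # unix time; embed tokens should be short lived


class EmbedTokenStore:
    """Stand-in for plugin_*_embed_token with its ip_address column (assumption)."""

    def __init__(self, ttl_seconds: int = 60):
        self.ttl = ttl_seconds
        self._tokens: Dict[str, EmbedToken] = {}

    def issue(self, file_id: int, client_ip: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        # 256 bits from the OS CSPRNG: not derived from the file id, so it cannot be guessed
        token = secrets.token_urlsafe(32)
        self._tokens[token] = EmbedToken(file_id, client_ip, now + self.ttl)
        return token

    def redeem(self, token: str, file_id: int, client_ip: str,
               now: Optional[float] = None) -> bool:
        """True only if the token exists, is unexpired, and matches both file and IP."""
        now = time.time() if now is None else now
        rec = self._tokens.get(token)
        if rec is None:
            return False                       # unknown or forged token
        if now > rec.expires_at:
            del self._tokens[token]            # expired: drop it so it cannot be retried
            return False
        # The address check is what stops a shared token from working for everyone.
        if rec.ip_address != client_ip or rec.file_id != file_id:
            return False
        return True


def demo() -> Dict[str, bool]:
    """Walk through the sharing scenario with constructed addresses and times."""
    store = EmbedTokenStore(ttl_seconds=60)
    t0 = 1_700_000_000.0                       # constructed issue time
    token = store.issue(file_id=42, client_ip="203.0.113.5", now=t0)
    return {
        "owner": store.redeem(token, 42, "203.0.113.5", now=t0 + 5),
        "shared_to_other_ip": store.redeem(token, 42, "198.51.100.9", now=t0 + 5),
        "other_file": store.redeem(token, 7, "203.0.113.5", now=t0 + 5),
        "expired": store.redeem(token, 42, "203.0.113.5", now=t0 + 120),
        "forged": store.redeem("not-a-real-token", 42, "203.0.113.5", now=t0 + 5),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'allowed' if ok else 'rejected'}")
```

Two caveats when carrying this pattern into a real schema: a `VARCHAR(15)` column holds only a dotted-quad IPv4 address, while textual IPv6 (including the IPv4-mapped form) needs up to 45 characters; and IP binding is a rate-limiting aid rather than authentication, since users behind one NAT share an address and a client whose address changes mid-session will be rejected.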
 

adam

Administrator
Staff member
Dec 5, 2009
Ok, the patched plugins are now available for download. You'll need to run these SQL statements on your database to add the new ip_address column:

Image Viewer:

Code:
ALTER TABLE `plugin_imageviewer_embed_token` ADD `ip_address` VARCHAR( 15 ) NULL;
Media Player:

Code:
ALTER TABLE `plugin_mediaplayer_embed_token` ADD `ip_address` VARCHAR( 15 ) NULL;
 

mastern

New Member
YetiShare User
Apr 24, 2013
Hi Adam,

Thanks for the rapid answer & for the patch! I will get & test this.

Regards,
Maverick
 

mastern

New Member
YetiShare User
Apr 24, 2013
Hi Adam,

As you said, "It should now restrict the download token to a specific ip address to limit it being shared." Sure, this update resolves it, but not enough. Here is a new scenario: if the user is a non/free user, he can mass download the file from the download link. The two plugins don't respect the site download config for non/free users.

Solution: I rewrote the script, based on file_download.php, and added the downloadtracker inside the plugins.

ORIGINAL CODE OF MEDIAPLAYER (includes/xxx_bottom.php) :

Code:
    require_once(DOC_ROOT . '/_footer.php');
    exit;
}
elseif ((isset($_REQUEST['dt'])) && (in_array(strtolower($file->extension), $ext)))
{
    // embed file
    $rs = $file->download(true, true);
    exit;
}
MAVERICK CODE OF MEDIAPLAYER (includes/xxx_bottom.php) :

Code:
    require_once(DOC_ROOT . '/_footer.php');
    exit;
}
elseif ((isset($_REQUEST['dt'])) && (isset($_REQUEST['df'])) && (in_array(strtolower($file->extension), $ext)))
{
    // download button ('df'): apply the same free-user limits as file_download.php
    $db = Database::getDatabase();

    // clear any expired download trackers
    downloadTracker::clearTimedOutDownloads();
    downloadTracker::purgeDownloadData();

    // free or non logged in users
    if (($Auth->loggedIn() === false) || ($Auth->level == 'free user'))
    {
        // make sure the user is permitted to download files of this size
        if ((int) SITE_CONFIG_FREE_USER_MAX_DOWNLOAD_FILESIZE > 0)
        {
            if ((int) SITE_CONFIG_FREE_USER_MAX_DOWNLOAD_FILESIZE < $file->fileSize)
            {
                $errorMsg = t("error_you_must_register_for_a_premium_account_for_filesize", "You must register for a premium account to download files of this size. Please use the links above to register or login.");
                redirect(getCoreSitePath() . "/error." . SITE_CONFIG_PAGE_EXTENSION . "?e=" . urlencode($errorMsg));
            }
        }

        // check if the user has reached the max permitted concurrent downloads
        if ((int) SITE_CONFIG_FREE_USER_MAX_DOWNLOAD_THREADS > 0)
        {
            $sQL  = "SELECT COUNT(download_tracker.id) AS total_threads ";
            $sQL .= "FROM download_tracker ";
            $sQL .= "WHERE download_tracker.status='downloading' AND download_tracker.ip_address = " . $db->quote(getUsersIPAddress()) . " ";
            $sQL .= "GROUP BY download_tracker.ip_address ";
            $totalThreads = (int) $db->getValue($sQL);
            if ($totalThreads >= (int) SITE_CONFIG_FREE_USER_MAX_DOWNLOAD_THREADS)
            {
                $errorMsg = t("error_you_have_reached_the_max_permitted_downloads", "You have reached the maximum concurrent downloads. Please wait for your existing downloads to complete or register for a premium account above.");
                redirect(getCoreSitePath() . "/error." . SITE_CONFIG_PAGE_EXTENSION . "?e=" . urlencode($errorMsg));
            }
        }

        // make sure the user has waited long enough since their last finished download
        if ((int) SITE_CONFIG_FREE_USER_WAIT_BETWEEN_DOWNLOADS > 0)
        {
            $sQL  = "SELECT (UNIX_TIMESTAMP()-UNIX_TIMESTAMP(date_updated)) AS seconds ";
            $sQL .= "FROM download_tracker ";
            $sQL .= "WHERE download_tracker.status='finished' AND download_tracker.ip_address = " . $db->quote(getUsersIPAddress()) . " ";
            $sQL .= "ORDER BY download_tracker.date_updated DESC ";
            $longAgoSeconds = (int) $db->getValue($sQL);
            if (($longAgoSeconds > 0) && ($longAgoSeconds < (int) SITE_CONFIG_FREE_USER_WAIT_BETWEEN_DOWNLOADS))
            {
                $errorMsg = t("error_you_must_wait_between_downloads", "You must wait [[[WAITING_TIME_LABEL]]] between downloads. Please try again later or register for a premium account above to remove the restriction.", array('WAITING_TIME_LABEL'=>secsToHumanReadable(SITE_CONFIG_FREE_USER_WAIT_BETWEEN_DOWNLOADS)));
                redirect(getCoreSitePath() . "/error." . SITE_CONFIG_PAGE_EXTENSION . "?e=" . urlencode($errorMsg));
            }
        }
    }

    // admin/paid users reach this point without any of the checks above;
    // free users only get here if none of the limits triggered a redirect
    if (!isset($errorMsg))
    {
        $rs = $file->download(true, true);
        exit;
    }
}
elseif ((isset($_REQUEST['dt'])) && (in_array(strtolower($file->extension), $ext)))
{
    // embed file
    $rs = $file->download(true, true);
    exit;
}

This code forces a non/free user to respect the site "download configuration". We prevent flood direct downloads. This works well for me. The same code must be added in the imageviewer plugin_xxx_bottom.php.

What do you say, do you have a simpler solution, or do you think this is right?

Regards,
Maverick
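The three limits Maverick ports from file_download.php (maximum file size, maximum concurrent downloads per IP, minimum wait after the last finished download) can be checked in isolation before touching the PHP. Below is an added example in Python, my own model rather than YetiShare code: the `download_tracker` rows, the `SITE_CONFIG_FREE_USER_*` values and the user levels are constructed here, and the returned strings are the translation keys the posted PHP passes to `t()`. It goes slightly beyond the post by running the same gate for every user level in one place, so the premium bypass is visible next to the free-user denials. One thing worth noticing in the posted PHP, traceable to its last `elseif`, is that the checks run only when `df` is also set; a request with `dt` alone still reaches `$file->download()` directly, which a site owner should decide is acceptable for the embedded player.

```python
"""Model of the free-user download gate (added example, not YetiShare code).

Tracker rows, config values and user levels are constructed for the demo.
check() returns None when the download may start, otherwise the error key
the site would map to its translated message.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class TrackerRow:
    """One download_tracker row: address, 'downloading' or 'finished', last update (unix time)."""
    ip_address: str
    status: str
    date_updated: float


@dataclass
class FreeUserConfig:
    """Mirrors the SITE_CONFIG_FREE_USER_* constants; 0 disables a check, as in the PHP."""
    max_download_filesize: int = 100 * 1024 * 1024
    max_download_threads: int = 1
    wait_between_downloads: int = 60      # seconds


@dataclass
class DownloadPolicy:
    config: FreeUserConfig
    tracker: List[TrackerRow] = field(default_factory=list)

    def check(self, ip: str, file_size: int, now: float, level: str) -> Optional[str]:
        # Only anonymous and free users are limited; paid/admin users skip everything.
        if level not in ("anonymous", "free user"):
            return None
        cfg = self.config

        # 1. file size cap
        if cfg.max_download_filesize > 0 and file_size > cfg.max_download_filesize:
            return "error_you_must_register_for_a_premium_account_for_filesize"

        # 2. concurrent downloads from this address (COUNT(*) WHERE status='downloading')
        if cfg.max_download_threads > 0:
            active = sum(1 for r in self.tracker
                         if r.ip_address == ip and r.status == "downloading")
            if active >= cfg.max_download_threads:
                return "error_you_have_reached_the_max_permitted_downloads"

        # 3. seconds since the most recent finished download (ORDER BY date_updated DESC)
        if cfg.wait_between_downloads > 0:
            finished = [r for r in self.tracker
                        if r.ip_address == ip and r.status == "finished"]
            if finished:
                last = max(finished, key=lambda r: r.date_updated)
                if now - last.date_updated < cfg.wait_between_downloads:
                    return "error_you_must_wait_between_downloads"
        return None


def demo() -> Dict[str, Optional[str]]:
    """Exercise each limit with a constructed tracker table and constructed times."""
    cfg = FreeUserConfig(max_download_filesize=50_000_000,
                         max_download_threads=1, wait_between_downloads=60)
    policy = DownloadPolicy(cfg)
    ip, other_ip, t0 = "203.0.113.5", "198.51.100.9", 1_700_000_000.0
    results: Dict[str, Optional[str]] = {}
    results["first_ok"] = policy.check(ip, 10_000_000, t0, "free user")
    results["too_big"] = policy.check(ip, 60_000_000, t0, "free user")
    results["premium_big"] = policy.check(ip, 60_000_000, t0, "paid user")
    # the first download starts: one 'downloading' row for this address
    policy.tracker.append(TrackerRow(ip, "downloading", t0))
    results["second_thread"] = policy.check(ip, 10_000_000, t0 + 1, "free user")
    results["other_ip"] = policy.check(other_ip, 10_000_000, t0 + 1, "free user")
    # the download finishes 30 s in; the wait timer starts from date_updated
    policy.tracker[0].status = "finished"
    policy.tracker[0].date_updated = t0 + 30
    results["too_soon"] = policy.check(ip, 10_000_000, t0 + 40, "free user")
    results["after_wait"] = policy.check(ip, 10_000_000, t0 + 100, "free user")
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome or 'allowed'}")
```

Because all three limits key on the client address, they inherit the same weaknesses as the IP-bound token: many users behind one NAT count against each other, and a client that can rotate addresses resets its own counters.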
 

adam

Administrator
Staff member
Dec 5, 2009
Hi,

Looks good to me. There are plans to make the whole download process more token based in the future, so hopefully this will be managed in the same code as the other file downloads. For now it should cover it, though.

Adam.