
Strange output in browser

Posted: Wed Feb 28, 2007 4:12 pm
by Dave2000
On a PHP page, I have a shoutbox. I refreshed the page to find the below where new messages are displayed for the shoutbox. I refreshed again and it was gone. I have checked my SQL database and it doesn't seem to have been inserted. Does anyone know what this is? A hack attempt? A server malfunction? I am thinking maybe the latter as it distorted some of the table layout, which is not part of the shoutbox :? But I am really not sure...
[quote]47k������…ãjÒ÷Ö¹«t«¨“���"ÍåE/ÍåEÿÿÿÿÌåE�����`.���http://peekvid.com/client/images/tab-tv-o.gif�HTTP/1.0 200 OK Connection: keep-alive Content-Type: image/gif ETag: "-3918567750599691631" Accept-Ranges: bytes Last-Modified: Wed, 28 Feb 2007 18:38:20 GMT Content-Length: 779 Date: Wed, 28 Feb 2007 18:42:42 GMT Server: lighttpd/1.4.11 GIF89av�$�Ä��í÷âÚïÅñùé¹á’éõÜÈç¨Öí¾·à

Posted: Wed Feb 28, 2007 10:11 pm
by feyd
Are the legible parts of that generated from your server?

At least part of that is binary image data (the parts at and after "GIF89a").

Posted: Thu Mar 01, 2007 2:27 am
by Dave2000
feyd wrote: Are the legible parts of that generated from your server?
Hello feyd. I am not entirely sure. I have never before seen http://peekvid.com/ and the server I use is not lighttpd/1.4.11. I use Apache server. However the server is GMT time and the time, 18:38:20 GMT, (as far as I can remember) looks about right for the time when this happened.

Posted: Thu Mar 01, 2007 4:36 am
by dhrosti
Maybe it's trying to render everything as a GIF image because of the "Content-type: image/gif" bit at the top???

Posted: Thu Mar 01, 2007 8:46 am
by feyd
Shears wrote: Hello feyd. I am not entirely sure. I have never before seen http://peekvid.com/ and the server I use is not lighttpd/1.4.11. I use Apache server. However the server is GMT time and the time, 18:38:20 GMT, (as far as I can remember) looks about right for the time when this happened.
It would sound like you have had an injection of some sort then. Post the code of your script(s) and we can go from there.

Posted: Thu Mar 01, 2007 10:18 pm
by Dave2000
Here it is...

Code:

function shoutbox_shout($message) 
{
	// $main is assumed to be the page's global output string; without this
	// declaration the notices appended below are lost when the function returns.
	global $userid, $gmttime, $main;
	
	// Check whether this user is banned (permanently, or until a timestamp).
	$result = db_query("SELECT shoutbox_ban FROM user_options WHERE userid = '$userid'");
	$row = mysql_fetch_assoc($result);
	$shoutbox_ban = $row['shoutbox_ban'];
	if ( $shoutbox_ban == 1 || $shoutbox_ban > $gmttime ) 
	{
		$main .= 'You have been banned from using the shoutbox.'; 
	}
	else 
	{
		// Rate limit: count this user's posts in the last 20 minutes.
		$result = db_query("SELECT message FROM shoutbox WHERE poster_id = '$userid' AND user_del != '1' AND $gmttime-time < 60*20 ORDER BY id DESC");
		if ( mysql_num_rows($result) >= 15 ) 
		{ 
			$main .= 'You cannot post more than 15 times in 20 minutes.'; 
		}
		else 
		{ 
			if ( mysql_num_rows($result) != 0 ) { $last_message = mysql_result($result, '0', 'message'); }
			
			$message = trim($message);
			
			// Fetch the user's most recent visible message (replaces the value set above).
			$result = mysql_query("SELECT message FROM shoutbox WHERE poster_id = '$userid' AND user_del != '1' AND m_del != '1' ORDER BY id DESC LIMIT 0,1");
			$row = mysql_fetch_assoc($result);
			$last_message = $row['message'];
			
			// Stored messages are entity-encoded; decode before comparing with the raw input.
			$last_message = html_entity_decode($last_message, ENT_QUOTES);
			
			if ( strtolower($last_message) == strtolower($message) ) 
			{
				$main .= 'No double posting!';
			}
			elseif ($message == '') 
			{
				// do nothing
			}
			else
			{
				$message = substr($message, 0, 130);
				$message = htmlentities($message, ENT_QUOTES);
				// htmlentities() leaves parentheses alone; encode them as numeric entities.
				$message = str_replace ( '(', '&#40;', $message);
				$message = str_replace ( ')', '&#41;', $message);
				// htmlentities() does not touch backslashes, so escape for SQL separately.
				$message = mysql_real_escape_string($message);
				db_query("INSERT INTO shoutbox (id, poster_id, message, time) VALUES ('', '$userid', '$message', '$gmttime')");
			}
		}
	}
}
Thanks. Remember, as I said, nothing of the error in my first post appeared to have been added to the database...

Posted: Fri Mar 02, 2007 12:25 am
by feyd
It's not possible to tell where this happened without seeing far more code.

Even then, you need to go in and attempt to detect where the output for this information is happening.
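
One way to check whether bytes like those in the first post are present in the page the PHP script itself generates, as an added example that is not code from the thread or from any poster. The function names `find_foreign_markers` and `audit_output` and the `shoutbox-audit` log tag are hypothetical; the patterns are taken from the legible parts of the pasted output.

```php
<?php
// Added example: scan the complete generated page for markers that should
// never appear in HTML (a raw HTTP status line, an image Content-Type
// header, GIF magic bytes) and log where they occur.

function find_foreign_markers($html)
{
    $patterns = array(
        'http_status_line' => '/HTTP\/1\.[01] \d{3} /',
        'image_header'     => '/Content-Type: image\/\w+/i',
        'gif_magic'        => '/GIF8[79]a/',
    );
    $hits = array();
    foreach ($patterns as $name => $re) {
        if (preg_match($re, $html, $m, PREG_OFFSET_CAPTURE)) {
            $hits[$name] = $m[0][1]; // byte offset of the first match
        }
    }
    return $hits;
}

// Output-buffer callback: runs once on the whole page before it is sent.
function audit_output($buffer)
{
    $hits = find_foreign_markers($buffer);
    if ($hits) {
        $uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '(cli)';
        foreach ($hits as $name => $offset) {
            // Hex excerpt, so binary bytes cannot corrupt the log file.
            $excerpt = bin2hex(substr($buffer, max(0, $offset - 16), 64));
            error_log("shoutbox-audit: $name at byte $offset of $uri: $excerpt");
        }
    }
    return $buffer; // pass the page through unchanged
}

ob_start('audit_output'); // must run before any output is produced

// ... the rest of the page (shoutbox included) is generated here ...

if (PHP_SAPI === 'cli') {
    // Constructed sample page: normal markup followed by foreign bytes.
    echo "<td>hello</td>HTTP/1.0 200 OK Content-Type: image/gif GIF89a\x01\x00";
}
```

A logged hit means the bytes were in the script's own buffered output, and the offset shows which part of the page to trace back; if the garbage reappears in the browser with nothing logged, it did not pass through this buffer.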