The following code is a security patch for the Quikstore.cgi / quikstore.pl versions of the program.

Versions: 1.0 - 2.10.xx beta, version 3.0 released in 1999. (This is not applicable to the 2001 3.0 release.)

To install this patch, open the quikstore.cgi, or quikstore.pl if you are using that version, in a TEXT ONLY editor. You can use Windows "WordPad" as long as you are careful to save the file as TEXT ONLY when you are done.

NOTE: Each subroutine is separated by a pound sign and 70 "-" characters like this:

#--------------------------------------------------------------------

so it will be easy for you to find the start and end of the subroutine that requires the change below.

There are two parts to this update:

1. Update the quikstore.cgi file
2. Update the qs_main.cgi configuration file

# -------------------------------------------------------------------
# PART ONE - Update the quikstore.cgi file
# -------------------------------------------------------------------

1. Open the quikstore.cgi file and do a search to find the following line: "sub error_check_form_data" (without the quotes)

2. Highlight the entire error_check_form_data subroutine, as described above, and then cut/replace the text with the subroutine text as listed below.

3. Save the file as TEXT ONLY. Be careful: WordPad might rename the file to quikstore.cgi.txt. Just rename it back to quikstore.cgi after you save it.

The updated subroutine text is listed here. Just copy and paste this over the existing sub error_check_form_data routine in your quikstore.cgi.

# -------------------------------------------------------------------
sub error_check_form_data {
    if($debug){ print "error_check_form_data \n"; }
    my($pageToCheck) = @_;

    # error_check_form_data is responsible for checking to
    # make sure that only authorized pages are viewable using
    # this application.
    if(($pageToCheck eq "")&&($form_data{'page'} ne "")){
        $pageToCheck = $form_data{'page'};
    }
    if($pageToCheck eq ""){
        return 1;
    }

    # We start by assuming that the "page" value is valid.
    my($valid_page) = 1;

    # get rid of attempts to insert illegal characters
    $pageToCheck =~ s/[\`\;\*\|\#\^\!\(\)\{\}]/ /gs;
    # get rid of attempts to insert server-side-includes
    $pageToCheck =~ s/<!--(.|\n)*-->//g;
    # get rid of attempts to insert HTML tags
    $pageToCheck =~ s/<([^>]|\n)*>//gs;

    # If a referring URL was specified, for each valid referer, make sure
    # that a valid referring URL was passed to this script.
    if($cf{'check_referer'} =~ /yes/i){
        my($vReferer) = 0;
        if ($ENV{'HTTP_REFERER'}) {
            my($referer);
            my(@referers);
            if($cf{'valid_referers'} ne ""){
                @referers = split(/,/,$cf{'valid_referers'});
            }
            else{
                # Fall back to the site URL (and the secure URL, minus the
                # script name, if the order form is served over SSL).
                $referers[0] = $cf{'web_site_url'};
                if($cf{'order_form_secure'} =~ /yes/i){
                    my(@secureURL) = split(/\//,$cf{'secure_script_url'});
                    pop(@secureURL);
                    $referers[1] = join("/",@secureURL);
                }
            }
            # Each valid referer is used as a case-insensitive prefix pattern.
            foreach $referer (@referers) {
                if($ENV{'HTTP_REFERER'} =~ /^$referer/i) {
                    $vReferer = 1;
                    last;
                }
            }
            unless($vReferer){ $valid_page = 0; }
        }
    }

    # Now, if we get this far, we verify the file
    # extensions to make sure they are valid.
    if(($pageToCheck ne "")&&($valid_page)){
        # Check the list of acceptable file extensions
        my(@acceptable_files) = split(/\,/,$cf{'acceptable_filenames'});
        my($extFound) = 0;
        my($file_extension);
        foreach $file_extension (@acceptable_files){
            if($pageToCheck =~ /\.$file_extension/i){ $extFound = 1; }
        }
        unless($extFound){ $valid_page = 0; }

        # If we still have a valid page, we now
        # check the list of UNacceptable filenames.
        # Each entry is applied as an unanchored pattern against the page name.
        if($valid_page){
            my(@invalid_extensions) = split(/\,/,$cf{'unacceptable_filenames'});
            foreach $file_extension (@invalid_extensions){
                if($pageToCheck =~ /$file_extension/i){
                    $valid_page = 0;
                    last;
                }
            }
        }
    }

    # If the $valid_page is set to false,
    # send a warning and write to the error
    # log if appropriate.
    unless($valid_page){
        print "Access Denied!\n";
        print "$strings{'page_load_security_warning'}\n";
        &update_error_log("PAGE LOAD WARNING", __FILE__, __LINE__);
        exit;
    }
} # End sub error_check_form_data
# -------------------------------------------------------------------

# -------------------------------------------------------------------
# PART TWO - Update the qs_main.cgi configuration file
# -------------------------------------------------------------------

Part two adds/modifies a couple of new entries in the qs_main file. It has two steps:

1. Search for [ACCEPTABLE_FILES] and replace the section with the updated section listed below:

# --------------------------------------------------------------
[ACCEPTABLE_FILES]
#
# Acceptable files is simply a list of the acceptable
# file names that can be displayed to the user when
# filtered (called) through the quikstore.cgi script.
#
acceptable_filenames=htm,html,shtml
#
# Unacceptable filenames are filenames or directories
# that are NOT allowed.
#
unacceptable_filenames=../,bin,cgi,ini,etc,passwd,log
#
# Valid referers only allows pages to be displayed
# from the urls listed below. If this is left blank,
# the system will try to use the web_site_url variable
# from above. If that one is blank, the system will
# attempt to get this value from the server.
#
valid_referers=
#
# Check referer allows you to turn the referer feature
# on and off. If this is on and someone links to one of
# your pages through quikstore.pl like this:
# quikstore.pl?page=order.html it will error out. However,
# this also makes sure you only allow pages to be opened
# from links on your site.
#
check_referer=no
#

2. Add the web site url to the list of valid referers:

While the program will use the current web site url as a "valid referer", you should add YOUR web site url to this list of valid_referers. You should also add your secure URL if you are using one.

valid_referers=http://www.yoursite.com,https://secure.mysite.com

These entries MUST be in the "formal" URL format like this:

http://www.yoursite.com

Entries like this will NOT work:

www.yoursite.com or yoursite.com

That's it.

Test your entire site and make sure it does not give you a page load warning. If it does, then it could be caused by one of the unacceptable_filenames entries:

unacceptable_filenames=../../,bin,cgi,ini,etc,passwd,log

If the filename you are trying to view has one of the entries above in its name, like "bikini.html", it will error out because one of the unacceptable names is "ini". So, you may have to adjust this list accordingly.
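The stand-alone script below is an added example; it is not QuikStore code and does not ship with the patch. It re-implements the page-name and referer tests that the patched error_check_form_data performs (Part One), fed with the [ACCEPTABLE_FILES] values from Part Two, so the "bikini.html" false positive described above can be reproduced on the command line without touching a live store. Beside each check it places a stricter variant that is this example's own design, not part of the patch: the extension must end the name, the path is split into segments, traversal and absolute paths are refused, deny-list entries must match a whole segment, and the referer is compared on scheme and host rather than as a prefix pattern. The sample page names and referers are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not QuikStore's own code: re-implements the page-name filter
# from the patched error_check_form_data using the Part Two configuration,
# and sets a stricter variant (this example's own design) beside it.
use strict;
use warnings;

# Values copied from the [ACCEPTABLE_FILES] section in Part Two.
my %cf = (
    acceptable_filenames   => 'htm,html,shtml',
    unacceptable_filenames => '../,bin,cgi,ini,etc,passwd,log',
    valid_referers         => 'http://www.yoursite.com,https://secure.mysite.com',
);

# Mirrors the patch: an extension may appear anywhere in the name, and every
# unacceptable entry is an unanchored regex, so the "." in "../" matches any
# character and "bin"/"ini" match inside longer words such as "bikini".
sub patch_allows_page {
    my ($page) = @_;
    my $ext_ok = 0;
    foreach my $ext (split /,/, $cf{'acceptable_filenames'}) {
        $ext_ok = 1 if $page =~ /\.$ext/i;
    }
    return 0 unless $ext_ok;
    foreach my $bad (split /,/, $cf{'unacceptable_filenames'}) {
        return 0 if $page =~ /$bad/i;
    }
    return 1;
}

# Stricter variant: the allowed extension must end the name, the path is
# checked one segment at a time, and a deny entry must equal a whole segment.
sub strict_allows_page {
    my ($page) = @_;
    return 0 if $page eq '' || $page =~ m{^/} || $page =~ /[\0\\]/;
    my $ext_re = join '|', map { quotemeta } split /,/, $cf{'acceptable_filenames'};
    return 0 unless $page =~ /\.(?:$ext_re)\z/i;
    my %deny = map { lc($_) => 1 } split /,/, $cf{'unacceptable_filenames'};
    foreach my $seg (split m{/}, $page, -1) {
        return 0 if $seg eq '' || $seg eq '.' || $seg eq '..';
        return 0 if $deny{ lc $seg };
    }
    return 1;
}

# Mirrors the patch's referer test: each valid referer is a prefix pattern.
sub patch_referer_ok {
    my ($referer) = @_;
    foreach my $valid (split /,/, $cf{'valid_referers'}) {
        return 1 if $referer =~ /^$valid/i;
    }
    return 0;
}

# Stricter variant: extract scheme://host and require an exact match, so a
# host that merely begins with the configured one is not accepted.
sub strict_referer_ok {
    my ($referer) = @_;
    my ($origin) = $referer =~ m{^([a-z][a-z0-9+.-]*://[^/?#]+)}i or return 0;
    foreach my $valid (split /,/, $cf{'valid_referers'}) {
        return 1 if lc($origin) eq lc($valid);
    }
    return 0;
}

# Constructed sample inputs (not taken from any real deployment).
my @pages = ('order.html', 'bikini.html', 'docs/order.html',
             'order.html.bak', '../../etc/passwd');
my @referers = ('http://www.yoursite.com/catalog.html',
                'http://www.yoursite.com.example.net/catalog.html');

printf "%-45s patch=%d strict=%d\n", $_, patch_allows_page($_), strict_allows_page($_) for @pages;
printf "%-45s patch=%d strict=%d\n", $_, patch_referer_ok($_), strict_referer_ok($_) for @referers;
```

Running it shows where the two approaches part ways. The patch's substring deny list rejects bikini.html (it contains both "bin" and "ini"), and because "../" is an unanchored regex in which "." matches any character, it also rejects a page in a subdirectory such as docs/order.html; the segment-based variant accepts both while still refusing ../../etc/passwd. Conversely, the patch's extension check only asks whether ".html" appears somewhere in the name, so order.html.bak passes it but not the anchored check. For the referer, the prefix pattern accepts any referer that starts with the configured URL, including a host on another domain whose name begins with www.yoursite.com, whereas the exact scheme-and-host comparison does not.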