Image Handler 4 (for v1.5.x) Support Thread

[mc12345678]

Ok I searched for posts by torvista, and the only code change suggested is the one that I said I did. The pop up is showing the "no image" image but not my additional image as it should.

Although Diva has reposted some good guidance, I am providing the following without seeing the issue first hand.

With the limited available information, it sounds like in a situation where you have multiple pictures, if you select the primary picture it shows properly; however, if you select the additional image then nothing shows. Have you reviewed the filename of the database (including extension) against the stored file, your .htaccess permissions, and the extensions expected by this plugin? I came across an issue once before where I had some files with an extension of JPG instead of jpg and I had limitations in my .htaccess to allow jpg but not JPG. when attempting to view the picture it would not show.

That said, you mentioned (right or wrong) that the "no image" image showed, this isn't the same "no image" image of not uploading an image for a product is it, but rather an "error" image associated with not being able to display the desired image, correct?

[DivaVocals]

Although Diva has reposted some good guidance, I am providing the following without seeing the issue first hand.

With the limited available information, it sounds like in a situation where you have multiple pictures, if you select the primary picture it shows properly; however, if you select the additional image then nothing shows. Have you reviewed the filename of the database (including extension) against the stored file, your .htaccess permissions, and the extensions expected by this plugin? I came across an issue once before where I had some files with an extension of JPG instead of jpg and I had limitations in my .htaccess to allow jpg but not JPG. when attempting to view the picture it would not show.

That said, you mentioned (right or wrong) that the "no image" image showed, this isn't the same "no image" image of not uploading an image for a product is it, but rather an "error" image associated with not being able to display the desired image, correct?

mydanilo confirmed for me that the new code for the additional images popup is not working correctly on a consistent basis.. The new code was tested.. It worked fine in my test store which is why I went ahead and submitted the update to Image Handler. However, I've recently done a brand new install for a new client and found that instead of the additional images displaying, the popup is displaying the "no image" product image instead of the proper additional images.. I further confirmed that the previous version of this file correctly displays the additional images in the popup.

I was able to repeat this same errant behavior in a site where I am doing a site makeover. As a part of that site makeover, I am updating all of the store add-ons including Image Handler.. Initially I MISSED that the issue was even occurring because this particular site also has a Colorbox module installed, and when the Colorbox module is active, the additional images show without any issues, but once I turn off the ColorBox, the behavior mydanilo is reporting occurs.

So there is an issue, but it appears that it is not an issue for all stores, and rolling back to the old version of the additional images files is not a good solution since there was a legitimate security issue with the old code.. All that said I DO NOT know how to fix this, and I would appreciate some SKILLED eyes from the community to take a look at the additional images popup code and see if they can spot the issue..

[mydanilo]

mc12345678, your are correct. It shows the error image instead of my additional image. I shall check if the new IH handles my file names differently. I don't think I have screwed up picture file names but I will double check later and post result.

[mydanilo]

I've uploaded now the IH4 version of the tpl_main_page.php again so you can see the behavior. Take spaces out of this link.
http://www. mydanilo.com /zen15/index.php?main_page=product_info&cPath=53&products_id=741

[DivaVocals]

Dunno if this is CORRECT or resolves the XSS issues that was the inciting reason why IH4 was updated to begin with.. This code works, but I need someone to validate if it resolves the XSS issue that was identified in IH4 v4.1.

Code:

<?php
/**mod Image Handler 4.3.2
 * Override Template for common/tpl_main_page.php
 *
 * @package templateSystem
 * @copyright Copyright 2005-2006 Tim Kroeger
 * @copyright Copyright 2003-2005 Zen Cart Development Team
 * @copyright Portions Copyright 2003 osCommerce
 * @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
 * @version $Id: tpl_main_page.php,v 2.0 Rev 8 2010-05-31 23:46:5 DerManoMann Exp $
 */
?>
<body id="popupAdditionalImage" class="centeredContent" onload="resize();">
<div>
<?php
    echo '<a href="javascript:window.close()">' . zen_image(strip_tags($_GET['products_image_large_additional']), $products_values->fields['products_name'] . ' ' . TEXT_CLOSE_WINDOW) . '</a>';
?>
</div>
</body>

[mydanilo]

Dunno if this is CORRECT or resolves the XSS issues that was the inciting reason why IH4 was updated to begin with.. This code works, but I need someone to validate if it resolves the XSS issue that was identified in IH4 v4.1.

Code:

<?php
/**mod Image Handler 4.3.2
 * Override Template for common/tpl_main_page.php
 *
 * @package templateSystem
 * @copyright Copyright 2005-2006 Tim Kroeger
 * @copyright Copyright 2003-2005 Zen Cart Development Team
 * @copyright Portions Copyright 2003 osCommerce
 * @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
 * @version $Id: tpl_main_page.php,v 2.0 Rev 8 2010-05-31 23:46:5 DerManoMann Exp $
 */
?>
<body id="popupAdditionalImage" class="centeredContent" onload="resize();">
<div>
<?php
    echo '<a href="javascript:window.close()">' . zen_image(strip_tags($_GET['products_image_large_additional']), $products_values->fields['products_name'] . ' ' . TEXT_CLOSE_WINDOW) . '</a>';
?>
</div>
</body>

This code works. My additional images popup now show up. Don't know about XSS issue tho.

[DivaVocals]

This code works. My additional images popup now show up. Don't know about XSS issue tho.

I wasn't looking for confirmation whether the code works.. I already know it works I tested it on all the sites where I was having the issue with the additional images that you reported..

I need confirmation if it resolves the XSS vulnerability.. so I suggest strongly that you NOT use this code until such a time as someone confirms this fix is correct and SAFE to use..

[DivaVocals]

Dunno if this is CORRECT or resolves the XSS issues that was the inciting reason why IH4 was updated to begin with.. This code works, but I need someone to validate if it resolves the XSS issue that was identified in IH4 v4.1.

Code:

<?php
/**mod Image Handler 4.3.2
 * Override Template for common/tpl_main_page.php
 *
 * @package templateSystem
 * @copyright Copyright 2005-2006 Tim Kroeger
 * @copyright Copyright 2003-2005 Zen Cart Development Team
 * @copyright Portions Copyright 2003 osCommerce
 * @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
 * @version $Id: tpl_main_page.php,v 2.0 Rev 8 2010-05-31 23:46:5 DerManoMann Exp $
 */
?>
<body id="popupAdditionalImage" class="centeredContent" onload="resize();">
<div>
<?php
    echo '<a href="javascript:window.close()">' . zen_image(strip_tags($_GET['products_image_large_additional']), $products_values->fields['products_name'] . ' ' . TEXT_CLOSE_WINDOW) . '</a>';
?>
</div>
</body>

DO NOT USE THIS CODE UNTIL IT IS VERIFIED AS SAFE!!!

That said here's an alternate..

Code:

<?php
/**mod Image Handler 4.1
 * Override Template for common/tpl_main_page.php
 *
 * @package templateSystem
 * @copyright Copyright 2005-2006 Tim Kroeger
 * @copyright Copyright 2003-2005 Zen Cart Development Team
 * @copyright Portions Copyright 2003 osCommerce
 * @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
 * @version $Id: tpl_main_page.php,v 2.0 Rev 8 2010-05-31 23:46:5 DerManoMann Exp $
 */
?>
<body id="popupAdditionalImage" class="centeredContent" onload="resize();">
<div>
<?php
  echo '<a href="javascript:window.close()">' . zen_image(htmlspecialchars($_GET['products_image_large_additional']), $products_values->fields['products_name'] . ' ' . TEXT_CLOSE_WINDOW) . '</a>'  
?>
</div>
</body>

[mydanilo]

@DivaVocals sorry I was not aware until now that you acknowledged that this is an issue on your/other sites too. I thought this was just me that has the problem at this point. So we had a general mod issue here, huh. Good to know at least that my other mods and recent changes did not affect this behavior. Thank you for all the work with IMH4. Great to have this back.

[DrByte]

Dunno if this is CORRECT or resolves the XSS issues that was the inciting reason why IH4 was updated to begin with.. This code works, but I need someone to validate if it resolves the XSS issue that was identified in IH4 v4.1.

Code:

<?php
/**mod Image Handler 4.3.2
 * Override Template for common/tpl_main_page.php
 *
 * @package templateSystem
 * @copyright Copyright 2005-2006 Tim Kroeger
 * @copyright Copyright 2003-2005 Zen Cart Development Team
 * @copyright Portions Copyright 2003 osCommerce
 * @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
 * @version $Id: tpl_main_page.php,v 2.0 Rev 8 2010-05-31 23:46:5 DerManoMann Exp $
 */
?>
<body id="popupAdditionalImage" class="centeredContent" onload="resize();">
<div>
<?php
    echo '<a href="javascript:window.close()">' .  zen_image(strip_tags($_GET['products_image_large_additional']),  $products_values->fields['products_name'] . ' ' . TEXT_CLOSE_WINDOW) .  '</a>';
?>
</div>
</body>

DO NOT USE THIS CODE UNTIL IT IS VERIFIED AS SAFE!!!

That said here's an alternate..

Code:

<?php
/**mod Image Handler 4.1
 * Override Template for common/tpl_main_page.php
 *
 * @package templateSystem
 * @copyright Copyright 2005-2006 Tim Kroeger
 * @copyright Copyright 2003-2005 Zen Cart Development Team
 * @copyright Portions Copyright 2003 osCommerce
 * @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
 * @version $Id: tpl_main_page.php,v 2.0 Rev 8 2010-05-31 23:46:5 DerManoMann Exp $
 */
?>
<body id="popupAdditionalImage" class="centeredContent" onload="resize();">
<div>
<?php
  echo '<a href="javascript:window.close()">' .  zen_image(htmlspecialchars($_GET['products_image_large_additional']),  $products_values->fields['products_name'] . ' ' . TEXT_CLOSE_WINDOW) .  '</a>'  
?>
</div>
</body>

While either of those approaches will prevent the abuse of rogue HTML characters from causing trouble (XSS), it doesn't prevent the risks of specifying a path to a file that exists outside expected image folder locations (CSRF). ie: one could just manually change the image filename on the URL from images/large/IMG123.jpg to includes/templates/template_default/images/down_for_maintenance.gif ... or something dangerous like ../../../../../../etc/passwords to attempt to access files entirely outside of the website and into the core operating system.
That said, attempts to access ../../../etc/passwords would fail to disclose the actual file contents to the browser because webservers won't output the contents of those files via an IMG tag.

But you *could* put a URL in there and use it to load a malicious image file from a COMPLETELY DIFFERENT SERVER, and have it run the rogue code in your browser, and thus infect your computer, taint your browser cache, start rogue sessions someplace, steal your cookie data, and trick you into disclosing admin or other password credentials.
Consider this:

http://example.com/index.php?main_pa.../test_demo.jpg
While that produces an image of 0 height or 0 width because the file can't be located on the local server, it does still set the src= value to the external URL because IH isn't verifying that the file exists on the local server, and is just allowing any random file to be loaded into that IMG tag, regardless of whether that file is malicious or not.

That's why the original ZC code at least runs file_exists() on $_GET['products_image_large_additional'] to make sure the file is present locally.

I'd suggest that if the previous code "change" is causing problems with finding the correct image and thus triggering the NoPicture response, that something's wrong with what's being passed as the image URL when the popup link is generated. So that's in the IH additional_images module or the template, not in the popup code which is where you were looking in the code questions you posted about today.