Image Handler 4 (for v1.5.x) Support Thread

[mydanilo]

mc12345678, your are correct. It shows the error image instead of my additional image. I shall check if the new IH handles my file names differently. I don't think I have screwed up picture file names but I will double check later and post result.

[mydanilo]

I've uploaded now the IH4 version of the tpl_main_page.php again so you can see the behavior. Take spaces out of this link.
http://www. mydanilo.com /zen15/index.php?main_page=product_info&cPath=53&products_id=741

[DivaVocals]

Dunno if this is CORRECT or resolves the XSS issues that was the inciting reason why IH4 was updated to begin with.. This code works, but I need someone to validate if it resolves the XSS issue that was identified in IH4 v4.1.

Code:

<?php
/**mod Image Handler 4.3.2
 * Override Template for common/tpl_main_page.php
 *
 * @package templateSystem
 * @copyright Copyright 2005-2006 Tim Kroeger
 * @copyright Copyright 2003-2005 Zen Cart Development Team
 * @copyright Portions Copyright 2003 osCommerce
 * @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
 * @version $Id: tpl_main_page.php,v 2.0 Rev 8 2010-05-31 23:46:5 DerManoMann Exp $
 */
?>
<body id="popupAdditionalImage" class="centeredContent" onload="resize();">
<div>
<?php
    echo '<a href="javascript:window.close()">' . zen_image(strip_tags($_GET['products_image_large_additional']), $products_values->fields['products_name'] . ' ' . TEXT_CLOSE_WINDOW) . '</a>';
?>
</div>
</body>

[mydanilo]

Dunno if this is CORRECT or resolves the XSS issues that was the inciting reason why IH4 was updated to begin with.. This code works, but I need someone to validate if it resolves the XSS issue that was identified in IH4 v4.1.

Code:

<?php
/**mod Image Handler 4.3.2
 * Override Template for common/tpl_main_page.php
 *
 * @package templateSystem
 * @copyright Copyright 2005-2006 Tim Kroeger
 * @copyright Copyright 2003-2005 Zen Cart Development Team
 * @copyright Portions Copyright 2003 osCommerce
 * @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
 * @version $Id: tpl_main_page.php,v 2.0 Rev 8 2010-05-31 23:46:5 DerManoMann Exp $
 */
?>
<body id="popupAdditionalImage" class="centeredContent" onload="resize();">
<div>
<?php
    echo '<a href="javascript:window.close()">' . zen_image(strip_tags($_GET['products_image_large_additional']), $products_values->fields['products_name'] . ' ' . TEXT_CLOSE_WINDOW) . '</a>';
?>
</div>
</body>

This code works. My additional images popup now show up. Don't know about XSS issue tho.

[DivaVocals]

This code works. My additional images popup now show up. Don't know about XSS issue tho.

I wasn't looking for confirmation whether the code works.. I already know it works I tested it on all the sites where I was having the issue with the additional images that you reported..

I need confirmation if it resolves the XSS vulnerability.. so I suggest strongly that you NOT use this code until such a time as someone confirms this fix is correct and SAFE to use..

[DivaVocals]

Dunno if this is CORRECT or resolves the XSS issues that was the inciting reason why IH4 was updated to begin with.. This code works, but I need someone to validate if it resolves the XSS issue that was identified in IH4 v4.1.

Code:

<?php
/**mod Image Handler 4.3.2
 * Override Template for common/tpl_main_page.php
 *
 * @package templateSystem
 * @copyright Copyright 2005-2006 Tim Kroeger
 * @copyright Copyright 2003-2005 Zen Cart Development Team
 * @copyright Portions Copyright 2003 osCommerce
 * @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
 * @version $Id: tpl_main_page.php,v 2.0 Rev 8 2010-05-31 23:46:5 DerManoMann Exp $
 */
?>
<body id="popupAdditionalImage" class="centeredContent" onload="resize();">
<div>
<?php
    echo '<a href="javascript:window.close()">' . zen_image(strip_tags($_GET['products_image_large_additional']), $products_values->fields['products_name'] . ' ' . TEXT_CLOSE_WINDOW) . '</a>';
?>
</div>
</body>

DO NOT USE THIS CODE UNTIL IT IS VERIFIED AS SAFE!!!

That said here's an alternate..

Code:

<?php
/**mod Image Handler 4.1
 * Override Template for common/tpl_main_page.php
 *
 * @package templateSystem
 * @copyright Copyright 2005-2006 Tim Kroeger
 * @copyright Copyright 2003-2005 Zen Cart Development Team
 * @copyright Portions Copyright 2003 osCommerce
 * @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
 * @version $Id: tpl_main_page.php,v 2.0 Rev 8 2010-05-31 23:46:5 DerManoMann Exp $
 */
?>
<body id="popupAdditionalImage" class="centeredContent" onload="resize();">
<div>
<?php
  echo '<a href="javascript:window.close()">' . zen_image(htmlspecialchars($_GET['products_image_large_additional']), $products_values->fields['products_name'] . ' ' . TEXT_CLOSE_WINDOW) . '</a>'  
?>
</div>
</body>

[mydanilo]

@DivaVocals sorry I was not aware until now that you acknowledged that this is an issue on your/other sites too. I thought this was just me that has the problem at this point. So we had a general mod issue here, huh. Good to know at least that my other mods and recent changes did not affect this behavior. Thank you for all the work with IMH4. Great to have this back.

[DrByte]

Dunno if this is CORRECT or resolves the XSS issues that was the inciting reason why IH4 was updated to begin with.. This code works, but I need someone to validate if it resolves the XSS issue that was identified in IH4 v4.1.

Code:

<?php
/**mod Image Handler 4.3.2
 * Override Template for common/tpl_main_page.php
 *
 * @package templateSystem
 * @copyright Copyright 2005-2006 Tim Kroeger
 * @copyright Copyright 2003-2005 Zen Cart Development Team
 * @copyright Portions Copyright 2003 osCommerce
 * @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
 * @version $Id: tpl_main_page.php,v 2.0 Rev 8 2010-05-31 23:46:5 DerManoMann Exp $
 */
?>
<body id="popupAdditionalImage" class="centeredContent" onload="resize();">
<div>
<?php
    echo '<a href="javascript:window.close()">' .  zen_image(strip_tags($_GET['products_image_large_additional']),  $products_values->fields['products_name'] . ' ' . TEXT_CLOSE_WINDOW) .  '</a>';
?>
</div>
</body>

DO NOT USE THIS CODE UNTIL IT IS VERIFIED AS SAFE!!!

That said here's an alternate..

Code:

<?php
/**mod Image Handler 4.1
 * Override Template for common/tpl_main_page.php
 *
 * @package templateSystem
 * @copyright Copyright 2005-2006 Tim Kroeger
 * @copyright Copyright 2003-2005 Zen Cart Development Team
 * @copyright Portions Copyright 2003 osCommerce
 * @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
 * @version $Id: tpl_main_page.php,v 2.0 Rev 8 2010-05-31 23:46:5 DerManoMann Exp $
 */
?>
<body id="popupAdditionalImage" class="centeredContent" onload="resize();">
<div>
<?php
  echo '<a href="javascript:window.close()">' .  zen_image(htmlspecialchars($_GET['products_image_large_additional']),  $products_values->fields['products_name'] . ' ' . TEXT_CLOSE_WINDOW) .  '</a>'  
?>
</div>
</body>

While either of those approaches will prevent the abuse of rogue HTML characters from causing trouble (XSS), it doesn't prevent the risks of specifying a path to a file that exists outside expected image folder locations (CSRF). ie: one could just manually change the image filename on the URL from images/large/IMG123.jpg to includes/templates/template_default/images/down_for_maintenance.gif ... or something dangerous like ../../../../../../etc/passwords to attempt to access files entirely outside of the website and into the core operating system.
That said, attempts to access ../../../etc/passwords would fail to disclose the actual file contents to the browser because webservers won't output the contents of those files via an IMG tag.

But you *could* put a URL in there and use it to load a malicious image file from a COMPLETELY DIFFERENT SERVER, and have it run the rogue code in your browser, and thus infect your computer, taint your browser cache, start rogue sessions someplace, steal your cookie data, and trick you into disclosing admin or other password credentials.
Consider this:

http://example.com/index.php?main_pa.../test_demo.jpg
While that produces an image of 0 height or 0 width because the file can't be located on the local server, it does still set the src= value to the external URL because IH isn't verifying that the file exists on the local server, and is just allowing any random file to be loaded into that IMG tag, regardless of whether that file is malicious or not.

That's why the original ZC code at least runs file_exists() on $_GET['products_image_large_additional'] to make sure the file is present locally.

I'd suggest that if the previous code "change" is causing problems with finding the correct image and thus triggering the NoPicture response, that something's wrong with what's being passed as the image URL when the popup link is generated. So that's in the IH additional_images module or the template, not in the popup code which is where you were looking in the code questions you posted about today.

[DivaVocals]

While either of those approaches will prevent the abuse of rogue HTML characters from causing trouble (XSS), it doesn't prevent the risks of specifying a path to a file that exists outside expected image folder locations (CSRF). ie: one could just manually change the image filename on the URL from images/large/IMG123.jpg to includes/templates/template_default/images/down_for_maintenance.gif ... or something dangerous like ../../../../../../etc/passwords to attempt to access files entirely outside of the website and into the core operating system.
That said, attempts to access ../../../etc/passwords would fail to disclose the actual file contents to the browser because webservers won't output the contents of those files via an IMG tag.

But you *could* put a URL in there and use it to load a malicious image file from a COMPLETELY DIFFERENT SERVER, and have it run the rogue code in your browser, and thus infect your computer, taint your browser cache, start rogue sessions someplace, steal your cookie data, and trick you into disclosing admin or other password credentials.
Consider this:

http://example.com/index.php?main_pa.../test_demo.jpg
While that produces an image of 0 height or 0 width because the file can't be located on the local server, it does still set the src= value to the external URL because IH isn't verifying that the file exists on the local server, and is just allowing any random file to be loaded into that IMG tag, regardless of whether that file is malicious or not.

That's why the original ZC code at least runs file_exists() on $_GET['products_image_large_additional'] to make sure the file is present locally.

I'd suggest that if the previous code "change" is causing problems with finding the correct image and thus triggering the NoPicture response, that something's wrong with what's being passed as the image URL when the popup link is generated. So that's in the IH additional_images module or the template, not in the popup code which is where you were looking in the code questions you posted about today.

Which makes this issue OFFICIALLY over my head to fix.. So I'm hoping that someone in the community who is following this thread can provide some insight.. Because I got nothing here..

Thanks Dr Byte for weighing in here..

[DivaVocals]

Which makes this issue OFFICIALLY over my head to fix.. So I'm hoping that someone in the community who is following this thread can provide some insight.. Because I got nothing here..

Thanks Dr Byte for weighing in here..

So I still don't know the fix, but I THINK I possibly have found the offending line that is causing the problem... (from includes/modules/YOUR_TEMPLATE/additional_images.php highlighted in red)

Code:

//  Begin Image Handler changes 1 of 2
//next line is commented out for Image Handler
//  $flag_has_large = file_exists($products_image_large);
    $flag_has_large = true;
//  End Image Handler changes 1 of 2
    $products_image_large = ($flag_has_large ? $products_image_large : $products_image_directory . $file);
    $flag_display_large = (IMAGE_ADDITIONAL_DISPLAY_LINK_EVEN_WHEN_NO_LARGE == 'Yes' || $flag_has_large);
    $base_image = $products_image_directory . $file;
    $thumb_slashes = zen_image(addslashes($base_image), addslashes($products_name), SMALL_IMAGE_WIDTH, SMALL_IMAGE_HEIGHT);
//  Begin Image Handler changes 2 of 2
//  remove additional single quotes from image attributes (important!)
    $thumb_slashes = preg_replace("/([^\\\\])'/", '$1\\\'', $thumb_slashes);
//  End Image Handler changes 2 of 2

When I remove this IH line and un-comment the Zen Cart default, the popup works correctly, BUT it no longer pulls the image from the bmz_cache folder..