Support A2Billing :

provided by Star2Billing S.L.

 Post subject: Re: api rates exploit?
PostPosted: Fri Apr 04, 2008 3:31 am 
Joined: Thu Jun 22, 2006 2:19 pm
Posts: 2890
Location: Devon, UK
gineta wrote:
The error shown is
Quote:
"WARNING POSsIBLE EXPLOIT"

Any idea? I think it is possible there is a dangerous vulnerability here.
I'm pretty sure it's not A2Billing generating that message. What else on your system might be saying that?


 Post subject:
PostPosted: Fri Apr 04, 2008 7:49 am 
Joined: Thu Oct 19, 2006 9:56 am
Posts: 300
Location: Athens, Greece
I suspect the PHP internals for the message.
Some scripting engine feels uncomfortable with the fact that request parameters include the list of fields that is later fed into the SQL.

Still, I believe, this is not as bad as it would seem: the 'getpost_ifset()' calls the 'sanitize_data' which strips enough special characters from these fields to cripple the exploit.

We might as well re-design the API in a safer way.
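xrg's point above, that the field list arrives in the request and is fed into the SQL after character stripping, is what an allowlist removes: each requested identifier is compared exactly against the known ratecard columns and anything else is refused outright. Added example, not A2Billing's own code; the column names are the ones used in this thread, while the table name, alias and function names are assumptions.

```php
<?php
// Added example, not A2Billing code. Column names are the ones used in the
// thread; the table name "rates", alias t1 and function names are assumptions.

const ALLOWED_RATE_FIELDS = [
    't1.destination' => true,
    't1.dialprefix'  => true,
    't1.rateinitial' => true,
];

/**
 * Parse the comma-separated field_to_display parameter and accept only
 * identifiers that match the allowlist exactly. Any unknown or empty
 * entry rejects the whole request (null), so no partially cleaned
 * string ever reaches the SQL.
 */
function select_rate_fields(string $requested): ?array
{
    $safe = [];
    foreach (explode(',', $requested) as $field) {
        $field = trim($field);
        if ($field === '' || !isset(ALLOWED_RATE_FIELDS[$field])) {
            return null;
        }
        $safe[] = $field;
    }
    return $safe;
}

/**
 * Build the SELECT only from allowlisted identifiers; the ratecard id is
 * left as a bound parameter ("?") for prepare()/execute().
 */
function build_rate_query(array $fields): string
{
    return 'SELECT ' . implode(', ', $fields)
         . ' FROM rates t1 WHERE t1.ratecardid = ? ORDER BY t1.dialprefix';
}

// Constructed requests: one as sent by the thread's rates.php, one naming a
// column the allowlist does not contain.
foreach (['t1.destination,t1.dialprefix,t1.rateinitial',
          't1.destination,t1.dialprefix,t1.other'] as $param) {
    $fields = select_rate_fields($param);
    echo $fields === null
        ? "rejected: $param\n"
        : build_rate_query($fields) . "\n";
}
```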


 Post subject: exploit or no is a error
PostPosted: Fri Apr 04, 2008 9:03 pm 
Joined: Tue Dec 04, 2007 12:05 am
Posts: 295
Stavros, as always you are right, and I apologize for my errors.

But this time I see the error is made only when I try to read the rates from the database with the code posted here.

On my server there are no other errors or logs so far for any exploit, and for security reasons this code is deleted forever from my server.

This time I believe more in xrg.

Quote:
I suspect the PHP internals for the message.
Some scripting engine feels uncomfortable with the fact that request parameters include the list of fields that is later fed into the SQL.

Still, I believe, this is not as bad as it would seem: the 'getpost_ifset()' calls the 'sanitize_data' which strips enough special characters from these fields to cripple the exploit.

We might as well re-design the API in a safer way.


 Post subject:
PostPosted: Fri Apr 04, 2008 11:45 pm 
Joined: Sat Sep 30, 2006 11:22 am
Posts: 167
Location: South East Florida
Got it to display when I changed to server with wrapper turned on and so on.

the deal now is that I'm using stavros php posted here (thank you) and I'm calling it with the following. You get the idea.

http://www.a2billing/api/display_rateca ... select=GBP

but it only works with the top part; when you select a country and search, it will display the first page for the country but not the others, it will not answer to clicking the letters for a country, it will not respond to next, etc.

What am I missing here to get it to work? Any ideas? Thanks.


 Post subject:
PostPosted: Fri Apr 04, 2008 11:50 pm 
Joined: Tue Dec 04, 2007 12:05 am
Posts: 295
ladca2003 wrote:
Got it to display when I changed to server with wrapper turned on and so on.

the deal now is that I'm using stavros php posted here (thank you) and I'm calling it with the following. You get the idea.

http://www.a2billing/api/display_rateca ... select=GBP

but it only works with the top part; when you select a country and search, it will display the first page for the country but not the others, it will not answer to clicking the letters for a country, it will not respond to next, etc.

What am I missing here to get it to work? Any ideas? Thanks.


This is what I spoke about before: Apache and also SELinux block the script and make the exploit warning.
It is only possible to show what you are looking at now.


 Post subject:
PostPosted: Fri Apr 04, 2008 11:55 pm 
Joined: Sat Sep 30, 2006 11:22 am
Posts: 167
Location: South East Florida
gineta, I use CentOS 5.1 in this case, but I have SELinux and firewalls turned off. I don't know if that makes a difference.


 Post subject:
PostPosted: Sat Apr 05, 2008 12:05 am 
Joined: Tue Dec 04, 2007 12:05 am
Posts: 295
ladca2003 wrote:
gineta, I use CentOS 5.1 in this case, but I have SELinux and firewalls turned off. I don't know if that makes a difference.


I put SELinux off, but the difference is in the policy and configuration you have in Apache. Please look at the security logs on your server.


 Post subject:
PostPosted: Sun Apr 06, 2008 11:01 am 
Joined: Fri Nov 16, 2007 12:28 pm
Posts: 74
I have a short question regarding the API.
How can I not display a rate when Destination and Rate/Min didn't change?

So instead of:
afghanistan mobile 009370 50.000 huf
afghanistan mobile 009375 50.000 huf
afghanistan mobile 009377 50.000 huf
afghanistan mobile 009378 50.000 huf
afghanistan mobile 009379 50.000 huf

Just:
afghanistan mobile 009370 50.000 huf


 Post subject:
PostPosted: Wed Apr 09, 2008 12:34 pm 
Joined: Thu Jan 31, 2008 10:49 am
Posts: 23
Location: Amsterdam, Netherlands
ladca2003 wrote:
Got it to display when I changed to server with wrapper turned on and so on.

the deal now is that I'm using stavros php posted here (thank you) and I'm calling it with the following. You get the idea.

http://www.a2billing/api/display_rateca ... select=GBP

but it only works with the top part; when you select a country and search, it will display the first page for the country but not the others, it will not answer to clicking the letters for a country, it will not respond to next, etc.

What am I missing here to get it to work? Any ideas? Thanks.


I have exactly the same problem so if anyone knows anything about it...

Stavros maybe :)

thanks


 Post subject:
PostPosted: Wed Apr 16, 2008 1:36 pm 
Joined: Thu Jan 31, 2008 10:49 am
Posts: 23
Location: Amsterdam, Netherlands
Well, the problem is that when you do a search by prefix or country you cannot get out of the first page, so I was looking at the code and I think you can fix this if you remove lines 135 and 142, where it says:
Code:
$current_page=0;


It is working for me now...
:)


 Post subject:
PostPosted: Wed Apr 16, 2008 1:52 pm 
Joined: Sat Sep 30, 2006 11:22 am
Posts: 167
Location: South East Florida
Yes sir, that did it. The file is display_ratecard.php.

Thank you so much.


Did you get your search by letters to work? I eliminated the letters from mine because I can't get them to work, or rather I don't know how to get them to work. It's not a big deal, but I'd like to have it working.


 Post subject:
PostPosted: Thu Apr 17, 2008 9:03 am 
Joined: Thu Jan 31, 2008 10:49 am
Posts: 23
Location: Amsterdam, Netherlands
ladca2003 wrote:
Did you get your search by letters to work? I eliminated the letters from mine because I can't get them to work, or rather I don't know how to get them to work. It's not a big deal, but I'd like to have it working.


It is working; here is the code that I'm using for rates.php, maybe it helps you.
Code:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<body>
<?php include
("https://www.totalvoip.nl/a2billing/api/display_ratecard.php?".
"key=thekey".
"&page_url=https://www.totalvoip.nl/rates.php".
"&ratecardid=4".
"&field_to_display=t1.destination,t1.dialprefix,t1.rateinitial".
"&column_name=Destination,Prefix,Rate/Min".
"&browse_letter=yes".
"&field_type=,,money".
"&css_url=https://www.totalvoip.nl/drupal/sites/default/files/color/garland-d1e2d75f/style.css?4&".
$_SERVER['QUERY_STRING']);
?>
</body>
</html>


 Post subject:
PostPosted: Thu Apr 17, 2008 12:21 pm 
Joined: Sat Sep 30, 2006 11:22 am
Posts: 167
Location: South East Florida
Thanks zuuldibo for all the help. Yes, the code works, yet I guess my problem is in my css statement. You know how originally the rate list shows yellow and white to distinguish between the output rows and be able to read a country better; well, when I use your code everything is white but everything works. When I get the colors, then it only partly works.

Thanks again it helps a lot because now I can narrow it better.


 Post subject:
PostPosted: Thu Apr 17, 2008 4:38 pm 
Joined: Thu Jan 31, 2008 10:49 am
Posts: 23
Location: Amsterdam, Netherlands
I think the problem is that you are missing the & symbol in the last option before the $_SERVER['QUERY_STRING']); it should look something like this for the default css:
Code:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<body>
<?php include
("https://yourdomain/a2billing/api/display_ratecard.php?".
"key=thekey".
"&page_url=https://yourdomain/rates.php".
"&ratecardid=4".
"&field_to_display=t1.destination,t1.dialprefix,t1.rateinitial".
"&column_name=Destination,Prefix,Rate/Min".
"&browse_letter=yes".
"&field_type=,,money&".
$_SERVER['QUERY_STRING']);
?>
</body>
</html>


The one after ,,money in this case, I think, could be the one you are missing.

Hope this helps, man.

regards
:wink:
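The missing & above is the kind of slip that building the query string from an array avoids; the version below also places the page's own fixed parameters after the visitor's, so a repeated key in the incoming query string cannot replace them. Added example, not from the thread or from A2Billing; the base URL and key are placeholders.

```php
<?php
// Added example, not A2Billing code. Parameter names are the ones used in the
// thread; the base URL and key are placeholders.

/**
 * Compose the display_ratecard.php URL from arrays. http_build_query inserts
 * every '&' and URL-encodes the values, and because $fixed is merged last,
 * a client key that collides with a fixed key keeps the fixed value.
 */
function build_ratecard_url(string $base, array $fixed, array $client): string
{
    return $base . '?' . http_build_query(array_merge($client, $fixed));
}

$fixed = [
    'key'              => 'thekey',                      // placeholder
    'page_url'         => 'https://yourdomain/rates.php',
    'ratecardid'       => 4,
    'field_to_display' => 't1.destination,t1.dialprefix,t1.rateinitial',
    'column_name'      => 'Destination,Prefix,Rate/Min',
    'browse_letter'    => 'yes',
    'field_type'       => ',,money',
];

// Constructed request, standing in for $_GET: the currency the ratecard page
// sends back, plus a ratecardid that must not override the fixed one.
$client = ['select' => 'GBP', 'ratecardid' => '99'];

echo build_ratecard_url('https://yourdomain/a2billing/api/display_ratecard.php',
                        $fixed, $client), "\n";
```

In rates.php, pass $_GET as the third argument in place of the constructed array.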


 Post subject:
PostPosted: Thu Apr 17, 2008 4:48 pm 
Joined: Sat Sep 30, 2006 11:22 am
Posts: 167
Location: South East Florida
Perfect. Everything working as it should.

I plugged in the & and took my css_url= statement out.

Thanks so much zuuldibo, appreciate it.

