PHP Security Breach


Del.icio.us  Digg  Google  Spurl  Blink  Furl  Y! MyWeb  
Share:
Sponsors:

I urge all our users to make the following change to viewtopic.php as a matter of urgency. Open viewtopic.php in any text editor. Find the following section of code:

//
// Was a highlight request part of the URI?
//
$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
// Split words and phrases
$words = explode(' ', trim(htmlspecialchars(urldecode($HTTP_GET_VARS['highlight']))));
for($i = 0; $i < sizeof($words); $i++)
{

and replace with:

//
// Was a highlight request part of the URI?
//
$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
// Split words and phrases
$words = explode(' ', trim(htmlspecialchars($HTTP_GET_VARS['highlight'])));
for($i = 0; $i < sizeof($words); $i++)
{

Note: Please inform as many people as possible about this issue. If you're a hosting provider please inform your customers if possible. Else we advise you implement some level of additional security if you run ensim or have PHP running cgi under suexec, etc.

If your hosted by Codezhost... no worries we have suexec shutdown and nothing can be called from it.

Article submitted by: Telli
Last Update: 12-05-2004
Category: Security

Print | E-mail


Current rating: 5.31 by 54 users
Would you recommend this article to a friend?

Not a Chance 12345678910 Absolutely

Please register or sign-in to post comments.


Related News Stories

(9,841 reads) 07-05-2008
 · Fusion Security
(15,416 reads) 06-02-2007
 · NukeSentinel(tm)2.5.10 Critical Update
(14,216 reads) 05-07-2007
 · NukeSentinel(tm) 2.5.08 Maintainance Release
(15,668 reads) 03-15-2007
 · NukeSentinel(tm) 2.5.07 Reissued: Critical Update
(14,156 reads) 03-02-2007
 · NukeSentinel(tm) 2.5.06: Critical Update
(14,924 reads) 01-23-2007
 · NukeSentinel(tm) 2.5.05 released
(14,946 reads) 12-24-2006
 · NukeSentinel 2.5.04 released
(14,674 reads) 11-03-2006
 · NukeSentinel(tm) 2.5.03 Released
(18,547 reads) 10-19-2006
 · Php Nuke 8.0 Patched
(14,920 reads) 10-01-2006
 · ipBan Modification