PHP Security Breach
Del.icio.us
Digg
Google
Spurl
Blink
Furl
Y! MyWeb
Share:
Sponsors:
I urge all our users to make the following change to viewtopic.php as a matter of urgency. Open viewtopic.php in any text editor. Find the following section of code:
//
// Was a highlight request part of the URI?
//
$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
// Split words and phrases
$words = explode(' ', trim(htmlspecialchars(urldecode($HTTP_GET_VARS['highlight']))));
for($i = 0; $i < sizeof($words); $i++)
{
and replace with:
//
// Was a highlight request part of the URI?
//
$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
// Split words and phrases
$words = explode(' ', trim(htmlspecialchars($HTTP_GET_VARS['highlight'])));
for($i = 0; $i < sizeof($words); $i++)
{
Note: Please inform as many people as possible about this issue. If you're a hosting provider please inform your customers if possible. Else we advise you implement some level of additional security if you run ensim or have PHP running cgi under suexec, etc.
If your hosted by Codezhost... no worries we have suexec shutdown and nothing can be called from it.
Article submitted by: Telli
Last Update: 12-05-2004
Category: Security
//
// Was a highlight request part of the URI?
//
$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
// Split words and phrases
$words = explode(' ', trim(htmlspecialchars(urldecode($HTTP_GET_VARS['highlight']))));
for($i = 0; $i < sizeof($words); $i++)
{
and replace with:
//
// Was a highlight request part of the URI?
//
$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
// Split words and phrases
$words = explode(' ', trim(htmlspecialchars($HTTP_GET_VARS['highlight'])));
for($i = 0; $i < sizeof($words); $i++)
{
Note: Please inform as many people as possible about this issue. If you're a hosting provider please inform your customers if possible. Else we advise you implement some level of additional security if you run ensim or have PHP running cgi under suexec, etc.
If your hosted by Codezhost... no worries we have suexec shutdown and nothing can be called from it.
Article submitted by: Telli
Last Update: 12-05-2004
Category: Security
Current rating: 5.31 by 54 users
Would you recommend this article to a friend? |
Not a Chance | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | Absolutely |
Related News Stories
(9,187 reads) 07-05-2008
· Fusion Security(14,876 reads) 06-02-2007
· NukeSentinel(tm)2.5.10 Critical Update(13,650 reads) 05-07-2007
· NukeSentinel(tm) 2.5.08 Maintainance Release(15,090 reads) 03-15-2007
· NukeSentinel(tm) 2.5.07 Reissued: Critical Update(13,588 reads) 03-02-2007
· NukeSentinel(tm) 2.5.06: Critical Update(14,374 reads) 01-23-2007
· NukeSentinel(tm) 2.5.05 released(14,410 reads) 12-24-2006
· NukeSentinel 2.5.04 released(14,128 reads) 11-03-2006
· NukeSentinel(tm) 2.5.03 Released(17,987 reads) 10-19-2006
· Php Nuke 8.0 Patched(14,362 reads) 10-01-2006
· ipBan Modification
Please register or sign-in to post comments.