PHP Security Breach
Del.icio.us
Digg
Google
Spurl
Blink
Furl
Y! MyWeb
Share:
Sponsors:
I urge all our users to make the following change to viewtopic.php as a matter of urgency. Open viewtopic.php in any text editor. Find the following section of code:
//
// Was a highlight request part of the URI?
//
$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
// Split words and phrases
$words = explode(' ', trim(htmlspecialchars(urldecode($HTTP_GET_VARS['highlight']))));
for($i = 0; $i < sizeof($words); $i++)
{
and replace with:
//
// Was a highlight request part of the URI?
//
$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
// Split words and phrases
$words = explode(' ', trim(htmlspecialchars($HTTP_GET_VARS['highlight'])));
for($i = 0; $i < sizeof($words); $i++)
{
Note: Please inform as many people as possible about this issue. If you're a hosting provider please inform your customers if possible. Else we advise you implement some level of additional security if you run ensim or have PHP running cgi under suexec, etc.
If your hosted by Codezhost... no worries we have suexec shutdown and nothing can be called from it.
Article submitted by: Telli
Last Update: 12-05-2004
Category: Security
//
// Was a highlight request part of the URI?
//
$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
// Split words and phrases
$words = explode(' ', trim(htmlspecialchars(urldecode($HTTP_GET_VARS['highlight']))));
for($i = 0; $i < sizeof($words); $i++)
{
and replace with:
//
// Was a highlight request part of the URI?
//
$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
// Split words and phrases
$words = explode(' ', trim(htmlspecialchars($HTTP_GET_VARS['highlight'])));
for($i = 0; $i < sizeof($words); $i++)
{
Note: Please inform as many people as possible about this issue. If you're a hosting provider please inform your customers if possible. Else we advise you implement some level of additional security if you run ensim or have PHP running cgi under suexec, etc.
If your hosted by Codezhost... no worries we have suexec shutdown and nothing can be called from it.
Article submitted by: Telli
Last Update: 12-05-2004
Category: Security
Current rating: 5.31 by 54 users
| Would you recommend this article to a friend? |
| Not a Chance | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | Absolutely |
Related News Stories
(9,741 reads) 07-05-2008
· Fusion Security(15,356 reads) 06-02-2007
· NukeSentinel(tm)2.5.10 Critical Update(14,148 reads) 05-07-2007
· NukeSentinel(tm) 2.5.08 Maintainance Release(15,596 reads) 03-15-2007
· NukeSentinel(tm) 2.5.07 Reissued: Critical Update(14,094 reads) 03-02-2007
· NukeSentinel(tm) 2.5.06: Critical Update(14,862 reads) 01-23-2007
· NukeSentinel(tm) 2.5.05 released(14,882 reads) 12-24-2006
· NukeSentinel 2.5.04 released(14,606 reads) 11-03-2006
· NukeSentinel(tm) 2.5.03 Released(18,481 reads) 10-19-2006
· Php Nuke 8.0 Patched(14,848 reads) 10-01-2006
· ipBan Modification
Please register or sign-in to post comments.