PHP Security Breach
Del.icio.us
Digg
Google
Spurl
Blink
Furl
Y! MyWeb
Share:
Sponsors:
I urge all our users to make the following change to viewtopic.php as a matter of urgency. Open viewtopic.php in any text editor. Find the following section of code:
//
// Was a highlight request part of the URI?
//
$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
// Split words and phrases
$words = explode(' ', trim(htmlspecialchars(urldecode($HTTP_GET_VARS['highlight']))));
for($i = 0; $i < sizeof($words); $i++)
{
and replace with:
//
// Was a highlight request part of the URI?
//
$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
// Split words and phrases
$words = explode(' ', trim(htmlspecialchars($HTTP_GET_VARS['highlight'])));
for($i = 0; $i < sizeof($words); $i++)
{
Note: Please inform as many people as possible about this issue. If you're a hosting provider please inform your customers if possible. Else we advise you implement some level of additional security if you run ensim or have PHP running cgi under suexec, etc.
If your hosted by Codezhost... no worries we have suexec shutdown and nothing can be called from it.
Article submitted by: Telli
Last Update: 12-05-2004
Category: Security
//
// Was a highlight request part of the URI?
//
$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
// Split words and phrases
$words = explode(' ', trim(htmlspecialchars(urldecode($HTTP_GET_VARS['highlight']))));
for($i = 0; $i < sizeof($words); $i++)
{
and replace with:
//
// Was a highlight request part of the URI?
//
$highlight_match = $highlight = '';
if (isset($HTTP_GET_VARS['highlight']))
{
// Split words and phrases
$words = explode(' ', trim(htmlspecialchars($HTTP_GET_VARS['highlight'])));
for($i = 0; $i < sizeof($words); $i++)
{
Note: Please inform as many people as possible about this issue. If you're a hosting provider please inform your customers if possible. Else we advise you implement some level of additional security if you run ensim or have PHP running cgi under suexec, etc.
If your hosted by Codezhost... no worries we have suexec shutdown and nothing can be called from it.
Article submitted by: Telli
Last Update: 12-05-2004
Category: Security
Current rating: 5.31 by 54 users
| Would you recommend this article to a friend? |
| Not a Chance | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | Absolutely |
Related News Stories
(10,169 reads) 07-05-2008
· Fusion Security(15,674 reads) 06-02-2007
· NukeSentinel(tm)2.5.10 Critical Update(14,492 reads) 05-07-2007
· NukeSentinel(tm) 2.5.08 Maintainance Release(15,920 reads) 03-15-2007
· NukeSentinel(tm) 2.5.07 Reissued: Critical Update(14,406 reads) 03-02-2007
· NukeSentinel(tm) 2.5.06: Critical Update(15,184 reads) 01-23-2007
· NukeSentinel(tm) 2.5.05 released(15,174 reads) 12-24-2006
· NukeSentinel 2.5.04 released(14,918 reads) 11-03-2006
· NukeSentinel(tm) 2.5.03 Released(18,837 reads) 10-19-2006
· Php Nuke 8.0 Patched(15,194 reads) 10-01-2006
· ipBan Modification
Please register or sign-in to post comments.