NukeCops  
SQL Injection Vulnerability!
SecurityRaven writes "Sites are being exposed even as I write this! This is still in 7.0 and 7.1. Check your modules/Reviews/index.php file for the following code. There should be 2 instances.

WHERE id=$id

If you have it, then you MUST modify it to

WHERE id='$id' .

Otherwise your admin passwords can be exposed. They are still encrypted, but depending on how serious someone was to get them, they might! Please note that Chatserv's Patches have this fix in them.

Admin Note: An advisory to those using Nuke Cops PHP-Nuke Bundle, this has been fixed in 2003 already."
Posted on Sunday, February 08 @ 14:38:08 CET by sting
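
To run the check from the post over a whole file, including files with many occurrences, the following Python script is an added example and not code from the article, PHP-Nuke or any patch set. It goes beyond the `id` column and reports any same-line `WHERE` comparison against an unquoted PHP variable; the sample lines are constructed, and queries split across several lines are not handled.

```python
import re
import sys

WHERE = re.compile(r"\bwhere\b", re.IGNORECASE)
# column = $var with no quote before the variable; the lookbehind skips
# PHP assignments such as `$id = $x`, where the "column" is itself a variable.
UNQUOTED_CMP = re.compile(r"(?<![$\w])(\w+)\s*=\s*(\$\w+)")

# Constructed sample lines modelled on the pattern in the post; this is not
# the real modules/Reviews/index.php.
SAMPLE = r'''<?php
$id = $HTTP_GET_VARS['id'];
$result = sql_query("select * from ".$prefix."_reviews where id=$id", $dbi);
$result = sql_query("SELECT title FROM ".$prefix."_reviews WHERE id='$id'", $dbi);
sql_query("UPDATE ".$prefix."_reviews SET hits=hits+1 WHERE id=$id", $dbi);
'''


def find_unquoted(php_source):
    """Return (line_number, column, variable) for each unquoted comparison
    that follows a WHERE keyword on the same line."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        where = WHERE.search(line)
        if where is None:
            continue
        for cmp_ in UNQUOTED_CMP.finditer(line, where.end()):
            findings.append((lineno, cmp_.group(1), cmp_.group(2)))
    return findings


def main(argv):
    # With a path argument, audit that file; otherwise run on the sample.
    if len(argv) > 1:
        with open(argv[1], encoding="latin-1") as fh:
            source = fh.read()
    else:
        source = SAMPLE
    findings = find_unquoted(source)
    for lineno, column, variable in findings:
        print(f"line {lineno}: {column}={variable} is not quoted")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Each reported line is one where the variable reaches the query outside a string literal; for a numeric id, casting the value to an integer before building the query is a common additional hardening.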
 
Re: SQL Injection Vulnerability! (Score: 1)
by Ronin on Sunday, February 08 @ 17:27:08 CET
Any comments on how Nuke6.5 users (which I assume are still the greatest majority) should deal with the 15 occurrences of "id=$id" in this file?

Cheers,
Ronin



Re: SQL Injection Vulnerability! (Score: 1)
by Raven on Sunday, February 08 @ 17:38:50 CET
http://ravenphpscripts.com
I actually submitted this to Nuke Cops last Wednesday! In the meantime, Chat and I have both posted suggested work-arounds/fixes. See my site [ravenphpscripts.com] for the news items and forum discussions.

