| Author |
Message |
Raven
General
Joined: Mar 22, 2003
Posts: 5233
Location: USA
|
 Posted:
Mon Mar 24, 2003 9:55 am |
  |
Are you going to post the fix for all of us to secure our sites even more? |
|
|
    |
|
chatserv
General
Joined: Jan 12, 2003
Posts: 3128
Location: Puerto Rico
|
| Posted:
Mon Mar 24, 2003 10:01 am |
|
|
|
|
sixonetonoffun
Major
Joined: Jan 13, 2003
Posts: 892
|
| Posted:
Mon Mar 24, 2003 10:06 am |
|
|
|
|
Raven
General
Joined: Mar 22, 2003
Posts: 5233
Location: USA
|
| Posted:
Mon Mar 24, 2003 10:07 am |
|
| chatserv wrote: |
| http://nukecops.com/article104.html |
Ouch! So you just hadn't applied the fix (no offense intended - just understanding) |
|
|
|
|
Raven
General
Joined: Mar 22, 2003
Posts: 5233
Location: USA
|
| Posted:
Mon Mar 24, 2003 10:12 am |
|
| sixonetonoffun wrote: |
Would not hurt to add to your htaccess < If apache and you have access
php_flag magic_quotes_gpc on |
I NEVER set the global setting to 'ON'. I prefer to let the application handle it through addslashes() |
|
|
|
|
sixonetonoffun
Major
Joined: Jan 13, 2003
Posts: 892
|
| Posted:
Mon Mar 24, 2003 10:16 am |
|
I dunno what ZX applied or didn't but if you followed the events the original patch FB posted failed. The one chatserv revised and released today doesn't.
Remember this only fixes this specific vulnerability in the News. Nothing more. As frogman pointed out there may exist others like it. |
_________________
www.netflake.com
www.glowoptics.com |
|
|
|
chatserv
General
Joined: Jan 12, 2003
Posts: 3128
Location: Puerto Rico
|
| Posted:
Mon Mar 24, 2003 10:31 am |
|
I will be looking at some of the other exploits later on and FB told me he would be doing much the same thing, i imagine others are doing so as well so expect more to come out of this, as for the fix listed in the link i posted it was edited today as the previous fix failed. |
_________________
Feed a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime.
ScriptHeaven | NukeResources |
|
|
|
Raven
General
Joined: Mar 22, 2003
Posts: 5233
Location: USA
|
| Posted:
Mon Mar 24, 2003 10:46 am |
|
| chatserv wrote: |
| I will be looking at some of the other exploits later on and FB told me he would be doing much the same thing, i imagine others are doing so as well so expect more to come out of this, as for the fix listed in the link i posted it was edited today as the previous fix failed. |
I think this is all that is needed, isn't it? I know it's splitting hairs but it will save a cycle or two . There is no way that the value can be other than 1-5, so the last 'if' test with the AND's is not needed - agree?
$score = intval($score);
if ($score) {
if ($score > 5) { $score = 5; }
if ($score < 1) { $score = 1; } |
|
|
|
|
chatserv
General
Joined: Jan 12, 2003
Posts: 3128
Location: Puerto Rico
|
| Posted:
Mon Mar 24, 2003 10:55 am |
|
Yes, i believe the integer value check of the $score variable should be enough but then again the rest of the code doesn't mess up anything and hence won't hurt having it there. |
_________________
Feed a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime.
ScriptHeaven | NukeResources |
|
|
|
|
|
