Reviews/index.php Vulnerability fix

#1   Reviews/index.php Vulnerability fix
Telli
Site Admin
Thanks to Raven at [ Register or login to view links on this board. ] for this find.

Find 2 instances of where id=$id and change to where id = '$id' in modules/Reviews/index.php.

After looking I noticed about 4 instances of the above, so look carefully for

WHERE id=$id" and WHERE id=$id

change those to

WHERE id='$id'" and WHERE id='$id'

EDIT:

Also, upon further investigation I noticed two instances of $id_del; make sure those are surrounded with hash marks too.

'$id_del'

If you're using the CZEnhaced 7.0, it has been updated in the downloads; if you want to just download it again and upload that modules/Reviews/index.php, you can.

The other PHPNuke 7.0 standard in the downloads has also been updated.

_________________
The path of the righteous man is beset on all sides by the inequities of the selfish and the tyranny of evil men. Blessed is he, who in the name of charity and good will, shepherds the weak through the valley of darkness, for he is truly his brother's keeper and the finder of lost children. And I will strike down upon thee with great vengeance and furious anger those who would attempt to poison and destroy my brothers. And you will know my name is the Lord when I lay my vengeance upon thee. Ezekiel 25:17
#2   re: Reviews/index.php Vulnerability fix
Recoil
CZ Addict
Does this only affect 7.* ?

#3   re: Reviews/index.php Vulnerability fix
Telli
Site Admin
Any version should have the fix applied.

#4   re: Reviews/index.php Vulnerability fix
Recoil
CZ Addict
Tanks Bro!

#5   
motozen
CZ Super Newbie
Stupid question:

How is it possible to hack PHP? This "vulnerability" does what for hackers?

_________________
visit us at [ Register or login to view links on this board. ]
#6   re: Reviews/index.php Vulnerability fix
Telli
Site Admin
intval '$id' keeps the hackers from running SQL queries through HTTP URLs.

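What the unquoted query in post #1 lets an attacker do, and how the quoted form, the intval cast from post #6 and a bound parameter each change that, shown as an added example: this is not code from the PHP-Nuke Reviews module or from any poster in this thread. It runs the four query shapes against an in-memory SQLite table with the php CLI; the table and column names (reviews, id, title) and the two attacker inputs are made up for illustration.

```php
<?php
// Added example, not code from modules/Reviews/index.php or from this thread.
// An in-memory SQLite table stands in for the site's database so every query
// shape below can be run offline. Table, column names and sample rows are
// constructed for illustration only.

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE reviews (id INTEGER PRIMARY KEY, title TEXT)');
    // Constructed sample rows: row 2 stands in for data a visitor should not see.
    $db->exec("INSERT INTO reviews (id, title) VALUES (1, 'public review'), (2, 'hidden draft')");
    return $db;
}

// Runs one query (optionally with bound parameters) and returns the matched
// titles, so the effect of each query shape can be compared directly.
function titlesFor(PDO $db, string $sql, array $params = []): array
{
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = makeDb();

// 1. Unquoted, as the module had it: whatever arrives in ?id= is pasted into
//    the SQL, so "1 OR 1=1" turns a single-row lookup into a full table read.
$id  = '1 OR 1=1';                              // constructed attacker input
$sql = "SELECT title FROM reviews WHERE id=$id";
echo "unquoted:  $sql\n";
print_r(titlesFor($db, $sql));                  // both rows come back

// 2. Quoted, as the forum fix suggests: the same payload is now one string
//    literal and no longer changes the structure of the query.
$sql = "SELECT title FROM reviews WHERE id='$id'";
echo "quoted:    $sql\n";
print_r(titlesFor($db, $sql));                  // no rows in SQLite

// 3. Quoting alone only holds while the input cannot carry a quote of its
//    own; a payload containing a single quote breaks back out of the literal.
$id  = "1' OR '1'='1";                          // constructed attacker input
$sql = "SELECT title FROM reviews WHERE id='$id'";
echo "quoted+':  $sql\n";
print_r(titlesFor($db, $sql));                  // both rows again

// 4. intval, as post #6 describes: a numeric id is forced to an integer before
//    it reaches the SQL, so neither payload survives as anything but 1.
$sql = 'SELECT title FROM reviews WHERE id=' . intval($id);
echo "intval:    $sql\n";
print_r(titlesFor($db, $sql));                  // only 'public review'

// 5. The form to prefer wherever the driver allows it: a bound parameter is
//    sent as a value and never parsed as SQL, whatever characters it contains.
$sql = 'SELECT title FROM reviews WHERE id = ?';
echo "prepared:  $sql\n";
print_r(titlesFor($db, $sql, [$id]));           // no rows
```

Run it with `php example.php` (the pdo_sqlite extension must be loaded). Two caveats when mapping this back to a PHP-Nuke install on MySQL: MySQL coerces the quoted string '1 OR 1=1' to the number 1 with a warning, so variant 2 returns the id=1 row there rather than nothing, which does not change the point that the query structure is intact; and variant 3 shows why the quoting fix only works together with escaping of the incoming value (in that era usually magic_quotes_gpc or addslashes), which is why the intval cast, or a bound parameter, is the more robust choice for a numeric id.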
#7   re: Reviews/index.php Vulnerability fix
Dobie
CZ Newbie
Done....thanks for this!

#8   re: Reviews/index.php Vulnerability fix
samy
CZ Newbie
Applied, thx!

#9   re: Reviews/index.php Vulnerability fix
Block123
CZ Newbie
I'm running Nuke 7.0.

Two times this week my index files for my forum admin area and my home page have been hacked. All the code in the file was erased, with text left that said "TheHacker..."

Today I made the changes stated above to my reviews/index file. Do you think this will keep the jerk out, or do I have another issue?
