Hi Jens and list,
On Jan 19, 2007, at 10:41, Jens Meyer wrote:
> Hi Dave, hi all!
> Is it possible to publish a list of security holes
The main problem in Pagetool was the way we made it work with
register globals off. I'm now going through all the code and using
the correct _GET or _POST variables, and validating the user supplied
data where required. There are a LOT of changes. Also, all variables
should now be initialised before use, so Pagetool should run OK with
E_ALL error reporting.
Also pt_upload.php will become a fixed pt_upload.inc file and be
included from the rest of the script. If there's anyone out there
who needs the facility of the portability of pt_upload.php, then I'll
look at that at a later date.
> (and fixes)
> additional to the complete update?
The CHANGELOG.txt will give a generalisation of the changes made. The
CVS repository will give a more detailed view of what was changed in
each file. There's a web interface to CVS at:
> I am using two Pagetool-installations which were modified at different
> places so it would be great to add "patches" manually.
Something like WinMerge from
should be able to compare your src/ directory and the new src/
directory and tell you what files have changed, and then what has
changed in each file. If you compare your src/ directory with the
standard src/ directory of the version of Pagetool that you modified,
that should tell you what files to take a closer look at. You could
then compare and merge your versions of these files with the new
On Mac there's FileMerge which is installed as part of the Developer
Tools. And Linux is definitely going to have a similar tool!
d a v e
> All the best,
> Dave Guerin wrote:
>> Hi Arne and list,
>> On Jan 19, 2007, at 08:16, Arne Groh wrote:
>>> Dave Guerin wrote:
>>>> Hi all,
>>>> Jamie has discovered a security hole in the way Pagetool handles
>>>> uploads. Normally, we would wait to announce the security hole until
>>>> we have a fix in place so you can patch your site; however,
>>>> since the exploit has already been published on the web (and at least
>>>> three sites have been known to be hacked!), we wanted to warn everyone
>>>> as soon as possible.
>>>> For now - please remove your pt_upload.php file. It is located in:
>>>> This will disable your ability to upload files to your site via the
>>>> web interface. However, it will protect you against the
>>>> exploit. We
>>>> will publish a fixed pt_upload.php file shortly.
>>> dear list,
>>> is there a patch for pt_upload available somewhere?
>>> if so, please post the link...
>> Sorry for the delay, business and family commitments got in the way
>> of Pagetool coding I'm afraid.
>> I have been working on an updated pt_upload over the last couple of
>> days, and fixing some other possible security holes in Pagetool. I'll
>> hopefully commit to CVS what I've done so far later on today,
>> although it's not all working yet. There is still a lot to do before
>> I'd be happy in releasing a new version with these updates however,
>> and someone else as well as me would need to test the whole of
>> Pagetool to check I haven't broken anything! I'll let the list know
>> when the code in CVS is in a working state for others to have a
>> look at.
> Pagetool-devel mailing list
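The register_globals clean-up Dave describes above (explicit _GET/_POST access, validating user-supplied data, initialising every variable so the code runs under E_ALL) as an added example; this is not Pagetool's code, and the function names, the `page_id` parameter and the session flag are assumptions made for the illustration.

```php
<?php
// Added example (not Pagetool's code): migrating a script that relied on
// register_globals to explicit, validated superglobal access so it runs
// cleanly with register_globals = Off and error_reporting(E_ALL).

// --- Before (assumed legacy pattern): with register_globals = On every
// request parameter silently becomes a global. $is_admin is never
// initialised, so any request parameter of that name defines it; with
// register_globals = Off the same code emits E_NOTICE "Undefined variable"
// and $page_id is always empty, which is the breakage being fixed.
function show_page_legacy()
{
    global $page_id, $is_admin;   // both arrive straight from the request
    if ($is_admin) {
        return "admin view of page $page_id";
    }
    return "public view of page $page_id";
}

// --- After: read only the parameters this action expects, from the
// superglobal they are expected in, validate them, and give every
// variable a default before use.
function show_page_fixed(array $get, bool $session_is_admin)
{
    // Whitelist validation: page ids are small positive integers only.
    $page_id = 0;
    if (isset($get['page_id']) && ctype_digit((string) $get['page_id'])) {
        $page_id = (int) $get['page_id'];
    }
    if ($page_id < 1) {
        return 'invalid page id';
    }
    // Authorisation state comes from the session, never from request data.
    if ($session_is_admin) {
        return "admin view of page $page_id";
    }
    return "public view of page $page_id";
}

// Constructed sample requests (pass $_GET here in a real script).
echo show_page_fixed(['page_id' => '12', 'is_admin' => '1'], false), "\n";
// -> public view of page 12 (the stray is_admin parameter is ignored)
echo show_page_fixed(['page_id' => '12; evil'], false), "\n";
// -> invalid page id
```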