From: Matthew McNaney <matt@tu...> - 2006-03-27 21:07:41
To tell the truth, I am not sure there is a security risk.
Here is the warning: (thanks Kenneth)
Of course the details of the hack are not listed nor has anyone
contacted us about it, but recently they have appeared on security
lists. Heck, I don't even know what 'friends.php' is.
Here is article.php:
$sid = $_REQUEST['sid'];
$module = 'announce';
Ok so it changes the $sid to a global variable $sid;
Look at mod.php.
I won't cut and paste, but basically the $module variable goes into a
switch. Nothing is run through the database.
It goes into the announce case and builds a new address. The old id is
compared to its upgrade array and the new id is added to the address.
Finally the new address is sent to the header function and the browser
is sent to the new url.
If the $sid variable had some db injection in it, it should get cleaned
out on the reroute by the Announce module.
Now there may be something I am missing but so far I don't see any
possible hack. Just to be sure though, I put up a notice to just delete
On Mon, 2006-03-27 at 09:29 -0500, Verdon Vaillancourt wrote:
> I had a couple questions about the recent security warning in regards
> to article.php and friend.php.
> 1) article.php is still in the .10.2 distro... just trash it?
> 2) what sort of risk are these files? I still have a few sites running
> .8.x code with both these files. These sites are unlikely to be updated
> in the near future. Does the risk extend beyond the individual site, or
> is it a larger risk to the server?
Electronic Student Services
Appalachian State University
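
Added example, not part of the original message and not phpWebSite's own code: a minimal sketch of the redirect flow described above, where the old id is looked up in an upgrade map and only the mapped id reaches the redirect address. The function name, the map contents and the target URL format are assumptions made for illustration.

```php
<?php
// Hypothetical sketch of a legacy-id redirect; every name here is an assumption.

// Constructed upgrade map: old article id => new announcement id.
$upgradeMap = [12 => 3, 15 => 4, 27 => 9];

/**
 * Return the redirect target for a legacy article id, or null when the
 * id is malformed or has no entry in the upgrade map.
 */
function legacy_redirect_target($rawSid, array $upgradeMap): ?string
{
    // Accept only a short, plain decimal string. Arrays (sid[]=1), signs,
    // spaces, quotes and any other non-digit characters are rejected here.
    if (!is_string($rawSid) || !ctype_digit($rawSid) || strlen($rawSid) > 9) {
        return null;
    }

    $oldId = (int) $rawSid;
    if (!array_key_exists($oldId, $upgradeMap)) {
        return null; // unknown legacy id: no redirect is built
    }

    // Only the mapped integer is placed in the address, never the request
    // value itself. The URL layout below is a placeholder.
    return 'index.php?module=announce&id=' . (int) $upgradeMap[$oldId];
}

// Constructed sample inputs standing in for $_REQUEST['sid'].
$samples = ['12', '12 OR 1=1', "15'", '999', ['12'], ''];

foreach ($samples as $sid) {
    $target = legacy_redirect_target($sid, $upgradeMap);
    echo json_encode($sid), ' => ', $target ?? 'rejected (no redirect)', PHP_EOL;
}

// In a real script the caller would then do something like:
//   $target = legacy_redirect_target($_REQUEST['sid'] ?? null, $upgradeMap);
//   if ($target === null) { http_response_code(404); exit; }
//   header('Location: ' . $target); exit;
```

With this shape, the request value is used only as a lookup key, so the property worth checking in the real script is that nothing derived from the raw `sid` is concatenated into the address or a query before the lookup succeeds.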