Re: [SM-USERS] SECURITY: 1.4.12 Package Compromise ISSUE=9272, PROJ=30

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

> > Modifications seemed to be
> > based around a PHP global variable which we cannot track down.
>
> Actually I don't understand what this means...  What do you mean "cannot track down"?

It means that we couldn't find any reference to it in a doc or
anywhere else online.  However, we have since become aware of how this
variable might be created.

> What diff do you see between the compromised version and
> the one that is there now? I see only a comment diff in one file.

it was a small block of code that checks for a $_SERVER var.  If that
var was present, it would redefine SM_PATH.  Under normal
circumstances, this would never be executed, but we have since learned
how to make it execute.

Please upgrade to 1.4.13. :-)