PhpDig - Urgent


Charter
01-14-2004, 02:29 PM
Re: PhpDig - VERSION 1.6.5 (non-patched) AND ALL PRIOR VERSIONS

FraMe from http://www.kernelpanik.org sent a Bug Report regarding remote command execution. Below you will find FraMe's code as modified by me.

!!! ADD THIS TO THE TOP OF THE CONFIG.PHP FILE NOW !!!

// prevent remote command execution:
// $relative_script_path may only ever be "." or ".."; bail out on anything else
if ((isset($relative_script_path)) &&
    ($relative_script_path != ".") &&
    ($relative_script_path != "..")) {
    exit();
}

// same rule again, this time also refusing the case where the variable is not set at all
if ((!isset($relative_script_path)) ||
    (($relative_script_path != ".") &&
     ($relative_script_path != ".."))) {
    // echo "\n\nPath $relative_script_path not recognized!\n\n";
    exit();
}

// prevent requests for config.php
// (eregi() is a case-insensitive POSIX regex match; it was removed in PHP 7)
if (eregi("config.php",$_SERVER['SCRIPT_FILENAME']) ||
    eregi("config.php",$_SERVER['REQUEST_URI'])) {
    exit();
}

If you modified PhpDig paths, then see this (http://www.phpdig.net/showthread.php?threadid=396) thread.

Alternatively, you can download the patched 1.6.5 version here (http://www.phpdig.net/download.php?digfile=phpdig-1.6.5.zip) or UPGRADE to PhpDig version 1.8.0 here (http://www.phpdig.net/download.php?digfile=phpdig-1.8.0.zip).

No, I'm not going to explain any further, and nobody else should either. Just add the code. Thanks.
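The guard above expressed as an added example for current PHP releases; this is not PhpDig's code or Charter's, the function names are hypothetical, and it assumes the two values that PhpDig's own scripts assign, "." and "..", are the only legitimate ones. It replaces the eregi() calls, which no longer exist in PHP 7 and later, and shows which values the allow-list lets through.

```php
<?php
// Added example, not part of the original post or of PhpDig.
declare(strict_types=1);

// Allow-list check: only the two values PhpDig's includes expect pass.
// Rejecting everything else (including an unset variable, passed as null)
// is what stops a request-supplied path from reaching an include().
function isAllowedRelativeScriptPath(?string $path): bool
{
    return $path === '.' || $path === '..';
}

// Modern equivalent of the eregi() guard against direct requests for config.php.
// stripos() gives the same case-insensitive substring match without a regex.
function isConfigRequest(string $scriptFilename, string $requestUri): bool
{
    return stripos($scriptFilename, 'config.php') !== false
        || stripos($requestUri, 'config.php') !== false;
}

// Drop-in form of the original guard: stop the script unless both checks pass.
function guardOrExit(?string $relativeScriptPath, array $server): void
{
    if (!isAllowedRelativeScriptPath($relativeScriptPath)
        || isConfigRequest($server['SCRIPT_FILENAME'] ?? '', $server['REQUEST_URI'] ?? '')) {
        exit();
    }
}

// Constructed sample values (not from the bug report) showing the allow-list in action.
$samples = ['.', '..', null, '', '/tmp', 'http://example.invalid/'];
foreach ($samples as $sample) {
    printf("%-28s %s\n", var_export($sample, true),
        isAllowedRelativeScriptPath($sample) ? 'allowed' : 'rejected');
}
// Only '.' and '..' print as allowed; every other value, set or not, is rejected.
```

Call guardOrExit($relative_script_path, $_SERVER) at the top of config.php to get the same behaviour as the snippet in the post, with the variable read explicitly rather than relying on register_globals.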