View Full Version : PhpDig - Serious

02-23-2004, 11:27 AM
Hi. If you use PHPDIG_ADM_AUTH in the config.php file, rather than say htaccess, to protect the admin directory, then it is possible for someone to directly access the spider.php file via a browser.

To fix this in versions 1.6.5 and 1.8.0 do the following.

In spider.php find the following code and add the line indicated:

else {
//include "$relative_script_path/libs/auth.php";
$run_mode = 'http';
$br = "<br />\n";
$hr = "<hr />\n";
$s_yes = "<img src='yes.gif' width='10' height='10' border='0' align='middle' alt='' />";
$s_no = "<img src='no.gif' width='10' height='10' border='0' align='middle' alt='' />";
$s_link = " <a href='@url' target='_blank'>@url</a> ";
$relative_script_path = '..';
include "$relative_script_path/includes/config.php";
include "$relative_script_path/libs/auth.php"; // add this line here

Remember to remove any "word" wrapping in the above code.

If you are using a version earlier than 1.6.5, then you will need to get a later version and apply the above patch.

If you download (http://www.phpdig.net/navigation.php?action=download) version 1.6.5 or 1.8.0 after the date of this post, the above patch has already been applied.