really dangerous bug!!!! to Charter
Plz, give me your email, I'll send you a link to the dangerous bug
or better, send an email to me at zaartix @no-spam@ yandex.ru
The result of this bug: anyone can view the content of any file.
For example, this is a part of your http://www.phpdig.net/forum/sendmessage.php file:

<?php include("//hide\\"); header("HTTP/1.1 301 Moved Permanently"); header("Location: http://www.phpdig.net/forum/"); exit(); /*======================================================================*\ || #################################################################### || || # vBulletin 3.0.3 - Licence Number L*1*2*6*

In this code I've hidden the full path and license number.
Argh, noooooooooo... :cry:
In search.php find: PHP Code:
no problems, man :)
Charter,
I've taken my phpDig down, so please send out a new mail when the bug is completely fixed and a fix is ready for download. :) Thanks! :)
New Version 1.8.5
hi charter,
maybe you forgot these lines setting the "EXTR_SKIP" flag:
admin/spider.php: extract(phpdigGetSiteFromUrl($id_connect,trim($url),$linksper,$linksper_flag,$limit,$limit_flag,$usetable)); extract(phpdigTempFile($url_indexing,$result_test_http,$relative_script_path.'/admin/temp/'));
admin/update.php: extract($a_result); extract($num_result); extract($this_exclude);
libs/function_phpdig_form.php: extract($result);
Kind regards, Tomas
Not every extract without the EXTR_SKIP is a problem.
Forum links to sites using phpdig
hi charter,
ok - the problem occurs only in arrays. For those who do not want to upgrade: is anything done by changing the flag to EXTR_SKIP? Would you email me a partial pattern to search in Apache logs for a possible hack? Please delete the forum entries with the links to members' sites using phpdig, because this would be the cracker's dream: getting a list of where to have all this fun (knowing this, my link entry was phpdig-website ;-) Thanks, Tomas
The problem occurred for another reason, but that's all, no details. People need to upgrade or face possible exploits. To search your logs, just check for anyone accessing your important files. For example, grep on config.php and other important files and review the output for suspicious requests. You will know it if you see it. Also check for any file starting with a string of numbers, that file being writable or in a writable location. If you find such a file and it is not your content, review the file, then delete the file and again check your logs for any requests to the file. As for the PhpDig link entry set via the vB control panel, only admins or mods can see it.
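To illustrate the extract() points raised in Tomas's two posts and Charter's reply (that a bare extract() is only sometimes a problem), here is an added example that is not phpDig's own code. The array key, the value and the variable name $relative_script_path are assumed for illustration; it shows what EXTR_SKIP does fix, what it does not, and a prefixed alternative.

```php
<?php
// Added example, not phpDig code. Demonstrates how extract() over an array
// that may contain caller-chosen keys clobbers local variables, and how the
// EXTR_SKIP and EXTR_PREFIX_ALL flags change that.

// Constructed input: a row in which one key collides with a script variable
// (assume the key came from untrusted input and was stored unchecked).
$result = [
    'title'                => 'A search hit',
    'relative_script_path' => '/tmp/untrusted-value',
];

// Default flag is EXTR_OVERWRITE: the row silently replaces the local.
function bare_extract(array $row): string {
    $relative_script_path = '/var/www/phpdig';   // what the script expects
    extract($row);
    return $relative_script_path;                // now '/tmp/untrusted-value'
}

// EXTR_SKIP keeps a variable that already exists.
function skip_extract(array $row): string {
    $relative_script_path = '/var/www/phpdig';
    extract($row, EXTR_SKIP);
    return $relative_script_path;                // still '/var/www/phpdig'
}

// Caveat: EXTR_SKIP only protects variables that are already set. If the
// script has not initialised the variable yet, the row still creates it.
function skip_extract_uninitialised(array $row): string {
    extract($row, EXTR_SKIP);
    return $relative_script_path;                // '/tmp/untrusted-value'
}

// EXTR_PREFIX_ALL imports every key under a prefix ($row_title,
// $row_relative_script_path), so no collision is possible at all.
function prefixed_extract(array $row): string {
    $relative_script_path = '/var/www/phpdig';
    extract($row, EXTR_PREFIX_ALL, 'row');
    return $relative_script_path;                // still '/var/www/phpdig'
}

var_dump(bare_extract($result));
var_dump(skip_extract($result));
var_dump(skip_extract_uninitialised($result));
var_dump(prefixed_extract($result));
```

Only the bare and the uninitialised EXTR_SKIP cases return the untrusted value, which is why changing the flag alone does not cover every call site.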
Powered by vBulletin® Version 3.7.3
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Copyright © 2001 - 2005, ThinkDing LLC. All Rights Reserved.