PhpDig.net

PhpDig.net (http://www.phpdig.net/forum/index.php)
-   Feedback & News (http://www.phpdig.net/forum/forumdisplay.php?f=25)
-   -   PhpDig - Urgent (http://www.phpdig.net/forum/showthread.php?t=393)

Charter 01-14-2004 02:29 PM

PhpDig - Urgent
 
Re: PhpDig - VERSION 1.6.5 (non-patched) AND ALL PRIOR VERSIONS

FraMe from http://www.kernelpanik.org sent a Bug Report regarding remote command execution. Below you will find FraMe's code as modified by me.

!!! ADD THIS TO THE TOP OF THE CONFIG.PHP FILE NOW !!!
PHP Code:

// prevent remote command execution
if ((isset($relative_script_path)) &&
(
$relative_script_path != ".") &&
(
$relative_script_path != "..")) {
exit();
}

if ((!isset(
$relative_script_path)) || 
((
$relative_script_path != ".") && 
(
$relative_script_path != ".."))) {
  
// echo "\n\nPath $relative_script_path not recognized!\n\n";
  
exit();
}

// prevent requests for config.php
if (eregi("config.php",$_SERVER['SCRIPT_FILENAME']) ||
eregi("config.php",$_SERVER['REQUEST_URI'])) {
exit();


If you modified PhpDig paths, then see this thread.

Alternatively, you can download the patched 1.6.5 version here or UPGRADE to PhpDig version 1.8.0 here.

No, I'm not going to explain any further, and nobody else should either. Just add the code. Thanks.


All times are GMT -8. The time now is 07:37 PM.

Powered by vBulletin® Version 3.7.3
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.
Copyright © 2001 - 2005, ThinkDing LLC. All Rights Reserved.