Re: PhpDig - VERSION 1.6.5 (non-patched) AND ALL PRIOR VERSIONS
FraMe from http://www.kernelpanik.org sent a Bug Report regarding remote command execution. Below you will find FraMe's code as modified by me.
!!! ADD THIS TO THE TOP OF THE CONFIG.PHP FILE NOW !!!
PHP Code:
    // prevent remote command execution
    // PhpDig uses $relative_script_path as the path prefix for its includes,
    // so a request-supplied value must never reach an include. Accept only
    // the two values the PhpDig scripts set themselves ("." and "..") and
    // abort on anything else, including an unset variable.
    if (!isset($relative_script_path) ||
        ($relative_script_path !== "." && $relative_script_path !== "..")) {
        // echo "\n\nPath $relative_script_path not recognized!\n\n";
        exit();
    }
    // prevent requests for config.php
    // eregi() was removed in PHP 7; preg_match() with the i modifier is the
    // equivalent case-insensitive match and also works on PHP 4/5.
    if (preg_match('/config\.php/i', $_SERVER['SCRIPT_FILENAME']) ||
        preg_match('/config\.php/i', $_SERVER['REQUEST_URI'])) {
        exit();
    }
If you modified PhpDig paths, then see this thread. Alternatively, you can download the patched 1.6.5 version here or UPGRADE to PhpDig version 1.8.0 here.
No, I'm not going to explain any further, and nobody else should either. Just add the code. Thanks.