Thread: PhpDig - Urgent
View Single Post
Old 01-14-2004, 02:29 PM   #1
Charter
Head Mole
 
Charter's Avatar
 
Join Date: May 2003
Posts: 2,539
PhpDig - Urgent

Re: PhpDig - VERSION 1.6.5 (non-patched) AND ALL PRIOR VERSIONS

FraMe from http://www.kernelpanik.org sent a Bug Report regarding remote command execution. Below you will find FraMe's code as modified by me.

!!! ADD THIS TO THE TOP OF THE CONFIG.PHP FILE NOW !!!
PHP Code:
// prevent remote command execution
if ((isset($relative_script_path)) &&
(
$relative_script_path != ".") &&
(
$relative_script_path != "..")) {
exit();
}

if ((!isset(
$relative_script_path)) || 
((
$relative_script_path != ".") && 
(
$relative_script_path != ".."))) {
  
// echo "\n\nPath $relative_script_path not recognized!\n\n";
  
exit();
}

// prevent requests for config.php
if (eregi("config.php",$_SERVER['SCRIPT_FILENAME']) ||
eregi("config.php",$_SERVER['REQUEST_URI'])) {
exit();

If you modified PhpDig paths, then see this thread.

Alternatively, you can download the patched 1.6.5 version here or UPGRADE to PhpDig version 1.8.0 here.

No, I'm not going to explain any further, and nobody else should either. Just add the code. Thanks.
__________________
Responses are offered on a voluntary if/as time is available basis, no guarantees. Double posting or bumping threads will not get your question answered any faster. No support via PM or email, responses not guaranteed. Thank you for your comprehension.
Charter is offline