NukeCops  
Security: Downloads & Web Links vulnerability Patch
Bug Fixes
Recently a SQL injection vulnerability has been reported that relates to the Downloads and Web Links modules: an admin account can be created by passing a SQL line through the $cid variable. I have patched both modules not only to block this code from being passed through the $cid variable, but on all similar variables as well. Patch your websites.
Download for PHP-Nuke 6.5-6.9
Download for PHP-Nuke 6.0

Admin Note: To those that already downloaded the patch please download again, another check was added.
Posted on Thursday, October 09 @ 13:22:50 CEST by [RETIRED]chatserv
 

Re: Downloads & Web Links vulnerability Patch (Score: 1)
by Mickp on Monday, October 13 @ 07:22:23 CEST
http://www.your-poetry.com
I also need just the change log for this, as my files have been individually customised to suit each of the sites I set up. I cannot simply replace the files. Can someone let us all know what we have to change, rather than just saying replace the entire file? :(

Thanks

Mick



Re: Downloads & Web Links vulnerability Patch (Score: 1)
by wizkid on Sunday, October 12 @ 18:58:18 CEST
A much quicker and cleaner approach to securing these problem files would be to implement code JUST BEFORE the switch functions (or near the top of each module) to do the same but GLOBALLY for all variables.

Example: (in Web_Links/index.php)
if (isset($ratinglid) && isset($ratinguser) && isset($rating)) {
    $ret = addrating($ratinglid, $ratinguser, $rating, $ratinghost_name, $ratingcomments);
}

// Secure the module: cast every id to an integer before any function sees it
$lid = intval($lid);
$cid = intval($cid);
/*
... rest of variable cleanup ... Since you know that here, before you call any
functions, you clean up all variables. EVERY module should have such code, or
create a better way to pass variables to each module.
*/

switch ($l_op) {

    case "menu":
        menu($mainlink);
        break;

    case "AddLink":
        // ... remaining cases as in the original module ...
}
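The weak pattern the news item describes (an unchecked $cid interpolated into SQL) next to its integer-cast fix, plus the module-wide cleanup wizkid proposes above, as an added example. This is not PHP-Nuke's code and not the patch chatserv distributed; the table name, the function names, the parameter map and the sample request values are all constructed for illustration.

```php
<?php
// Added example (not PHP-Nuke's code, not chatserv's patch): why an untrusted
// $cid must be validated before it reaches SQL, and a per-module parameter
// map that cleans every request variable once, before the switch, as wizkid
// suggests. Table and function names are assumptions. Written so that it runs
// on PHP 4 as well as current PHP (no type hints, no exceptions).

// 1. The weak pattern the report describes: $cid is interpolated as-is, so
//    whatever the request carries becomes part of the SQL statement.
function weak_category_query($cid)
{
    return "SELECT lid, title FROM nuke_links_links WHERE cid=$cid";
}

// 2. Hardened: cast to integer first. intval("3 OR 1=1") is 3 and
//    intval("abc") is 0, so no SQL syntax can survive the cast.
function safe_category_query($cid)
{
    $cid = intval($cid);
    return "SELECT lid, title FROM nuke_links_links WHERE cid=$cid";
}

// 3. Module-wide cleanup. $spec lists every variable the module reads and the
//    only shape it may take; anything else is replaced by a safe default.
function sanitize_params($spec, $request)
{
    $clean = array();
    foreach ($spec as $name => $type) {
        $value = isset($request[$name]) ? $request[$name] : null;
        switch ($type) {
            case 'int':      // ids such as $cid, $lid, $ratinglid
                $clean[$name] = ($value === null) ? 0 : intval($value);
                break;
            case 'word':     // op names such as $l_op ("menu", "AddLink")
                $clean[$name] = (is_string($value) && preg_match('/^[A-Za-z0-9_]{1,32}$/', $value))
                    ? $value : '';
                break;
            case 'text':     // free text: tags stripped here; it must still be
                             // escaped or bound as a parameter before any query
                $clean[$name] = is_string($value) ? strip_tags($value) : '';
                break;
            default:         // an unlisted type is a programming error
                trigger_error("no rule for parameter '$name'", E_USER_ERROR);
        }
    }
    return $clean;
}

// Constructed request, modelled on the report: SQL smuggled into $cid.
// PHP-Nuke of this era received these as globals via register_globals;
// reading them from an explicit array makes the data flow visible.
$request = array(
    'cid'            => '3 OR 1=1',
    'lid'            => '17',
    'l_op'           => 'menu',
    'ratingcomments' => 'nice <script>x</script> link',
);
$spec = array(
    'cid'            => 'int',
    'lid'            => 'int',
    'l_op'           => 'word',
    'ratingcomments' => 'text',
);

// The weak form carries the "OR 1=1" into the WHERE clause; the safe form
// reduces $cid to the integer 3.
echo weak_category_query($request['cid']), "\n";
echo safe_category_query($request['cid']), "\n";

// Cleaning all four variables in one pass, before the switch($l_op) runs.
$p = sanitize_params($spec, $request);
var_dump($p['cid'] === 3, $p['lid'] === 17, $p['l_op'] === 'menu',
         $p['ratingcomments'] === 'nice x link');
```

The sanitize_params() call is the piece that belongs "just before the switch": it is run once per request, so every function the switch dispatches to sees only integers where it expects ids and only a short identifier in $l_op. Free-text fields are the case intval cannot cover; those still need escaping with the database driver's function, or, in any code written today, a prepared statement with bound parameters.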




Re: Downloads & Web Links vulnerability Patch (Score: 1)
by manunkind1 on Saturday, October 11 @ 19:12:44 CEST
http://www.pcsympathy.com
What code was changed?

Keep in mind that most people have these 2 pages hacked up, and cannot simply replace the files.



Re: Downloads & Web Links vulnerability Patch (Score: 1)
by Vchat20 on Friday, October 10 @ 04:38:57 CEST
http://www.pokeradio.com/
Do I need this for 7.0?



Re: Downloads & Web Links vulnerability Patch (Score: 1)
by luchtzak on Friday, October 10 @ 16:03:35 CEST
http://www.luchtzak.be
Thanks for the update!!



Re: Downloads & Web Links vulnerability Patch (Score: 1)
by VinDSL on Friday, October 10 @ 03:24:15 CEST
http://www.lenon.com/
Woo hoo! Drama!

I'm sorry, but this reminds me of swimming in the ocean. Anyone ever done this before - surrounded by kelp, with the taste of salt water stinging your nostrils and so forth? You know there are sharks and eels out there, just waiting to eat you, but you figure, "What are the chances of them getting me," right???

At what point do we quit being afraid of our shadows and realize that danger lurks around every corner, no matter what we do?

What's my point? I dunno. You tell me... :)



Re: Downloads & Web Links vulnerability Patch (Score: 1)
by Mesum on Thursday, October 09 @ 14:29:04 CEST
http://www.desitribe.com
Both of the modules above that I am using are not the core ones: Downloads from NukeStyles and Web_Links from PAL (who claims to have a complete rewrite of this module). Should I still apply the patch?
Is there a readme file just to make changes?



Re: Downloads & Web Links vulnerability Patch (Score: 1)
by moogles on Thursday, October 09 @ 16:12:35 CEST
Warning: setlocale(): Passing locale category name as string is deprecated. Use the LC_* -constants instead.

6.0

PHP 4.3.2
I fixed it up, but the distribution should have that fixed :P



Re: Downloads & Web Links vulnerability Patch (Score: 1)
by Zona-Software on Thursday, July 15 @ 21:10:43 CEST
http://www.zona-software.com
This vulnerability is basic in many Nukes.



Re: Downloads & Web Links vulnerability Patch (Score: 1)
by mikeshields on Tuesday, November 09 @ 20:23:54 CET
http://www.shepro.org
Thanks for the update :-))

