Possible Security Hole Fixed

Postby Jeremy » 2007-02-12 12:26 am

There may be a security vulnerability in 5.1.2 on some servers: http://www.aardvarktopsitesphp.com/foru ... php?t=6144

If your MySQL user has FILE permissions, then you are vulnerable. To fix it, replace sources/in.php with this file: http://www.aardvarktopsitesphp.com/in.php.txt (renamed to in.php of course).

Please let me know if this causes any problems. If everything works well I will incorporate this into the default package as soon as possible. Thank you!

EDIT (Feb 15): I have put it in the default package, so anyone doing a new install has nothing to worry about.
Last edited by Jeremy on 2007-02-15 03:35 pm, edited 2 times in total.
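A defender-side check for the condition Jeremy names above (the application's MySQL account holding the global FILE privilege), plus the least-privilege fix. This is an added example, not code from the thread or from Aardvark Topsites: it parses the text form of SHOW GRANTS output instead of connecting to a database, and the account name, host and grant lines are constructed placeholders.

```python
import re

# Constructed sample of `SHOW GRANTS FOR 'topsites'@'localhost'` output; the account
# name and host are placeholders, not values from the thread.
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO 'topsites'@'localhost' IDENTIFIED BY PASSWORD '*REDACTED'",
    "GRANT SELECT, INSERT, UPDATE, DELETE, FILE ON *.* TO 'topsites'@'localhost'",
    "GRANT ALL PRIVILEGES ON `topsites`.* TO 'topsites'@'localhost'",
]

# GRANT <privileges> ON <object> TO <grantee> [IDENTIFIED BY ... | WITH GRANT OPTION]
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<obj>\S+)\s+TO\s+(?P<grantee>\S+)",
    re.IGNORECASE,
)

# Held on *.*, any of these lets the account read and write files on the DB host.
FILE_EQUIVALENT = {"FILE", "ALL", "ALL PRIVILEGES"}


def parse_grant(line):
    """Split one SHOW GRANTS line into (privilege set, object, grantee); None if not a GRANT."""
    m = GRANT_RE.match(line.strip())
    if not m:
        return None
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    return privs, m.group("obj"), m.group("grantee")


def file_privilege_grantees(grant_lines):
    """Grantees whose global (*.*) grants include FILE, directly or via ALL.

    FILE is a global-only privilege, so ALL PRIVILEGES on a single database
    (e.g. `topsites`.*) does not confer it and is not reported.
    """
    found = []
    for line in grant_lines:
        parsed = parse_grant(line)
        if parsed is None:
            continue
        privs, obj, grantee = parsed
        if obj == "*.*" and privs & FILE_EQUIVALENT and grantee not in found:
            found.append(grantee)
    return found


def revoke_statements(grant_lines):
    """Least-privilege remediation: one REVOKE per account that holds FILE globally."""
    return [f"REVOKE FILE ON *.* FROM {g};" for g in file_privilege_grantees(grant_lines)]


if __name__ == "__main__":
    for stmt in revoke_statements(SAMPLE_GRANTS):
        print(stmt)
```

Run the real SHOW GRANTS for the account the topsite's config uses and feed its rows to `file_privilege_grantees`; an empty result means the precondition Jeremy describes does not hold on that server.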

Postby Jeremy » 2007-02-12 04:44 pm

anybody?

Postby funnygirl » 2007-02-12 07:44 pm

Hello Jeremy,

I'm trying my very best to understand the problem, but I'm not sure what you mean :?
You mean if there are files with chmod 777?
That causes the automatic registrations that happen with the new version?
Because indeed I can't find them in the Apache logs when they register.
And indeed again I've had a file (someone put it on my server) that didn't belong on my server and I couldn't delete it myself.

If that's the problem you're talking about I would be glad to try out your in.php

Indeed the spammers are regularly .ru sites :?
If I'm totally wrong and this isn't the problem, just delete this message :wink:

Regards,
funnygirl

Postby whitesell » 2007-02-13 10:19 am

Hi Jeremy,

I updated to the new in.php and see no problems... will post again if anything shows up.

Postby Jeremy » 2007-02-13 11:41 am

funnygirl: no, it's MySQL permissions, not file permissions.

Thanks whitesell. If nobody has any problems by tomorrow, I will put it in the default release.

Postby funnygirl » 2007-02-13 07:09 pm

Thanks Jeremy, now I understand what you mean.
I've tried the new in.php, but it doesn't work with older members from the 4.x version (upgraded from 4.x).
If they vote from their site, they directly get the message that you can't access this file directly.
Is that maybe because those older members are also in another table in the database named members, and the new version's table is named sites?
And now I do understand the spam that's always in the reviews and comments by the new members who came since I upgraded, with lots of URLs :?

Postby funnygirl » 2007-02-13 07:39 pm

:roll: Oops, I've put the file into the wrong directory, in the main one; it had to be in sources, but there I get an error message if I try to vote on a site, /misc/session.php on line 41
Cannot modify header information - headers already sent by (output started at sitename.. topsites/sources/in.php:159) in /sitename../topsites/sources/misc/session.php on line 41
Code:
    if ($cookie) {
        setcookie("atsphp_sid_{$type}", $sid);
    }

Don't have a clue how to fix that :wink:

Postby bunnies_00 » 2007-02-13 07:47 pm

read my thread please
Good Luck!

Re: Possible Security Hole - Please Help Test the Patch

Postby PPNSteve » 2007-02-14 03:24 am

Jeremy Scheff wrote: There may be a security vulnerability in 5.1.2 on some servers: http://www.aardvarktopsitesphp.com/foru ... php?t=6144

If your MySQL user has FILE permissions, then you are vulnerable. To fix it, replace sources/in.php with this file: http://www.aardvarktopsitesphp.com/in.php.txt (renamed to in.php of course).

Please let me know if this causes any problems. If everything works well I will incorporate this into the default package as soon as possible. Thank you!

So far no issues noted on my somewhat busy topsite... seems to work just fine.

Postby funnygirl » 2007-02-15 06:46 pm

Good evening

What else can I do, Jeremy?
Is it maybe caused because the upgrade version also has an in.php in the main directory?

Postby Jeremy » 2007-02-16 06:18 pm

funnygirl: see if there are any blank lines at the top or bottom of in.php and delete them

Postby funnygirl » 2007-02-16 07:55 pm

You're good, you're very good!! :P
I would never have found this out by myself; indeed I had 2 blank lines at the bottom. Looks like it works great now :P
Thanks again Jeremy, you're really good! :wink:

Postby BMCK » 2007-02-17 08:51 am

Thanks for the security fix - good work...

Postby cybergamezone » 2007-02-17 02:05 pm

Works fine here.

ty

Postby boardhopper » 2007-02-17 02:26 pm

Seems to be working just fine here also. Thanks.
