Security Announcements
cantex
Posted: August 25, 2006 11:31 pm
The June 2006 fix-file made a major mistake when fixing an issue. This error means that external files can be run on your webserver. Several of our sites fell victim today to this. In /coin_includes/session_set.php around line 54 are the lines
Note that the code line is commented out. UNCOMMENT THIS LINE and you will be safe. You will get the bug back, but it is a minor annoyance that will be better addressed in the next fix-file (or you can grab the fix from CVS).

You can also grab the changes/files/patch files from CVS:

Security Fix: Download new file or view diffs, or download patch file
Double-Arrays: Download new file, or view diffs, or download patch file

[edit 2006-08-31 by cantex] According to the security advisory sites, this is only an issue if you run your webserver with register_globals ON, against recommended practice. Nevertheless, I recommend that you make the suggested fix anyway.

--------------------
Please do not email or PM me with a question:

1: I handle over a thousand emails a day, so chances are yours would be buried in the pile.
2: All questions will only be answered in the support forums, so the answers will be useful to others.

Help will be given to install/configure/use phpCOIN, but not programming help to modify phpCOIN operations. If you are competent enough to make programming changes, you should be competent enough to read the source code and figure things out :)

If you are trying to integrate posted sample code into your website, please take into account any changes in phpCOIN made after the code sample was posted. It is discouraging to spend hours answering questions or trying to track down an issue only to find that the user has a version of phpCOIN that makes the sample irrelevant.
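The edit note in the post ties the exposure to register_globals being ON, so a quick offline check of that setting is useful alongside the fix. The following is an added example, not part of the original post or of phpCOIN: it reads a copy of php.ini plus any Apache or .htaccess overrides, and the function names and sample file contents are constructed for illustration.

```python
import re

def is_on(value):
    """PHP boolean ini semantics: on/true/yes or any non-zero integer means enabled."""
    v = value.strip().strip("\"'").lower()
    return v in {"on", "true", "yes"} or (v.lstrip("-").isdigit() and int(v) != 0)

def ini_register_globals(text):
    """register_globals as set in php.ini text. If the directive is absent this
    returns False (assumption: PHP 4.2.0 or later, where Off is the default)."""
    value = False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a php.ini comment
        m = re.match(r"register_globals\s*=\s*(.*)$", line, re.I)
        if m:
            value = is_on(m.group(1))            # a later assignment replaces an earlier one
    return value

def apache_override(text):
    """register_globals set through php_flag / php_value (or the php_admin_ forms)
    in a vhost or .htaccess file; None when no such directive is present."""
    value = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):                 # '#' starts an Apache config comment
            continue
        m = re.match(r"php_(?:admin_)?(?:flag|value)\s+register_globals\s+(\S+)", line, re.I)
        if m:
            value = is_on(m.group(1))
    return value

def effective(ini_text, apache_text=""):
    """Per-directory overrides take precedence over php.ini."""
    override = apache_override(apache_text)
    return ini_register_globals(ini_text) if override is None else override

# Constructed sample inputs (not taken from any real server).
SAMPLE_INI = """\
; constructed sample php.ini
;register_globals = On
register_globals = Off
"""
SAMPLE_HTACCESS = """\
# constructed sample .htaccess
php_flag register_globals on
"""

if __name__ == "__main__":
    print("php.ini only:", effective(SAMPLE_INI))
    print("with .htaccess override:", effective(SAMPLE_INI, SAMPLE_HTACCESS))
```

A php.ini that says Off is not sufficient on its own: the second sample shows a per-directory override turning the setting back on for the application.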