PEAK XOOPS - Re: Protecting xoopsgallery hack

Re: Protecting xoopsgallery hack

Posted on 2008/1/9 13:05
rgriff59  Private  Posts: 1
I don't use the affected version of xoopsgallery, but here is a hack that catches the POC. Add these lines just before the final "}" in TRUST PATH modules/protector/include/postcheck_functions.php

// xoopsgallery protection hack
if (isset($_GET['GALLERY_BASEDIR'])) {
  if ((substr($_GET['GALLERY_BASEDIR'], 0, 5) == 'http:') ||
      (substr($_GET['GALLERY_BASEDIR'], 0, 4) == 'ftp:')) {
    die("xoopsgallery remote file include attack");
  }
}

Since xoopsgallery.org is offline, I have no way to check on the status or possibility of a proper fix, but maybe this will help you stay up long enough to find and implement a better solution.

Good luck,
-Richard
Votes:20 Average:5.50
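
A stricter variant of the check in the post above, as an added example that is not part of the original post or of Protector: it rejects any GALLERY_BASEDIR value that begins with a URL scheme, compares case-insensitively, and looks at POST and cookie input as well as GET. The function names and the sample values are assumptions made up for this example.

```php
<?php
// Added example: not code from Protector or xoopsgallery.
// Function names and sample values below are constructed for illustration.

// True when $value is not a plain string or begins with a URL scheme /
// stream wrapper ("http:", "FTP:", "https:", ...). A scheme needs at least
// two characters here, so a Windows drive letter such as "C:" is not flagged.
function gallery_basedir_is_remote($value)
{
    if (!is_string($value)) {
        return true; // arrays and other types are never a valid directory
    }
    return preg_match('#^[a-z][a-z0-9+.\-]+:#i', $value) === 1;
}

// Returns the name of the first input source carrying a rejected
// GALLERY_BASEDIR value, or null when every source is clean.
function check_gallery_basedir(array $sources)
{
    foreach ($sources as $name => $params) {
        if (isset($params['GALLERY_BASEDIR'])
            && gallery_basedir_is_remote($params['GALLERY_BASEDIR'])) {
            return $name;
        }
    }
    return null;
}

// Same placement as the original hack: refuse the request before any include.
$inputs = array('GET' => $_GET, 'POST' => $_POST, 'COOKIE' => $_COOKIE);
if (check_gallery_basedir($inputs) !== null) {
    die("xoopsgallery remote file include attack");
}

// Constructed sample values => expected verdict.
$samples = array(
    array('modules/xoopsgallery/', false),
    array('C:\\xoops\\modules\\xoopsgallery\\', false),
    array('http://host.example/', true),
    array('FTP://host.example/', true),
    array(array('http://host.example/'), true),
);
foreach ($samples as $s) {
    $got = gallery_basedir_is_remote($s[0]);
    printf("%-40s %s\n", json_encode($s[0]), $got === $s[1] ? 'ok' : 'MISMATCH');
}
```

Like the original hack, this is a request filter in front of the module and does not replace a fix in xoopsgallery itself.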
