PEAK XOOPS - Re: Protecting xoopsgallery hack 
TOP
>
Forum
>
XOOPS Modules
>
Protector
>
XoopsGallery vulnerablity
>
Re: Protecting xoopsgallery hack
Re: Protecting xoopsgallery hack
Re: Protecting xoopsgallery hack
msg# 1.2.1
- depth:
- 2
GIJOE
Posts: 4110
Posts: 4110
I read
http://www.xoops.org/modules/newbb/viewtopic.php?topic_id=62321&forum=4&post_id=281125
and
http://packetstormsecurity.org/0801-exploits/xoopsgal-rfi.txt
Quote:No. It looks not enough.
LFI still exists even with your patch.
You have to add some lines into mainfile.php instead of Protector, at least.
And I have to say "stop using such an organic vulnerable module right now".
This warning will continue until all of stupid code like "extract($_GET);" are eliminated in the module.
http://www.xoops.org/modules/newbb/viewtopic.php?topic_id=62321&forum=4&post_id=281125
and
http://packetstormsecurity.org/0801-exploits/xoopsgal-rfi.txt
Quote:
rgriff59 wrotes:
Since xoopsgallery.org is offline, I have no way to check on the status or possibility of a proper fix, but maybe this will help you stay up long enough to find and implement a better solution.
LFI still exists even with your patch.
You have to add some lines into mainfile.php instead of Protector, at least.
if( isset($_GET['GALLERY_BASEDIR'])) {
die("xoopsgallery remote file include attack");
}
And I have to say "stop using such an organic vulnerable module right now".
This warning will continue until all of stupid code like "extract($_GET);" are eliminated in the module.
Votes:17
Average:4.12
Posts tree
-
Re: Protector
(dharley, 2008/1/8 4:39)
-
Re: Protector
(GIJOE, 2008/1/8 4:59)
-
Re: Re: Protector
(dharley, 2008/1/8 9:22)
-
-
Re: Protecting xoopsgallery hack
(rgriff59, 2008/1/9 13:05)
-
Re: Protecting xoopsgallery hack
(GIJOE, 2008/1/9 17:26)
-
-
Re: Re: Protector
(GIJOE, 2008/1/12 5:03)
-
Login