PEAK XOOPS - SPAW 1.x vulnerability?

SPAW 1.x vulnerability?

Date 2007-01-25 06:25:56 | Category: XOOPS

http://blog.solmetra.com/2007/01/19/php-vulnerability-possibly-affecting-spaw-1x-installations/
It looks curious...
Old PHP enables variables after unset() if it runs with register_globals=on ...?

If you are applicatable such conditions and you use common/spaw (TinyD etc.), you'd better update common/spaw.

- Download the latest TinyD
- Overwrite common/spaw/dialogs/img_library.php

Anyway, you MUST turn register_globals off, and you should turn allow_url_fopen off.

Moreover, I recommend you to use common/fckeditor instead of common/spaw.

You can read more news at PEAK XOOPS.
http://xoops.peak.ne.jp

The URL for this story is:
http://xoops.peak.ne.jp/md/news/index.php?page=article&storyid=398