vALDEUx_at_aol.com
Date: Thu Nov 28 2002 - 11:50:50 CST


    PRODUCT : PORTAILPHP
            http://www.yoopla.net/portailphp/
            A nice PHP CMS

    PROBLEM : XSS
            SQL INJECTION
            in /mod_search/index.php
            read it for more details :)

    SOLUTION : Download patch from http://www.phpsecure.org
            or manually add these lines at the beginning of /mod_search/index.php :
                    /* XSS AND SQL HOLES PATCHED BY WWW.PHPSECURE.ORG */
                    $rech = str_replace("'",'',$rech); // protection anti SQL injection
                    $BD_Tab_docs = str_replace('`','',$BD_Tab_docs); // idem
                    $BD_Tab_file = str_replace('`','',$BD_Tab_file); // idem
                    $BD_Tab_liens = str_replace('`','',$BD_Tab_liens); // idem
                    $BD_Tab_faq = str_replace('`','',$BD_Tab_faq); // idem
                    $chemin = htmlentities($chemin); // anti XSS
                    $App_Theme = htmlentities($App_Theme); // idem
                    $Rub_Search = htmlentities($Rub_Search); // idem
                    $Rub_News = htmlentities($Rub_News); // idem
                    $Rub_File = htmlentities($Rub_File); // idem
                    $Rub_Liens = htmlentities($Rub_Liens); // idem
                    $Rub_Faq = htmlentities($Rub_Faq); // idem
                    /* END OF SECURITY PATCH */
            or wait for an official release ... at your own risk.
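The patch above works by stripping quote and backtick characters from the inputs. As an added example (not PortailPHP's or phpsecure.org's code), the same search handler written so the fix does not depend on scrubbing: the search term is bound as a prepared-statement parameter, the table name is checked against an allowlist, and the term is escaped with htmlentities() when echoed back. The function, table and column names (searchModule, docs, titre) are assumptions.

```php
<?php
// Added example, not PortailPHP's own code. Table and column names are assumed.

// Only the tables the search module is meant to query may reach the SQL text.
// This replaces the backtick stripping on $BD_Tab_* in the patch: a name that
// is not on the list never becomes part of a query at all.
const SEARCH_TABLES = ['docs', 'file', 'liens', 'faq'];

function searchModule(PDO $db, string $table, string $rech): array {
    if (!in_array($table, SEARCH_TABLES, true)) {
        throw new InvalidArgumentException("unknown search table: $table");
    }
    // $rech is passed as a bound parameter, so quotes and backslashes in it are
    // data rather than SQL syntax; no str_replace("'", '', $rech) is needed.
    // (% and _ are still LIKE wildcards; escape them too if that matters.)
    $stmt = $db->prepare("SELECT id, titre FROM `$table` WHERE titre LIKE :pat");
    $stmt->execute([':pat' => '%' . $rech . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Escape at output time, as the patch's htmlentities() lines do for the theme
// and rubric variables. ENT_QUOTES also covers values placed in attributes.
function renderResults(array $rows, string $rech): string {
    $out = '<p>Results for ' . htmlentities($rech, ENT_QUOTES, 'UTF-8') . "</p>\n<ul>\n";
    foreach ($rows as $row) {
        $out .= '  <li>' . htmlentities($row['titre'], ENT_QUOTES, 'UTF-8') . "</li>\n";
    }
    return $out . "</ul>\n";
}

// Constructed in-memory fixture so the example runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE docs (id INTEGER PRIMARY KEY, titre TEXT)");
$db->exec("INSERT INTO docs (titre) VALUES ('Installation'), ('O''Reilly guide'), ('FAQ')");

// A term containing a quote is matched literally instead of altering the query,
// and the <b> in the echoed term is rendered as text, not as markup.
$rows = searchModule($db, 'docs', "O'Reilly");
echo renderResults($rows, "O'Reilly <b>");

// A table name outside the allowlist is refused before any SQL is built.
try {
    searchModule($db, 'docs` WHERE 1', 'x');
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```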

    CREDITS : http://www.phpsecure.org :)