CVE-2014-8596 PHPFusion 7.02.07 – SQL Injection
Asked Modified Viewed 8,097 times
asked
Hi every one,
How to fix this vulnerability?
CVE-2014-8596 PHPFusion 7.02.07 – SQL Injection
Thanks advance,
How to fix this vulnerability?
CVE-2014-8596 PHPFusion 7.02.07 – SQL Injection
Thanks advance,
answered
Missing checks and a misplaced parenthesis. Sad.
Just wanted to mention that unless you have admins you don't trust with access to submissions and members or get targeted for exploitation in a very hard way at network level you should not worry.
To fix this:
[ulist=disc]open administration/submissions.php and add after/below require_once "../maincore.php"; this line[/ulist]
[ulist=disc]open administration/members.php and on line #31 replace this [/ulist]
with this
Just wanted to mention that unless you have admins you don't trust with access to submissions and members or get targeted for exploitation in a very hard way at network level you should not worry.
To fix this:
[ulist=disc]open administration/submissions.php and add after/below require_once "../maincore.php"; this line[/ulist]
Code Download source
if (isset($_GET['submit_id']) && !isnum($_GET['submit_id'])) { $_GET['submit_id'] = 0; }[ulist=disc]open administration/members.php and on line #31 replace this [/ulist]
Code Download source
$status = (isset($_GET['status']) && isnum($_GET['status'] && $_GET['status']) < 9 ? $_GET['status'] : 0);with this
Code Download source
$status = (isset($_GET['status']) && isnum($_GET['status']) && $_GET['status'] < 9 ? $_GET['status'] : 0);Edited by JoiNNN on 11-11-2014 10:45,
answered
Just trust your admins and trust PHPFusions checkrights and aid which do their jobs nicely so no issue. :G
answered
And if we don't?
answered
You mean Don't trust your admins?
Falk
Falk 131
Need help?, Having trouble?
• View our Documentation for Guides, Standards and Functions
• Name and Organize your Topics and Content correctly in the corresponding Forums for best support results
• Attaching Log Files and Screenshots when reporting issues will help
• Provide with an URL to live example if one exists
• Please read the How to Report an Error post
• Please read and comply with the Code of Conduct
• View our Documentation for Guides, Standards and Functions
• Name and Organize your Topics and Content correctly in the corresponding Forums for best support results
• Attaching Log Files and Screenshots when reporting issues will help
• Provide with an URL to live example if one exists
• Please read the How to Report an Error post
• Please read and comply with the Code of Conduct
(¯·._.·(¯°·._.·°º*[ Project Manager ]*º°·._.·°¯)·._.·¯)
- Super Admin, joined since
- Contributed 6,201 posts on the community forums.
- Started 639 threads in the forums
- Answered 11 questions
Nice fixes JoiNNN, thank you. Wanna git em?
answered
The members.php one is OK but the other one no. It has to be properly fixed. Or even better, we change they way we check GETs from no on, when we have a page with GETs we check right at the top (as I did in submission.php fix) if a given GET is set and if the value is valid, if not add a fallback or in worse cases redirect. This way not only we don't have to check GETs every time we do IFs and ELSEs and worry about forgetting a check but will also make it so much easier to maintain.
Edited by JoiNNN on 12-11-2014 00:05,
answered
Thank you so much JoiNNN
Category Forum
Announcements & Security IssuesLabels
None yet
Statistics
- Views 0 views
- Posts 7 posts
- Votes 0 votes
- Topic users 5 members
5 participants
Falk 131
Need help?, Having trouble?
• View our Documentation for Guides, Standards and Functions
• Name and Organize your Topics and Content correctly in the corresponding Forums for best support results
• Attaching Log Files and Screenshots when reporting issues will help
• Provide with an URL to live example if one exists
• Please read the How to Report an Error post
• Please read and comply with the Code of Conduct
• View our Documentation for Guides, Standards and Functions
• Name and Organize your Topics and Content correctly in the corresponding Forums for best support results
• Attaching Log Files and Screenshots when reporting issues will help
• Provide with an URL to live example if one exists
• Please read the How to Report an Error post
• Please read and comply with the Code of Conduct
(¯·._.·(¯°·._.·°º*[ Project Manager ]*º°·._.·°¯)·._.·¯)
- Super Admin, joined since
- Contributed 6,201 posts on the community forums.
- Started 639 threads in the forums
- Answered 11 questions
Homdax 10
- Fusioneer, joined since
- Contributed 2,246 posts on the community forums.
- Started 108 threads in the forums
Craig 14
- Fusioneer, joined since
- Contributed 4,462 posts on the community forums.
- Started 212 threads in the forums
JoiNNN 10
- Veteran Member, joined since
- Contributed 850 posts on the community forums.
- Started 100 threads in the forums
alexai 10
Sorry, i can speak English a little
- Newbie, joined since
- Contributed 4 posts on the community forums.
- Started 2 threads in the forums
- Started this discussions
Notifications
Track thread
You are not receiving notifications from this thread.
Related Questions