058-016 - Acronym Mod v0.9.5 Remote SQL Injection

Posts: 489 Location: Sabadell

Sun 07 Jan, 2007 02:27

Subject: 058-016 - Acronym Mod v0.9.5 Remote SQL Injection

Hi all,

The Acronym Mod which is included in phpBB XS 2 Build 058b is Vulnerable and should be fixed ASAP.
Please make these codechanges in the file /adm/admin_acronyms.php

OPEN admin_acronyms.php

FIND

Code: [Download] [Hide] [Select]

$acronym_id = ( isset($_GET['id']) ) ? $_GET['id'] : 0;

REPLACE WITH

Code: [Download] [Hide] [Select]

$acronym_id = ( isset($_GET['id']) ) ? intval($_GET['id']) : 0;

FIND

Code: [Download] [Hide] [Select]

$acronym_id = ( isset($_POST['id']) ) ? $_POST['id'] : 0;

REPLACE WITH

Code: [Download] [Hide] [Select]

$acronym_id = ( isset($_POST['id']) ) ? intval($_POST['id']) : 0;

FIND

Code: [Download] [Hide] [Select]

$acronym_id = ( isset($_POST['id']) ) ? $_POST['id'] : $_GET['id'];

REPLACE WITH

Code: [Download] [Hide] [Select]

			$acronym_id = ( isset($_POST['id']) ) ? intval($_POST['id']) : intval($_GET['id']);

Thanks MG to FIX.

Greets

Profile PM Website MSN Skype

This topic is locked: you cannot edit posts or make replies.

Page 1 of 1

You cannot post new topics
You cannot reply to topics
You cannot edit your posts
You cannot delete your posts
You cannot vote in polls
You cannot attach files
You can download files
You cannot post calendar events

This is a "Lo-Fi" version of our main content. To view the full version with more information, formatting and images, please click here.

Powered by Icy Phoenix based on phpBB
Generation Time: 0.1868s (PHP: 9% SQL: 91%)
SQL queries: 10 - Debug Off - GZIP Enabled

Icy Phoenix

Icy Phoenix - Powering Communities

058-016 - Acronym Mod v0.9.5 Remote SQL Injection