05/23/07 07:00pm  

David Slater

Anonymous
hey all
my sites where hacked and the system admin requested that I refer to http://xforce.iss.net/xforce/xfdb/27469 (a link from 2006)
is there a fix? one of these sites is running 1.4.1??? (I am updating my other one from 1.3.1 (ya ya I know old . . .)

DAVE
 05/23/07 09:06pm  
Status: offline

jmucchiello

Forum User
Full Member
Registered: 08/29/05
Posts: 985
That attack is only feasible if register globals is on. Also, $_CONF['path'] is never referenced by the code before it is overwritten in config.php. So while this attack is potentially a problem it would be impossible to exploit without other security holes allowing the user to upload arbitrary files to arbitrary directories.

Looking through the list of files, all of them have code that prevents them from being loaded directly from a browser. So that also stops this attack cold:
Text Formatted Code
if (strpos ($_SERVER['PHP_SELF'], 'functions.inc') !== false) {
    die ('This file can not be used on its own.');
}

 05/24/07 01:58am  
Status: offline

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Quote by: David Slater

my sites where hacked and the system admin requested that I refer to http://xforce.iss.net/xforce/xfdb/27469 (a link from 2006)


This has long been fixed and only applied to sites that didn't follow the installation instructions anyway (plus have register_globals = on, as Joe pointed out).