Incidentally, there are a few other places where $_POST['fct'] & $_GET['fct'] are used in the core; we should look into those areas too.
wtravel - that looks rather good to me as well.
Vaughan's solution will work. Another solution to prevent this problem is to validate user input for $_POST['fct'] to see if the requested directory even exists. In order to do this, a few lines should be added, as well as a new constant to the language file(s):
File: modules/system/admin.php
Add after line: include_once XOOPS_ROOT_PATH.'/class/xoopsmodule.php'; (line 56?)
Quote:
Does impress have a security list that users can subscribe to?
News posted on ImpressCMS.
Quote:
Good idea Tom. Also the people here need to know of the patch as well.
http://www.securityfocus.com/bid/30330/info
Does impress have a security list that users can subscribe to?
I am subscribed to the Drupal security list and the site emails me if there are issues. In fact I get a lot of emails from Drupal about security issues. Although this is the main reason I don't use Drupal anymore. Too many patches... Seemed like twice or three times a week I had to update my Drupal sites. Err...
Thank god for impress!
Yes, that's correct, as is_admin is checked before the script continues.
But nonetheless, it's a potential problem.
Trabis has posted over on xoops that only a webmaster could pull off this hack.
Xoops post dealing with this issue.
Corrected a bug in my above post... I missed a closing bracket off both the preg_replace functions.
Good idea Tom. Also the people here need to know of the patch as well.
http://www.securityfocus.com/bid/30330/info
Is anyone dealing with packaging a new version for 1.0?
Perhaps we should make this news also.
Thank you sir... That was fast! Thanks sato-san for bringing this to the community's attention!
It should do, yes.
Man thank you for that patch. Will this patch work for 2.0.18 as well Vaughan?
Hmmm, and yep, I think ICMS is vulnerable also from the looks of it.
We can protect from this though.
Open modules/system/admin.php
Find near the beginning of the file >
...modules/system/admin.php in XOOPS 2.0.18 1
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3296
Oh, yes, PHPMyadmin...
My customer got hosting from another company. They gave a user & pass, then changed them and I don't have them. I requested them from the customer and am waiting for a response. No phpMyAdmin, no FTP service, no nothing. I can't even install phpMyAdmin by myself.
Plan is to back up the whole database, then back up the damaged table, then attempt automatic repair.
I don't know if a query can have that effect.
Have you tried the relevant phpmyadmin functions to examine the tables? (check, repair, analyze, optimize)
Something else to check is that the MySQL data files that contain the tables have the right permissions and owner. I've had odd errors when those attributes got messed up when copying the files from one computer to another.
Yep, that's the question.
I don't mean "drop" a table, or "remove data" of a table or anything like that. I mean error 1016: can't open file.
Sounds like a hardware failure, but is it possible to make this happen via software? I'm sure it's hardware failure, but I'll have to demonstrate it to a customer of mine.