servetas (Moderators), posted April 15, 2013:
I just saw this website... Do you know anything about that? http://www.exploit-db.com/exploits/24960/
Tom, posted April 15, 2013:
The reason I rewrote VAForum to begin with was because exploits were found, so I would guess you'll want to fix that one up soon before people start using it. phpVMS on its own is quite secure. As an alternative you can always use SimpleNews: https://github.com/tomsterritt/SimpleNews
Nabeel (Administrators), posted April 16, 2013:
Thanks for the heads up - I've contacted the addon's author. Remember - don't trust ANY input - cast values to the appropriate type (in this case, integer) and then escape everything that comes in.
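The cast-and-escape advice in the post above, as an added example that is not from the thread or from the PopUpNews module. It assumes the untrusted value is a numeric news id used in a database lookup; the `news` table, `parseId` and `findNewsItem` are hypothetical names.

```php
<?php
declare(strict_types=1);

// Hypothetical schema and row (constructed); in-memory SQLite so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, subject TEXT, body TEXT)');
$db->exec("INSERT INTO news VALUES (7, 'Fleet <update>', 'New aircraft added.')");

/** Return a positive integer id, or null if the raw value is anything else. */
function parseId(mixed $raw): ?int
{
    if (!is_string($raw)) {
        return null; // arrays (?id[]=1) and missing parameters are rejected
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Look up one item; the id is bound as a typed parameter, never concatenated. */
function findNewsItem(PDO $db, mixed $rawId): ?array
{
    $id = parseId($rawId);
    if ($id === null) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, subject, body FROM news WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs standing in for a request parameter.
foreach (['7', '7 OR 1=1', 'abc', ['7'], null] as $raw) {
    $item = findNewsItem($db, $raw);
    $shown = $item === null
        ? 'rejected or not found'
        : htmlspecialchars($item['subject'], ENT_QUOTES, 'UTF-8'); // escape on output too
    // A bare (int) cast would turn "7 OR 1=1" into 7; strict validation rejects it.
    printf("%-12s => %s\n", json_encode($raw), $shown);
}
```

Only the plain string `7` returns a row; every other input is rejected before the query runs, and the stored subject is HTML-escaped when displayed.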
simpilot (Administrators), posted April 16, 2013:
The module has been updated on GitHub. The method that is used in this exploit example is also over a year old; the module was updated in March 2012 to normalize the functions within the phpVMS environment. If you are using the version that was updated in March of 2012 you only need to replace the PopUpNews.php and PopUpNewsData.class.php files, or make the edits to them. If you are using the older version that used the "$_GET" method I would suggest updating to the latest version.
Commits can be found here -> https://github.com/DavidJClark/phpVMS-PopUpNews/commits/master
Module can be found here -> https://github.com/DavidJClark/phpVMS-PopUpNews