servetas (Moderators), posted April 15, 2013:

I just saw this website... Do you know anything about that? http://www.exploit-db.com/exploits/24960/
Tom, posted April 15, 2013:

The reason I rewrote VAForum to begin with was because exploits were found, so I would guess you'll want to fix that one up soon before people start using it. phpVMS on its own is quite secure. As an alternative you can always use SimpleNews: https://github.com/tomsterritt/SimpleNews
Nabeel (Administrators), posted April 16, 2013:

Thanks for the heads up - I've contacted the addon's author. Remember - don't trust ANY input - cast values to the appropriate type (in this case, integer) and then escape everything that comes in.
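The advice in the post above, as an added example that is not part of the thread or the PopUpNews module's code: strict integer validation of a request value, followed by a bound query parameter used here in place of manual escaping. The `news` table, the function names and the in-memory SQLite database are assumptions for illustration.

```php
<?php
// Added example: hypothetical table and function names, not the PopUpNews module's code.
declare(strict_types=1);

/** Return a positive integer id, or null when the raw value is not a clean integer. */
function parse_id($raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null; // arrays (?id[]=2) and other types are rejected outright
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Look up one news item; the id is bound as an integer parameter, never concatenated. */
function get_news_item(PDO $db, $rawId): ?array
{
    $id = parse_id($rawId);
    if ($id === null) {
        return null; // malformed ids never reach the database
    }
    $stmt = $db->prepare('SELECT id, subject FROM news WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory SQLite database (needs the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, subject TEXT)');
$db->exec("INSERT INTO news (subject) VALUES ('Fleet update'), ('New hub')");

// Constructed request values, as they might arrive in a query string.
foreach (['2', '2abc', '2 OR 1=1', '-1', '', ['2'], '99'] as $raw) {
    $item = get_news_item($db, $raw);
    // Encode on output as well, since stored text is also untrusted.
    $shown = htmlspecialchars($item['subject'] ?? '(rejected or not found)', ENT_QUOTES, 'UTF-8');
    printf("%-12s => %s\n", json_encode($raw), $shown);
}
```

A plain `(int)` cast would turn a value such as `2abc` into `2` and serve that row; validating with `FILTER_VALIDATE_INT` rejects the malformed value instead.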
simpilot (Administrators), posted April 16, 2013:

The module has been updated on GitHub. The method that is used in this exploit example is also over a year old; the module was updated in March 2012 to normalize the functions within the phpVMS environment. If you are using the version that was updated in March of 2012, you only need to replace the PopUpNews.php and PopUpNewsData.class.php files, or make the edits to them. If you are using the older version that used the "$_GET" method, I would suggest updating to the latest version.

Commits can be found here -> https://github.com/DavidJClark/phpVMS-PopUpNews/commits/master
Module can be found here -> https://github.com/DavidJClark/phpVMS-PopUpNews