Ravens PHP Scripts

UPDATE! New SQL Injection Issues In Nuke!
Date: Tuesday, February 10, 2004 @ 16:23:34 CST
Topic: Security


Admin Note: I have updated the code. Chatserv and I have spent several hours testing this. Let me know if you find any holes in my present solution.

Without going into the details, there are a couple of new SQL injection exploits out there. I recommend that the following code be placed at the beginning of modules/Reviews/index.php and modules/News/friend.php:

// Decode the query string once so an encoded '<' (%3c) shows up as a literal '<'
// and a double-encoded one (%253c) shows up as '%3c'
$test = rawurldecode($_SERVER["QUERY_STRING"]);
// stristr is case-insensitive, so '%3C' is caught as well as '%3c'
if (stristr($test, '%3c') || strstr($test, '<')) {
    $loc = $_SERVER['QUERY_STRING'];
    header("Location: hackattempt.php?$loc");
    exit; // stop here: without this the rest of the script still runs with the injected input
}

If you don't have a copy of my hackattempt.php file, download it! Alternatively, you could redirect them to index.php, but then you don't get an email advising you of the hack attempt.
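As an added illustration (this is not code from the post or from PHP-Nuke), the script below wraps the same query-string check in a function, runs it over a few constructed query strings, and pairs it with an intval() step for numeric parameters. The parameter names (op, id) and the sample values are made up for the demonstration; stristr() is used for the %3c test so that upper-case encoding is caught too.

```php
<?php
// Added example, not part of the Ravens PHP Scripts post: exercises the recommended
// query-string check against constructed requests and shows the parameter-validation
// step that keeps injected input away from the SQL layer.

// Mirrors the post's check: decode once, then look for a literal '<' or a
// still-encoded %3c. stristr() makes the %3c test case-insensitive.
function looks_like_hack_attempt($query_string)
{
    $test = rawurldecode($query_string);
    return (stristr($test, '%3c') !== false) || (strstr($test, '<') !== false);
}

// Defender-side mitigation for numeric ids (parameter name 'id' is assumed here):
// force the value to an integer before any query is built, so injected text
// collapses to a plain number and never reaches MySQL.
function clean_id($value)
{
    return intval($value);
}

// Constructed sample query strings (not real traffic). The value is the expected
// verdict of looks_like_hack_attempt().
$samples = array(
    'op=show&id=12'               => false, // ordinary request
    'op=show&id=12%3cscript%3e'   => true,  // URL-encoded '<'
    'op=show&id=12%3Cscript%3E'   => true,  // upper-case encoding
    'op=show&id=12%253cscript'    => true,  // double-encoded, decodes to %3c
    "op=show&id=12'%20OR%201=1--" => false, // no '<': NOT caught by this check
);

foreach ($samples as $qs => $expected) {
    $hit = looks_like_hack_attempt($qs);
    printf("%-32s blocked=%-3s (expected %s)\n",
        $qs, $hit ? 'yes' : 'no', $expected ? 'yes' : 'no');
}

// The last sample is why the redirect is a stop-gap rather than a fix: an OR/UNION
// payload with no '<' passes the check, but intval() still neutralises it when the
// parameter is supposed to be a number.
parse_str("op=show&id=12'%20OR%201=1--", $params);
$id = clean_id($params['id']); // 12
echo "id after intval(): $id\n";
```

Run it with the PHP command-line interpreter; the fourth line of output shows the double-encoded case being caught by the '%3c' half of the check, and the fifth shows the gap that type validation closes.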

For more on the exploits, see the following advisories:

  • http://www.securityfocus.com/archive/1/353201/2004-02-07/2004-02-13/0
  • http://www.securityfocus.com/archive/1/353188/2004-02-07/2004-02-13/0
  • http://www.secunia.com/advisories/10830/

This article comes from Ravens PHP Scripts
https://www.ravenphpscripts.com

The URL for this story is:
https://www.ravenphpscripts.com/modules.php?name=News&file=article&sid=270