
Thread: Security update [MUST HAVE]

  1. #21
    Don't think so, as many have customized their scripts.

    Btw. how many fixes will follow?

  2. #22
    Quote Originally Posted by Pawel Steinborn View Post
    Btw. how many fixes will follow?
    I understand that in the section
    The other minor vulnerabilities, which will not affect stability and security of your site, will be posted later in this thread.
    from http://www.flynax.com/forum/showthre...ull=1#post6548 there are/will be some links for rlAccount.class.php, rlListings.class.php, rlCategories.class.php, rlSearch.class.php, rlPlan.class.php
    And these are the fixes.

  3. #23
    /libs/system.lib.php

    Find the code: (~ line 65)
    PHP Code:
    Only registered members can view the code
    and replace to:
    PHP Code:
    Only registered members can view the code
    |php2 has been added

    Other than that happy coding...
    Flynax Technical Department

  4. #24
    Hi @ all

    I think and hope that these security updates are only a beginning.
    I would suggest the team keep following up.
    Check out all the forms, especially the search forms, and implement a filter for metacharacters on all input fields!
    It starts with the registration form and ends with the contact form.
    XSS attacks are a potentially dangerous attack point there.

    //Steffen
    Last edited by Steffen Buschkemper; September 13, 2013 at 05:32 AM.

  5. #25
    I have checked the script with Acunetix Web Vulnerability Scanner.
    Hence the above recommendation.

    The following was also a result of the check:

    Cookie name: "PHPSESSID"
    - If possible, you should set the HTTPOnly flag for this cookie.
    - If possible, you should set the Secure flag for this cookie.

    //Steffen
    Last edited by Steffen Buschkemper; September 13, 2013 at 06:00 AM.
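    An added example of how the two scanner findings above are addressed in PHP; this is not Flynax code and not part of the original post. It assumes the snippet runs from the application's bootstrap before session_start(), and that the Secure flag is only set when the site is actually served over HTTPS (otherwise browsers never send the cookie back and every login breaks).

```php
<?php
// Added example (not Flynax code): harden the PHPSESSID cookie flagged by the scanner.
// Call this before session_start(), e.g. from the application's bootstrap file.
// Assumption: $secure is true only when the site is served over HTTPS; with the Secure
// flag on a plain-HTTP site the browser withholds the cookie and sessions never persist.
function harden_session_cookie($secure)
{
    // Works on PHP 5.2+: lifetime 0 (browser-session cookie), path /, current host,
    // Secure as requested, HttpOnly always (keeps script from reading document.cookie).
    session_set_cookie_params(0, '/', '', $secure, true);

    // Mirror the same settings in the ini values for code that reads them directly.
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', $secure ? '1' : '0');

    // Refuse session IDs passed in the URL; only the cookie is accepted.
    ini_set('session.use_only_cookies', '1');
}

// Returns the flags actually in effect so a deployment check can assert on them.
function session_cookie_flags()
{
    $p = session_get_cookie_params();
    return array(
        'httponly' => (bool) $p['httponly'],
        'secure'   => (bool) $p['secure'],
    );
}

// Detect HTTPS from the request so Secure is only set where it cannot lock users out.
$https = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
harden_session_cookie($https);
session_start();

$flags = session_cookie_flags();
if (!$flags['httponly']) {
    error_log('PHPSESSID cookie is missing the HttpOnly flag');
}
```

    To confirm the change from the outside, check the Set-Cookie header of a response that starts a session: the PHPSESSID entry should carry HttpOnly and, on HTTPS, secure.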

  6. #26

    Possible SQL Injection and FIX for it [rlListings.class.php]

    Open the file /includes/classes/rlListings.class.php
    You should add the code that is highlighted in bold green.
    (!) Before you change the files, back up the files to be modified.


    [line: ~583]
    Code:
    Only registered members can view the code.

    [line: ~618]
    Code:
    Only registered members can view the code.

    [line: ~781]
    Code:
    Only registered members can view the code.

    [line: ~1272]
    Code:
    Only registered members can view the code.

    [line: ~1477]
    Code:
    Only registered members can view the code.

    [line: ~1558]
    Code:
    Only registered members can view the code.

    [line: ~1695]
    Code:
    Only registered members can view the code.

    [line: ~1784]
    Code:
    Only registered members can view the code.

    [line: ~2027]
    Code:
    Only registered members can view the code.

    [line: ~2134]
    Code:
    Only registered members can view the code.

    [line: ~2205]
    Code:
    Only registered members can view the code.

    [line: ~3444]
    Code:
    Only registered members can view the code.
    to be continued...

    Other than that happy coding...
    Flynax Technical Department

  7. #27

    Possible SQL Injection and FIX for it [rlCategories.class.php]

    Open the file /includes/classes/rlCategories.class.php
    You should add the code that is highlighted in bold green.
    (!) Before you change the files, back up the files to be modified.

    [line: ~170]
    Code:
    Only registered members can view the code.

    [line: ~489]
    Code:
    Only registered members can view the code.

    [line: ~589]
    Code:
    Only registered members can view the code.

    [line: ~1298]
    Code:
    Only registered members can view the code.

    [line: ~1351]
    Code:
    Only registered members can view the code.

    [line: ~1459]
    Code:
    Only registered members can view the code.

    [line: ~1492]
    Code:
    Only registered members can view the code.

    [line: ~1527]
    Code:
    Only registered members can view the code.

    [line: ~1617]
    Code:
    Only registered members can view the code.

    [line: ~1868]
    Code:
    Only registered members can view the code.

    [line: ~2001]
    Code:
    Only registered members can view the code.
    to be continued...

    Other than that happy coding...
    Flynax Technical Department

  8. #28
    Done
    Thanks for the security update.

    Nguyen
    Nguyen Dat Tai
    Mobile: +84.909933020
    Web: www.dangbanxe.com

  9. #29
    Quote Originally Posted by Exe View Post
    [line: ~781]
    Code:
    Only registered members can view the code.
    in my original rlListings.class.php file
    Code:
    Only registered members can view the code.
    is on the line 875 and on the line 914-915 there is only
    Code:
    Only registered members can view the code.
    and not
    Code:
    Only registered members can view the code.
    [line: ~2027]
    Code:
    Only registered members can view the code.
    On the line 2121 I have
    Code:
    Only registered members can view the code.
    and not
    Code:
    Only registered members can view the code.

  10. #30
    A few words on the future..

    [line: ~781], [line: ~2027], etc..
    These are approximate lines...
    Of course they may be different; as well as the code itself.


    Matthias
    Quote Originally Posted by Exe View Post
    You should add the code that is highlighted in bold green.

    Other than that happy coding...
    Flynax Technical Department
