4images Forum & Community
Welcome, Guest. Please login or register.
Did you miss your activation email?
October 16, 2018, 12:22:18 AM

Login with username, password and session length
Search:     Advanced search
Check the new Tutorial subforum with helpfull guides and tutorials for modifications and tweaks.
Togle to toolbar
Translate this page with =>
Translate this page >
* Home Help Search Login Register
 
+  4images Forum & Community
|-+  4images Help / Hilfe
| |-+  Bug Fixes & Patches
| | |-+  [1.7 - 1.7.3] Security fix for Cross-Site Scripting Vulnerability
0 Members and 1 Guest are viewing this topic. « previous next »
Pages: «« « 1 2 3 [4] Print
Author Topic: [1.7 - 1.7.3] Security fix for Cross-Site Scripting Vulnerability  (Read 149525 times)
Jan
Administrator
4images Guru
*****
Offline Offline

Posts: 5024

Thank You
-Given: 0
-Receive: 32


View Profile WWW
« Reply #45 on: November 02, 2006, 10:15:42 AM »

The line that causes this error is in global.php, line 450.

Quote  [Expand]
output started at /homepages/blablabla/publik/global.php:450

Can you post whats in (or better in and around) this line.

Jan
Logged

Your first three "must do" before you ask a question:
1. Forum rules
2. FAQ
3. Search
BitBull
Pre-Newbie

Offline Offline

Posts: 7

Thank You
-Given: 0
-Receive: 0


View Profile
« Reply #46 on: November 02, 2006, 10:32:01 AM »

 Shocked

Thats funny...

my global.php ends with line 438 already.  Question

here are the last lines of my global.php (426 to 438):
1
2
3
4
5
6
7
8
9
10
11
12
13
  $sql = "SELECT cat_id, COUNT(*) AS num_images
          FROM ".IMAGES_TABLE."
          WHERE image_active = 1
          GROUP BY cat_id";
  $result = $site_db->query($sql);

  while ($row = $site_db->fetch_array($result)) {
    $cat_cache[$row['cat_id']]['num_images'] = $row['num_images'];
  }
  $site_db->free_result();
} //end if GET_CACHES

?>

Just as a relation. The bugfix line lies between 166 to 169:
1
2
3
4
if (isset($HTTP_GET_VARS['mode']) || isset($HTTP_POST_VARS['mode'])) {
  $mode = (isset($HTTP_POST_VARS['mode'])) ? stripslashes(trim($HTTP_POST_VARS['mode'])) : stripslashes(trim($HTTP_GET_VARS['mode']));
  $mode = preg_replace("/[^a-z0-9]+/i", "", $mode);
}

regards

BitBull
Logged
Jan
Administrator
4images Guru
*****
Offline Offline

Posts: 5024

Thank You
-Given: 0
-Receive: 32


View Profile WWW
« Reply #47 on: November 02, 2006, 10:41:04 AM »

Are you sure that the global.php on your server is the same as the one on your harddisk?
Logged

Your first three "must do" before you ask a question:
1. Forum rules
2. FAQ
3. Search
BitBull
Pre-Newbie

Offline Offline

Posts: 7

Thank You
-Given: 0
-Receive: 0


View Profile
« Reply #48 on: November 02, 2006, 11:20:01 AM »

I compared it again (took a copy from the server again where I've put the fixed file yesterday ...)

Yes, both are exactely the same

BUT Exclamation Exclamation Exclamation

Don't ask me why. I've had a look on my gallery just now ... the error messages are gone ...  Confused  seems that a miracle occured, doesn't it???

I am even able to log in again.   Mr. Green

So everything is OK. I will check it out tomorrow again ... I hope the bloody messages won't be back again.  Wink

Thanks Nicky an Jan for your time and support

So lets go on with daily business ... Laughing

regards

Tobi
Logged
Pages: «« « 1 2 3 [4] Print 
« previous next »
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF | SMF © 2015, Simple Machines Valid XHTML 1.0! Valid CSS!
Page created in 0.049 seconds with 19 queries.
Post your comments here