4images Help / Hilfe > Bug Fixes & Patches

[1.7.1 / 1.7.2] Security fix for SQL injection in session.php


Jan:
This is an important security fix.

Open includes/sessions.php and find the following line:


--- Code: ---$this->session_id = session_id();
--- End code ---

replace this line with the following code:


--- Code: ---$this->session_id = preg_replace('/[^a-z0-9]+/i', '', session_id());
--- End code ---
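To make clear what the one-line change above actually buys, here is an added example (not 4images code and not from Jan's post). It wraps the patched expression in a hypothetical `sanitize_session_id()` helper and a hypothetical `build_session_query()` that stands in for the lookup 4images performs with `$this->session_id`; the real table and column names are not on the page and are placeholders here. The session id comes from the client's cookie, so it is attacker-controlled input, which is why stripping everything outside `[a-z0-9]` before it reaches a query string closes the injection.

```php
<?php
// Added example, not part of 4images. Shows the effect of the patched line
// from the post: $this->session_id = preg_replace('/[^a-z0-9]+/i', '', session_id());

// Hypothetical helper mirroring the fix: keep only ASCII letters and digits,
// which is all a well-formed PHP/4images session id ever contains.
function sanitize_session_id(string $sid): string
{
    return preg_replace('/[^a-z0-9]+/i', '', $sid);
}

// Hypothetical stand-in for the session lookup; table/column names are
// placeholders, not the real 4images schema.
function build_session_query(string $sid): string
{
    return "SELECT session_user_id FROM sessions WHERE session_id = '" . $sid . "'";
}

// Constructed sample cookie values (what session_id() returns is whatever the
// client sent in the session cookie, so it must be treated as untrusted).
$samples = [
    'c3b2a1f0e9d8a7b6',   // well-formed id: passes through unchanged
    "x' OR '1'='1",       // constructed: quotes and spaces would break the query
    "abc\"; -- ",         // constructed: quote plus SQL comment marker
];

foreach ($samples as $raw) {
    $clean = sanitize_session_id($raw);
    echo "unfiltered: " . build_session_query($raw) . "\n";
    echo "patched:    " . build_session_query($clean) . "\n\n";
}
```

Running this shows the well-formed id unchanged, while the two constructed values collapse to `xOR11` and `abc` and can no longer alter the query. The whitelist is sufficient only because session ids are alphanumeric by construction; where a value is not so constrained, escaping it for the database (or using a prepared statement) is the right fix rather than a character filter.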

mawenzi:
Thanks for the quick fix! And only for 1.7.1, 1.7.2 ... not 1.7?

DBCapricorn:
Always on it. Thanks for looking out for us. :)

ivan:
hello,
I have these two lines


--- Code: ---  function get_session_id() {
    if (SID == '') {
      $this->mode = "cookie";
    }

    $this->session_id = session_id();
  }

--- End code ---

and here


--- Code: ---    if (!isset($this->session_info['session_ip']) || (isset($this->session_info['session_ip']) && $this->session_info['session_ip'] != $this->user_ip))
    {
      session_regenerate_id();
      $this->session_id = session_id();
      return false;
    }
--- End code ---

replace both???

greets ivan

V@no:
the first one is enough ;)
