4images Forum & Community

4images Help / Hilfe => Bug Fixes & Patches => Topic started by: kai on December 07, 2010, 10:45:56 AM

Title: [1.7 - 1.7.9] Security fix for path disclosure in paging.php
Post by: kai on December 07, 2010, 10:45:56 AM
A minor security vulnerability has been found which leads to path disclosure.

To fix this:

In includes/paging.php

find

$this->page = $page;
$this->perpage = $perpage;
$this->num_rows_all = $num_rows_all;

if (!isset($this->page) || !intval($this->page)) {
  $this->page = 1;
}
if (!$this->num_rows_all) {

and replace with

$this->page = intval($page);
$this->perpage = intval($perpage);
$this->num_rows_all = intval($num_rows_all);

if ($this->page <= 0) {
  $this->page = 1;
}
if ($this->perpage <= 0) {
  $this->perpage = 1;
}
if ($this->num_rows_all <= 0) {
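
The following is an added example, not part of the original post and not 4images code. It models only the assignments and checks visible in the two blocks above and compares what each stores for a few constructed input values. The function names paging_before and paging_after are hypothetical.

```php
<?php
// Added example, not 4images code: models only the assignments and checks
// visible in the post. The body of the num_rows_all branch is not shown
// there, so it is not modelled here.

// Checks as in the "find" block: values are stored as received.
function paging_before($page, $perpage, $num_rows_all) {
    if (!isset($page) || !intval($page)) {
        $page = 1;
    }
    return [$page, $perpage, $num_rows_all];
}

// Checks as in the "replace with" block: cast first, then clamp.
function paging_after($page, $perpage, $num_rows_all) {
    $page = intval($page);
    $perpage = intval($perpage);
    $num_rows_all = intval($num_rows_all);
    if ($page <= 0) {
        $page = 1;
    }
    if ($perpage <= 0) {
        $perpage = 1;
    }
    return [$page, $perpage, $num_rows_all];
}

// Constructed request values of the kind a query string can deliver.
$samples = [
    'numeric string' => ['2', '10', '45'],
    'trailing text'  => ['3abc', '10', '45'],
    'negative page'  => ['-5', '10', '45'],
    'zero perpage'   => ['1', '0', '45'],
    'array page'     => [['x'], '10', '45'],
];

foreach ($samples as $label => $args) {
    $before = paging_before(...$args);
    $after = paging_after(...$args);
    // A patched result must consist of integers with page and perpage >= 1.
    $ok = is_int($after[0]) && is_int($after[1]) && is_int($after[2])
        && $after[0] >= 1 && $after[1] >= 1;
    printf("%-15s before=%s after=%s %s\n", $label,
        json_encode($before), json_encode($after), $ok ? 'ok' : 'FAIL');
}
```

The "before" column shows which values the old check keeps unchanged (strings, negative numbers, non-scalar values); the "after" column shows that the patched code always ends up with integers.
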
Title: Re: [1.7 - 1.7.9] Security fix for path disclosure in paging.php
Post by: x23piracy on December 07, 2010, 05:03:43 PM
Hi,

I'm using V@no's Universal Paging Class V1.1.1 and I cannot find that line in it.
Does that bug also exist in that paging.php?

Universal Paging Class 1.1.1: http://www.4homepages.de/forum/index.php?topic=6926.0


Greetz X23
Title: Re: [1.7 - 1.7.9] Security fix for path disclosure in paging.php
Post by: Tino23 on December 17, 2010, 05:44:37 PM
Take a look at line 60, that's where the line is.
Title: Re: [1.7 - 1.7.9] Security fix for path disclosure in paging.php
Post by: x23piracy on December 17, 2010, 05:49:46 PM
Hi,

Take a look at line 60, that's where the line is.

Yes, by now it is, because V@no has updated to 1.1.2; in the previous file, 1.1.1, it was missing.


Regards, Jens
Title: Re: [1.7 - 1.7.9] Security fix for path disclosure in paging.php
Post by: Sunny C. on December 23, 2010, 05:43:33 PM
The paging.php is found in includes/