4images Help / Hilfe > Bug Fixes & Patches

[1.7 - 1.7.3] Security fix for SQL injection in global.php


Jan:
This is an important security fix.

Replace the two lines in global.php (version 1.7.2 and 1.7.3) or search.php (all versions < 1.7.2):
Replace


--- Code: ---$search_keywords = (isset($HTTP_POST_VARS['search_keywords'])) ? trim($HTTP_POST_VARS['search_keywords']) : urldecode(trim($HTTP_GET_VARS['search_keywords']));
--- End code ---

with


--- Code: ---$search_keywords = (isset($HTTP_POST_VARS['search_keywords'])) ? trim($HTTP_POST_VARS['search_keywords']) : trim($HTTP_GET_VARS['search_keywords']);
--- End code ---
Replace


--- Code: ---$search_user = (isset($HTTP_POST_VARS['search_user'])) ? trim($HTTP_POST_VARS['search_user']) : urldecode(trim($HTTP_GET_VARS['search_user']));
--- End code ---

with


--- Code: ---$search_user = (isset($HTTP_POST_VARS['search_user'])) ? trim($HTTP_POST_VARS['search_user']) : trim($HTTP_GET_VARS['search_user']);
--- End code ---
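
An added example (not part of the original post and not 4images code): a small Python check that reports where `urldecode()` is still applied to request values, so the replacement can be confirmed in every file that carries these lines. The function names, and the inclusion of `rawurldecode()` and the `$_GET`/`$_POST`/`$_REQUEST` superglobals, are assumptions that generalize beyond the two lines in the post.

```python
import re

# Request arrays that PHP has already URL-decoded. The post's code uses the
# $HTTP_*_VARS names; the superglobals are included as a generalization.
REQUEST_ARRAY = re.compile(
    r"\$(?:HTTP_(?:GET|POST)_VARS|_(?:GET|POST|REQUEST))\s*\[\s*['\"]?(\w+)"
)
URLDECODE_CALL = re.compile(r"\b(?:raw)?urldecode\s*\(", re.IGNORECASE)


def call_argument(text, open_paren):
    """Return the text inside the parentheses opening at index open_paren."""
    depth = 0
    for i in range(open_paren, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return text[open_paren + 1:i]
    return text[open_paren + 1:]  # unbalanced: take the rest of the line


def find_redecoded_inputs(php_source):
    """List (line_number, request_key) where urldecode() wraps request data."""
    findings = []
    for number, line in enumerate(php_source.splitlines(), start=1):
        if line.lstrip().startswith(("//", "#", "*")):
            continue  # skip comment lines
        for match in URLDECODE_CALL.finditer(line):
            argument = call_argument(line, match.end() - 1)
            for key in REQUEST_ARRAY.findall(argument):
                findings.append((number, key))
    return findings


# Sample input: the "before" and "after" lines quoted in the post.
UNPATCHED = """\
$search_keywords = (isset($HTTP_POST_VARS['search_keywords'])) ? trim($HTTP_POST_VARS['search_keywords']) : urldecode(trim($HTTP_GET_VARS['search_keywords']));
$search_user = (isset($HTTP_POST_VARS['search_user'])) ? trim($HTTP_POST_VARS['search_user']) : urldecode(trim($HTTP_GET_VARS['search_user']));
"""
PATCHED = """\
$search_keywords = (isset($HTTP_POST_VARS['search_keywords'])) ? trim($HTTP_POST_VARS['search_keywords']) : trim($HTTP_GET_VARS['search_keywords']);
$search_user = (isset($HTTP_POST_VARS['search_user'])) ? trim($HTTP_POST_VARS['search_user']) : trim($HTTP_GET_VARS['search_user']);
"""
```

Pass the contents of global.php and search.php to `find_redecoded_inputs()`; an empty list means none of the flagged calls remain in that file.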

mawenzi:
... thanks Jan ... and also thanks to Matt ...

Jan:
Actually, in 1.7.1 it is not in global.php. If it is there in your copy after all, then replace it in both files.

securitydot:
Thanks

Fastian:
Thanks for keeping us up-to-date.
:)
