A cross-site request forgery (CSRF) vulnerability in 4images 1.7 - 1.7.8 has been found.

To fix this, please follow these 4 steps:

1. Download the attached csrf_utils.php file and copy it into the includes/ folder of your 4images installation.

2. Open global.php and search for the following line:

       @include(ROOT_PATH.'config.php');

   and insert the following code ABOVE this line:

       // Initialize CSRF protection configuration
       $csrf_protection_enable = 1;
       $csrf_protection_frontend = 1;
       $csrf_protection_backend = 1;
       $csrf_protection_expires = 7200;
       $csrf_protection_name = '__csrf';
       $csrf_protection_xhtml = 1;

   In the same file, search for the line:

       include_once(ROOT_PATH.'includes/captcha_utils.php');

   and insert the following code BELOW this line:

       //-----------------------------------------------------
       //--- CSRF protection ---------------------------------
       //-----------------------------------------------------
       include_once(ROOT_PATH.'includes/csrf_utils.php');

3. Open includes/page_header.php and search for the following line (at the end of the file):

       ?>

   and insert the following code ABOVE this line:

       if ($csrf_protection_enable && $csrf_protection_frontend) {
           csrf_start(true);
       }

4. Open admin/admin_global.php and search for the following line:

       include_once(ROOT_PATH.'admin/admin_functions.php');

   and insert the following code BELOW this line:

       if ($csrf_protection_enable && $csrf_protection_backend) {
           csrf_start();
       }

Thanks to Russ McRee for finding and reporting this vulnerability!
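The patch above wires the attached csrf_utils.php into the front end and the admin area but does not show what a CSRF guard actually does. The following is an added illustration, not the contents of 4images' csrf_utils.php and not how its csrf_start() is implemented: a minimal synchronizer-token guard that reads the same $csrf_protection_expires, $csrf_protection_name and $csrf_protection_xhtml settings the advisory introduces. The example_ function names, the array used in place of $_SESSION, and the sample requests are all constructed for this example.

```php
<?php
// Added example (not 4images code): synchronizer-token CSRF protection driven by
// the configuration names from the advisory. example_* names are hypothetical.

$csrf_protection_enable  = 1;
$csrf_protection_expires = 7200;      // token lifetime in seconds
$csrf_protection_name    = '__csrf';  // hidden field / request parameter name
$csrf_protection_xhtml   = 1;         // emit a self-closing <input ... /> when set

// Returns the current per-session token, creating or rotating it when missing or expired.
// $store stands in for $_SESSION so the script runs offline; in a real deployment pass $_SESSION.
function example_csrf_token(array &$store): string {
    global $csrf_protection_name, $csrf_protection_expires;
    $now = time();
    if (!isset($store[$csrf_protection_name]) || $store[$csrf_protection_name]['expires'] < $now) {
        $store[$csrf_protection_name] = [
            'token'   => bin2hex(random_bytes(32)),   // 256 bits from the CSPRNG
            'expires' => $now + $csrf_protection_expires,
        ];
    }
    return $store[$csrf_protection_name]['token'];
}

// Builds the hidden input a template would place inside every state-changing form.
function example_csrf_field(array &$store): string {
    global $csrf_protection_name, $csrf_protection_xhtml;
    $token = htmlspecialchars(example_csrf_token($store), ENT_QUOTES, 'UTF-8');
    $name  = htmlspecialchars($csrf_protection_name, ENT_QUOTES, 'UTF-8');
    $close = $csrf_protection_xhtml ? ' />' : '>';
    return '<input type="hidden" name="' . $name . '" value="' . $token . '"' . $close;
}

// Verifies a submitted request: token present, not expired, and equal to the session copy.
function example_csrf_check(array &$store, array $request): bool {
    global $csrf_protection_name;
    if (!isset($store[$csrf_protection_name], $request[$csrf_protection_name])) {
        return false;   // a form posted from another origin cannot know the token
    }
    $saved = $store[$csrf_protection_name];
    if ($saved['expires'] < time()) {
        return false;   // stale token: require the user to reload the form
    }
    // Constant-time comparison so the check does not leak the token through timing.
    return hash_equals($saved['token'], (string) $request[$csrf_protection_name]);
}

// Demo with a constructed session store and constructed requests.
$session = [];
echo example_csrf_field($session), PHP_EOL;

$legitimate = [$csrf_protection_name => $session[$csrf_protection_name]['token'], 'action' => 'delete'];
$forged     = ['action' => 'delete'];                                         // no token at all
$guessed    = [$csrf_protection_name => str_repeat('0', 64), 'action' => 'delete']; // wrong token

var_dump(example_csrf_check($session, $legitimate));
var_dump(example_csrf_check($session, $forged));
var_dump(example_csrf_check($session, $guessed));
```

Run with `php example.php`: the first check passes and the other two fail. The design point the advisory's two insertion sites reflect is that the guard must be started before any form is rendered (page_header.php for the front end, admin_global.php for the back end) so that every form carries the field and every state-changing POST can be validated against the session copy; a token that is bound to the session and compared with hash_equals() is what makes a cross-origin form submission fail.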