Author Topic: [1.7 - 1.7.3] Security fix for Cross-Site Scripting Vulnerability  (Read 155803 times)

0 Members and 1 Guest are viewing this topic.

Offline Jan

  • Administrator
  • 4images Guru
  • *****
  • Posts: 5.024
    • View Profile
    • 4images - Image Gallery Management System
Re: [1.7 - 1.7.3] Security fix for Cross-Site Scripting Vulnerability
« Reply #45 on: November 02, 2006, 10:15:42 AM »
The line that causes this error is in global.php, line 450.

Quote
output started at /homepages/blablabla/publik/global.php:450

Can you post whats in (or better in and around) this line.

Jan
Your first three "must do" before you ask a question:
1. Forum rules
2. FAQ
3. Search

Offline BitBull

  • Pre-Newbie
  • Posts: 7
    • View Profile
Re: [1.7 - 1.7.3] Security fix for Cross-Site Scripting Vulnerability
« Reply #46 on: November 02, 2006, 10:32:01 AM »
 8O

Thats funny...

my global.php ends with line 438 already.  :?:

here are the last lines of my global.php (426 to 438):
Code: [Select]
  $sql = "SELECT cat_id, COUNT(*) AS num_images
          FROM ".IMAGES_TABLE."
          WHERE image_active = 1
          GROUP BY cat_id";
  $result = $site_db->query($sql);

  while ($row = $site_db->fetch_array($result)) {
    $cat_cache[$row['cat_id']]['num_images'] = $row['num_images'];
  }
  $site_db->free_result();
} //end if GET_CACHES

?>

Just as a relation. The bugfix line lies between 166 to 169:
Code: [Select]
if (isset($HTTP_GET_VARS['mode']) || isset($HTTP_POST_VARS['mode'])) {
  $mode = (isset($HTTP_POST_VARS['mode'])) ? stripslashes(trim($HTTP_POST_VARS['mode'])) : stripslashes(trim($HTTP_GET_VARS['mode']));
  $mode = preg_replace("/[^a-z0-9]+/i", "", $mode);
}

regards

BitBull

Offline Jan

  • Administrator
  • 4images Guru
  • *****
  • Posts: 5.024
    • View Profile
    • 4images - Image Gallery Management System
Re: [1.7 - 1.7.3] Security fix for Cross-Site Scripting Vulnerability
« Reply #47 on: November 02, 2006, 10:41:04 AM »
Are you sure that the global.php on your server is the same as the one on your harddisk?
Your first three "must do" before you ask a question:
1. Forum rules
2. FAQ
3. Search

Offline BitBull

  • Pre-Newbie
  • Posts: 7
    • View Profile
Re: [1.7 - 1.7.3] Security fix for Cross-Site Scripting Vulnerability
« Reply #48 on: November 02, 2006, 11:20:01 AM »
I compared it again (took a copy from the server again where I've put the fixed file yesterday ...)

Yes, both are exactely the same

BUT :!: :!: :!:

Don't ask me why. I've had a look on my gallery just now ... the error messages are gone ...  :?  seems that a miracle occured, doesn't it???

I am even able to log in again.   :mrgreen:

So everything is OK. I will check it out tomorrow again ... I hope the bloody messages won't be back again.  :wink:

Thanks Nicky an Jan for your time and support

So lets go on with daily business ... :lol:

regards

Tobi

 

Post your comments here