CVE-2014-8596 PHP-Fusion 7.02.07 – SQL Injection

by alexai, Last updated on 4 years ago in Security Issues & Announcements - 8
Hi every one,

How to fix this vulnerability?

CVE-2014-8596 PHP-Fusion 7.02.07 – SQL Injection

Thanks in advance,
Sorry, I speak only a little English.
Missing checks and a misplaced parenthesis. Sad.
Just wanted to mention that unless you have admins you don't trust with access to submissions and members, or get targeted for exploitation in a very hard way at network level, you should not worry.
To fix this:
  • open administration/submissions.php and add this line directly after require_once "../maincore.php";

if (isset($_GET['submit_id']) && !isnum($_GET['submit_id'])) { $_GET['submit_id'] = 0; }

  • open administration/members.php and on line #31 replace this

$status = (isset($_GET['status']) && isnum($_GET['status'] && $_GET['status']) < 9 ? $_GET['status'] : 0);

with this
$status = (isset($_GET['status']) && isnum($_GET['status']) && $_GET['status'] < 9 ? $_GET['status'] : 0);


Just trust your admins and trust PHP-Fusion's checkrights and aid, which do their jobs nicely, so no issue. :G
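To see why the misplaced parenthesis matters, here is an added example (not code from the post above and not PHP-Fusion's own code) that runs the original line 31 expression from administration/members.php and the corrected one side by side on the same inputs. The isnum() stub approximates PHP-Fusion's digit-only helper and is an assumption; the sample requests are constructed.

```php
<?php
// Added illustration, not PHP-Fusion code. isnum() below approximates the
// helper from PHP-Fusion 7.02's core functions (assumption): it returns 1 for
// an all-digit string and 0 otherwise, and false for arrays.
function isnum($value) {
    if (!is_array($value)) {
        return preg_match("/^[0-9]+$/", $value);
    }
    return false;
}

// The vulnerable expression as it stood on line 31 of administration/members.php.
// isnum() is applied to ($status && $status), which is a boolean, and "< 9" is
// applied to isnum()'s return value (0 or 1) instead of to the status itself.
function status_vulnerable(array $get) {
    return (isset($get['status']) && isnum($get['status'] && $get['status']) < 9 ? $get['status'] : 0);
}

// The corrected expression from the fix above: digits-only check on the value,
// then the range check on the value.
function status_fixed(array $get) {
    return (isset($get['status']) && isnum($get['status']) && $get['status'] < 9 ? $get['status'] : 0);
}

// Constructed sample requests.
$inputs = array(
    array('status' => '3'),             // legitimate value
    array('status' => '12'),            // out of range, should fall back to 0
    array('status' => "3' OR '1'='1"),  // injection payload (constructed)
    array(),                            // parameter absent
);

foreach ($inputs as $get) {
    $shown = isset($get['status']) ? $get['status'] : '(unset)';
    printf("%-16s vulnerable=%-18s fixed=%s\n",
        $shown,
        var_export(status_vulnerable($get), true),
        var_export(status_fixed($get), true));
}
```

Run it with the php CLI. Because `$_GET['status'] && $_GET['status']` evaluates to a boolean, isnum() sees true (coerced to "1") for every non-empty, non-"0" string and returns 1, and `1 < 9` is always satisfied, so the vulnerable version hands back "12" and the injection payload unchanged for later use in SQL. The corrected version validates the digits of the value itself and compares the value, so both of those inputs fall back to 0.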
And if we don't?
You mean "don't trust your admins"?
Nice fixes JoiNNN, thank you. Wanna git em?
The members.php one is OK but the other one isn't. It has to be properly fixed. Or even better, we change the way we check GETs from now on: when we have a page with GETs we check right at the top (as I did in the submissions.php fix) whether a given GET is set and whether the value is valid; if not, add a fallback or, in worse cases, redirect. This way not only do we not have to check GETs every time we do IFs and ELSEs and worry about forgetting a check, but it will also make it so much easier to maintain.
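An added example of the "check GETs once at the top of the page" approach described above, with both outcomes it mentions (fall back to a default, or abort and redirect). This is not PHP-Fusion code and not code from the post; the rule format, function names, the InvalidRequest exception, the enum parameter and the numeric bounds are assumptions for illustration, and the sample requests are constructed.

```php
<?php
// Added example, not PHP-Fusion code. Validate every GET parameter a page uses
// in one place, before any of the page logic runs.

class InvalidRequest extends Exception {}

/**
 * Validate $get against $rules and return an array containing exactly the keys
 * listed in $rules. Each rule has a 'type' ('int' or 'enum') and a 'default'.
 * Integer rules may carry 'min'/'max'; enum rules carry 'values'. A rule with
 * 'on_invalid' => 'redirect' throws InvalidRequest when the parameter is present
 * but bad, so the caller can redirect; otherwise the default is substituted.
 */
function validate_get(array $get, array $rules) {
    $clean = array();
    foreach ($rules as $name => $rule) {
        // Arrays (?status[]=1) are never valid scalars here; treat them as absent.
        $raw = (isset($get[$name]) && !is_array($get[$name])) ? (string)$get[$name] : null;
        $ok = false;
        $value = null;
        if ($raw !== null) {
            if ($rule['type'] === 'int') {
                // Digits only (the same idea as PHP-Fusion's isnum()), then a range check.
                $ok = ctype_digit($raw)
                    && (!isset($rule['min']) || (int)$raw >= $rule['min'])
                    && (!isset($rule['max']) || (int)$raw <= $rule['max']);
                $value = (int)$raw;
            } elseif ($rule['type'] === 'enum') {
                $ok = in_array($raw, $rule['values'], true);
                $value = $raw;
            }
        }
        if ($ok) {
            $clean[$name] = $value;
        } elseif ($raw !== null && isset($rule['on_invalid']) && $rule['on_invalid'] === 'redirect') {
            throw new InvalidRequest("Invalid value for '$name'");
        } else {
            $clean[$name] = $rule['default'];
        }
    }
    return $clean;
}

// Rules for the two parameters named in this thread plus an assumed enum one.
// The status upper bound mirrors the "< 9" check in members.php.
$rules = array(
    'submit_id' => array('type' => 'int', 'default' => 0),
    'status'    => array('type' => 'int', 'min' => 0, 'max' => 8, 'default' => 0),
    'sort'      => array('type' => 'enum', 'values' => array('name', 'date'),
                         'default' => 'name', 'on_invalid' => 'redirect'),
);

// Constructed sample requests.
$requests = array(
    array('submit_id' => '42', 'status' => '3', 'sort' => 'date'),
    array('submit_id' => '42 OR 1=1', 'status' => '12'),
    array('status' => array('1')),
    array('sort' => "name' UNION SELECT 1--"),
);

foreach ($requests as $get) {
    try {
        $clean = validate_get($get, $rules);
        // Every value in $clean is now an int or a whitelisted string, so a query
        // built from it, e.g. "... WHERE submit_id='" . $clean['submit_id'] . "'",
        // can no longer receive attacker-controlled SQL.
        echo json_encode($get), " => ", json_encode($clean), "\n";
    } catch (InvalidRequest $e) {
        // A real page would redirect here instead of printing.
        echo json_encode($get), " => redirect (", $e->getMessage(), ")\n";
    }
}
```

With this in place the rest of the page reads only from the cleaned array and never touches $_GET directly, which is what removes the need to repeat isnum() checks in every IF and ELSE. The tampered submit_id and the out-of-range status fall back to 0, the array-valued status is treated as absent, and the bad sort value aborts the page.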
Thank you so much JoiNNN
Users who participated in discussion: Homdax, Falk, Craig, JoiNNN, alexai