
CVE-2014-8596 PHP-Fusion 7.02.07 – SQL Injection

Hi everyone,

How to fix this vulnerability?

CVE-2014-8596 PHP-Fusion 7.02.07 – SQL Injection

Thanks in advance,
Missing checks and a misplaced parenthesis. Sad.
Just wanted to mention that unless you have admins you don't trust with access to submissions and members, or get targeted for exploitation in a very hard way at network level, you should not worry.
To fix this:
  • open administration/submissions.php and add this line after require_once "../maincore.php";

    if (isset($_GET['submit_id']) && !isnum($_GET['submit_id'])) { $_GET['submit_id'] = 0; }

  • open administration/members.php and on line #31 replace this

    $status = (isset($_GET['status']) && isnum($_GET['status'] && $_GET['status']) < 9 ? $_GET['status'] : 0);

    with this

    $status = (isset($_GET['status']) && isnum($_GET['status']) && $_GET['status'] < 9 ? $_GET['status'] : 0);

Just trust your admins and trust PHP-Fusion's checkrights and aid which do their jobs nicely, so no issue. :G
And if we don't?
You mean don't trust your admins?
Nice fixes JoiNNN, thank you. Wanna git em?
The members.php one is OK but the other one no. It has to be properly fixed. Or even better, we change the way we check GETs from now on: when we have a page with GETs we check right at the top (as I did in the submission.php fix) if a given GET is set and if the value is valid, and if not add a fallback or in worse cases redirect. This way not only do we not have to check GETs every time we do IFs and ELSEs and worry about forgetting a check, but it will also make it so much easier to maintain.
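Added example (not PHP-Fusion's own code, nor JoiNNN's): it shows why the original members.php line 31 let non-numeric values reach the query, and a top-of-page validation helper in the style described above. The isnum() stand-in, require_int_get() and the redirect URL parameter are assumptions made for this example.

```php
<?php
// Stand-in for PHP-Fusion's isnum() (assumption: like the maincore.php helper,
// it returns preg_match()'s integer result, which is what makes the bug bite).
function isnum($value) {
    if (is_array($value)) {
        return false;
    }
    return preg_match("/^[0-9]+$/", (string) $value);
}

// Original line 31: the parenthesis closes after "&& $get['status']", so
// isnum() is handed a boolean (always numeric-looking "1" for a non-empty
// string) and "< 9" compares isnum()'s 0/1 result, never the actual value.
function status_broken(array $get) {
    return (isset($get['status']) && isnum($get['status'] && $get['status']) < 9 ? $get['status'] : 0);
}

// Corrected line: isnum() sees the raw value and "< 9" applies to the value.
function status_fixed(array $get) {
    return (isset($get['status']) && isnum($get['status']) && $get['status'] < 9 ? $get['status'] : 0);
}

// Top-of-page pattern: validate each expected GET once, fall back to a safe
// default or redirect, so the rest of the page can use it without re-checking.
// $max is an exclusive upper bound; $redirect_on_fail is a hypothetical URL.
function require_int_get(array &$get, $key, $max = null, $redirect_on_fail = null) {
    $valid = isset($get[$key]) && isnum($get[$key])
          && ($max === null || (int) $get[$key] < $max);
    if (!$valid) {
        if ($redirect_on_fail !== null) {
            header("Location: " . $redirect_on_fail);
            exit;
        }
        $get[$key] = 0;   // fallback: a harmless default
    }
    $get[$key] = (int) $get[$key];   // from here on the value is a plain int
    return $get[$key];
}

// Constructed inputs: the broken check returns a non-numeric string unchanged,
// the fixed check and the helper both replace it with the fallback.
var_dump(status_broken(['status' => 'not-a-number']));
var_dump(status_fixed(['status' => 'not-a-number']));
var_dump(status_fixed(['status' => '3']));
$get = ['submit_id' => '12abc'];
var_dump(require_int_get($get, 'submit_id'));
$get = ['status' => '3'];
var_dump(require_int_get($get, 'status', 9));
```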
Thank you so much JoiNNN
Thread information: 8 posts, 6,829 views, last updated 5 years ago.
Users who participated in discussion: Falk, Homdax, Craig, JoiNNN, alexai