Inviato April 1, 2010 A minor flaw has been discovered in IP.Board 3.0.5 that would allow an attacker to view images in any arbitrary directory on the server. Exploiting this flaw would not allow the attacker to upload code or download files, other than images, from your server. Additionally, to utilize the exploit requires that the attacker know the path to the directory the images are stored in. This issue was first reported to our tracker by Cryptovirus. IP.Board 3.0.5 Simply download the attached file, expand and upload the file over the copy on your server 3.0.5_3.31.2010.zip (10.45K) : 1032 If you are running an earlier version of IP.Board 3.0 or you would like to manually patch your installation, you may do so by modifying admin/sources/classes/member/memberFunctions.php. Look for the following line of code //$catName = IPSText::alphanumericalClean( $catName ); // Commented out because alphanumericalClean removes spaces Change this line of code to $catName = IPSText::alphanumericalClean( $catName, ' ' ); Save the file and upload to your server. The main download has been updated at the time of this announcement. View the full article Condividi questo messaggio Link di questo messaggio Condividi su altri siti
