m0nty wrote:
u can set register globals off by using .htaccess

there's many threads and topics in these forums on how to do that ;)

but yes, it does mean that if magic_quotes GPC is ON then this exploit will not work :)

try

php_value allow_url_fopen off
php_flag register_globals off


and install XOOPS protector module too..

incidentally, it's been said for many years that programmers should write their code properly so that their scripts work with register globals turned off not just for security but for better programming technique. system administrators really oughta by now, disable register globals on all their servers..

smdcom wrote:
This is a suggested quick fix. Correct me if i'm wrong.

Add:

// paranoid sanitization -- only let the alphanumeric set through
$str_list = isset($_GET['list']) ? $_GET['list'] : 0; 
$list = preg_replace("/[^a-zA-Z0-9]/", "", $str_list);

Change (line 127):

$sql .= "WHERE title LIKE '" . [color=ff0000][b]$list[/b][/color] . "%' AND published > 0 AND 
            published <= " . time() . " AND (expired = 0 OR expired > " . time() . ") AND offline = 0 
            ORDER BY " . $orderby;

Jharis wrote:
Rhomal,
If your running X2.2 you might try docuwiki.

I haven't done much with it yet but have considered using it for users to design and build a gaming world with.

don (el paso)

brash wrote:
The Mambo devs split when the Mambo foundation was created and setup to grant Miro (parent company) control of development rather than the community. This was basically a pill that the Mambo community didn't want to swallow, so there was a very large scale split and Joomla was born. best of luck to them I say.