11
Northern
Re: XoopsGallery Easly Hacked
  • 2008/1/13 0:13

  • Northern

  • Just can't stay away

  • Posts: 420

  • Since: 2004/12/26


Quote:

pjeutr wrote:
Try adding the following at the top of init_basic.php
Seems to work for me, dunno why it should be possible that the base base can be a url.

// Hack prevention.
if (!empty($_REQUEST["GALLERY_BASEDIR"])) {
error_log("Security violation\n" .$_REQUEST["GALLERY_BASEDIR"]);
exit;
}


Ill give this a try in a 4 year old established site and see what happens. sence its attacked on a daly basis.


@ Billy

Moving to a new galley setup would be the best idea, but some people have grown acustom to there setup, and some times those setps,gallerys can contain well over a few gigs in picutes, lol time and money they wish not to spend on a transfer, money they wish to invest into makeing the cerrent setup work.

@ BS

Ill check these out, from what ive been reading 2.1B4 doesnt have this isue. so im looking for this version to test out.

@ all

Please go to the following link and read it.
http://www.securityfocus.com/bid/27155

this isue has been noted by others,meaning little time till it becomes a large problem. to find a fix or repair is in high demand.


Marc

12
josespi
Re: XoopsGallery Easly Hacked
  • 2008/1/17 21:56

  • josespi

  • Just popping in

  • Posts: 31

  • Since: 2004/11/29


Hi:

I am Jose Espinoza (josespi) and for some time I took the project leadership xoopsgallery.

The report vulnerability of xoopsgallery 1.3.3.9 came together with the notification to the administrator of the server that our site was being used for a site of pishing who had inserted files in folders templates_c for their crimes.

The administrator of the server close the site xoopsgallery.org, while performing the tasks of cleaning. Therefore I have no access.

As the version 1.3.3.9 seemed stable enough, I concentrated on the development of version 2.1 and now I donĀ“t have further access to backup that I have the vulnerable version for an update.

I also hope, as soon as possible, opening a space in sourceforge for xoopsgallery, and launch the upgrade.

Thanks

13
michaellee
Re: XoopsGallery Easly Hacked
  • 2008/1/28 8:06

  • michaellee

  • Just popping in

  • Posts: 2

  • Since: 2004/12/23


I encountered this problem too. I'm using a version 1.3.3.
I think to fix the issue, the extact() in init_basic (in my version, it is init.php) should be modified to include the option EXTR_SKIP. By this way, parameter from URL cannot overwrite program's internal variable (especially GALLERY_BASEDIR).

On my version, i need to modify init.php and check_init.php. You may search all PHP file to locate the "extract(" and then change it.

Quote:

From:

extract($HTTP_GET_VARS);
extract($HTTP_POST_VARS);
extract($HTTP_COOKIE_VARS);

To:

extract($HTTP_GET_VARS,EXTR_SKIP);
extract($HTTP_POST_VARS,EXTR_SKIP);
extract($HTTP_COOKIE_VARS,EXTR_SKIP);


Hope this help

14
Anonymous
Re: XoopsGallery Easly Hacked
  • 2008/1/28 9:40

  • Anonymous

  • Posts: 0

  • Since:


Quote:
bubuche93 wrote:

is XOOPS gallery the same as xcgallery?


Absolutely, definitely and most categorically.....NO!!!

If users are looking for stable, secure and well featured gallery module than they should, IMHO at the present time, look at both xcgallery and extgallery.

Both are really good but have different features - choose the one that suits your needs best.

15
btesec
Re: XoopsGallery Easly Hacked
  • 2008/1/28 15:36

  • btesec

  • Friend of XOOPS

  • Posts: 623

  • Since: 2007/2/20


Well we have to consider that people's needs may vary

Login

Who's Online

491 user(s) are online (362 user(s) are browsing Support Forums)


Members: 0


Guests: 491


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits