XOOPS Web Application System (https://xoops.org)
Netquery 3.11 - Vulnerability Bugfix
Category: Modules | Published by RVirtue on 02-Aug-2005 17:08
A scripting vulnerability has been reported due to inadequate "sanitizing" of user input for certain Netquery v3.1 local execution operations. Additional details are provided in Secunia Product Note 5439 and in Secunia Advisory 16216.
This issue has been addressed in ALL editions of Netquery v3.11 currently available from http://virtech.org/tools/ and users are strongly encouraged to update their installations to this latest version.
The Netquery v3.11 bugfix is especially important for those sites where Netquery's local ping and/or local traceroute operations are enabled. For those who may prefer manual application of their own patch, user input for both of those operations is now fully "sanitized" by using the following function:
function sanitizeSysString($string, $min = '', $max = '')
{
    // Strip shell metacharacters: ; | ` > < & ^ " newline CR ' { } [ ] ) (
    $pattern = '/(;|\||`|>|<|&|\^|"|'."\n|\r|'".'|\{|\}|\[|\]|\)|\()/i';
    $string = preg_replace($pattern, '', $string);
    // Escape any remaining '$' and wrap the value in double quotes for the shell
    $string = '"'.preg_replace('/\$/', '\\\$', $string).'"';
    $len = strlen($string);
    // Optional length bounds (checked on the quoted value); FALSE means reject
    if((($min != '') && ($len < $min)) || (($max != '') && ($len > $max)))
        return FALSE;
    return $string;
}
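As an added illustration (not Netquery's own code), here is a Python port of that sanitizer beside an allow-list check that accepts only an IP literal or an RFC 1123 hostname as a ping/traceroute target and invokes ping without a shell; the function names and the sample inputs are constructed for this example.

```python
"""Added example (not Netquery code): a port of the v3.11 blacklist
sanitizer next to an allow-list target check. Names are hypothetical."""
import ipaddress
import re

# Characters the v3.11 pattern removes, ported from the PHP function above.
_BLACKLIST = re.compile(r'[;|`><&^"\'\n\r{}\[\]()]')
_LABEL = r'(?!-)[A-Za-z0-9-]{1,63}(?<!-)'
_HOSTNAME = re.compile(rf'^{_LABEL}(\.{_LABEL})*$')


def sanitize_sys_string(s: str, min_len=None, max_len=None):
    """Port of sanitizeSysString(): strip metacharacters, escape '$',
    wrap in double quotes, then enforce optional length bounds."""
    s = _BLACKLIST.sub('', s)
    s = '"' + s.replace('$', r'\$') + '"'
    if (min_len is not None and len(s) < min_len) or \
       (max_len is not None and len(s) > max_len):
        return False
    return s


def is_valid_target(target: str) -> bool:
    """Allow-list: an IPv4/IPv6 literal or an RFC 1123 hostname, nothing else.
    A leading '-' is rejected so the value cannot be read as a ping option."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return len(target) <= 253 and _HOSTNAME.match(target) is not None


def build_ping_argv(target: str):
    """Return the argv list for a local ping, or None if the target is
    rejected. Passing a list to subprocess avoids the shell entirely, so
    no metacharacter in the argument is ever interpreted."""
    if not is_valid_target(target):
        return None
    return ['ping', '-c', '4', target]


if __name__ == '__main__':
    # Constructed samples: the blacklist strips, the allow-list rejects.
    for s in ['example.com', '192.0.2.10', 'host;extra', 'a b', '-c']:
        print(f'{s!r:14} sanitize={sanitize_sys_string(s)!r:18} '
              f'argv={build_ping_argv(s)}')
```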