Greenguy's Board


cd34 2005-09-03 07:38 PM

Autolinks exploit, affects even the current 2.1
 
For those of you running Autolinks, there is a recent exploit that allows them to do a remote include and launch a DoS attack from your website. The problem is pretty much based on poor sanitization of data in al_initialize.php.

Put this in your .htaccess in the same directory where al_initialize.php exists.

Code:

RewriteEngine on
RewriteRule al_initialize.php - [F]


Monterey 2005-09-10 07:05 PM

Here is another fix I found on another board...

In al_initialize.php

you can replace
if( strstr($alpath,"http://") || strstr($alpath,"https://") ) exit( "Invalid \$alpath variable" );


with
if( strstr($alpath,"http://") || strstr($alpath,"https://") || strstr($alpath, "ftp://")) exit( "Invalid \$alpath variable" );

This line will appear twice; update it.

Log files are filled with:

[01-Sep-2005 23:06:33] PHP Warning: fgets(): supplied argument is not a valid stream resource in ftp://test:test@216.55.149.173/Asho...l_functions.php on line 798
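
A log check based on the error-log line quoted above, as an added example that is not part of the original posts: it flags PHP error-log entries whose script path is a URL rather than a local file, which means PHP was running code pulled in through a remote include, and counts them per remote host. The sample lines, addresses, paths and credentials are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in the PHP error-log format quoted in the thread.
# Addresses are documentation ranges; paths and credentials are placeholders.
SAMPLE_LOG = """\
[01-Sep-2005 23:06:33] PHP Warning: fgets(): supplied argument is not a valid stream resource in ftp://user:pass@192.0.2.10/dir/al_functions.php on line 798
[01-Sep-2005 23:06:34] PHP Warning: fgets(): supplied argument is not a valid stream resource in ftp://user:pass@192.0.2.10/dir/al_functions.php on line 798
[01-Sep-2005 23:07:02] PHP Notice: Undefined index: id in /home/site/public_html/index.php on line 12
[02-Sep-2005 04:15:40] PHP Warning: fopen(): failed to open stream in http://198.51.100.7/x/al_functions.php on line 40
"""

# "[timestamp] PHP <level>: <message> in <script> on line <n>"
ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\] PHP (?P<level>[\w ]+?):\s+(?P<msg>.*) "
                   r"in (?P<script>\S+) on line (?P<line>\d+)$")
# Any "scheme://" prefix: a local script path never starts with one.
SCHEME = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def redact(url):
    """Drop user:password from a URL so credentials do not end up in reports."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.hostname or ''}{parts.path}"


def remote_script_errors(log_text):
    """Return log entries whose executing script is a URL, not a local file."""
    hits = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if m and SCHEME.match(m["script"]):
            hits.append({"ts": m["ts"], "level": m["level"],
                         "source": redact(m["script"]), "line": int(m["line"])})
    return hits


def hosts_by_count(hits):
    """Count hits per remote origin (scheme://host), most frequent first."""
    origins = ("{0.scheme}://{0.hostname}".format(urlsplit(h["source"])) for h in hits)
    return Counter(origins).most_common()


if __name__ == "__main__":
    found = remote_script_errors(SAMPLE_LOG)
    for hit in found:
        print(hit["ts"], hit["level"], hit["source"], "line", hit["line"])
    print(hosts_by_count(found))
```

Any hit means the server already fetched and ran a remote file, so the matching requests in the access log are worth reviewing alongside applying the .htaccess block or the code change.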


All times are GMT -4.