#1 |
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
|
Autolinks exploit, affects even the current 2.1
For those of you running autolinks, there is a recent exploit that allows them to do a remote include and launch a DoS attack from your website. The problem is pretty much based on poor sanitization of data in al_initialize.php.

Put this in your .htaccess in the same directory where al_initialize.php exists.

Code:

    RewriteEngine on
    RewriteRule al_initialize.php - [F]
__________________
SnapReplay.com a different way to share photos - iPhone & Android |
#2 |
Internet! Is that thing still around?
Join Date: May 2004
Posts: 4
|
Here is another fix I found on another board...

In al_initialize.php you can replace

    if( strstr($alpath,"http://") || strstr($alpath,"https://") ) exit( "Invalid \$alpath variable" );

with

    if( strstr($alpath,"http://") || strstr($alpath,"https://") || strstr($alpath, "ftp://")) exit( "Invalid \$alpath variable" );

This line will appear twice, update it.

Log files are filled with

    [01-Sep-2005 23:06:33] PHP Warning: fgets(): supplied argument is not a valid stream resource in ftp://test:test@216.55.149.173/Asho...l_functions.php on line 798
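The check quoted above names individual schemes and had to be extended once ftp:// showed up in the logs. As an added example (not from either post and not AutoLinks code), the validation below instead accepts only an existing local directory under a fixed base. It assumes `$alpath` is meant to hold a local directory path; the function name and the demo directory layout are hypothetical.

```php
<?php
// Added example, not AutoLinks code. al_safe_include_dir() and the demo
// directory layout are hypothetical.

/**
 * Return the canonical form of $candidate if it is an existing local directory
 * inside $baseDir, otherwise null.
 */
function al_safe_include_dir(string $candidate, string $baseDir): ?string
{
    // Refuse every URL-style value, whatever the scheme, plus embedded NUL bytes.
    if (strpos($candidate, '://') !== false || strpos($candidate, "\0") !== false) {
        return null;
    }

    // Resolve both paths on the local filesystem; a path that cannot be
    // resolved, or that is not a directory, is refused.
    $base = realpath($baseDir);
    $real = realpath($candidate);
    if ($base === false || $real === false || !is_dir($real)) {
        return null;
    }

    // Compare canonical paths so "../" and symlinks cannot leave the tree.
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $real = rtrim($real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $base, strlen($base)) === 0 ? $real : null;
}

// Constructed demo: a temporary tree stands in for the forum install.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'al_demo_' . getmypid();
mkdir($root . DIRECTORY_SEPARATOR . 'autolinks', 0700, true);

$samples = [
    $root . '/autolinks',               // legitimate local directory
    $root . '/autolinks/../..',         // resolves outside $root
    $root . '/missing',                 // does not exist
    'ftp://user:pass@198.51.100.7/x/',  // constructed remote value (documentation address)
];
foreach ($samples as $alpath) {
    $dir = al_safe_include_dir($alpath, $root);
    printf("%-50s %s\n", $alpath, $dir === null ? 'rejected' : 'accepted');
}

rmdir($root . DIRECTORY_SEPARATOR . 'autolinks');
rmdir($root);
```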