PHPLD 2.x Security Problem


Posted October 19, 2006


I received an email this morning about a serious security flaw in phpLD 2.x. The flaw allows webmasters to submit HTML tags in the description and name fields. The problem is easily fixed using PHP's strip_tags() function. Here is the fix, courtesy of After 5 Web Design:

  1. Open:
    submit.php
  2. Find:
    $data['LAST_CHECKED'] = gmdate('Y-m-d H:i:s');
    $data['DATE_ADDED'] = gmdate('Y-m-d H:i:s');
    $data['DATE_MODIFIED'] = gmdate('Y-m-d H:i:s');
  3. Add:
    $data['DESCRIPTION'] = strip_tags($data['DESCRIPTION']);
    $data['TITLE'] = strip_tags($data['TITLE']);
    $data['OWNER_NAME'] = strip_tags($data['OWNER_NAME']);

Simple. Now that this is out in the open, you should expect spammers to try to exploit it. So I suggest you patch this up as soon as possible. I know Tim from After 5 Web Design has notified the phpLD team, and a patch should be out soon.
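
An added example, not phpLD's own code and not part of the original fix: the three strip_tags() calls wrapped in a hypothetical helper and run over a constructed submission. It goes one step beyond the posted fix by also encoding the values with htmlspecialchars() when they are written into a page, because strip_tags() leaves quotes and ampersands untouched; the names sanitize_submission() and e() are assumptions.

```php
<?php
// Added illustration; not phpLD source. Function names are hypothetical.

// The fields the posted fix runs through strip_tags().
const TEXT_FIELDS = ['DESCRIPTION', 'TITLE', 'OWNER_NAME'];

/** Strip HTML/PHP tags from the free-text fields of a link submission. */
function sanitize_submission(array $data): array
{
    foreach (TEXT_FIELDS as $field) {
        if (isset($data[$field])) {
            $data[$field] = trim(strip_tags((string) $data[$field]));
        }
    }
    return $data;
}

/** Encode a stored value for an HTML text node or a quoted attribute. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample submission (not real data).
$submitted = [
    'TITLE'       => '<b>Best Widgets</b>',
    'DESCRIPTION' => 'Quality widgets. <a href="http://spam.example/">click here</a>',
    'OWNER_NAME'  => 'Bob "The Builder" <i>Smith</i>',
    'URL'         => 'http://widgets.example/',
];

$clean = sanitize_submission($submitted);

foreach (TEXT_FIELDS as $field) {
    // Tags are gone after sanitize_submission(); quotes and ampersands are
    // not, so the value is still encoded at the point of output.
    printf("%-12s stored: %s\n", $field, $clean[$field]);
    printf("%-12s html:   %s\n", '', e($clean[$field]));
}
```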

