A very small security update that should stop the recent round of hackings.
Just replace the files with the ones in this .zip.
Do NOT run install.php or upgrade.php again.
08/24/06 - Manual instructions
- in header.php add the following lines at line 39:
$output = "";
$adminloggedin = 0;
$level = 0;
$loggedin = 0;
unset($useruid);
unset($userpenname);
- In challenges.php replace the respond( ) function. (Sorry can't be more specific than that.)
- Also in challenges.php replace the security check section at the top.
The download is here.
😮 Ach - there's a problem with this patch. I don't know what, but when I updated my site with it ( http://bjfic.net/main/ ), suddenly anyone who was logged out and tried to login couldn't get an actual login screen. In fact, nothing relating to the user.php page seemed to show up (registration, recover lost password, etc.).
You won't be able to see it on my site, because I reverted back to the previous versions of both of the files that were updated with this patch, and doing so immediately fixed the problem.
Jen
"A trifling matter, and fussy of me, but we all have our little ways." - Eeyore, The House at Pooh Corner
Thanks for catching this Jen. I'm zipping up the fixed files now. The login has its own special needs. 😛
Don't you just hate it when things have their own special needs? That's so annoying. 😉
Thanks for getting on this so fast, Tammy.
Jen
"A trifling matter, and fussy of me, but we all have our little ways." - Eeyore, The House at Pooh Corner
Alright. Try it now.
Works great! Thanks for all your hard work, Tammy. Not just on this patch, but on everything eFiction-related. It is much appreciated. 🙂
Jen
"A trifling matter, and fussy of me, but we all have our little ways." - Eeyore, The House at Pooh Corner
Sorry to do it, but I've made one more change to this upgrade. If you've already updated, grab the patch again and just update the header.php. Here is the addition:
- In header.php go to line 92 which is:
if($userdata['level']) $_SESSION['adminloggedin'] = 1;
Add directly below it:
else $_SESSION['adminloggedin'] = 0;
Thanks so much, Tammy. ^_^
There's just one little thing. There's a misspelling on line 63 of challenges.php. 'isset' is missing the 'e' and produces an error when you try to respond to a challenge.
I'm sorry, but due to my schedule, I am not available for commissions.
Alright. *in best TV announcer voice* One more time! 😛
Hey - better to patch multiple times and have it come out right than the alternative. Thanks again, Tammy!
Jen
"A trifling matter, and fussy of me, but we all have our little ways." - Eeyore, The House at Pooh Corner
^^; Sorry, Tammy
I'm sorry, but due to my schedule, I am not available for commissions.
Does this update affect 2.0 or 3.0 versions?
3.0 has not yet been released for anything other than testing purposes. It affects 2.0+ versions.
I'm confused by the instructions. What's in Tammy's original post for the first header.php instruction doesn't match up with what's in the manual instructions from the readme.txt in the zip file:
- in header.php add the following lines at line 39:
$output = "";
if(ini_get('register_globals')) {
foreach($_SESSION as $k => $v) {
unset($GLOBALS[$k]);
}
}
And that doesn't match up with what's in the header.php file in the zip file itself. At line 39 in the header.php file (from the zip patch), it says:
$output = "";
@include_once(_BASEDIR."config.php");
if(!isset($databasepath)) {
header("Location: install.php");
exit( );
}
I've already modified my header.php, so I can't just replace the file with what's in the zip. :/
If someone could let me know which set of instructions I should be following in modifying the header.php file, that'd be great.
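The common thread in all three header.php variants above is the same defence: give every login-related variable an explicit default before anything reads it, so that a request parameter turned into a global by register_globals cannot pre-set it. The following is an added example written for this thread, not eFiction's own code; the session keys `uid`, `penname` and `level` are assumed names, and the request/session arrays are passed in so the logic can be exercised without a live session.

```php
<?php
// Added example (not eFiction code): the hardening the patch applies to
// header.php, written as one function so the two cases can be compared.

// Before the patch, a check like `if ($loggedin)` read a variable that was
// never initialised. With register_globals on, PHP creates globals from
// request parameters, so the variable's value could come from the request
// rather than from the session. The defaults below close that gap.
function init_auth_state(array $session)
{
    // 1. Explicit defaults: the lines the patch adds at header.php line 39.
    //    Anything register_globals may have populated is overwritten here.
    $state = array(
        'output'        => '',
        'adminloggedin' => 0,
        'level'         => 0,
        'loggedin'      => 0,
        'useruid'       => null,   // stands in for unset($useruid)
        'userpenname'   => null,   // stands in for unset($userpenname)
    );

    // 2. Derive login state from the session only, never from the request.
    //    'uid', 'penname' and 'level' are assumed session key names.
    if (!empty($session['uid'])) {
        $state['loggedin']    = 1;
        $state['useruid']     = $session['uid'];
        $state['userpenname'] = isset($session['penname']) ? $session['penname'] : null;
        $state['level']       = isset($session['level']) ? (int) $session['level'] : 0;
    }

    // 3. The follow-up fix from this thread: an explicit else branch, so an
    //    admin flag left over from an earlier session cannot survive a login
    //    by a non-admin user.
    if ($state['level']) {
        $state['adminloggedin'] = 1;
    } else {
        $state['adminloggedin'] = 0;
    }
    return $state;
}

// Constructed sample sessions: anonymous visitor and a level-1 (admin) user.
$anon  = init_auth_state(array());
$admin = init_auth_state(array('uid' => 7, 'penname' => 'tammy', 'level' => 1));
var_dump($anon['loggedin'] === 0 && $anon['adminloggedin'] === 0);   // bool(true)
var_dump($admin['loggedin'] === 1 && $admin['adminloggedin'] === 1); // bool(true)
```

The `isset` spelled as `isst` on challenges.php line 63, mentioned earlier in the thread, is a fatal call to an undefined function, which is why the respond page errors rather than silently skipping the check.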
Hi there - how do I go about getting rid of the hacked message on my site? What do I need to do in order to repair this?
Thanks for any help that anyone can provide...
