Kleine Bugfix in search.php
Geplaatst: 24 nov 2003, 21:48
We've been notified by Niels Teusink of a flaw in search.php. This, under the right circumstances with certain server versions be exploited to obtain password hashes. The chances of this being taken advantage of on wide scale are slim. However we recommend all existing users of phpBB 2.0.x make the (single line) change specified below.
We have now updated all archives (for 2.0.6) as made available on the download page here. Therefore all new installations and upgrades will be immune.
To fix this flaw please open search.php in any text editor. Find the following code (in the vanilla release of 2.0.6 this can be found around line 685):
Replace it with the following:
Bron: phpBB.com
Sorry voor het niet vertalen van de tekst.
We have now updated all archives (for 2.0.6) as made available on the download page here. Therefore all new installations and upgrades will be immune.
To fix this flaw please open search.php in any text editor. Find the following code (in the vanilla release of 2.0.6 this can be found around line 685):
Code: Selecteer alles
if ( intval($search_id) )
{
$sql = "SELECT search_array
FROM " . SEARCH_TABLE . "
WHERE search_id = $search_id
AND session_id = '". $userdata['session_id'] . "'"; Code: Selecteer alles
$search_id = intval($search_id);
if ( $search_id )
{
$sql = "SELECT search_array
FROM " . SEARCH_TABLE . "
WHERE search_id = $search_id
AND session_id = '". $userdata['session_id'] . "'";Sorry voor het niet vertalen van de tekst.
