Davis.John (X·Zero Developer), 12-28-2007, 02:31 PM

Important security patches for XZero Community Classifieds

Thread closed as a newer version has been released.
_________________________________________________

A few security vulnerabilities have been identified in XZero Community Classifieds. We are releasing version 4.97 of the script with some quick fixes for the reported vulnerabilities. We strongly recommend that all users upgrade to the latest version to prevent any exploits.

The new version has been attached to this post. You must be registered and a Verified Customer to be able to download the file. Make sure that your forum registration email address matches the one that you used when purchasing the script, as this is needed for us to promote you to Verified Customer status.

It is also recommended to:
  • Change the passwords of your server accounts, mysql server and script admin area.
  • Turn register_globals Off on the server if it is On.
  • Turn magic_quotes_gpc On on the server if it is Off.
  • Take backups of your database and files on the server.
Please contact your hosting company for assistance on changing these settings.

Following are the details of the vulnerabilities patched:
  • Remote code execution vulnerability
    • Applies to versions < 4.96.
  • Local file inclusion vulnerability
  • Two instances of this vulnerability have been identified.
    • First one applies to versions < 4.96.
    • Second one can be exploited only if register_globals is On on your server.
  • SQL Injection vulnerability
  • Could be used to run arbitrary SQL.
    • May not be possible to run malicious SQL.
Changed files from previous versions:

From version 4.96.3 - 4.96.6:
  • cancelpay.php (Changed in v4.97.1)
  • common.inc.php
  • config.inc.php
  • initvars.inc.php
  • ads.php
  • edit.php
  • post.php
  • admin/admin.inc.php
  • admin/ads.php
  • admin/afooter.inc.php
  • admin/aheader.inc.php
  • admin/editad.php
  • cron/cleanup.php
From version 4.96.2:
  • All files as for 4.96.6
  • ads.php
From version 4.96.1:
  • All files as for 4.96.2
  • showad.php
From version 4.96:
  • All files as for 4.96.1
  • mailad.php
  • search.inc.php
Upgrade instructions for v4.96 or newer:
  • You may overwrite all the files except config.inc.php, unless you have made changes of your own.
  • Copy lines 298-301 of the new config.inc.php into your current config file.
    Note: If you have already copied over the config file, make sure that all the settings match your previous configuration, especially the database settings. Give special attention to the variable $tprefix. Make sure that it's the same as that in your current config file.
  • For versions older than 4.96, you will have to merge other changes in the config file as well.
You might want to use a tool like WinMerge (http://www.winmerge.org/) to merge the config file and also any other files that you have made any modifications to.

We are looking into any other possible vulnerabilities present in the script and will release additional patches if required. We are sorry for any inconvenience caused.

If you have any related information available please let us know.

Note:
All those who have upgraded to version 4.97, be sure to read this post:
http://www.xzeroscripts.com/forum/sh...=1550#post1550
Attached file: xzclf-4.97.1.zip (182.6 KB)
__________________
Davis John
X·Zero Developer

Last edited by Davis.John; 12-29-2007 at 05:22 AM. Reason: Updated package to v4.97.1
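The advisory recommends turning register_globals Off and magic_quotes_gpc On, and notes that the second local file inclusion is only exploitable with register_globals On. The following is an added example, not code from XZero Community Classifieds, showing the defensive pattern behind those two settings: it neutralises register_globals at startup, restricts includes to an allow-list, and normalises magic-quoted input once before casting at the query boundary. The file names (ads.php, post.php, search.inc.php) and the $tprefix variable are from the advisory; the functions, the $pages map and the prefix value are hypothetical.

```php
<?php
// Added example (not XZero code). With register_globals On, PHP copies every
// GET/POST/COOKIE parameter into a global variable before the script runs, so
// code like `include $page . '.php';` that never initialises $page will include
// whatever file name arrived in the request. Undo that injection up front so
// every uninitialised variable really is unset (no-op on PHP >= 5.4, where the
// directive no longer exists).
if (ini_get('register_globals')) {
    $superglobals = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_SERVER',
                          '_ENV', '_FILES', '_REQUEST', '_SESSION');
    foreach (array_keys(array_merge($_GET, $_POST, $_COOKIE)) as $name) {
        if (!in_array($name, $superglobals, true)) {
            unset($GLOBALS[$name]);
        }
    }
}

// Allow-listed include: the request supplies only a key, never a path, so no
// global-scope variable can steer which file is included. Returns false for
// unknown keys instead of including anything.
function include_page($key) {
    $pages = array('ads'    => 'ads.php',       // hypothetical map
                   'post'   => 'post.php',
                   'search' => 'search.inc.php');
    if (!isset($pages[$key])) {
        return false;
    }
    include dirname(__FILE__) . '/' . $pages[$key];
    return true;
}

// magic_quotes_gpc On only prepends backslashes to raw input, a stop-gap for
// scripts that forget to escape. Strip that once here and escape or cast at
// the query boundary, so values are never escaped twice or not at all.
// get_magic_quotes_gpc() was removed in PHP 8.0, hence the guard.
function unquote_gpc($value) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

$tprefix = 'xzclf_';                              // example value; real one is in config.inc.php
$id  = (int) unquote_gpc(isset($_GET['id']) ? $_GET['id'] : '0');
$sql = "SELECT * FROM {$tprefix}ads WHERE id = $id"; // integer cast: nothing to inject
include_page(isset($_GET['page']) ? $_GET['page'] : 'ads');
```

Even with these checks in place, the server-side settings the advisory lists should still be changed, since other scripts on the same host inherit them.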