Community & Support
  Home  •  News  •  Community & Support Forum

Go Back   XZeroScripts Community & Support > General Forums > Announcements


Closed Thread
Thread Tools Search this Thread Display Modes
Old 12-28-2007, 02:31 PM   #1
X·Zero Developer
Davis.John's Avatar
Join Date: Oct 2007
Posts: 759
Davis.John is on a distinguished road
Default Important security patches for XZero Communtiy Classifieds

Thread closed as a newer version has been released.

A few security vulnerabilities had been identified with XZero Community Classifieds. We are releasing version 4.97 of the script with some quick fixes to the reported vulnerabilities. We strongly recommend all users to upgrade to the latest version to prevent any exploits.

The new version had been attached to this post. You must be registered and a Verified Customer to be able to download the file. Make sure that your forum registration email address matches the one that you used to register for purchasing the script as this is needed for us to promote you to the Verified Customer status.

It is also recommended to:
  • Change the passwords of your server accounts, mysql server and script admin area.
  • Turn register_globals Off on the server if it is On.
  • Turn magic_quotes_gpc On on the server if it is Off.
  • Take backups of your database and files on the server.
Please contact your hosting company for assistance on changing these settings.

Following are the details of the vulnerabilities patched:
  • Remote code execution vulnerability
    • Applies to versions < 4.96.
  • Local file inclusion vulnerability
    • Two instances of this vulnerability had been identified.
    • First one applies to versions < 4.96.
    • Second one can be exploited only if register_globals is On on your server.
  • SQL Injection vulnerability
    • Could be used to run arbitary SQL.
    • May not be possible to run malicious SQL.
Changed files from previous versions:

From version 4.96.3 - 4.96.6:
  • cancelpay.php (Changed in v4.97.1)
  • ads.php
  • edit.php
  • post.php
  • admin/
  • admin/ads.php
  • admin/
  • admin/
  • admin/editad.php
  • cron/cleanup.php
From version 4.96.2:
  • All files as for 4.96.6
  • ads.php
From version 4.96.1:
  • All files as for 4.96.2
  • showad.php
From version 4.96:
  • All files as for 4.96.1
  • mailad.php
Upgrade instructions for v4.96 or newer:
  • You may overwrite all the files except unless you have made any changes by yourself.
  • Copy the lines 298-301 in the new to your current config file.
    Note: If you have already copied over the config file, make sure that all the settings match your previous configuration, especially the database settings. Give special attention to the variable $tprefix. Make sure that its the same as that in your current config file.
  • For versions older that 4.96, you will have to merge other changes in the config file as well.
You might want to use a tool like WinMerge ( to merge the config file and also any other files that you have made any modifications to.

We are looking into any other possible vulnerabilities present in the script and will release additional patches if required. We are sorry for any inconvenience caused.

If you have any related information available please let us know.

All those who have upgraded to version 4.97, be sure to read this post:
Attached Files
File Type: zip (182.6 KB, 144 views)
Davis John
X·Zero Developer

Last edited by Davis.John; 12-29-2007 at 05:22 AM. Reason: Updated package to v4.97.1
Davis.John is offline  
Closed Thread
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump

All times are GMT -7. The time now is 04:11 PM.

Powered by vBulletin® Version 3.7.3
Copyright ©2000 - 2019, Jelsoft Enterprises Ltd.
Copyright © 2005-2017 Nesote Technologies Private Limited, All Rights Reserved.