Important security patches for XZero Communtiy Classifieds

[Davis.John]

Thread closed as a newer version has been released.
_________________________________________________

A few security vulnerabilities had been identified with XZero Community Classifieds. We are releasing version 4.97 of the script with some quick fixes to the reported vulnerabilities. We strongly recommend all users to upgrade to the latest version to prevent any exploits.

The new version had been attached to this post. You must be registered and a Verified Customer to be able to download the file. Make sure that your forum registration email address matches the one that you used to register for purchasing the script as this is needed for us to promote you to the Verified Customer status.

It is also recommended to:

• Change the passwords of your server accounts, mysql server and script admin area.
• Turn register_globals Off on the server if it is On.
• Turn magic_quotes_gpc On on the server if it is Off.
• Take backups of your database and files on the server.

Please contact your hosting company for assistance on changing these settings.

Following are the details of the vulnerabilities patched:

• Remote code execution vulnerability
  • Applies to versions < 4.96.
• Local file inclusion vulnerability
  • Two instances of this vulnerability had been identified.
  • First one applies to versions < 4.96.
  • Second one can be exploited only if register_globals is On on your server.
• SQL Injection vulnerability
  • Could be used to run arbitary SQL.
  • May not be possible to run malicious SQL.

Changed files from previous versions:

From version 4.96.3 - 4.96.6:

• cancelpay.php (Changed in v4.97.1)
• common.inc.php
• config.inc.php
• initvars.inc.php
• ads.php
• edit.php
• post.php
• admin/admin.inc.php
• admin/ads.php
• admin/afooter.inc.php
• admin/aheader.inc.php
• admin/editad.php
• cron/cleanup.php

From version 4.96.2:

• All files as for 4.96.6
• ads.php

From version 4.96.1:

• All files as for 4.96.2
• showad.php

From version 4.96:

• All files as for 4.96.1
• mailad.php
• search.inc.php

Upgrade instructions for v4.96 or newer:

• You may overwrite all the files except config.inc.php unless you have made any changes by yourself.
• Copy the lines 298-301 in the new config.inc.php to your current config file.
  Note: If you have already copied over the config file, make sure that all the settings match your previous configuration, especially the database settings. Give special attention to the variable $tprefix. Make sure that its the same as that in your current config file.
• For versions older that 4.96, you will have to merge other changes in the config file as well.

You might want to use a tool like WinMerge (http://www.winmerge.org/) to merge the config file and also any other files that you have made any modifications to.

We are looking into any other possible vulnerabilities present in the script and will release additional patches if required. We are sorry for any inconvenience caused.

If you have any related information available please let us know.

Note:
All those who have upgraded to version 4.97, be sure to read this post:
http://www.xzeroscripts.com/forum/sh...=1550#post1550