A few moments ago this was brought to my attention: a mistake in the validation code for the input parameters in the file players-detail.php made an SQL injection bug possible.
Details about this security flaw can be found here:
http://www.securityfocus.com/bid/30212/info
(DO NOT USE THE FIX RECOMMENDED IN THE EXPLOIT THERE; IT WILL BREAK HALF OF THE PLAYER DETAILS FUNCTIONALITY)
Affected versions are:
UltraStats 0.2.136
UltraStats 0.2.140
UltraStats 0.2.142
To fix this issue manually, please follow these steps, or replace your players-detail.php with the one attached here. Please spread this information to all admins you know who use UltraStats.
1. Open players-detail.php and search for:
Code:
is_numeric($content['playerguid']) &&
( $content['playerguid'] > 4294967296 && $content['playerguid'] <= 0 )
2. Replace with this code:
Code:
!is_numeric($content['playerguid'])
||
( $content['playerguid'] > 4294967296 && $content['playerguid'] <= 0 )
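As an added illustration (not code from the UltraStats code base or from this post), the two conditions above wrapped in functions and run over constructed sample inputs; the `$guid` parameter stands in for `$content['playerguid']` as it arrives from the request, and the stricter variant at the end is my own addition, not part of the fix:

```php
<?php
// Original condition (the vulnerable one). It is true only for a value that
// is numeric AND out of range. A non-numeric string makes is_numeric() false,
// so the whole condition is false and the string is never flagged before it
// reaches the SQL query.
function guid_rejected_before(string $guid): bool
{
    return is_numeric($guid) &&
        ( $guid > 4294967296 && $guid <= 0 );
}

// Fixed condition from the post. It is true whenever the value is NOT
// numeric, so every non-numeric string is now rejected. Note that the range
// part (> 4294967296 AND <= 0) can never be true for a single value, so only
// the is_numeric() test does any work in either version.
function guid_rejected_after(string $guid): bool
{
    return !is_numeric($guid)
        ||
        ( $guid > 4294967296 && $guid <= 0 );
}

// Stricter variant (my addition): digits only and within the 32-bit unsigned
// range. is_numeric() also accepts forms such as "1e3", "-5" or " 7", which
// the check above lets through; ctype_digit() does not.
function guid_rejected_strict(string $guid): bool
{
    return !ctype_digit($guid) || $guid > 4294967296 || $guid <= 0;
}

// Constructed sample inputs: a normal GUID, edge values, and two strings that
// are not numeric and must never be interpolated into a query.
function run_samples(): array
{
    $samples = ['12345', '0', '4294967297', '1e3', '42abc', '42 OR 1=1'];
    $results = [];
    foreach ($samples as $guid) {
        $results[$guid] = [
            'before' => guid_rejected_before($guid),
            'after'  => guid_rejected_after($guid),
            'strict' => guid_rejected_strict($guid),
        ];
        printf("%-12s before=%-5s after=%-5s strict=%s\n", $guid,
            var_export($results[$guid]['before'], true),
            var_export($results[$guid]['after'], true),
            var_export($results[$guid]['strict'], true));
    }
    return $results;
}

run_samples();
```

With the original condition every sample shows `before=false`, i.e. nothing is ever rejected; with the fixed condition `42abc` and `42 OR 1=1` are rejected, while `0`, `4294967297` and `1e3` still pass and are caught only by the stricter variant.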
ATTENTION: I will update the UltraStats setup to a newer version in the next few days, as a few other things will be fixed along with this release.