| Author |
Message |
deltaray |
|
Post subject: Fix for players-detail.php SQL Vulnerability
 Posted: Jul 15, 2008 - 04:20 PM
|
|
Sitemast0r
Joined: Oct 22, 2005
Posts: 12339
Location: Terra - SOL System
Status: Offline
|
|
A few moments ago this was brought to my attention. A mistake in the validation code of the input Parameters in the file players-detail.php made an SQL Injection bug possible.
Details about this security flaw can be found here:
http://www.securityfocus.com/bid/30212/info
(DO NOT USE THE FIXED RECOMMEND IN THE EXPLOIT THERE, IT WILL BREAK FUNCTIONALITY HALF OF THE PLAYER DETAILS)
Affected Versions are:
UltraStats 0.2.136
UltraStats 0.2.140
UltraStats 0.2.142
In order to fix this issue manually please process these steps, or replace your players-detail.php with the attached one here. Please spread this information to all admins you know, who use UltraStats.
1. Open players-detail.php and search for:
Code: is_numeric($content['playerguid']) &&
( $content['playerguid'] > 4294967296 && $content['playerguid'] <= 0 )
2. Replace with this code:
Code: !is_numeric($content['playerguid'])
||
( $content['playerguid'] > 4294967296 && $content['playerguid'] <= 0 )
ATTENTION: I will update the UltraStats setup to a newer version in the next few days, as a few other things will be fixed along with this release. |
| Description: |
Fixed Exploit from:
http://www.securityfocus.com/bid/30212/exploit |
|
Download |
| Filename: |
players-detail-FIXED.rar |
| Filesize: |
4.72 KB |
| Downloaded: |
291 Time(s) |
_________________
 - For Support write into the forums pls ... btw u r a fag 
He Poops on you!
|
| |
|
|
|
 |
|
HarryRag |
|
|
Post subject: Fix for players-detail.php SQL Vulnerability
Posted: Jul 15, 2008 - 06:07 PM
|
|
Private
Joined: Dec 01, 2007
Posts: 13
Status: Offline
|
|
| thnx for the fast fix DeltaRay |
|
|
| |
|
|
|
|
|
Anzeigen |
|
|
Post subject: Google Ads
Posted:
|
|
Guest
Joined: Dec 01, 2007
Posts
Location
Status: Offline
|
|
|
|
|
|
|
eagleeye |
|
|
Post subject: Fix for players-detail.php SQL Vulnerability
Posted: Jul 16, 2008 - 06:12 PM
|
|
Lance Corporal
Joined: Jun 18, 2006
Posts: 57
Status: Offline
|
|
tnx for the support, will pass the word 
in 0.2.142 it's line 41 of the file. |
|
|
| |
|
|
|
|
|
Hunter |
|
 |
Post subject: Fix for players-detail.php SQL Vulnerability
Posted: Jul 17, 2008 - 01:02 AM
|
|
Corporal
Joined: Mar 10, 2006
Posts: 163
Status: Offline
|
|
| Ok nice, no not nice but ........ |
_________________
|
| |
|
|
|
|
|
|
|
|
Home
Forum
Downloads
News
Neueste Forum Posts
FAQ
Search
Register
Log in to check your private messages
Log in
Maximize
