[Fixed] DragonflyCMS 9.0.6.1 Security Fixes
| Author | Message |
DJ Maze


Joined: Apr 19, 2004 Posts: 5668 Location: http://tinyurl.com/5z8dmv
|
Subject: Re: Posted on Bugtraq -CPGNuke Dragonfly 9.0.6.1 remote commands Posted: Sun Feb 12, 2006 4:20 am |
|
Yes, those 4 files will patch your system.
About the exploit:
coppermine OR error.php is used to send over a script.
The script CAN'T run on its own, so it needs a file that has a bug.
install.php has such a bug in the language selector.
If you properly deleted install.php as the instructions said, then your system is not vulnerable.
Since both the readme and the installer say it, this exploit is actually "low-risk". But since nobody does what they read, or skips reading, I've put it up as an update notification.
The XSS exploit I discovered in linking.php is a much more severe security issue. Therefore the update notification is fully in its right.
DJ Maze's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Fedora 12 / 2.2.15 / 5.1.47 / 5.3.3 / CVS |
Ronin


Joined: Jun 07, 2004 Posts: 476 Location: Calgary, AB
|
Subject: Re: Posted on Bugtraq -CPGNuke Dragonfly 9.0.6.1 remote comm Posted: Sun Feb 12, 2006 8:50 pm |
|
DJMaze wrote:
The XSS exploit I discovered in linking.php is a much more severe security issue. Therefore the update notification is fully in its right.
OK, I did follow the install instructions and removed install.php. However, I'm not clear if the linking.php issue mentioned above is separate? My update notification just talks about removing the install, with no mention of an XSS exploit in linking.php.
Quote:
install.php security exploit
Recently someone found a security exploit in install.php.
Always be sure you deleted install.php.
Fixes available at dragonflycms.org/Forum...html#98034
Posted on February 10, 2006
So can someone clarify that if I don't have install.php I'm safe from everything discussed here, including the linking.php XSS exploit?
_________________ Cheers,
Ronin
Ronin Technologies
Dragonfly Google Maps Module
Ronin's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Lunarpages Linux / 1.3.37 / 4.1.22-standard-log / 4.4.4 / 9.1.2.5 |
goran_wright


Joined: Nov 14, 2005 Posts: 7 Location: Philippines
|
Subject: Re: Posted on Bugtraq -CPGNuke Dragonfly 9.0.6.1 remote comm Posted: Tue Feb 14, 2006 7:47 am |
|
Quote:
install.php security exploit
Recently someone found a security exploit in install.php.
Always be sure you deleted install.php.
Fixes available at dragonflycms.org/Forum...html#98034
Posted on February 12, 2006
I also have this message, but I don't have install.php.
goran_wright's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) PHP4 |
Ronin


Joined: Jun 07, 2004 Posts: 476 Location: Calgary, AB
|
Subject: Re: Posted on Bugtraq -CPGNuke Dragonfly 9.0.6.1 remote commands Posted: Tue Feb 14, 2006 2:21 pm |
|
The message is just an advisory, goran. Everyone running 9.0.6.1 gets it.
_________________ Cheers,
Ronin
Ronin Technologies
Dragonfly Google Maps Module
Ronin's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS) Lunarpages Linux / 1.3.37 / 4.1.22-standard-log / 4.4.4 / 9.1.2.5 |