Dragonfly CMS v9 ⇒ Security v9 :: Archives ⇒ [Fixed] DragonflyCMS 9.0.6.1 Security Fixes :: Archived (page 2) ⇒ Community Forums ⇒ CPG Dragonfly™ CMS
Forum IndexSecurity v9

Archived ⇒ [Fixed] DragonflyCMS 9.0.6.1 Security Fixes


Yes those 4 files will patch your system.

About the exploit:

coppermine OR error.php is used to send over a script.
The script CAN'T run on its own so it needs a file that has a bug.
install.php has such bug in the language selector.

If you properly deleted the install.php per the instructions said, then your system is not vulnerable.
Since both the readme and the installer say it, this exploit is actualy "low-risk". But since nobody does what they read or skip to read i've put it up as update notification.

The XSS exploit i discovered in linking.php is of a much more severe security issue. Therefore the update notification is fully in its right.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial


DJMaze wrote
The XSS exploit i discovered in linking.php is of a much more severe security issue. Therefore the update notification is fully in its right.


OK, I did follow the install instructions and removed install.php. However I'm not clear if the linking.php issue mentioned above is seperate? My update notification just talks about removing the install, with no mention of an XSS exploit in linking.php.

install.php security exploitRecently someone found a security exploit in install.php.
Always be shure you deleted install.php.
Fixes available at dragonflycms.org/Forum...html#98034

Posted on February 10, 2006


So can someone clarify that if I don't have install.php I'm safe from everything discussed here including the linking.php XSS exploit?

Cheers,

Ronin
Ronin Technologies
Dragonfly Google Maps Module

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Ubuntu 14.04 / 2.4.7 / 5.5.37 / 5.5.9 / 9.4.0.0


install.php security exploitRecently someone found a security exploit in install.php.
Always be shure you deleted install.php.
Fixes available at dragonflycms.org/Forum...html#98034

Posted on February 12, 2006


I also have this message. but I don't have instll.php..

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
PHP4


The message is just an advisory goran. Everyone running 9.0.6.1 gets it.

Cheers,

Ronin
Ronin Technologies
Dragonfly Google Maps Module

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Ubuntu 14.04 / 2.4.7 / 5.5.37 / 5.5.9 / 9.4.0.0

All times are UTC