This page contains very important security issues & related fixes. Please apply these fixes to your installation as soon as possible.
| SP070806 | |
|---|---|
| Description | Malicious code can be inserted via GET parameters. |
| Versions affected | Version 4.05 and below |
| Version fixed | Version 4.06 (Aug. 06, 2007) |

Patch Method #1: for Version 4.0 - 4.05 (if you have not modified the include/globals.php file)

- Download the patch file sp070806.zip
- Unzip the file.
- You will get one file: globals.php
- Upload globals.php to the realtor747/include/ directory
- This replaces the currently installed realtor747/include/globals.php with the new one

Patch Method #2: for any version up to 4.05
- Open realtor747/include/globals.php
- Go to the end of the file. It looks like:

```php
...
debug( $out );
/* vim: set expandtab sw=4 ts=4 sts=4: */
```

- Copy and paste the following code just after the "debug( $out );" line.

Patch Code:

```php
// Stops the request when a parameter that must be an integer carries anything
// else. The name is first tried as a constant (the G_* values such as
// G_PAGE_ID, which globals.php derives from request parameters like pageid),
// otherwise as a raw $_GET key (the sr_* search parameters).
function check_param_integer( $p )
{
    if ( defined( $p ) ) {
        $v = constant( $p );
        if ( ( $v != NULL ) && !is_numeric( $v ) ) {
            die( "Error. '$p' is not an integer. '$p' is '$v'." );
        }
    } else {
        $v = isset( $_GET[ $p ] ) ? $_GET[ $p ] : NULL;
        if ( ( $v != NULL ) && !is_numeric( $v ) ) {
            die( "Error. _GET[ '$p' ] is not an integer. _GET[ '$p' ] is '$v'." );
        }
    }
}
// Note: is_numeric() also accepts decimal and exponent forms ("1.5", "1e3"),
// so this is a numeric check rather than a strict integer check, and the
// rejected value is echoed back unescaped in the error message.

check_param_integer( 'G_LISTING_ID' );
check_param_integer( 'G_CATEGORY_ID' );
check_param_integer( 'G_PAGE_ID' );
check_param_integer( 'G_ATTR_ID' );
check_param_integer( 'G_FEATURE_ID' );
check_param_integer( 'G_AREA_ID' );
check_param_integer( 'G_SERVICE_ID' );
check_param_integer( 'G_ABOUT_ID' );
check_param_integer( 'G_IMAGE_ID' );
check_param_integer( 'G_TOUR_ID' );
check_param_integer( 'G_DOCUMENT_ID' );
check_param_integer( 'G_AGENT_ID' );
check_param_integer( 'G_LL_PAGE_ID' );
check_param_integer( 'G_AL_PAGE_ID' );
check_param_integer( 'sr_category' );
check_param_integer( 'sr_area' );
check_param_integer( 'sr_bedroom' );
check_param_integer( 'sr_bathroom' );
check_param_integer( 'sr_price_from' );
check_param_integer( 'sr_price_to' );
check_param_integer( 'sr_page_size' );
```
Verification: check that the patch has been applied properly

- Check your home page with "pageid=1"
  - realtor_747_installation/index.php?pageid=1
  - ex. http://it747.com/realtor747/demo/brochure4/index.php?pageid=1
  - This page should be displayed properly.
- Check your home page with "pageid=invalid_string"
  - realtor_747_installation/index.php?pageid=invalid_string
  - ex. http://it747.com/realtor747/demo/brochure4/index.php?pageid=invalid_string
  - This page should display an error message like the one below and stop processing:

```
Error. 'G_PAGE_ID' is not an integer. 'G_PAGE_ID' is 'invalid_string'.
```
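As an added illustration (not part of the SP070806 patch or of the realtor747 code), the following PHP script runs the advisory's is_numeric()-based rule and a stricter FILTER_VALIDATE_INT rule side by side over constructed sample values of the kind the verification step uses, so the difference between "numeric" and "integer" is visible. The function names passes_advisory_check, passes_strict_int_check and get_int_param are this example's own, and the sample values are made up.

```php
<?php
// Added example, not the advisory's patch: compares the advisory's
// is_numeric()-based accept/reject rule with a strict integer rule over
// constructed sample GET values. Runs from the CLI; no realtor747 files needed.

// Same accept/reject rule as the advisory's check_param_integer(),
// returning a boolean instead of calling die().
function passes_advisory_check( $v )
{
    // The advisory dies when the value is set (loosely non-null) and not numeric.
    return !( ( $v != NULL ) && !is_numeric( $v ) );
}

// Stricter rule for ID-style parameters: an absent value is allowed, anything
// present must be a non-negative decimal integer. FILTER_VALIDATE_INT rejects
// decimals ("1.5"), exponent notation ("1e3"), leading zeros ("007"),
// the empty string and arbitrary text.
function passes_strict_int_check( $v )
{
    if ( $v === NULL ) {
        return true;
    }
    $opts = array( 'options' => array( 'min_range' => 0 ) );
    return filter_var( $v, FILTER_VALIDATE_INT, $opts ) !== false;
}

// Hardened way to read an ID from a request array: returns an int, or NULL
// when the parameter is absent, and fails closed on anything else without
// echoing the rejected value back into the response.
function get_int_param( $name, array $source )
{
    if ( !isset( $source[ $name ] ) ) {
        return NULL;
    }
    $opts = array( 'options' => array( 'min_range' => 0 ) );
    $v = filter_var( $source[ $name ], FILTER_VALIDATE_INT, $opts );
    if ( $v === false ) {
        die( "Error. '$name' is not an integer." );
    }
    return $v;
}

// Constructed sample values standing in for $_GET['pageid'].
$samples = array( NULL, '', '1', '0', '42', '1.5', '1e3', '007', 'invalid_string' );

printf( "%-18s %-10s %-10s\n", 'value', 'advisory', 'strict' );
foreach ( $samples as $v ) {
    printf( "%-18s %-10s %-10s\n",
            $v === NULL ? '(absent)' : "'$v'",
            passes_advisory_check( $v ) ? 'pass' : 'reject',
            passes_strict_int_check( $v ) ? 'pass' : 'reject' );
}

// In application code the strict reader would be used like this
// (constructed input, same shape as $_GET):
$page_id = get_int_param( 'pageid', array( 'pageid' => '1' ) );
printf( "pageid read as int %d\n", $page_id );
```

The table the script prints shows '1.5', '1e3', '007' and '' passing the advisory's rule while the strict rule rejects them; 'invalid_string' is rejected by both, which is exactly the case the verification step above exercises.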