 Security Patch For AEF 1.0.8, XSS exploit has been removed (3 Replies, Read 23349 times)
SAFAD
Group: Administrator
Post Group: Elite Member
Posts: 279
Hello Everyone,

This is a patch for a security exploit that has been in AEF 1.0.8. To ensure your board is safer, please apply this patch as soon as possible.

Note:
When 1.0.9 is released, the upgrader will assume this patch has already been applied, so when 1.0.9 is released, you must have this patch applied for the upgrader to work properly.

Open the file "/main/calendar.php" and replace: (OR: Download the attachment and replace it with the current calendar.php in /main/)
Code
/////////////////////////////
// Define the necessary VARS
/////////////////////////////

$birthdays = array();
$events = array();

if(isset($_GET['date']) && trim($_GET['date'])!=="" && is_numeric(trim($_GET['date'])) && strlen(trim($_GET['date'])) == 8){
    $date = (int) inputsec(htmlizer(trim($_GET['date'])));
    $year = substr($date, 0, 4);
    $month = substr($date, 4, 2);
    $day = substr($date, 6, 2);

    //Check the Year and Month
    if(!($year > 1969 && $year < 2038 && $month > 0 && $month <= 12 && $day > 0 && $day <= 31)){
        $date = 0;
    }
}


by this
Code
/////////////////////////////
// Define the necessary VARS
/////////////////////////////

$birthdays = array();
$events = array();

//patch for the XSS exploit By SAFAD
//(guarded with isset() so a request without a "date" parameter does not raise an undefined-index notice)
$date = isset($_GET['date']) ? (int) inputsec(htmlizer(trim(htmlentities($_GET['date'])))) : 0;
//End of the patch
if(isset($date) && trim($date)!=="" && is_numeric(trim($date)) && strlen(trim($date)) == 8){ //there is a small modification here to make the patch work
    $date = (int) inputsec(htmlizer(trim($_GET['date'])));
    $year = substr($date, 0, 4);
    $month = substr($date, 4, 2);
    $day = substr($date, 6, 2);

    //Check the Year and Month
    if(!($year > 1969 && $year < 2038 && $month > 0 && $month <= 12 && $day > 0 && $day <= 31)){
        $date = 0;
    }
}

Please patch as soon as possible

We will release AEF 1.0.9 soon

Best Regards
The AEF team.

Edited by Alex : May 19, 2010, 6:39 pm

-----------------------
Best Regards
Sadaoui "SAFAD" Abderrahim - Lead Developer
My Blog
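As an added illustration of the validation the patch above performs (this is not SAFAD's patch and not AEF code): a self-contained PHP validator for the YYYYMMDD "date" parameter. It allowlists exactly eight ASCII digits before any integer cast, applies the same 1970..2037 year range the patch uses, additionally rejects days that do not exist on the calendar, and escapes the value on output so the two defences are independent. The function names validate_calendar_date and render_date_label and the sample inputs are constructed for this example; AEF's inputsec() and htmlizer() are not called.

```php
<?php
// Added example, not part of the AEF 1.0.8 patch. Function names and the
// sample inputs below are assumptions made for this illustration.

/**
 * Return the date as an int (e.g. 20100519) when the input is exactly eight
 * digits and denotes a real calendar day between 1970 and 2037; otherwise 0.
 */
function validate_calendar_date($raw)
{
    // A missing parameter (null) or an array (?date[]=x) is rejected outright,
    // which also avoids the undefined-index and array-to-string notices.
    if (!is_string($raw)) {
        return 0;
    }
    $s = trim($raw);
    // Allowlist: exactly eight ASCII digits, checked BEFORE any cast.
    // "2010<script>" would otherwise survive a bare (int) cast as 2010, and
    // "1e7" passes is_numeric() although it is not a date.
    if (!preg_match('/^[0-9]{8}\z/', $s)) {
        return 0;
    }
    $year  = (int) substr($s, 0, 4);
    $month = (int) substr($s, 4, 2);
    $day   = (int) substr($s, 6, 2);
    // Same year range as the patch (1970..2037); checkdate() refuses
    // impossible days such as 20100231 that a plain 1..31 test would accept.
    if ($year < 1970 || $year > 2037 || !checkdate($month, $day, $year)) {
        return 0;
    }
    return (int) $s;
}

/**
 * Output side: anything echoed back into HTML is escaped regardless of what
 * the validation returned, so the two controls do not depend on each other.
 */
function render_date_label($date)
{
    $label = ($date === 0) ? 'today' : (string) $date;
    return htmlspecialchars($label, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs standing in for $_GET['date'].
$samples = array(
    '20100519',        // valid
    '20100231',        // eight digits, but February 31 does not exist
    '19691231',        // outside the supported year range
    '2010<script>',    // not all digits; a bare (int) cast alone would yield 2010
    '1e7',             // is_numeric() says yes, but it is not a date
    array('20100519'), // ?date[]=... array instead of a string
    null,              // parameter absent from the request
);

foreach ($samples as $in) {
    $shown = is_array($in) ? 'array(...)' : var_export($in, true);
    $date  = validate_calendar_date($in);
    printf("%-18s -> %-8d -> <span>%s</span>\n", $shown, $date, render_date_label($date));
}
```

Run it with the PHP CLI (php example.php): only 20100519 is accepted; every other sample comes back as 0 and is rendered as the neutral label "today".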

Security Patch For AEF 1.0.8
alkutob
Group: Member
Post Group: Newbie
Posts: 38

I love AEFarabic
Security Patch done

Thank you




Security Patch For AEF 1.0.8
esaenz22
Group: Member
Post Group: Newbie
Posts: 4
thanks for the patch ...
