Description: RoMaNcYxHaCkEr has reported a vulnerability in Ray, which can be exploited by malicious people to disclose sensitive information or to compromise a vulnerable system.
Input passed to the "sIncPath" parameter in modules/global/inc/content.inc.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local or external resources.
Successful exploitation requires that "register_globals" is enabled.
The vulnerability is reported in version 3.5. Other versions may also be affected.
Solution: Edit the source code to ensure that input is properly verified.
Provided and/or discovered by: RoMaNcYxHaCkEr
Source: http://secunia.com/advisories/30999/
add the following code to your ray/modules/global/inc/content.inc.php
add it at the top above the 1st require once command
if (isset($_REQUEST['sIncPath']))
    die ('Hacking attempt');
so it looks like this:
if (isset($_REQUEST['sIncPath']))
    die ('Hacking attempt');
require_once($sIncPath . "xml.inc.php");
require_once($sIncPath . "constants.inc.php");
require_once($sIncPath . "apiFunctions.inc.php");
Just for anyone that wants to know, I believe the first part can be placed in any file that has the "require_once($sIncPath..." in it.
This fix is for all versions of Dolphin 5.6 to date.
This fix will not affect anything within Dolphin, but if you have added Google Maps, then it would affect that, and other things you may have added that are not part of Dolphin and are being called from outside your server.
I have found another security issue. I am working on it. Soon I will post the solution here.
Parse error: syntax error, unexpected T_VARIABLE, expecting ',' or ';' in /homepages/8/*/htdocs/*/family/ray/modules/global/inc/content.inc.php on line 228
Any Ideas?
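An added example, not part of the thread or of the Ray/Dolphin code: a Python audit for the advice above that the guard belongs in every file containing "require_once($sIncPath...". It reports each file whose first $sIncPath include is not preceded by the $_REQUEST guard; the function names and the sample strings are constructed for this illustration.

```python
import os
import re

# Include/require statements whose path starts with $sIncPath.
INCLUDE_RE = re.compile(r'\b(?:require|include)(?:_once)?\s*\(?\s*\$sIncPath\b')
# The guard from the thread: isset($_REQUEST['sIncPath']) followed by die/exit.
GUARD_RE = re.compile(r'if\s*\(\s*isset\s*\(\s*\$_REQUEST\s*\[\s*[\'"]sIncPath[\'"]'
                      r'\s*\]\s*\)\s*\)\s*\{?\s*(?:die|exit)\b')
COMMENT_RE = re.compile(r'/\*.*?\*/|(?://|#)[^\n]*', re.S)

def strip_comments(src):
    """Blank out PHP comments (newlines kept) so a commented-out guard does
    not count. Simplification: '//' or '#' inside a string also starts one."""
    return COMMENT_RE.sub(lambda m: re.sub(r'[^\n]', ' ', m.group()), src)

def audit(src):
    """Return (status, line) for one PHP source string, where status is
    'no-include', 'guarded' or 'unguarded' and line is the first include."""
    code = strip_comments(src)
    inc = INCLUDE_RE.search(code)
    if inc is None:
        return ('no-include', None)
    line = code.count('\n', 0, inc.start()) + 1
    # The guard only helps if it runs before the first $sIncPath include.
    guarded = GUARD_RE.search(code, 0, inc.start()) is not None
    return ('guarded' if guarded else 'unguarded', line)

def scan_tree(root):
    """Audit every .php file under root; return {path: (status, line)}."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith('.php'):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding='latin-1') as fh:
                result = audit(fh.read())
            if result[0] != 'no-include':
                results[path] = result
    return results

# Constructed samples modelled on the snippet posted in the thread.
GUARD = "if (isset($_REQUEST['sIncPath']))\ndie ('Hacking attempt');\n"
INC = 'require_once($sIncPath . "xml.inc.php");\n'
PATCHED = "<?php\n" + GUARD + INC
UNPATCHED = "<?php\n" + INC
LATE_GUARD = "<?php\n" + INC + GUARD + INC          # guard placed too late
COMMENTED = "<?php\n// " + GUARD.replace("\n", " ") + "\n" + INC
```

It recognises only the guard form posted in this thread, so a file protected some other way is still reported as unguarded and needs a manual look.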