Quote
JoiNNN wrote:
You can use the same method I've described here and redirect to index.php when accessing one of those pages.
[syntaxhighlighter brush=php,first-line=1,highlight=0,collapse=false,html-script=false]
$url = htmlspecialchars($_SERVER['REQUEST_URI']);
$page = FUSION_SELF;
// Restricted pages
$restricted_pages = array("downloads.php", "weblinks.php");
// Check: strpos() returns 0 (falsy) for a match at offset 0, so compare strictly against false
if (strpos($url, '/administration/') === false && in_array($page, $restricted_pages)) {
    redirect(BASEDIR."index.php");
}
[/syntaxhighlighter]
Add this code to a panel, or to theme.php, includes/header_includes.php; wherever you like.
NOTE: If you put the code in a panel, it is important that the panel be on the left or right side only, and preferably be the first.
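The same redirect decision as an added example (not part of JoiNNN's post and not PHP-Fusion code): a hypothetical helper, `is_restricted_request()`, that tests only the URL path and compares `strpos()` strictly against `false`. The request URIs are constructed samples, and the script name is passed in where the post uses `FUSION_SELF`.

```php
<?php
// Added example: is_restricted_request() is a hypothetical helper, not a PHP-Fusion API.

/**
 * Decide whether a request should be bounced to index.php.
 *
 * @param string $requestUri Raw $_SERVER['REQUEST_URI'] (path plus optional query string)
 * @param string $script     Basename of the running script (FUSION_SELF in the post)
 * @param array  $restricted Script names to block outside /administration/
 */
function is_restricted_request(string $requestUri, string $script, array $restricted): bool
{
    // Look at the path only: the query string is caller-controlled text and
    // must not be able to make a public page look like an admin page.
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path)) {
        // Unparseable URI: fail closed for restricted scripts.
        return in_array($script, $restricted, true);
    }

    // strpos() returns 0 for a match at offset 0, and 0 is falsy, so a bare
    // !strpos() misreads "/administration/..." on a site installed at the web root.
    $isAdmin = strpos($path, '/administration/') !== false;

    return !$isAdmin && in_array($script, $restricted, true);
}

$restricted = ['downloads.php', 'weblinks.php'];

// Constructed sample requests: [REQUEST_URI, script basename, expected decision]
$cases = [
    ['/downloads.php',                            'downloads.php', true],
    ['/administration/downloads.php',             'downloads.php', false], // match at offset 0
    ['/site/administration/weblinks.php?aid=abc', 'weblinks.php',  false],
    ['/weblinks.php?ref=/administration/',        'weblinks.php',  true],  // query text ignored
    ['/news.php',                                 'news.php',      false],
];

foreach ($cases as [$uri, $script, $expected]) {
    $got = is_restricted_request($uri, $script, $restricted);
    printf("%-45s %-8s %s\n", $uri, $got ? 'block' : 'allow', $got === $expected ? 'ok' : 'MISMATCH');
}
```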
Quote
Lowerland wrote:
Why is there still no patch for this? .....
Quote
hen3ry wrote:
skpacman:
Thanks for your skepticism.
As I reconstruct this, on 22 February, a PF site manager reported that 2 of his sites were hacked and that he had seen hacker's sites describing the vulnerability, here:
http://www.php-fusion.co.uk/forum/viewthread.php?thread_id=30414#post_167491
Yes, that initial report might have been mistaken, and what he found on the net about the vulnerability might have been dis-information. The post itself could be complete dis-information.
The next post, that same day, was from someone self-identified as a PHPFusion Lead Developer. He responded that a new release, v7.02.05, would be forthcoming. This person is tagged as an admin, so presumably he is who he says he is.
Time for me to apologize: my previous post said that the vulnerability was "announced". The implication being that someone official did the announcing. I regret this implication. In fact, the Lead Developer did NOT confirm the existence of a vulnerability. Which was the best he could do, under the circumstances. How to balance free interchange of information on forums with the arguable value of keeping actual vulnerabilities quiet until a fix is available? No easy answer, I'm afraid.
I'll match your skepticism with my own: How do I know _your_ post isn't dis-information? <grin>
In the case of the site I manage, the pages weblinks.php and downloads.php are very low-priority, so I was not reluctant to disable them.