Monster Top List [Powered by Invision Power Board]
Topic: Monster Top List Security Bulletin (Company Announcements)


Posted by: Rodney Apr 18 2006, 05:31 AM
MONSTER TOP LIST SECURITY BULLETIN
http://www.monstertoplist.com/
April 17th, 2006

This email contains important security-related information.
Please read it carefully.


---------- SECURITY INFORMATION ----------
Recently, a cross-site scripting (XSS) flaw was identified in Monster Top List 1.4. A new version of this software has been released to combat this problem.

We advise all customers running Monster Top List versions up to and including 1.4 to upgrade or patch their MTL installations at their earliest convenience.

---------- HOW TO UPGRADE ----------

1) You can download the latest version of MTL by logging into the MTL Member Area at: http://www.monstertoplist.com

The only file you really need to upload is /sources/list.php

2) You can patch the necessary files on your server if you have modified your sources/list.php file.

The only change is that line 309 in sources/list.php needs to be changed to

$global_data['user_error_message'] = htmlspecialchars($mtl->input['user_error_message']);

3) We have also been notified of attacks through PHP register_globals; register_globals should be set OFF at the server level to prevent this kind of exploit.

It can be turned off in most cases by putting
php_flag register_globals off
in the .htaccess file or, if running in CGI mode, by changing the setting to
register_globals = Off
in the php.ini file.

That said, if you place the following in an .htaccess file in the /sources/ directory, this should alleviate the problem if register_globals is left on:

Deny From All
Allow From None

---------------- YOUR LICENSE INFORMATION ----------------

If you have misplaced your customer password, you can request that it be re-sent to your registered email address using the following form:
http://www.monstertoplist.com/mtlorders/login.php

You can use this information to log into the members area:
http://www.monstertoplist.com/mtlorders/login.php


-------------------- CONTACT US --------------------------

Please do not respond to this post directly. We will not receive your response. Please use the links below.

Got an MTL Technical question? Contact support:
http://www.monstertoplist.com/support.html

For all other queries, please visit this page:
http://www.monstertoplist.com/support.html

----------------------------------------------------------
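The pattern behind the line-309 fix, as an added example that is not part of the bulletin or the MTL code: the same user-controlled string rendered once without escaping and once through htmlspecialchars(). The function names (render_error_unsafe, render_error_safe, escape_for_html) and the test payload are assumptions constructed for this illustration; the only thing taken from the bulletin is the htmlspecialchars() call.

```php
<?php
declare(strict_types=1);

// Added example, not MTL code. Shows why wrapping the reflected
// user_error_message in htmlspecialchars() closes the XSS hole, and
// which flags a current PHP install should pass to it.

// Mirrors the pre-fix behaviour the bulletin implies: the request value is
// copied straight into the page template. (Assumed shape of the template.)
function render_error_unsafe(array $input): string
{
    $msg = $input['user_error_message'] ?? '';
    return '<div class="error">' . $msg . '</div>';
}

// The fix from the bulletin, with explicit flags:
//  - ENT_QUOTES also escapes single quotes, so the value is safe inside
//    single-quoted attributes, not only between tags;
//  - ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "" (which
//    would silently blank the message and hide the problem);
//  - the charset is stated rather than inherited from default_charset.
function escape_for_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_error_safe(array $input): string
{
    $msg = escape_for_html((string) ($input['user_error_message'] ?? ''));
    return '<div class="error">' . $msg . '</div>';
}

// Constructed payload: the classic reflected-XSS probe, plus a quote and a
// broken byte sequence to exercise the flags above.
$input = [
    'user_error_message' => "<script>alert(document.cookie)</script>' \xC3",
];

echo render_error_unsafe($input), PHP_EOL;
echo render_error_safe($input), PHP_EOL;
```

Run it with `php` on the command line: the first line comes out as executable markup, the second as inert text with `<`, `>` and `'` encoded and the stray byte replaced. Escaping at the point where the value enters the template (line 309) is the right place only because that template context is HTML body text; a value placed inside a JavaScript block or a URL needs a different encoder.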

Posted by: Rodney Apr 20 2006, 10:42 AM
Additional thanks go to WNxWhiteWolf for offering this direct patch to the /sources/functions.php file.

With the above .htaccess additions, your functions.php file cannot be accessed directly.

If your host does not allow htaccess overrides, you can also edit the functions.php file directly:

Find line 21 in functions.php:

CODE
require $root_path . "sources/func_output.php";


Add this code right above that line:

CODE
// Refuse to run when the file itself is requested over the web.
if (strpos($_SERVER['PHP_SELF'], "sources/functions.php") !== false) {
    die('this file should never be directly accessed from the web');
}
// Strip URL fragments from $root_path so it cannot point at a remote host.
$problems = array('http://', 'ftp://', 'www.', '.com', '.org', '.info', '.net', '?');
$root_path = str_replace($problems, '', $root_path);


So the finished block looks like:

CODE
// Refuse to run when the file itself is requested over the web.
if (strpos($_SERVER['PHP_SELF'], "sources/functions.php") !== false) {
    die('this file should never be directly accessed from the web');
}
// Strip URL fragments from $root_path so it cannot point at a remote host.
$problems = array('http://', 'ftp://', 'www.', '.com', '.org', '.info', '.net', '?');
$root_path = str_replace($problems, '', $root_path);
require $root_path . "sources/func_output.php";


The updated code is also available in the current package in the members area.
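The patch above makes two checks: that functions.php is not the script being served, and that $root_path does not carry a remote URL before it is fed to require. As an added example that is not the MTL patch or project code, here is the same pair of checks done without a string match on PHP_SELF and without a blacklist. The constant name IN_MTL, the function names, and the temporary directory layout are assumptions for this illustration.

```php
<?php
declare(strict_types=1);

// Added example, not MTL code. Two defences for an include-only file such
// as sources/functions.php when $root_path may arrive from the request
// (register_globals on).

// 1. Entry-point gate. The front controller defines IN_MTL before requiring
//    the library files; a direct HTTP request for functions.php never passes
//    through the front controller, so the constant is absent and the file
//    refuses to run. This does not depend on how the server spells the path.
function included_from_entry_point(): bool
{
    return defined('IN_MTL');
}

// 2. Allowlist instead of blacklist. realpath() collapses "..", symlinks and
//    duplicate slashes and returns false for anything that is not an existing
//    local directory, so http://, ftp:// and php:// wrappers fail without a
//    list of forbidden substrings. The resolved path is then required to sit
//    inside the application root.
function validated_root_path(string $candidate, string $app_root): ?string
{
    $root = realpath($app_root);
    $real = realpath($candidate);
    if ($root === false || $real === false) {
        return null;
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $real = rtrim($real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $root, strlen($root)) === 0 ? $real : null;
}

// Demonstration on constructed inputs in a scratch directory.
$app_root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'mtl_demo';
if (!is_dir($app_root . '/sources')) {
    mkdir($app_root . '/sources', 0700, true);
}

$attempts = [
    $app_root . '/',                        // legitimate root
    $app_root . '/sources/../',             // normalises to the root: accepted
    $app_root . '/../',                     // parent of the root: rejected
    'http://attacker.invalid/shell.txt?',   // remote URL: rejected
    'php://input',                          // stream wrapper: rejected
];
foreach ($attempts as $a) {
    $ok = validated_root_path($a, $app_root);
    printf("%-42s %s\n", $a, $ok === null ? 'REJECTED' : 'ok -> ' . $ok);
}

// How the guarded head of functions.php would read (assumed layout):
//   if (!included_from_entry_point()) { http_response_code(403); exit; }
//   $root_path = validated_root_path($root_path ?? '', __DIR__ . '/..');
//   if ($root_path === null) { exit('bad root_path'); }
//   require $root_path . 'sources/func_output.php';
```

The reason for the allowlist is visible in the patch itself: its $problems list covers remote schemes and common TLDs, but a relative path such as ../../ contains none of those strings and still changes which file require loads; resolving with realpath() and comparing against the application root handles both cases with one rule. Turning register_globals off, as the bulletin recommends, remains the first fix, since it stops $root_path from being request-controlled at all.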
