Rodney | Posted: Apr 18 2006, 05:31 AM
Member | Group: MTL Team | Posts: 125 | Member No.: 2,767 | Joined: 30-March 03
MONSTER TOP LIST SECURITY BULLETIN
http://www.monstertoplist.com/
April 17th, 2006

This email contains important security-related information. Please read it carefully.

---------- SECURITY INFORMATION ----------

Recently, a cross-site scripting (XSS) flaw was identified in Monster Top List 1.4. A new version of this software has been released to combat this problem. We advise all customers running Monster Top List versions up to and including 1.4 to upgrade or patch their MTL installations at their earliest convenience.

---------- HOW TO UPGRADE ----------

1) You can download the latest version of MTL by logging into the MTL Member Area at: http://www.monstertoplist.com
The only file you really need to upload is /sources/list.php

2) You can patch the necessary files on your server if you have modified your sources/list.php file. The only change is that line 309 in sources/list.php needs to be changed to:

$global_data['user_error_message'] = htmlspecialchars($mtl->input['user_error_message']);

3) We have also been notified of attacks through PHP register_globals; register_globals should be set OFF at the server level to prevent this kind of exploit. It can be turned off in most cases by either putting

php_flag register_globals off

in the .htaccess file or, if running in CGI mode, by changing the setting to

register_globals = Off

in the php.ini file. That said, if you place the following in an .htaccess file in the /sources/ directory, this should alleviate the problem if register_globals is left on:

Deny From All
Allow From None

---------------- YOUR LICENSE INFORMATION ----------------

If you have misplaced your customer password, you can request that it be re-sent to your registered email address using the following form: http://www.monstertoplist.com/mtlorders/login.php

You can use this information to log into the members area: http://www.monstertoplist.com/mtlorders/login.php

-------------------- CONTACT US --------------------------

Please do not respond to this post directly. We will not receive your response. Please use the links below.

Got an MTL Technical question? Contact support: http://www.monstertoplist.com/support.html

For all other queries, please visit this page: http://www.monstertoplist.com/support.html

----------------------------------------------------------

--------------------
Rodney - MTL Site Admin
http://www.monstertoplist.com
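The two fixes in the bulletin, as an added example that is not MTL's own code: the vulnerable and the patched form of the error-message output side by side, plus a check for the register_globals setting. The function names, the markup around the message and the sample input are assumptions made for illustration; only the htmlspecialchars() call itself comes from the bulletin.

```php
<?php
// Added example, not code from Monster Top List. It shows why line 309 of
// sources/list.php was changed to wrap the user-supplied error message in
// htmlspecialchars(). Function names and surrounding markup are assumptions.

// Vulnerable form: the request value is placed straight into the page, so any
// markup it contains is interpreted by the browser (reflected XSS).
function render_error_unescaped(string $userErrorMessage): string
{
    return '<div class="error">' . $userErrorMessage . '</div>';
}

// Hardened form, matching the bulletin's fix. ENT_QUOTES additionally escapes
// single quotes so the value is also safe inside single-quoted attributes, and
// naming the charset makes the escaping independent of default_charset.
function render_error_escaped(string $userErrorMessage): string
{
    $safe = htmlspecialchars($userErrorMessage, ENT_QUOTES, 'UTF-8');
    return '<div class="error">' . $safe . '</div>';
}

// Defender-side check for the bulletin's third point: report whether the
// register_globals setting is still on. The setting was removed in PHP 5.4,
// so on modern PHP ini_get() returns false and this reports it as off.
function register_globals_is_on(): bool
{
    return filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN);
}

// Constructed sample input: a user_error_message value that carries markup.
$constructed = '<i>injected</i> text';

echo render_error_unescaped($constructed), PHP_EOL; // tag is kept, browser renders it
echo render_error_escaped($constructed), PHP_EOL;   // tag is entity-encoded, shown as text
echo 'register_globals on: ', var_export(register_globals_is_on(), true), PHP_EOL;
```

Run it with `php example.php` to see the two renderings next to each other; the escaped line is what the patched list.php now emits, and the register_globals line is worth adding to a deployment check on any host that is still running a PHP release old enough to support that setting.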
Rodney | Posted: Apr 20 2006, 10:42 AM
Member | Group: MTL Team | Posts: 125 | Member No.: 2,767 | Joined: 30-March 03
Additional thanks go to WNxWhiteWolf for offering this direct patch to the /sources/functions.php file. With the above .htaccess additions, your functions.php file will not be able to be accessed. If your host does not allow .htaccess overrides, you can also edit the functions.php file directly:

Find line 21 in functions.php:
Add this code right above that line:
So the finished two lines look like:
The updated code is also available in the current package in the members area.

--------------------
Rodney - MTL Site Admin
http://www.monstertoplist.com
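The post above describes the patch by its effect (functions.php refusing to serve a direct request) but the patched lines themselves are not reproduced on this page. The following is an added example of the general technique such a patch uses, not WNxWhiteWolf's patch and not MTL's code: an include-only file checks for a constant that only the application's front controller defines, and stops with a 403 when it is missing. The constant name IN_MTL, the helper function and the file layout are assumptions.

```php
<?php
// Added example, not the patch from the post above. It shows the include-only
// guard pattern for a file such as sources/functions.php: when the file is
// requested directly over HTTP no front controller has run, the constant is
// undefined, and the file refuses to execute. This gives the same protection
// as "Deny From All" in /sources/.htaccess on hosts that do not allow
// .htaccess overrides. The constant name IN_MTL is an assumption.

if (!defined('IN_MTL')) {
    // Direct request: answer 403 and stop before any function below is defined.
    header('HTTP/1.0 403 Forbidden');
    exit('Direct access to this file is not allowed.');
}

// Everything below only runs when the file was include()d by a front controller
// that defined IN_MTL first. Hypothetical helper, not an MTL function.
function mtl_example_helper(): string
{
    return 'reached through the front controller';
}

// For reference, the front controller (for example index.php) would start with:
//
//     define('IN_MTL', true);
//     require_once __DIR__ . '/sources/functions.php';
//
// and only then call the helpers defined in this file.
```

The check must be the first statement in the file, above any function definitions or variable assignments, so that a direct request executes nothing else; placing it lower would leave whatever precedes it reachable. Keeping the .htaccess rule as well, where the host permits it, means the request is refused by the web server before PHP is involved at all.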