ruirib
Snitz Forums Admin
Portugal
26364 Posts
Posted - 04 December 2007 : 07:35:53
Active.asp has a security-related bug fix. Where now you have lines# 123-130:
if Request.Form("AllRead") = "Y" then
'## The redundant line below is necessary, don't delete it.
Session(strCookieURL & "last_here_date") = Request.Form("BuildTime")
Session(strCookieURL & "last_here_date") = Request.Form("BuildTime")
lastDate = Session(strCookieURL & "last_here_date")
UpdateLastHereDate Request.Form("BuildTime"),strDBNTUserName
ActiveSince = ""
end if
Replace it by
if Request.Form("AllRead") = "Y" then
lastDate = ChkString(Request.Form("BuildTime"),"SQLString")
'## The redundant line below is necessary, don't delete it.
session(strCookieURL & "last_here_date") = lastDate
Session(strCookieURL & "last_here_date") = lastDate
UpdateLastHereDate lastDate,strDBNTUserName
ActiveSince = ""
end if
Snitz 3.4 Readme | Like the support? Support Snitz too
Edited by - AnonJr on 17 March 2009 19:15:42
borge
Junior Member
Norway
185 Posts
Posted - 04 December 2007 : 11:41:12
The new fix is slightly different from the Dec. 1 version; some lines have been moved. Is that of any importance?
borge
ruirib
Snitz Forums Admin
Portugal
26364 Posts
Posted - 04 December 2007 : 12:33:04
The only unimportant line here is the commented one. All the other lines should appear in the order they appear now, which is the order in which they appeared in an update to the original fix, posted a bit afterwards.
TastyNutz
Junior Member
USA
251 Posts
Posted - 05 December 2007 : 09:51:13
This exploit also affects anyone using the "Unanswered Topics" MOD by OneWayMule, in which case the above changes should also be made to unanswered.asp.
PowerQuad Disability Support Forum
AnonJr
Moderator
United States
5768 Posts
Posted - 05 December 2007 : 11:08:42
Good catch. It probably affects any MODs based on the active.asp page.
Shaggy
Support Moderator
Ireland
6780 Posts
Posted - 05 December 2007 : 11:36:32
To avoid confusion, can somebody start a new topic detailing the list of mods that need this fix along with the exact changes required?
Search is your friend “I was having a mildly paranoid day, mostly due to the fact that the mad priest lady from over the river had taken to nailing weasels to my front door again.”
HuwR
Forum Admin
United Kingdom
20584 Posts
Posted - 05 December 2007 : 12:25:35
We are only concerned with the base Snitz code; maintaining MODs and other versions of Snitz is not our responsibility.
ruirib
Snitz Forums Admin
Portugal
26364 Posts
Posted - 11 December 2007 : 17:18:32
We can probably be a bit more restrictive with the fix and test for a number, which lastDate needs to be, to avoid an attempted hack resulting in a bad M_LASTHEREDATE value being set. So, the fix can be:
Where now you have lines# 123-130:
if Request.Form("AllRead") = "Y" then
'## The redundant line below is necessary, don't delete it.
Session(strCookieURL & "last_here_date") = Request.Form("BuildTime")
Session(strCookieURL & "last_here_date") = Request.Form("BuildTime")
lastDate = Session(strCookieURL & "last_here_date")
UpdateLastHereDate Request.Form("BuildTime"),strDBNTUserName
ActiveSince = ""
end if
Replace it by
if Request.Form("AllRead") = "Y" then
lastDate = Request.Form("BuildTime")
If (Not IsNumeric(lastDate)) or (lastDate = "") then
lastDate = DateToStr(strForumTimeAdjust)
End If
'## The redundant line below is necessary, don't delete it.
session(strCookieURL & "last_here_date") = lastDate
Session(strCookieURL & "last_here_date") = lastDate
UpdateLastHereDate lastDate,strDBNTUserName
ActiveSince = ""
end if
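An added Python model, not Snitz code, of the two checks discussed in this thread: ruirib's 11 Dec rule (keep the posted BuildTime only if it is non-empty and IsNumeric, otherwise fall back to DateToStr of the current forum time) beside a stricter variant that accepts only a well-formed 14-digit yyyymmddhhmmss value, which is the shape DateToStr produces. The IsNumeric approximation, the function names and the sample inputs are assumptions made here.

```python
import re
from datetime import datetime

# Snitz stores M_LASTHEREDATE as the string DateToStr() builds: yyyymmddhhmmss.
# Everything below is a Python model written for this thread, not Snitz code.
TIMESTAMP_RE = re.compile(r"\d{14}")
# Rough model of VBScript IsNumeric (assumption): sign, decimals and exponents all pass.
VB_ISNUMERIC_RE = re.compile(r"\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?\s*")
# Constructed "current forum time": the timestamp of the 11 Dec post.
POST_TIME = datetime(2007, 12, 11, 17, 18, 32)


def date_to_str(when: datetime) -> str:
    """Model of Snitz DateToStr: 14-digit yyyymmddhhmmss."""
    return when.strftime("%Y%m%d%H%M%S")


def build_time_isnumeric_fix(posted: str, now: datetime) -> str:
    """The 11 Dec fix: keep BuildTime only if non-empty and IsNumeric,
    otherwise use DateToStr(strForumTimeAdjust)."""
    if posted == "" or VB_ISNUMERIC_RE.fullmatch(posted) is None:
        return date_to_str(now)
    return posted


def build_time_strict(posted: str, now: datetime) -> str:
    """Stricter variant (assumption, not from the thread): accept only exactly
    14 digits that also parse as a real date, so nothing else reaches M_LASTHEREDATE."""
    if TIMESTAMP_RE.fullmatch(posted):
        try:
            datetime.strptime(posted, "%Y%m%d%H%M%S")
            return posted
        except ValueError:
            pass
    return date_to_str(now)


def compare(samples, now: datetime) -> dict:
    """Run both checks over sample inputs; returns {input: (isnumeric_fix, strict)}."""
    return {s: (build_time_isnumeric_fix(s, now), build_time_strict(s, now)) for s in samples}


if __name__ == "__main__":
    # Constructed inputs: valid stamp, empty, dashed date, exponent form, impossible month.
    SAMPLES = ["20071204073553", "", "2007-12-04", "1e13", "20071399999999"]
    for posted, (loose, strict) in compare(SAMPLES, POST_TIME).items():
        print(f"{posted!r:>18} -> IsNumeric fix: {loose}  strict: {strict}")
```

VBScript's IsNumeric also accepts signs, decimals and exponents, so the loose rule still stores a value such as 1e13 or a 14-digit string with month 13; the strict variant falls back to the current time for both.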