// ========================================================================
Submitted by..: Chatserv
Date..........: March 25/2003
File..........: /modules/News/index.php
Description...: Security hole. An attacker can replace news content by using MySQL
injection.
Replace:
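/**
 * Record a reader's 1..5 rating for a story, then redirect to the
 * rate_complete page; with no score, render the "didn't rate" page.
 *
 * @param mixed $sid   story id from the request; coerced to int below
 * @param mixed $score rating from the request; coerced to int, clamped 1..5
 * @return void  ends with a Location header or rendered HTML
 */
function rate_article($sid, $score) {
    global $prefix, $dbi, $ratecookie, $sitename, $r_options;
    // Both request values are interpolated into an SQL statement and into a
    // Location header, so neither may be used as submitted. Coercing them to
    // integers closes the injection path (sql_query offers no placeholders).
    // Assumes sid is a numeric story id, as the rest of the module treats it — TODO confirm.
    $sid = intval($sid);
    $score = intval($score);
    if ($score) {
        // Clamp to the rating scale rather than trusting the request; a
        // negative or oversized value becomes the nearest valid rating.
        if ($score > 5) { $score = 5; }
        if ($score < 1) { $score = 1; }
        // Defaults keep the "no cookie yet" path free of undefined variables
        // (sizeof()/string use of an unset variable).
        $rcookie = "";
        $r_cookie = array();
        if (isset($ratecookie)) {
            $rcookie = base64_decode($ratecookie);
            $r_cookie = explode(":", $rcookie);
        }
        // The cookie holds ids this browser already rated. It is client-held,
        // so it only deters casual repeat votes; strict comparison avoids the
        // loose "" == 0 match on the trailing empty element.
        $already_rated = in_array((string) $sid, $r_cookie, true);
        if ($already_rated) {
            header("Location: modules.php?name=News&op=rate_complete&sid=$sid&rated=1");
        } else {
            // $score and $sid are integers here, so the interpolation is safe.
            $result = sql_query("update ".$prefix."_stories set score=score+$score, ratings=ratings+1 where sid='$sid'", $dbi);
            $info = base64_encode("$rcookie$sid:");
            setcookie("ratecookie", "$info", time()+3600);
            header("Location: modules.php?name=News&op=rate_complete&sid=$sid$r_options");
        }
    } else {
        include("header.php");
        title("$sitename: "._ARTICLERATING."");
        OpenTable();
        echo "\n"._DIDNTRATE."\n"._GOBACK;
        CloseTable();
        include("footer.php");
    }
}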
With:
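/**
 * Record a reader's 1..5 rating for a story, then redirect to the
 * rate_complete page; with no score, render the "didn't rate" page.
 *
 * @param mixed $sid   story id from the request; coerced to int below
 * @param mixed $score rating from the request; coerced to int, clamped 1..5
 * @return void  ends with a Location header or rendered HTML
 */
function rate_article($sid, $score) {
    global $prefix, $dbi, $ratecookie, $sitename, $r_options;
    // intval() on $score alone leaves $sid interpolated unescaped into the
    // SQL statement and the Location header; coerce both to integers
    // (sql_query offers no placeholders).
    // Assumes sid is a numeric story id, as the rest of the module treats it — TODO confirm.
    $sid = intval($sid);
    $score = intval($score);
    if ($score) {
        // Clamp to the rating scale. After clamping the value is always 1..5,
        // so the former "redirect to index.php" range check was unreachable.
        if ($score > 5) { $score = 5; }
        if ($score < 1) { $score = 1; }
        // Defaults keep the "no cookie yet" path free of undefined variables
        // (sizeof()/string use of an unset variable).
        $rcookie = "";
        $r_cookie = array();
        if (isset($ratecookie)) {
            $rcookie = base64_decode($ratecookie);
            $r_cookie = explode(":", $rcookie);
        }
        // The cookie holds ids this browser already rated. It is client-held,
        // so it only deters casual repeat votes; strict comparison avoids the
        // loose "" == 0 match on the trailing empty element.
        $already_rated = in_array((string) $sid, $r_cookie, true);
        if ($already_rated) {
            header("Location: modules.php?name=News&op=rate_complete&sid=$sid&rated=1");
        } else {
            // $score and $sid are integers here, so the interpolation is safe.
            $result = sql_query("update ".$prefix."_stories set score=score+$score, ratings=ratings+1 where sid='$sid'", $dbi);
            $info = base64_encode("$rcookie$sid:");
            setcookie("ratecookie", "$info", time()+3600);
            header("Location: modules.php?name=News&op=rate_complete&sid=$sid$r_options");
        }
    } else {
        include("header.php");
        title("$sitename: "._ARTICLERATING."");
        OpenTable();
        echo _DIDNTRATE."\n"._GOBACK;
        CloseTable();
        include("footer.php");
    }
}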
// ========================================================================
// ========================================================================