1 (edited by 2016-01-25 00:10:08)

Topic: Cannot comment. Gives me error


Re: Cannot comment. Gives me error

Cutenews uses the id parameter. You cannot use it with your own navigation script; you'll have to use another parameter name.

Re: Cannot comment. Gives me error

Dear User!

Please try the following code:

<?php
// Velox Letum ©2005
// http://www.nanoshock.net
// elementation@gmail.com

// Page name taken directly from the query string (legacy PHP 4 superglobal).
$x = $HTTP_GET_VARS['x'];

if (empty($x)) {
    $x = "home";
}

if ($x == "index") {
    die("You cannot execute this page");
}

// Note: $x is used unmodified as a file path; nothing stops "." or ".." here.
if (file_exists($x . ".php") === TRUE) {
    include("$x.php");
} else {
    $number = 5;
    include('show_news.php');
}
?>


You should use the "x" parameter instead of id.

Please also check where the file "show_news.php" is placed on your server. In case you face "not found `show_news.php`" , you should specify the correct path to this script.

Please do not hesitate to contact us again if we can be of any further help.




Best regards,
CN Support team

Re: Cannot comment. Gives me error

Is it me or is there an echo in here...?

Re: Cannot comment. Gives me error

I am the author of this particular snippet of code -- from CodingForums PHP forums over 7 years ago.

Do not use it. Anyone can exploit it to gain access to the contents of any PHP file on your filesystem.

I am shocked that the so-called Support Team didn't scold you for the use of this script.

At the very least, you need to sanitize the variable $x to remove any "." or "..", as well as ensuring that it's a file you truly do want included.

9 (edited by 2012-06-05 13:20:45)

Re: Cannot comment. Gives me error

Thank you for your reply, Xorlev.

You are absolutely right in that the given script can be vulnerable. The thing is that we didn't want to change the logic of the user script, aiming to keep it understandable. There is no room for doubt that all the users need to use verification of each incoming parameter; for instance, in this case it would be better to do it this way:

$x = $HTTP_GET_VARS['x'];
if (empty($x)) {
    $x = "home";
}

$allow = array('home', 'about', 'more', ... );
if ( !in_array($x, $allow) ) die("You cannot execute this page");


To improve security, we also advise that you use suhosin.

Best regards,
CN Support team
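Putting the allow-list advice from Xorlev's and the Support Team's replies above into a complete router, as an added example that is not code from the thread or from CuteNews. It assumes `$_GET` in place of the legacy `$HTTP_GET_VARS`, and that the pages live in a `pages/` directory under the script; the page names are the ones from the Support Team's array.

```php
<?php
// Added example: allow-list based page router replacing include("$x.php").
// Assumptions (not from the thread): pages live in ./pages/, $_GET is used
// instead of the legacy $HTTP_GET_VARS.

// Only keys listed here can ever be included; the request string is never
// used as a path, so "." and ".." have nowhere to go.
const PAGES = [
    'home'  => 'pages/home.php',
    'about' => 'pages/about.php',
    'more'  => 'pages/more.php',
];

/**
 * Resolve the "x" parameter to an absolute file path, or return null when the
 * request is not on the allow-list. Returning null instead of die() keeps the
 * decision separate from the response, so it can be logged and tested.
 */
function resolve_page($x, string $base_dir): ?string
{
    if (!is_string($x) || $x === '') {     // also rejects x[]=... array input
        $x = 'home';                       // same default as the original script
    }
    if (!array_key_exists($x, PAGES)) {    // strict allow-list check
        error_log('Rejected page parameter: ' . bin2hex($x));  // keep it in the logs
        return null;
    }
    // Defence in depth: even an allow-listed entry must resolve inside $base_dir.
    $path = realpath($base_dir . '/' . PAGES[$x]);
    $root = realpath($base_dir);
    if ($path === false || $root === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$page = resolve_page($_GET['x'] ?? null, __DIR__);
if ($page === null) {
    http_response_code(404);
    die('You cannot execute this page');
}
include $page;
```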