Topic: Cannot comment. Gives me error
CutePHP Forums → Problem Solving / Help & Support → Cannot comment. Gives me error
CuteNews uses the id parameter. You cannot use it with your own navigation script; you'll have to use another parameter name.
Dear User!
Please try the following code:
<?php
// Velox Letum ©2005
// http://www.nanoshock.net
// elementation@gmail.com

// $HTTP_GET_VARS is the pre-PHP 5.4 name for $_GET; it was removed in PHP 5.4.
$x = $HTTP_GET_VARS['x'];
if (empty($x)) {
    $x = "home";                 // default page when no x= is given
}
if ($x == "index") {
    die("You cannot execute this page");
}
// The request value is used directly as a file name: x=about loads about.php
if (file_exists($x . ".php") === TRUE) {
    include("$x.php");
} else {
    $number = 5;                 // number of news items for show_news.php
    include('show_news.php');
}
?>
You should use the "x" parameter instead of id.
Please also check where the file "show_news.php" is placed on your server. In case you face "not found `show_news.php`" , you should specify the correct path to this script.
Please do not hesitate to contact us again if we can be of any further help.
Is it me or is there an echo in here...?
Quoting Support_Team (post 154702, May 22 2012, 01:50 AM): "Dear User!"
I am the author of this particular snippet of code -- from CodingForums PHP forums over 7 years ago.
Do not use it. Anyone can exploit it to gain access to the contents of any PHP file on your filesystem.
I am shocked that the so-called Support Team didn't scold you for the use of this script.
At the very least, you need to sanitize the variable $x to remove any "." or "..", as well as ensuring that it's a file you truly do want included.
Thank you for your reply, Xorlev.
You are absolutely right in that the given script can be vulnerable. The thing is that we didn't want to change the logic of the user script, aiming to keep it understandable. There is no room for doubt that all the users need to use verification of each incoming parameter; for instance, in this case it would be better to do it this way:
$x = $HTTP_GET_VARS['x'];
if (empty($x)) {
    $x = "home";
}
// Only values listed here may be turned into a file name
$allow = array('home', 'about', 'more', ... );
if ( !in_array($x, $allow) ) die("You cannot execute this page");
To improve security, we also advise that you use suhosin.
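The allowlist idea in the reply above, carried through to a complete front controller: this is an added example, not code from the CuteNews support team or from any poster in this thread. It reads the `x` parameter from `$_GET`, maps it through a fixed array to a file name (the request value itself never becomes a path), and then checks with `realpath()` that the chosen file is a regular file inside a dedicated pages directory. The `pages` directory, the file names and the self-check at the bottom are assumptions made here for illustration.

```php
<?php
// Added example: allowlist-based page router for a ?x=... navigation parameter.
// Directory and file names below are assumptions, not CuteNews's own layout.
declare(strict_types=1);

// The only pages this controller will ever include, keyed by the value a
// visitor may pass in ?x=...  Anything not listed is rejected.
const ALLOWED_PAGES = [
    'home'  => 'home.php',
    'about' => 'about.php',
    'more'  => 'more.php',
];

/**
 * Map an untrusted ?x= value to an absolute file path, or return null.
 * $pagesDir is the directory that holds the includable page scripts.
 */
function resolve_page(?string $x, string $pagesDir): ?string
{
    if ($x === null || $x === '') {
        $x = 'home';                              // same default as the forum script
    }
    // array_key_exists does no type juggling; the request value is only ever
    // used as a lookup key, never passed to file_exists() or include().
    if (!array_key_exists($x, ALLOWED_PAGES)) {
        return null;
    }
    $base = realpath($pagesDir);
    $full = realpath($pagesDir . DIRECTORY_SEPARATOR . ALLOWED_PAGES[$x]);
    // Defence in depth: even an allowlisted entry must resolve to a regular
    // file inside $pagesDir (guards against a mis-edited allowlist or a symlink).
    if ($base === false || $full === false || !is_file($full)
        || strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

// In a real front controller the call would look like this:
//   $page = resolve_page($_GET['x'] ?? null, __DIR__ . '/pages');
//   if ($page === null) { http_response_code(404); exit('Page not found'); }
//   $number = 5;        // still available to the included page
//   include $page;

// Self-check against a temporary pages directory constructed here.
$dir = sys_get_temp_dir() . '/pages_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/home.php",  "<?php echo 'home';");
file_put_contents("$dir/about.php", "<?php echo 'about';");
// 'more' is deliberately left without a file to exercise the is_file() check.

$cases = [
    ['',             'home.php'],   // empty value falls back to the default page
    ['about',        'about.php'],  // allowlisted and present
    ['more',         null],         // allowlisted but missing on disk
    ['../../config', null],         // traversal-style value is not a key: rejected
    ['index',        null],         // not in the allowlist
    ['show_news',    null],         // also not in the allowlist; only the map decides
];
$failures = 0;
foreach ($cases as [$input, $expected]) {
    $got = resolve_page($input, $dir);
    $ok  = ($got === null) ? ($expected === null) : (basename($got) === $expected);
    $failures += $ok ? 0 : 1;
    printf("%-16s -> %-10s %s\n", var_export($input, true),
           $got === null ? 'rejected' : basename($got), $ok ? 'OK' : 'FAIL');
}

// Clean up the constructed directory.
unlink("$dir/home.php");
unlink("$dir/about.php");
rmdir($dir);
exit($failures === 0 ? 0 : 1);
```

The key design choice is that the visitor-supplied value is never concatenated into a path at all; the allowlist is an array of fixed file names and the request string only selects among them. The `realpath()` containment check is a second layer for the day someone edits the allowlist carelessly, and it is also why `in_array()` style checks should use strict comparison when the list is a plain array of strings.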