Topic: [BUG][EXPLOIT] ipban
Name: ipban exploit fix
Author: FI-DD
CuteNews Compatibility: 1.3.6 - * (no incompatibility reported yet)
Description: Notes by FUNimations: There seems to be an exploit in CuteNews that can only be abused by admin users. Though I don't understand how this exploit works, FI-DD believes that the following should fix the problem.
(lKj): This flaw (among others) is already fixed in UTF-8 CuteNews. No altering files necessary!
Discussion Topic: <strike>here</strike>
Instructions:
In inc/ipban.mdu find this:
if(!$add_ip){ msg("error","Error !!!","The IP can not be blank", "$PHP_SELF?mod=ipban"); }
and add below:
elseif(!preg_match("/^[0-9*]{1,3}\.[0-9*]{1,3}\.[0-9*]{1,3}\.[0-9*]{1,3}$/", $add_ip)){
    die("That's not a valid IP.");
}
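
A stricter form of the same check, as an added example that is not part of FI-DD's fix or of CuteNews itself; the helper name is_valid_ban_ip() and the sample inputs are constructed for illustration. It runs the pattern from the fix and the stricter check side by side, because the pattern above also accepts octets above 255, digits mixed with "*" inside one part, and a value ending in a newline ("$" without the D modifier matches before a final newline).

```php
<?php
// Added example, not CuteNews code. is_valid_ban_ip() is a hypothetical helper.

// The pattern from the fix above, unchanged.
const PAGE_PATTERN = "/^[0-9*]{1,3}\.[0-9*]{1,3}\.[0-9*]{1,3}\.[0-9*]{1,3}$/";

// Stricter check: exactly four parts, each either a lone "*" or a decimal 0-255.
function is_valid_ban_ip($ip)
{
    if (!is_string($ip)) {
        return false;
    }
    // \z anchors at the very end of the string; "$" alone would also
    // match just before a trailing newline.
    if (!preg_match('/^(?:\*|[0-9]{1,3})(?:\.(?:\*|[0-9]{1,3})){3}\z/', $ip)) {
        return false;
    }
    // The regex only limits the digit count, so range-check each numeric part.
    foreach (explode('.', $ip) as $part) {
        if ($part !== '*' && (int)$part > 255) {
            return false;
        }
    }
    return true;
}

// Constructed sample inputs (not taken from any real ban list).
$samples = array(
    "192.168.1.10",   // plain address
    "10.0.*.*",       // wildcard ban
    "999.1.1.1",      // octet out of range
    "1*2.3.4.5",      // wildcard mixed with digits in one part
    "1.2.3.4\n",      // trailing newline
    "1.2.3.4<b>",     // trailing markup
);

foreach ($samples as $s) {
    printf(
        "%-16s page regex: %-6s strict: %s\n",
        json_encode($s),
        preg_match(PAGE_PATTERN, $s) ? "accept" : "reject",
        is_valid_ban_ip($s) ? "accept" : "reject"
    );
}
```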