phpWCMS open source web content management system

News

About phpwcms

Download

Documentation

Support

Development

Contact
Home > News 2011/01/02
This is the outdated phpwcms project site.
Something new is coming soon. Always keep in mind to check GitHub for the newest release.
Possible security problems reported
Patched release is on the way

A security problem was reported. Please visit phpwcms forum to get all information neccessary to fix this. Patched release is in preparation.

Please check these 2 points:
Use the new form generator (only available in release 1.2.x) - if you do so you can delete include/inc_act/act_formmailer.php
Delete directory phpwcms_code_snippets - is not used anywhere by phpwcms

Related information
http://www.heise.de/newsticker/meldung/72253
http://www.phpwcms.de/forum/viewtopic.php?p=63686

What you can do to make your release more secure

One of the main problems might be the possibility to inject phpwcms by using external PHP code. Here is a way to remove such code from all GET and POST vars.

Add the following lines of code to your index.php:

[Update] Before you add the function check if the function still exists in the code and replace it by the new, better ones. Otherwise a PHP error message might occur like:

Fatal error: Cannot redeclare remove_unsecure_rptags() 
(previously declared in /path/to/phpwcmsneu/index.php:309) 
in /path/to/phpwcmsneu/include/inc_lib/general.inc.php 
on line 879

function remove_unsecure_rptags($check) {
  $check = preg_replace('/{PHP:(.*?)}/i', '$1', $check);
  $check = preg_replace('/{PHPVAR:(.*?)}/si', '$1', $check);
  $check = preg_replace('/[PHP](.*?)[/PHP]/si', '$1', $check);
  $check = preg_replace('/{URL:(.*?)}/i', '$1', $check);
  $check = str_replace('[PHP]', '[ PHP ]', $check);
  $check = str_replace('[/PHP]', '[ /PHP ]', $check);
  $check = str_replace('{PHP:', '{ PHP :', $check);
  $check = str_replace('{PHPVAR:', '{ PHPVAR :', $check);
  $check = str_replace('{URL:', '{ URL :', $check);
  return $check;
}

function cleanupPOSTandGET() {
  if(isset($_POST) && count($_POST)) {
    foreach($_POST as $key => $value) {
      if(!is_array($_POST[$key])) {
        $_POST[$key] = remove_unsecure_rptags($value);
      }
    }
  }
  if(isset($_GET) && count($_GET)) {
    foreach($_GET as $key => $value) {
      $_GET[$key] = remove_unsecure_rptags($value);
    }
  }
}

You should check if both functions are still defined. If so - please update those existing functions by the new one.

Search for the line of code where the front.func.inc.php is included. Add the following line of code so that it looks like:

require_once ("include/inc_front/front.func.inc.php");
// add this new line of code
cleanupPOSTandGET();
    
Copyright © 2002-2008 Oliver Georgi · XML RSS · GitHub · SourceForge.net · Google Code