[thelist] [Fwd: !! IMPORTANT: CalPro exploit !!]

Norman Bunn norman.bunn at craftedsolutions.com
Tue Apr 5 13:22:08 CDT 2005


For those of you using CalPro from snailsource.

Norman

-------- Original Message --------
Subject: 	!! IMPORTANT: CalPro exploit !!
Date: 	Tue, 05 Apr 2005 16:39:13 0
From: 	<forum at snailsource.com>
Reply-To: 	<forum at snailsource.com>
To: 	<forum at snailsource.com>



!!THIS IS VITALLY IMPORTANT SO READ IT NOW!!


An exploit has been discovered in CalPro that provides a route for SQL to be injected via the $category variable.

I am working on a full fix to determine the scale of the problem but the immediate way to kill the exploit is as follows:

Open cal_main.inc

Find: 

$session_default = -50;


After, Add:

$category = intval($category);



The exploit itself is used to determine the password hash for any user account in the phpbb2 database so you should also primarily update ANY admin account passwords and then advise your forum users to update theirs as well... 

Obviously only do this once you've applied the fix above and uploaded the corrected file.

As I've said I am in the process of taking a more detailed look at my code to see if there are any further exploits and will release an updated version of CalPro ASAP...


More worryingly this exploit makes it obvious that someone was stupid enough to share or pirate CalPro code to someone who takes delight in looking for exploit code. This hurts everyone, including yourselves so just don't do it!

More information will be provided via the CalPro forum as I develop it.

Martin


~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The preceding message was sent to you by an admin from "SnailSource.com". 
Any problems with this message, please contact:

forum at snailsource.com

Include this full email (particularly the headers).



-- 
---

Norman W. Bunn
norman.bunn at craftedsolutions.com
803.405.1008
----------------------------------------------
www.CraftedSolutions.com
Crafted Solutions, Inc.
Web Design & Development
Web Site Hosting & Custom Solutions
"Get the results the Internet promises;
 get the 'Net Result' from Crafted Solutions!"
----------------------------------------------
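The fix above is a one-line integer cast, so it is worth seeing what that cast actually does to a tampered request value. The following PHP is an added example written for this archive page; it is not CalPro code and the query shape is hypothetical (the real SQL in cal_main.inc is not shown in the message). The table and column names (cal_events, category) and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not CalPro code. Shows the effect of the advisory's fix
// ($category = intval($category);) on a query that interpolates $category.
// Table/column names are hypothetical; CalPro's real SQL is not on the page.

// Hypothetical vulnerable form: the raw request value lands in the SQL text,
// so anything after the number becomes part of the query.
function build_query_unsafe($category) {
    return "SELECT * FROM cal_events WHERE category = $category";
}

// Form after the fix: coerce to integer before the value touches SQL.
// intval() keeps a leading integer and discards everything else; a value
// with no leading integer becomes 0.
function build_query_fixed($category) {
    $category = intval($category);
    return "SELECT * FROM cal_events WHERE category = $category";
}

// Constructed inputs: a normal id, a tampered value carrying extra SQL,
// a non-numeric value, and a negative id.
$inputs = array("3", "3 OR 1=1", "abc", "-7");

foreach ($inputs as $in) {
    echo "input:  " . var_export($in, true) . "\n";
    echo "unsafe: " . build_query_unsafe($in) . "\n";
    echo "fixed:  " . build_query_fixed($in) . "\n\n";
}
// For "3 OR 1=1": unsafe query keeps the "OR 1=1" clause, fixed query
// reduces the value to 3. For "abc": fixed query uses 0.
```

Note that intval() is the right guard here only because $category is expected to be a numeric id; it neutralises injected text by throwing it away. A parameter that legitimately carries a string needs escaping or, better, a parameterised query (mysqli or PDO prepared statements), since no integer cast applies. Also check whether the cast is placed before every use of $category in the file, not just the first; a second code path that reads the raw value would still be exposed.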



