1. Security patches for versions 9.7 and below


The problem: SQL injection that becomes possible when the site administrator ignores the notices in the Admin Panel about the insecure server setting register_globals being enabled, as well as a possible bypass of the CAPTCHA security code during registration.

Affected versions: 9.7 and all earlier versions

Danger level: High if the register_globals setting is enabled and the recommendation to disable it in the server settings has not been followed. Installing the patch is still required for everyone, because the patch also fixes a possible CAPTCHA bypass and other problems.

To fix the problem, download the patch http://dle-news.ru/files/dle97_path.zip and copy it to your server; this patch is for script version 9.7. The version 9.7 distribution downloaded from dle-news.ru has already been updated with this patch.

Users of an earlier version of the script should make the following changes manually in the script files:

1. Open the /engine/modules/sitelogin.php and find:
$dle_login_hash = "";

Below add:
$_TIME = time () + ($config['date_adjust'] * 60);
In the same file, find:
		if( $member_id['user_id'] ) {

Below add:

In the same file, find:
		$member_id = $db->super_query( "SELECT * FROM " . USERPREFIX . "_users WHERE user_id='" . intval( $_COOKIE['dle_user_id'] ) . "'" );

Below add:

2. Open the
and find:
	if (in_array ( $_POST['dlenewssortby'], $allowed_sort )) {

Replace with:
	if (in_array($_POST['dlenewssortby'], $allowed_sort) AND stripos($find_sort, "dle_sort_") === 0) {
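As an added example (not DLE's own code and not part of the patch above), the following PHP shows the two defensive ideas this advisory relies on: detecting whether register_globals is still enabled on the server, and the step-2 pattern of accepting a sort key only when it is both on the allow-list and carries the expected dle_sort_ prefix before anything derived from it reaches ORDER BY. The function names, the key-to-column mapping table, the news table name and the sample inputs are assumptions constructed for this example.

```php
<?php
declare(strict_types=1);

/**
 * True only when register_globals is actually on. The directive was removed
 * in PHP 5.4, so ini_get() returns false there; older builds return "1"/"0".
 * It is PHP_INI_PERDIR, so it cannot be switched off with ini_set() at
 * runtime: fix it in php.ini or with "php_flag register_globals off".
 */
function register_globals_enabled(): bool
{
    $value = ini_get('register_globals');
    return $value !== false && filter_var($value, FILTER_VALIDATE_BOOLEAN);
}

/**
 * Resolve a user-supplied sort key to a fixed column name, or null.
 *
 * Check 1: the raw key must be in the allow-list (strict comparison).
 * Check 2 (the idea behind step 2): the value that will influence the query
 * must start with the expected "dle_sort_" prefix, and only a fixed mapping
 * table decides the final column. Request-controlled bytes never reach SQL.
 */
function resolve_sort_column(string $requested, array $allowed_sort): ?string
{
    // Hypothetical mapping; DLE's real column set is not shown on the page.
    $columns = [
        'dle_sort_date'   => 'date',
        'dle_sort_rating' => 'rating',
        'dle_sort_title'  => 'title',
    ];

    if (!in_array($requested, $allowed_sort, true)) {
        return null;
    }
    if (stripos($requested, 'dle_sort_') !== 0 || !isset($columns[$requested])) {
        return null;
    }
    return $columns[$requested];
}

/** Build the ORDER BY clause from allow-listed parts only (table name assumed). */
function build_news_query(string $requested, array $allowed_sort, string $direction): string
{
    $column = resolve_sort_column($requested, $allowed_sort) ?? 'date';
    $dir    = strtoupper($direction) === 'ASC' ? 'ASC' : 'DESC';
    return 'SELECT id, title FROM news ORDER BY ' . $column . ' ' . $dir;
}

// Server-side check: log a loud warning rather than silently running insecurely.
if (register_globals_enabled()) {
    error_log('register_globals is enabled; disable it in php.ini or .htaccess (php_flag register_globals off)');
}

// Constructed demo inputs (not taken from the page): a valid key, a wrong-case
// key, a key carrying injected SQL, and an unknown key. Only the first one
// changes the ORDER BY column; the rest fall back to the default.
$allowed_sort = ['dle_sort_date', 'dle_sort_rating', 'dle_sort_title'];
foreach (['dle_sort_rating', 'DLE_SORT_TITLE', "dle_sort_date' OR 1=1 --", 'dle_sort_views'] as $key) {
    printf("%-28s -> %s\n", $key, build_news_query($key, $allowed_sort, 'desc'));
}
```

The point of the second check is that it validates the value that is about to be used, not just the name of the request parameter it was supposed to come from; with register_globals on, a variable can be pre-populated by the request independently of the code path that was meant to set it, so validating the derived value directly closes that gap.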

3. Open the engine/modules/functions.php and find:
	global $tpl;

Below add:
	if (!class_exists('dle_template')) {



Comments 3

Commented By snovop on December 4, 2012 (11:27 am)
thanks! fellow

Commented By kevinhd on December 30, 2012 (5:03 am)
My site has been successfully attacked by SQL injection

Commented By spamhater on January 2, 2013 (7:47 pm)
how did you identify it as mysql injection? do you have spoiled code in your website somewhere?