1. The potential threat to DLE module Minify

High-severity security vulnerability in DLE 8.5 and newer versions, including 10.0: you must apply this patch.

Problem: a security flaw caused by missing input filtering in the Minify module (used for file compression) bundled with DLE (https://code.google.com/p/minify/), which under certain server software configurations may allow the contents of files to be read.

Affected versions: 8.5 - 10.0

Security risk level: HIGH

Solution:

Open /engine/classes/min/index.php and at the very beginning of the file, find:

<?php

Add below it:

if (isset($_GET['f'])) {
    // Strip NUL bytes from the requested file list before Minify uses it
    $_GET['f'] = str_replace(chr(0), '', (string)$_GET['f']);
}

We have updated the Datalife Engine 10.0 Final English package in our download section as of August 12, 2013, 2:30 AM (USA Mountain Standard Time).
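
As an added example (not DLE's or Minify's own code), the Python script below applies the same NUL-byte stripping the patch performs and scans access-log lines for requests to the Minify endpoint whose f parameter carried a NUL byte, so a site owner can check whether the flaw was probed before the patch went in. It assumes a combined-format access log and the endpoint path /engine/classes/min/index.php from the advisory; the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint from the advisory; the file list arrives in the 'f' query parameter.
MINIFY_PATH = "/engine/classes/min/index.php"
# Combined log format: client ident user [time] "METHOD URL PROTO" status ...
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def strip_nul(value: str) -> str:
    """Same effect as the patch's str_replace(chr(0), '', ...) on $_GET['f']."""
    return value.replace("\x00", "")

def has_nul_in_f(url: str) -> bool:
    """True if the URL targets Minify and its 'f' value holds a NUL (raw, %00 or %2500)."""
    parts = urlsplit(url)
    if parts.path != MINIFY_PATH:
        return False
    for raw in parse_qs(parts.query, keep_blank_values=True).get("f", []):
        # parse_qs already decoded one layer; unquote again to catch %2500
        if "\x00" in raw or "\x00" in unquote(raw):
            return True
    return False

def parse_line(line: str):
    """Parse one combined-format access log line; None if it does not match."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    client, when, method, url, status = m.groups()
    return {"client": client, "time": when, "method": method,
            "url": url, "status": int(status)}

def scan(lines):
    """Return the parsed entries whose Minify request carried a NUL in 'f'."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and has_nul_in_f(entry["url"]):
            hits.append(entry)
    return hits

# Constructed sample lines (not real traffic): a benign Minify request,
# one with a percent-encoded NUL in 'f', and one unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Aug/2013:02:30:00 -0700] "GET /engine/classes/min/index.php?f=engine/skins/default.css HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Aug/2013:02:31:10 -0700] "GET /engine/classes/min/index.php?f=engine/skins/default.css%00 HTTP/1.1" 200 311 "-" "curl/7.30"',
    '203.0.113.5 - - [12/Aug/2013:02:32:00 -0700] "GET /index.php HTTP/1.1" 200 10240 "-" "Mozilla/5.0"',
]
```

Calling scan(SAMPLE_LOG) returns only the second entry; feeding it the lines of a real access log lists every Minify request that carried a NUL byte.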

Commented By MisterCaca (Members) on August 14, 2013 (6:48 pm)
Thanks for the warning!

Commented By Folku (Members) on August 23, 2013 (11:52 pm)
thanks for the update

Commented By NeoMaxx (Members) on August 29, 2013 (9:02 am)
Thank you to the team

Commented By thehamzan6 (Members) on November 9, 2013 (7:45 pm)
Is this vulnerability also part of the newest version, 10.1?

Commented By spamhater (DLE TEAM) on November 9, 2013 (9:38 pm)
Quote: thehamzan6
Is this vulnerability also part of the newest version, 10.1?

no

Love is a symbol of eternity. It wipes out all sense of time, destroying all memory of a beginning and all fear of an end!
Great achievement is usually born of great sacrifice, and is never the result of selfishness...Without continual growth and progress, such words as improvement, achievement, and success have no meaning.

Commented By wizardbg (Members) on January 2, 2014 (3:26 am)
I keep getting CHMOD errors, see pic here: http://kateart.byethost15.com/?di=D3MW. I edited the permissions and the next day I got the errors again. How do I fix it?

Commented By yorismith (Moderators) on January 2, 2014 (9:22 am)
You have to set chmod from 644 to 444 using FTP client software...

If you can't change the .htaccess chmod via FTP client software, then it means your host set the default .htaccess to 644 for security reasons. In this case the only way you can make the change is to log in to your hosting account via a control panel like cPanel, go to File Manager and make the change there.

- Nothing comes free...
- A generous heart, kind speech, and compassion are the things which renew humanity

Commented By wizardbg (Members) on January 4, 2014 (6:10 am)
I tried both ways, FTP and File Manager, chmod stays 644. I should write to the host, I guess. Is this really a security threat?

Commented By yorismith (Moderators) on January 4, 2014 (6:57 am)
No, not really... the chmod is not a security threat, it's for whether .htaccess can be read or written. 644 is write/read/read, but if you set it to 444 then it's read/read/read. This feature was added in DLE 9.5, so if you can't set chmod either way then the only thing you can do is contact your host provider. If they can't set it to 444 then it's not the end of the world, but it's really most recommended by DLE because someone can overwrite your .htaccess and cause code injection in the script...

Commented By wizardbg (Members) on January 4, 2014 (3:07 pm)
All was looking fine, I was adding articles, and now when I checked the site I got a 500 error and in the error log:
.htaccess: Invalid command 'php_value', perhaps misspelled or defined by a module not included in the server configuration

The last thing I did in cPanel was disable magic quotes gpc. I haven't added any module or changed settings. Any idea what has gone wrong?

Commented By yorismith (Moderators) on January 4, 2014 (4:18 pm)
Maybe the command that was added to .htaccess is an invalid command, so open .htaccess and check the command... if I remember correctly, the command used in .htaccess is
php_flag magic_quotes_gpc off
However, this issue can occur if your host only allows changing the value in php.ini... so the best solution is to consult your host provider or server admin.

Commented By wizardbg (Members) on January 4, 2014 (4:41 pm)
This could be a server-side problem, or the account is in propagation; I applied for a 1 month trial.
P.S. It was those php lines. I was editing from the older FTP account, so the changes weren't saved.