Security patches for versions 9.7 and below

The problem: SQL injection is possible when the site administrator ignores the notices shown in the Admin Panel about the insecure server setting register_globals being enabled; in addition, the CAPTCHA security code can be bypassed during registration.

Affected versions: 9.7 and all earlier versions

Danger level: High when register_globals is enabled and the recommendation to disable this setting in the server configuration has not been followed. Installing the patch is still required for everyone, because the patch also fixes the possible CAPTCHA bypass and other problems.

To fix the problem, download the patch from http://dle-news.ru/files/dle97_path.zip and copy it to your server; this patch is for script version 9.7. The version 9.7 distribution downloaded from dle-news.ru has already been updated with this patch.

Users of an earlier version of the script should make the following changes manually in the script files:

1. Open /engine/modules/sitelogin.php and find:
$dle_login_hash = "";

Below add:
$_TIME = time () + ($config['date_adjust'] * 60);
In the same file, find:
		if( $member_id['user_id'] ) {

Below add:
			session_regenerate_id();

In the same file, find:
		$member_id = $db->super_query( "SELECT * FROM " . USERPREFIX . "_users WHERE user_id='" . intval( $_COOKIE['dle_user_id'] ) . "'" );

Below add:
			session_regenerate_id();

2. Open /engine/init.php and find:
	if (in_array ( $_POST['dlenewssortby'], $allowed_sort )) {

Replace with:
	if (in_array($_POST['dlenewssortby'], $allowed_sort) AND stripos($find_sort, "dle_sort_") === 0) {

3. Open /engine/modules/functions.php and find:
	global $tpl;

Below add:
	if (!class_exists('dle_template')) {
	    return;
	}
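The two defensive patterns behind steps 1 and 2, written out as a stand-alone PHP example. This is added code, not part of the DLE patch or of dle-news.ru's files: it rotates the session id once a login succeeds (so a session id fixed before login is not carried over) and validates the user-chosen sort key against an allowlist before it reaches an ORDER BY clause. The variable names $allowed_sort and $find_sort mirror the patch; the column list and the way $find_sort is derived from the sort key are assumptions.

```php
<?php
// Added example, not code from the DLE patch. Demonstrates the hardening ideas behind
// steps 1 and 2 of the manual fix in a form that runs on its own.
declare(strict_types=1);

// Assumed allowlist: accepted sort keys mapped to the exact column used in SQL.
// Only values from this map ever reach the query; the request text is never interpolated.
const SORT_COLUMNS = [
    'date'      => 'date',
    'rating'    => 'rating',
    'news_read' => 'news_read',
    'comm_num'  => 'comm_num',
    'title'     => 'title',
];

/**
 * Return the ORDER BY column for a requested sort key, or null if the request must be
 * rejected. $requested is the raw value of $_POST['dlenewssortby'].
 */
function safe_sort_column(?string $requested): ?string
{
    $allowed_sort = array_keys(SORT_COLUMNS);
    // Third argument true: strict comparison, so no type juggling surprises.
    if ($requested === null || !in_array($requested, $allowed_sort, true)) {
        return null;
    }
    // The patch additionally requires the derived variable name to start with
    // "dle_sort_". In this stand-alone form the check always passes, because we build
    // $find_sort ourselves; it matters in DLE when register_globals lets a request
    // overwrite $find_sort with an arbitrary name. (Assumption about how DLE builds it.)
    $find_sort = 'dle_sort_' . $requested;
    if (stripos($find_sort, 'dle_sort_') !== 0) {
        return null;
    }
    return SORT_COLUMNS[$requested];
}

/** Build the final query fragment; fall back to the default order when rejected. */
function order_by_clause(?string $requested, string $default = 'date'): string
{
    $col = safe_sort_column($requested) ?? SORT_COLUMNS[$default];
    return 'ORDER BY ' . $col . ' DESC';
}

/**
 * Step 1's defence: after the credentials have been verified, issue a fresh session id
 * so a session id planted by a third party before login is not carried over.
 * Call this only after a successful credential check.
 */
function on_successful_login(int $user_id): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);  // true: discard the old session data file
    $_SESSION['user_id'] = $user_id;
}

// Constructed sample requests, not real traffic.
$samples = ['date', 'rating', 'date, rating', "date'--", 'dle_sort_date', '', null];
foreach ($samples as $s) {
    printf("%-22s => %s\n", var_export($s, true), order_by_clause($s));
}
```

Only 'date' and 'rating' produce their own ORDER BY column; every other sample falls back to the default order, because the sort key is looked up in a fixed map rather than pasted into the query. The session rotation is deliberately placed after authentication, matching where the patch inserts session_regenerate_id() in sitelogin.php.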

Comments (3)

snovop, December 4, 2012 (11:27 am), comment 1

thanks! fellow

http://megafilmparadize.fr/
Registered: 13.02.2012 | Group: Members | Posts: 0 | Comments: 9

kevinhd, December 30, 2012 (5:03 am), comment 2

My site has been successfully attacked by SQL injection
sad

http://www.privatedownloadonline.com
Registered: 25.10.2012 | Group: V.I.P. | Posts: 0 | Comments: 4

spamhater, January 2, 2013 (7:47 pm), comment 3

How did you identify it as MySQL injection? Do you have spoiled code in your website somewhere?
Registered: 14.10.2011 | Group: DLE TEAM | Posts: 22 | Comments: 314