phpwcms <= 1.2.6

Post by Oliver Georgi

I have found another problem for releases <= 1.2.6 where your system can be injected in case register_globals = On.

In login.php around lines 45-63:

....
if(isset($_POST['form_lang'])) {
	$_SESSION["wcs_user_lang"] = strtolower(substr(clean_slweg($_POST['form_lang']), 0, 2));
}
if(!isset($_SESSION["wcs_user_lang"])) {                   //<-----------{1}
	if(isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])) {
		$_SESSION["wcs_user_lang"] = strtolower( substr( $_SERVER['HTTP_ACCEPT_LANGUAGE'], 0, 2 ) );
	} else {
		$_SESSION["wcs_user_lang"] = strtolower($phpwcms["default_lang"]);
	}
}
if(isset($BL[strtoupper($_SESSION["wcs_user_lang"])]) && file_exists('include/inc_lang/backend/'.$_SESSION["wcs_user_lang"].'/lang.inc.php')) {
	$lang_file_include = 'include/inc_lang/backend/'.$_SESSION["wcs_user_lang"].'/lang.inc.php';  //<-----------{2}
	$_SESSION["wcs_user_lang_custom"] = 1;
} else {
	$lang_file_include = 'include/inc_lang/backend/en/lang.inc.php';
	$_SESSION["wcs_user_lang"] 			= "en"; //by ono
	$_SESSION["wcs_user_lang_custom"] 	= 0;
}
require_once ($lang_file_include);        //<-----------{3}

Change line <-----------{2} to:

$lang_file_include = 'include/inc_lang/backend/'.strtolower(substr($_SESSION["wcs_user_lang"], 0, 2)).'/lang.inc.php';

And please - set register_globals = Off.

But it's highly recommended to update your installation to the current release!


Oliver
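
A stricter variant of the fix in the post above, as an added example that is not part of the original post or of phpwcms: instead of only truncating the session value to two characters, validate it against a fixed allow-list before it reaches the include path. The function name safe_lang_code(), the allow-list contents and the sample values are assumptions made for illustration.

```php
<?php
// Added example, not phpwcms code. Function name and allow-list are assumptions.

/**
 * Return a two-letter language code that is safe to place in an include
 * path, or $default when $candidate is not an allow-listed code.
 */
function safe_lang_code($candidate, array $allowed, $default = 'en')
{
    // Session or request data may be an array or null, not a string.
    if (!is_string($candidate)) {
        return $default;
    }
    $code = strtolower($candidate);

    // Exactly two ASCII letters: no dots, slashes or NUL bytes.
    // \A and \z anchor the whole string; a bare $ would accept "de\n".
    if (!preg_match('/\A[a-z]{2}\z/', $code)) {
        return $default;
    }
    // Must be a language the application actually ships.
    return in_array($code, $allowed, true) ? $code : $default;
}

// Constructed sample values for illustration.
$allowed = array('en', 'de', 'fr');
$samples = array('de', 'DE', 'xx', '../../x', "de\n", array('de'), null);

foreach ($samples as $value) {
    $code = safe_lang_code($value, $allowed);
    // The path is only ever built from the validated code.
    $path = 'include/inc_lang/backend/' . $code . '/lang.inc.php';
    echo json_encode($value, JSON_UNESCAPED_SLASHES), ' => ', $path, "\n";
}
```

Only 'de' and 'DE' resolve to the German file; every other sample falls back to include/inc_lang/backend/en/lang.inc.php.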