Author Topic: Security problems [IMPORTANT]  (Read 3854 times)

pianista

  • Newbie
  • Posts: 3
Security problems [IMPORTANT]
« on: September 10, 2020, 02:00:28 PM »
Hi,

I've seen that on exploit-db:

https://www.exploit-db.com/exploits/48574
https://www.exploit-db.com/exploits/48567

With this kind of injection, an anonymous user could retrieve data from MySQL (users, passwords...) and, if the server has a bad configuration, it could lead to remote code execution... etc...

Has someone fixed these injections?
Thank you

Regards

ParrotSim

  • Newbie
  • Posts: 33
Re: Security problems [IMPORTANT]
« Reply #1 on: November 07, 2020, 09:48:10 PM »
Here's a quick solution.

First of all, test the files in a development/testing environment, not in production.

The zip contains a new file: "db_access.php". Put the same data you entered in "db_login.php" and that's it.

The reason for this quick fix is that these vulnerabilities allow access to the database via SQL injection, so apply the solution as quickly as possible.

Using an SQL injection attack, the attacker can obtain the user data (including passwords), which would be harmful to users who use the same password on all sites (please NEVER do this).

Finally, if you find another security bug, don't be afraid to report it in the forum.

pianista

  • Newbie
  • Posts: 3
Re: Security problems [IMPORTANT]
« Reply #2 on: November 16, 2020, 08:05:21 AM »
Thank you. In the end I didn't use the patch, but I set up ModSecurity with fail2ban to avoid this kind of problem...

etbandung

  • Newbie
  • Posts: 1
Re: Security problems [IMPORTANT]
« Reply #3 on: August 12, 2021, 05:27:19 AM »
Works! Thanks, mate.