Recently , it was brought our attention that there is a security vulnerability in the myBloggie 2.1.3 beta & prior. To address that problem, you are strongly advise to update your code immediately as per below to address critical security issue.
Find these line in the login.php
[edit = Updated code to prevent exploit 06 Oct 2005]
Code : if (isset($_POST['username'])) {
$username=$_POST['username'];
} else $username="";
if (isset($_POST['passwd'])) {
$passwd = $_POST['passwd'];
} else $passwd = "";
Add this below
Code :
// Security precaution - sean 06 Oct 2005
$username = htmlspecialchars(rtrim(trim($username), "\\"));
$username = substr(str_replace("\\'", "'", $username), 0, 25);
$username = str_replace("'", "\\'", $username);
Results after change
Code : if (isset($_POST['username'])) {
$username=$_POST['username'];
} else $username="";
if (isset($_POST['passwd'])) {
$passwd = $_POST['passwd'];
} else $passwd = "";
// Security precaution - sean 06 Oct 2005
$username = htmlspecialchars(rtrim(trim($username), "\\"));
$username = substr(str_replace("\\'", "'", $username), 0, 25);
$username = str_replace("'", "\\'", $username);
or you can download here patch file
Instruction : Download login.zip , unzip it, upload it to myBloggie root directory to replace login.php |
