Pekka
1st of June 2005 (Wed), 16:59
In all current EE installations, due to a possibility of "mysql injection" attack, please change line 8 in file slashwork.php
print mysql_error();
with
//print mysql_error();
This will void possible textual result of injection attack. EE 1.22 users are adviced to upgrade to EE 1.5RC4 and apply above fix. In next EE version all database errors are logged in editor only.
Thanks for Bernhard Mueller from http://www.sec-consult.com for reporting me this security advisory.
I have attached the fixed slashwork.php file for EE 1.5RC4:
print mysql_error();
with
//print mysql_error();
This will void possible textual result of injection attack. EE 1.22 users are adviced to upgrade to EE 1.5RC4 and apply above fix. In next EE version all database errors are logged in editor only.
Thanks for Bernhard Mueller from http://www.sec-consult.com for reporting me this security advisory.
I have attached the fixed slashwork.php file for EE 1.5RC4: