We have now updated all archives (for 2.0.7) as made available on the download page here. Therefore all new installations and upgrades will be immune.
We apologize for not having reacted earlier and for the bug in the redirection code introduced while fixing another security bug.
To fix this flaw, please open search.php in any text editor and follow these instructions:
FIND:
Code:
$show_results = ( isset($HTTP_POST_VARS['show_results']) ) ? $HTTP_POST_VARS['show_results'] : 'posts';
Code:
$show_results = ($show_results == 'topics') ? 'topics' : 'posts';
FIND:
Code:
$store_vars = array('search_results', 'total_match_count', 'split_search', 'sort_by', 'sort_dir', 'show_results', 'return_chars');
Code:
$search_results = '';
To fix the redirect problems:
Open login.php:
FIND:
Code:
$url = ( !empty($HTTP_POST_VARS['redirect']) ) ? htmlspecialchars($HTTP_POST_VARS['redirect']) : "index.$phpEx";
Code:
$url = ( !empty($HTTP_POST_VARS['redirect']) ) ? str_replace('&amp;', '&', htmlspecialchars($HTTP_POST_VARS['redirect'])) : "index.$phpEx";
Code:
$redirect = ( !empty($HTTP_POST_VARS['redirect']) ) ? htmlspecialchars($HTTP_POST_VARS['redirect']) : '';
Code:
$redirect = ( !empty($HTTP_POST_VARS['redirect']) ) ? str_replace('&amp;', '&', htmlspecialchars($HTTP_POST_VARS['redirect'])) : '';
FIND:
Code:
$redirect = ( !empty($HTTP_POST_VARS['redirect']) ) ? htmlspecialchars($HTTP_POST_VARS['redirect']) : "";
Code:
$redirect = ( !empty($HTTP_POST_VARS['redirect']) ) ? str_replace('&amp;', '&', htmlspecialchars($HTTP_POST_VARS['redirect'])) : "";
Code:
$url = (!empty($HTTP_POST_VARS['redirect'])) ? htmlspecialchars($HTTP_POST_VARS['redirect']) : htmlspecialchars($HTTP_GET_VARS['redirect']);
Code:
$url = str_replace('&amp;', '&', $url);
Code:
$url = ( !empty($HTTP_POST_VARS['redirect']) ) ? htmlspecialchars($HTTP_POST_VARS['redirect']) : "index.$phpEx";
Code:
$url = ( !empty($HTTP_POST_VARS['redirect']) ) ? str_replace('&amp;', '&', htmlspecialchars($HTTP_POST_VARS['redirect'])) : "index.$phpEx";
For completeness, here is the small fix for the correct row colour display in private messaging:
Open privmsg.php:
FIND:
Code:
message_die(GENERAL_ERROR, 'Could not query private messages', '', __LINE__, __FILE__, $sql);
}
if ( $row = $db->sql_fetchrow($result) )
{
Code:
$i = 0;
Code:
$row_color = ( !($i % 2) ) ? $theme['td_color1'] : $theme['td_color2'];
$row_class = ( !($i % 2) ) ? $theme['td_class1'] : $theme['td_class2'];
Code:
$i++;
Save and, if necessary, upload the changed files to your web server, replacing your existing versions.
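Because these edits are made by hand, it is worth confirming afterwards that the security-relevant lines actually landed in search.php and login.php. The following check is an added example, not part of the phpBB distribution or of the original announcement; the function and constant names are hypothetical, the sample inputs are constructed from the lines quoted above, and it assumes the `str_replace` line for `$url` sits alongside the unchanged POST/GET fallback line.

```python
import re

def _norm(text):
    """Drop all whitespace so indentation and spacing differences do not matter."""
    return re.sub(r"\s+", "", text)

# Lines the instructions add, per file (privmsg.php is cosmetic and left out).
REQUIRED = {
    "search.php": [
        "$show_results = ($show_results == 'topics') ? 'topics' : 'posts';",
        "$search_results = '';",
    ],
    "login.php": ["$url = str_replace('&amp;', '&', $url);"],
}
# login.php: the redirect value as read, and the same expression after the fix.
# '&amp;' is the entity htmlspecialchars() emits for '&'.
RAW = _norm("htmlspecialchars($HTTP_POST_VARS['redirect'])")
WRAPPED = _norm("str_replace('&amp;', '&', htmlspecialchars($HTTP_POST_VARS['redirect']))")
GET_FALLBACK = "$HTTP_GET_VARS['redirect']"

def check_file(name, source):
    """Return a list of findings for one file; an empty list means every fix was found."""
    flat = _norm(source)
    findings = ["missing: " + line for line in REQUIRED.get(name, [])
                if _norm(line) not in flat]
    if name == "login.php":
        for number, line in enumerate(source.splitlines(), 1):
            squeezed = _norm(line)
            # Assumption: the POST/GET fallback line stays unwrapped and is
            # covered by the separate str_replace line listed in REQUIRED.
            if RAW in squeezed and WRAPPED not in squeezed and GET_FALLBACK not in squeezed:
                findings.append("line %d: redirect value not passed through str_replace" % number)
    return findings

# Constructed samples, built from the lines quoted in the instructions.
UNPATCHED_LOGIN = """
$url = ( !empty($HTTP_POST_VARS['redirect']) ) ? htmlspecialchars($HTTP_POST_VARS['redirect']) : "index.$phpEx";
$url = (!empty($HTTP_POST_VARS['redirect'])) ? htmlspecialchars($HTTP_POST_VARS['redirect']) : htmlspecialchars($HTTP_GET_VARS['redirect']);
"""
PATCHED_LOGIN = """
$url = ( !empty($HTTP_POST_VARS['redirect']) ) ? str_replace('&amp;', '&', htmlspecialchars($HTTP_POST_VARS['redirect'])) : "index.$phpEx";
$url = (!empty($HTTP_POST_VARS['redirect'])) ? htmlspecialchars($HTTP_POST_VARS['redirect']) : htmlspecialchars($HTTP_GET_VARS['redirect']);
$url = str_replace('&amp;', '&', $url);
"""

if __name__ == "__main__":
    for label, src in (("unpatched", UNPATCHED_LOGIN), ("patched", PATCHED_LOGIN)):
        print(label, check_file("login.php", src) or "all fixes present")
```

To check a live installation, pass the contents of each file read from disk to `check_file` under its file name. A clean result only shows that the listed lines are present, not that they were inserted at the right place.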