After 5 Web Design | October 19, 2006
We discovered a pretty serious flaw in the code for PHPLD. It turns out that you can submit HTML in the Description, Title, and Owner's Name fields. After briefly dreaming of how easily we could hack the 10,000+ installs of phpld to gain all the free links we wanted (even in paid directories!), we reported it to the boys at
PHP Link Directory. We not only reported where the vulnerability was, we also sent them the code that could be used to fix it. Unfortunately, they haven't yet patched the code available for download, nor have they posted any information on how to patch the script.
Fortunately, the fix is rather simple. Open your submit.php file in your favorite editor and find these lines (on or around line 125):
$data['LAST_CHECKED'] = gmdate('Y-m-d H:i:s');
$data['DATE_ADDED'] = gmdate('Y-m-d H:i:s');
$data['DATE_MODIFIED'] = gmdate('Y-m-d H:i:s');
Insert these three new lines of code after them:
$data['DESCRIPTION'] = strip_tags($data['DESCRIPTION']);
$data['TITLE'] = strip_tags($data['TITLE']);
$data['OWNER_NAME'] = strip_tags($data['OWNER_NAME']);
This code will strip all the html tags from the Description, Title, and Owner's Name fields (in case it wasn't obvious). As a caveat, it will also prevent your admin panel from being hidden by spammers who are currently submitting malformed html links that say crap like "My dear web designer, it is nice."
Digg this
Posted 3 years, 7 months ago on October 19, 2006
The trackback url for this post is http://www.after5webdesign.com/news/bblog/trackback.php/10/