MyBB Community Forums

Full Version: syndication.php - causing security issues
Pages: 1 2
Hey,

I just did a scan with Acunetix on a friend's website I'm an admin on, as he asked me to, and it appears syndication.php is causing a lot of problems.

I'm not posting the URL, for obvious reasons.

Code execution (Unix):

[Image: 2ngbvqx.png]

Directory traversal (Unix)

[Image: 1ifiit.png]


Can someone please guide me as to what I should do? I can see the solutions there, but I'm not sure what exactly should be done to fix the issue.

There are some lower priority problems, but it's the high risk problems that need to be fixed first.

Thanks.

All user input that needs to be sanitised gets sanitised before it goes into any queries... the only user input here is a list of forums and what type of feed you want...
So, what's the solution to solve this problem?
You assume this test is even accurate... it says 'Your script should filter metacharacters from user input', but it already intval's the fids that you give before they go into the query...
Does this test program show exactly which request it believes causes a problem?

Your screenshots only show a very generic description, but no detail or info whatsoever.
(2010-12-27, 11:44 AM) MattRogowski Wrote: You assume this test is even accurate... it says 'Your script should filter metacharacters from user input', but it already intval's the fids that you give before they go into the query...

If I remove syndication.php, will that cause problems in other areas of the site?
Well, you won't be able to view the feeds, but I think you're getting overly worked up about a test that, as frostschutz said, gives no actual information on what it thinks is wrong.
(2010-12-27, 12:32 PM) MattRogowski Wrote: Well, you won't be able to generate the feed URLs, but I think you're getting overly worked up about a test that, as frostschutz said, gives no actual information on what it thinks is wrong.

Removed syndication.php, re-running the scanner.

We didn't need it anyway.
That's the Acunetix web vulnerability scanner; none of the information from that program is ever really accurate. You can scan the most secure site and it will find something every time. ;)
Try scanning with Nmap next time.
For what it's worth, I read through syndication.php and all input seems to be sanitized properly... so if you can't provide something more concrete, this is a false alarm...
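The point MattRogowski and frostschutz make above (the forum ids are run through intval() before they reach the query, and the feed type is the only other input) is easy to check in isolation. The snippet below is an added illustration of that sanitisation pattern; it is not MyBB's own syndication.php code, and the function names, the "fid"/"type" parameter handling and the accepted feed-type values are assumptions for the example.

```php
<?php
// Added illustration (not MyBB's syndication.php): casting each forum id
// with intval() before it is used means that whatever metacharacters a
// scanner puts into the "fid" parameter, only digits ever reach the SQL.

/**
 * Turn a raw comma-separated "fid" parameter into a list of safe integers.
 * Every element is cast with intval(); non-positive results are dropped.
 */
function sanitise_fids(string $raw): array
{
    $fids = [];
    foreach (explode(',', $raw) as $part) {
        $fid = intval(trim($part));   // "3' OR 1=1" becomes 3, "abc" becomes 0
        if ($fid > 0) {
            $fids[] = $fid;
        }
    }
    return array_values(array_unique($fids));
}

/**
 * Build the WHERE fragment for the feed query from the sanitised list.
 * Because every element is an int, implode() can only produce digits and
 * commas, so there is nothing for a metacharacter payload to break out of.
 */
function build_fid_where(array $fids): string
{
    if (empty($fids)) {
        return '';   // no forum filter: feed covers all readable forums
    }
    return 'fid IN (' . implode(',', $fids) . ')';
}

/**
 * The feed type is matched against a fixed whitelist rather than used
 * directly. The two values here are assumed for the example.
 */
function sanitise_type(string $raw): string
{
    $allowed = ['rss2.0', 'atom1.0'];
    return in_array($raw, $allowed, true) ? $raw : 'rss2.0';
}

// Constructed sample inputs, including the kind of string a scanner sends.
$samples = [
    '1,2,3',
    "2,3' OR 1=1",
    '../../../../etc/passwd',
    '0,abc,-5',
];

foreach ($samples as $raw) {
    $where = build_fid_where(sanitise_fids($raw));
    printf("%-32s => %s\n", var_export($raw, true), $where !== '' ? $where : '(no filter)');
}

printf("type %-20s => %s\n", var_export('atom1.0', true), sanitise_type('atom1.0'));
printf("type %-20s => %s\n", var_export('<script>', true), sanitise_type('<script>'));
```

Run it with `php sanitise_fids.php`: the first sample yields `fid IN (1,2,3)`, the quoted payload collapses to `fid IN (2,3)`, the traversal string and the non-numeric list both produce no filter at all, and an unknown feed type falls back to the default. That is the behaviour a scanner report would have to disprove with an actual request and response before it counts as a finding.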