[F] admin/settings.php: SQL options leak through into a <select> tag
#1
When I remove the /settings.php file and make the directory read-only, the settings will be retrieved from the database.

Then I call /admin/settings.php?action=change

Later, the $options variable is used in the code without initializing it properly. Therefore, the first combo box contains items for the $options that had been used in the last SQL statement, in my case "title" and "ASC".

Some further questions:
* What is the settings.php good for at all? Is it just a cache?
* Why is the code using md5($debugmode) instead of checking the value directly?

Roland


Attached Files
.txt   mybb-admin-setttings.patch.txt (Size: 1.16 KB / Downloads: 351)
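
The variable reuse described in the post above, as an added example that is not part of the original post, the attached patch, or MyBB's code: a query-options array is later reused as the list of `<select>` entries without being reset, so the query parameters show up as the first items. All function names, the `order_by`/`order_dir` keys and the sample rows are assumptions constructed for illustration.

```php
<?php
// Constructed illustration; every name and row below is hypothetical.

// Stand-in for a database helper that takes query options as an array.
function fetch_groups(array $query_options): array
{
    // A real helper would build ORDER BY from $query_options.
    return [
        ['gid' => 1, 'title' => 'General'],
        ['gid' => 2, 'title' => 'Server'],
    ];
}

// Renders value => label pairs as a <select>, escaping both for HTML.
function render_select(string $name, array $options): string
{
    $html = '<select name="' . htmlspecialchars($name, ENT_QUOTES) . '">';
    foreach ($options as $value => $label) {
        $html .= '<option value="' . htmlspecialchars((string)$value, ENT_QUOTES) . '">'
               . htmlspecialchars((string)$label, ENT_QUOTES) . '</option>';
    }
    return $html . '</select>';
}

// Before: $options still holds the query options when the list is built.
function group_select_leaky(): string
{
    $options = ['order_by' => 'title', 'order_dir' => 'ASC'];
    foreach (fetch_groups($options) as $row) {
        $options[$row['gid']] = $row['title']; // appended to the stale array
    }
    return render_select('gid', $options);     // "title" and "ASC" come first
}

// After: separate names, and the list is initialised before use.
function group_select_fixed(): string
{
    $query_options = ['order_by' => 'title', 'order_dir' => 'ASC'];
    $options = [];
    foreach (fetch_groups($query_options) as $row) {
        $options[$row['gid']] = $row['title'];
    }
    return render_select('gid', $options);
}

echo group_select_leaky(), "\n";
echo group_select_fixed(), "\n";
```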


Messages In This Thread
[F] admin/settings.php: SQL options leak through into a <select> tag - by rillig - 2007-01-21, 10:37 PM
