Problem in Autotheme admin area...

Hangin' Around Joined: Mar 30, 2004 Posts: 34

Whenever trying to access the "commands" section of Autothemes, Sentinel throws an email at me and I get redirected. Just thought I'd let you know.

The URL is: admin.php?module=AutoTheme&op=cmdedit

Posted: Tue Jul 20, 2004 4:24 pm

Hate to ask but is that the only url with cmd in it?

Posted: Tue Jul 20, 2004 4:36 pm

Anyway I briefly tested this exclusion it seemed to work.
Under // Check for XSS attack replace the existing if statement with this only if your using autotheme.

Code:




if (eregi("http\:\/\/", $name) OR (eregi("cmd",$querystring) AND !eregi("&cmd",$querystring) AND !eregi("cmdedit",$querystring)) OR (eregi("exec",$querystring) AND !eregi("execu",$querystring)) OR eregi("concat",$querystring)) {

Posted: Tue Jul 20, 2004 5:50 pm

My site will still be as safe as it was?

Posted: Wed Jul 21, 2004 1:40 pm

Honestly I'm not sure thats why I said to only use if on autotheme. But yeah it will still catch cmd or cmd= ect...

Posted: Sun Aug 08, 2004 7:50 am

With the new version of Sentinel this fix no longer works, because that section of code seems to no longer exist in sentinel.php. Neutral

Anyone got another solution?

Posted: Sun Aug 08, 2004 8:37 am

Its still there about line 213 under // Check for XSS attack

Posted: Sun Aug 08, 2004 2:25 pm

Well I'm stupid. Shocked

-_-'

Sorry.