ikonboard Arbitrary Command Execution Vulnerability

Solution:
This code was sent by Gijs Hollestelle <gijs@gewis.win.tue.nl> and is reportedly the official vendor fix for the vulnerable code:

From register.cgi:

@params = $query->param;                # every parameter name the client sent
foreach $param(@params) {
    $theparam = $query->param($param);
    $theparam = &unHTML("$theparam");
    ${$param} = $theparam;              # symbolic reference: the client chooses which variable is written
}

Replace with:

for ('inmembername','password','emailaddress',
     'showemail','homepage','aolname','icqnumber','location','interests',
     'signature','timedifference','useravatar','action') {   # fixed list of expected form fields
    next unless defined $_;
    next if $_ eq 'SEND_MAIL';
    $tp = $query->param($_);
    $tp = &unHTML("$tp");
    ${$_} = $tp;                        # still a symbolic reference, but only to names in the list above
}
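The vendor fix above limits the writable names to an allowlist but still assigns through a symbolic reference. The following is an added example, not ikonboard's code, showing the same allowlist idea with the symbolic reference removed entirely (values land in a hash, so no request can name a program variable); FakeQuery is a constructed stand-in for CGI.pm's param() interface and unHTML is a stand-in for the board's helper.

```perl
#!/usr/bin/perl
# Added example (not ikonboard's code): allowlisted parameter handling
# without symbolic references.  FakeQuery imitates CGI->param: with no
# argument it returns every parameter name the client sent.
use strict;
use warnings;

package FakeQuery;   # constructed stand-in for CGI.pm
sub new   { my ($class, %p) = @_; return bless { p => {%p} }, $class }
sub param {
    my ($self, $name) = @_;
    return keys %{ $self->{p} } unless defined $name;
    return $self->{p}{$name};
}

package main;

# Field names taken from the vendor fix; anything else is ignored.
my @ALLOWED = qw(inmembername password emailaddress showemail homepage
                 aolname icqnumber location interests signature
                 timedifference useravatar action);

# Stand-in for ikonboard's &unHTML: neutralise angle brackets.
sub unHTML { my $s = shift; $s =~ s/</&lt;/g; $s =~ s/>/&gt;/g; return $s }

# Returns a hashref of sanitised fields.  The loop runs over the allowlist,
# never over client-supplied names, and writes into %fields rather than
# into a variable named by the request.
sub collect_fields {
    my ($query) = @_;
    my %fields;
    for my $name (@ALLOWED) {
        my $v = $query->param($name);
        next unless defined $v;
        $fields{$name} = unHTML($v);
    }
    return \%fields;
}

# Constructed request: one expected field, one attacker-chosen name that
# the original foreach loop would have turned into a variable assignment.
my $q = FakeQuery->new(
    inmembername     => 'alice',
    some_program_var => 'attacker value',   # constructed, not a real field
    action           => '<b>reg</b>',
);
my $f = collect_fields($q);
print "$_ => $f->{$_}\n" for sort keys %$f;
# Only inmembername and action appear; some_program_var is dropped.
```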

Copyright 2010, SecurityFocus