PhpDig.net

Old 01-15-2004, 07:30 AM   #1
pittster
Green Mole
 
Join Date: Sep 2003
Posts: 2
Security update breaks sites that call the search function from another directory

Hey everyone,

If you use the function to display the results and add the following lines at the top of the script:

// prevent remote command execution
if ((isset($relative_script_path)) &&
    ($relative_script_path != ".") &&
    ($relative_script_path != "..")) {
    exit();
}

and you are running the function from a directory other than the phpdig directory, your script will break.

Be sure to add "&&($relative_script_path != "../your_relative_script_path")" to the end of that if statement.
Old 01-15-2004, 08:29 AM   #2
Charter
Head Mole
 
Join Date: May 2003
Posts: 2,539
Hi. Yes, thanks. If you modified PhpDig paths, then you'll need to change/add to the if statement to fit your paths as pittster posted.
__________________
Responses are offered on a voluntary if/as time is available basis, no guarantees. Double posting or bumping threads will not get your question answered any faster. No support via PM or email, responses not guaranteed. Thank you for your comprehension.
Old 01-19-2004, 05:22 PM   #3
ZAP
Green Mole
 
Join Date: Nov 2003
Posts: 7
Just a quick tip:

If you're having trouble figuring out the correct value to add for your $relative_script_path (as I was), you can first change the security patch code to the following:

// prevent remote command execution
if ((isset($relative_script_path)) &&
    ($relative_script_path != ".") &&
    ($relative_script_path != "..")) {
    echo $relative_script_path; exit();
}

Do a search and you will see what the proper path should be. Then IMMEDIATELY delete the "echo $relative_script_path;" and add your custom path to the IF statement as explained above. Only do this if you're having trouble getting phpDig to work after you add this security patch and you're not sure what your $relative_script_path is.

In my case, I had installed phpDig so long ago that I no longer remembered what I'd customized...
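The guard from posts #1 and #3 written as an allowlist, as an added example that is not part of any post and is not PhpDig's own code. The helper names are hypothetical, "../your_relative_script_path" is the thread's placeholder for a customized path, and PHP 7.1 or later is assumed. A rejected value goes to the server error log, so the path can be found without echoing it to the browser.

```php
<?php
// Added example, not PhpDig's code. Assumes PHP 7.1+.

// Assumption: every path this installation legitimately passes to the search
// function. "../your_relative_script_path" is the thread's placeholder.
const ALLOWED_SCRIPT_PATHS = ['.', '..', '../your_relative_script_path'];

// Hypothetical helper. Mirrors the posted guard: an unset value passes,
// a set value passes only on an exact, type-strict match with the allowlist.
function relative_script_path_allowed($value, array $allowed): bool
{
    if ($value === null) {
        return true;                      // isset() is false for null
    }
    if (!is_string($value)) {
        return false;                     // e.g. an array from the request
    }
    return in_array($value, $allowed, true);
}

// Hypothetical helper. Call at the top of the script in place of the posted
// if statement: guard_relative_script_path($relative_script_path ?? null);
function guard_relative_script_path($value, array $allowed = ALLOWED_SCRIPT_PATHS): void
{
    if (relative_script_path_allowed($value, $allowed)) {
        return;
    }
    // Record the rejected value in the server log instead of echoing it to
    // the browser. json_encode() escapes control characters such as newlines.
    error_log('relative_script_path rejected: '
        . json_encode($value, JSON_PARTIAL_OUTPUT_ON_ERROR));
    exit();
}

// Constructed sample values, run only when this file is executed directly.
if (PHP_SAPI === 'cli' && realpath($_SERVER['SCRIPT_FILENAME']) === __FILE__) {
    $samples = [null, '.', '..', '../your_relative_script_path',
                '../some_other_dir', './', ['.']];
    foreach ($samples as $sample) {
        printf("%-34s %s\n", json_encode($sample, JSON_UNESCAPED_SLASHES),
            relative_script_path_allowed($sample, ALLOWED_SCRIPT_PATHS)
                ? 'allowed' : 'rejected');
    }
}
```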
Old 01-19-2004, 05:30 PM   #4
Charter
Head Mole
 
Join Date: May 2003
Posts: 2,539
Hi, thanks. Also, PhpDig version 1.8.0 is about to be released so if you want the same structure as was had before, you'll need to make the same such changes in the new version.

When version 1.8.0 is released, it is highly recommended to update and, of course, watch these boards and, if you've registered, watch your email for security updates.