Thread: Blog Exploit

There is/was an exploit in Blog where another users blog (any users) could be deleted / changed / updated.

This was fixed in GPLdate rev 45.

You can see a diff here - or the entire file.

GPLdate is coming along well - consider checking it out for testing.

Smoge

do i change my current blog.php for the one on this page?

You could... or use the diff.

Note - in the release mentioned - I opened up the blogs for all to see - you may want to uncomment:

Code:

// allow access to blogs for now - this needs to be looked at more - I just opened it up.
//if ( !( $logged['admin'] = member_auth( 1, false ) ) )
//    if ( !( $logged['member'] = member_auth( 0, false ) ) )
//        if ( !( $logged['aff'] = member_auth( 2, false )) )
//            $logged['moderator'] = member_auth( 3, false );

if you only want logged in users to be able to read blogs.

Smoge

thanks i just updated it.

there is a bug in your blog script: when you add a record, it shows 0 date of entry.

This is an Dolphin 5.3 bug that we did not fix yet in GPLdate - it exists in the Dolphin 5.3 code.

We just did a proposed fix for the exploit.

You can check here for a discussion about the 0 time stamp issue. There maybe one on ModMySite also.

Smoge

Originally Posted by M@rix

there is a bug in your blog script: when you add a record, it shows 0 date of entry.