Security Fix: frame.php

[757jterrell]

With the cooperation of Scott Klarr (http://diffusionstudios.com/) we are pleased to release this security update:

This will prevent people from uploading free credits into your  ads.

Go to your frame.php file, line 19 to 23 and add what is in bold:

include("header.php");

$id = mysql_real_escape_string($_REQUEST['id']);

$sql = $Db1->query("SELECT * FROM $type WHERE id='$id'");

[Claudeski]

Thanks for the additional fix but even with this I'm still getting link ads both created and modified.

[757jterrell]

can I ask what version of the script you are using?? it may help us identify what the problem is.

[Claudeski]

I'm still using MRV3.

[757jterrell]

Have you done these things already?

http://auroraadmintraining.info/index.php/topic,152.0.html

[Claudeski]

Have you done these things already?

http://auroraadmintraining.info/index.php/topic,152.0.html

My config.php had a permission of 0666 instead of 0777 or 0664 but has now been changed, could this have been the problem?. Otherwise, all those holes have been fixed.

[757jterrell]

Yes that would do it, permission 0666 allows people to access and write to your database. Change it to 0644 ASAP.

[Claudeski]

Yes that would do it, permission 0666 allows people to access and write to your database. Change it to 0644 ASAP.

Yep already changed. Thanks for the help.

[syaikhoni]

ok thaks