|
|
|
|
| Newsletter |
|
|
| Spotlight |
|
RockAffairs
|
"The ability for Jamroom to be customized is what makes RockAffairs what it is. Getting the content you need on a page is simple, even for beginners. The admin interface is excellent, and you'll never need to touch the PHP code; Jamroom's inbuilt custom functions combined with Smarty give you everything you'll ever need. And if you do get stuck, customer support and a fantastic community always try to help. Visit RockAffairs, see Jamroom in action, then get it yourself. Rockaffairs *hearts* Jamroom!"
|
|
|
|
|
Remote File Inclusion vulnerability in Admin Browser plugins
|
Resolved
|
|
» Opener: bigguy
|
|
» Affects: Jamroom Core
|
|
» Priority: Urgent
|
|
» Created: 06/21/08 13:26
|
|
Issue Details
|
There is a critical Remote File Inclusion vulnerability in 2 of Jamroom's Admin Browser plugins:
jamroom/include/plugins/jrBrowser/payment.php
jamroom/include/plugins/jrBrowser/purchase.php
That can allow remote code to be executed within Jamroom. This has been fixed for Jamroom 3.3.6, and it is highly recommend that if you are running any version of Jamroom 3.3.x that you upgrade immediately.
Versions of Jamroom Prior to Jamroom 3.3.0 are not affected, nor are sites that have the PHP "register_globals" setting turned off.
If you are unable to update to Jamroom 3.3.6 at this time, an easy fix is to delete the 2 files:
jamroom/include/plugins/jrBrowser/payment.php
jamroom/include/plugins/jrBrowser/purchase.php
Which will make the "payments" and "purchases" section of the Admin Browser not work until you can update. |
|
» Owner: bigguy
|
|
» Updated: 06/21/08 13:57
|
|
» Due in Version: Jamroom Core 3.3.6
|
|
Issue Resolution
|
| This has been fixed in Jamroom 3.3.6 |
|
» Resolver: bigguy
|
|
» Resolved: 06/21/08 13:57
|
|
» Resolved In: Jamroom Core 3.3.6
|
|
