** Important Notice for Jamroom 3.2.x sites! **
bigguy
Jamroom Team


Joined: 09 Jul 2003
Posts: 34857
Location: Seattle, WA

Posted: 06/22/08 16:30 
After further analysis of Jamroom 3.2.x, it appears that the following file could be vulnerable to the Remote File Inclusion vulnerability that I thought was only in 3.3.x:

jamroom/include/plugins/jrBrowser/purchase.php

If you are running any version of Jamroom 3.2.x, and have the Jamroom Payment Pack installed, do the following:

- log into Jamroom as the Master Admin
- click on Jamroom Tools -> Server Check -> Click here for detailed PHP Information
- scroll down to the register_globals setting on the left - if the value says On then you need to DELETE the file:

jamroom/include/plugins/jrBrowser/purchase.php

OR

modify the file and change this:


Code

#-----------------------------------------------------------------------
# $Id: purchase.php,v 1.1.2.3 2008-01-08 22:53:03 bigguy Exp $
#-----------------------------------------------------------------------
require_once("{$jamroom['jm_dir']}/include/jamroom-payment.inc.php");


to this:


Code

#-----------------------------------------------------------------------
# $Id: purchase.php,v 1.1.2.3 2008-01-08 22:53:03 bigguy Exp $
#-----------------------------------------------------------------------
# stop here unless this file was loaded through Jamroom itself (IN_JAMROOM
# is only defined by Jamroom's own scripts, never on a direct request)
defined('IN_JAMROOM') or exit();
require_once("{$jamroom['jm_dir']}/include/jamroom-payment.inc.php");


That will protect your site from the attack.

This has been fixed in Jamroom 3.3.6, so updating to Jamroom 3.3.6 will also fix this issue.

If you have any questions, please let me know.

Thanks!

- Brian


_________________
Make sure and check out:
* The Jamroom FAQ
* The Jamroom Documentation
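The fix above relies on two things an admin can verify by hand: whether register_globals is On, and whether every plugin include file carries the `defined('IN_JAMROOM') or exit();` guard. The following POSIX shell script is an added example (not Jamroom's own tooling, and not from the post) that automates both checks: it walks a Jamroom install, reports `.php` files under `include/plugins` that lack the guard, and greps a php.ini for `register_globals`. It builds a small constructed fixture tree (a guarded file and an unguarded one, plus a php.ini) so it runs stand-alone; the file contents and the php.ini path are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added audit helper for the advisory above: find plugin include files that can be
# requested directly (no IN_JAMROOM guard) and check register_globals in php.ini.
# Constructed example; not part of Jamroom.

# find_unguarded DIR -> prints each *.php file under DIR lacking the guard
find_unguarded() {
    dir="$1"
    find "$dir" -type f -name '*.php' | sort | while read -r f; do
        # fixed-string match on the exact guard the advisory tells admins to add
        if ! grep -qF "defined('IN_JAMROOM')" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# count_unguarded DIR -> number of unguarded files (plain integer, no padding)
count_unguarded() {
    find_unguarded "$1" | wc -l | tr -d ' '
}

# register_globals_on PHP_INI -> exit status 0 when register_globals is enabled
# (On/1/true/yes are all accepted by PHP for boolean ini settings)
register_globals_on() {
    grep -Eiq '^[[:space:]]*register_globals[[:space:]]*=[[:space:]]*(on|1|true|yes)' "$1"
}

# make_fixture -> builds a constructed sample tree and prints its path
make_fixture() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/include/plugins/jrBrowser"
    # unguarded file, shaped like the vulnerable purchase.php in the advisory
    cat > "$tmp/include/plugins/jrBrowser/purchase.php" <<'EOF'
<?php
require_once("{$jamroom['jm_dir']}/include/jamroom-payment.inc.php");
EOF
    # guarded file, shaped like the fixed version
    cat > "$tmp/include/plugins/jrBrowser/guarded.php" <<'EOF'
<?php
defined('IN_JAMROOM') or exit();
require_once("{$jamroom['jm_dir']}/include/jamroom-payment.inc.php");
EOF
    # constructed php.ini with the unsafe setting
    printf 'register_globals = On\n' > "$tmp/php.ini"
    printf '%s\n' "$tmp"
}

# Stand-alone run: audit the fixture and report.
if [ "${AUDIT_DEMO:-1}" = "1" ]; then
    root=$(make_fixture)
    echo "Unguarded plugin files under $root:"
    find_unguarded "$root/include/plugins"
    if register_globals_on "$root/php.ini"; then
        echo "register_globals is On: delete or guard the files listed above"
    else
        echo "register_globals is Off"
    fi
    rm -rf "$root"
fi
```

Point `find_unguarded` at a real install's `include/plugins` directory to get the list of files to delete or patch. The php.ini grep is only a second opinion: the Server Check page the post describes reflects the setting actually in effect, which can also come from `.htaccess` or a per-directory ini, so treat the admin panel as authoritative.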