ezUserManager - Website

More info about the security-fix in v1.7

On the 16th of May 2006, my host informed me that the demo site on www.ezusermanager.com/demo/ had been used to run malicious code in an attempt to gain unauthorized access to the server.

I immediately started investigating the issue and discovered a bug in ezusermanager_pwd_forgott.php that allowed attackers to have an externally hosted PHP script parsed locally on the server IF register_globals was set to ON on the server.
As of PHP 4.2.0, register_globals is set to "off" by default, but some servers still have it set to "on".

To fix this, the bug in ezusermanager_pwd_forgott.php was corrected, and to improve security further a line was added to the .htaccess file in the root folder to set register_globals=off for all files and directories within the ezUserManager folder.
NOTE: Not all hosts support this kind of override of the register_globals setting.
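The bug class described above, shown as an added illustration that is not ezUserManager's own code: a variable-driven include that register_globals turns into a remote file inclusion, beside a hardened version and a check for the server setting. The variable, function and file names are hypothetical.

```php
<?php
// Added illustration, not code from ezusermanager_pwd_forgott.php.
// Names ($lang_file, load_language_*, the language files) are hypothetical.

// --- Vulnerable pattern (only dangerous when register_globals = On) ---------
// With register_globals on, a request such as ?lang_file=... silently creates
// $lang_file before the script runs. If the script trusts that variable and
// includes it, and allow_url_fopen (from PHP 5.2 also allow_url_include)
// permits URLs, an externally hosted PHP file is fetched and executed locally.
function load_language_vulnerable()
{
    global $lang_file;              // populated from the request by register_globals
    if (!isset($lang_file)) {
        $lang_file = 'english.php'; // the author's intended default
    }
    include $lang_file;             // path or URL under the requester's control
}

// --- Hardened pattern --------------------------------------------------------
// Read the request value explicitly and map it onto a fixed allow-list, so the
// include target is never built from user input and works with register_globals
// on or off.
function load_language_safe()
{
    $allowed = array('english' => 'english.php', 'norwegian' => 'norwegian.php');
    $choice  = isset($_GET['lang']) ? $_GET['lang'] : 'english';
    if (!array_key_exists($choice, $allowed)) {
        $choice = 'english';        // unknown value: fall back, never include it
    }
    include dirname(__FILE__) . '/lang/' . $allowed[$choice];
}

// --- Diagnostics -------------------------------------------------------------
// Report the effective register_globals setting. Useful for checking whether
// an .htaccess override (the usual directive is "php_flag register_globals off")
// is actually honoured by the host; on PHP >= 5.4 the setting no longer exists.
function register_globals_status()
{
    $value = ini_get('register_globals');
    if ($value === false) {
        return 'not available (PHP 5.4+ removed register_globals)';
    }
    return (strtolower($value) === 'on' || $value === '1') ? 'ON (insecure)' : 'off';
}

echo 'register_globals: ' . register_globals_status() . "\n";
```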

I sincerely apologize for any trouble caused to you by this security flaw. If you have any questions about this, please do not hesitate to contact me.

Best regards,
Sven-Ove @ 02:43am, 17th May 2006

Update - 03:20am, 17th May 2006:
It seems that v1.6 is the ONLY version affected; versions lower than v1.6 do not have this security issue.

Update - 12:27pm, 22nd May 2006:
After doing some more research, it seems older versions are affected after all, so please update to the latest version ASAP!

Copyright 2004-2007
Sven-Ove Bjerkan
