security advisory for Pixie


marcjohns

Jan 28, 2009, 3:31:17 PM
to Pixie
Anyone aware that there is a security advisory floating around the
internet for Pixie? Here's the link:
http://www.secuobs.com/secumail/snsecumail/msg13929.shtml

My web development skills are not terribly advanced, so I don't fully
understand what the solution is. But I thought the Pixie community
should know about it, and was wondering if anyone is issuing a fix?

Keep up the great work - and thanks for showcasing my site a while
back!
Marc

Scott

Jan 29, 2009, 6:08:08 AM
to Pixie
Hi Marc
From the advisory it would suggest that this particular exploit is for
Windows hosting only... although I am not 100% sure about that. I was
contacted recently with information similar to this, in summary:

1. Local File Include vulnerability found in script /admin/admin/modules/mod_settings.php
2. Local File Include vulnerability found in script /admin/admin/modules/mod_myaccount.php

Successful exploitation requires that "register_globals" is enabled.

As a temporary fix, register_globals should be disabled; however, both
of these have been fixed in 1.01. With news of this it is now my
priority to get this out to you all ASAP.

Scott
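
The temporary fix in the message above is to disable register_globals. As an added example (not part of this thread and not Pixie's own code), this Python check reports every line in a PHP or Apache configuration file that switches the setting on; the sample file contents are constructed, and the check deliberately errs toward reporting.

```python
import re
import sys

# Spellings PHP accepts as "true" for a boolean ini setting. Apache's php_flag
# honours only "on" and "1"; the wider set is used for both on purpose, so a
# doubtful line is reported rather than missed.
_TRUTHY = {"1", "on", "yes", "true"}

# php.ini style:            register_globals = On
_INI_RE = re.compile(r'^register_globals\s*=\s*"?([^\s";]+)', re.I)
# .htaccess / httpd.conf:   php_flag register_globals on
_APACHE_RE = re.compile(
    r'^php_(?:admin_)?(?:flag|value)\s+register_globals\s+"?([^\s"]+)', re.I)


def register_globals_findings(name, text):
    """Return (file, line_no, line) for each line that enables register_globals."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in ";#":   # skip blanks and commented-out lines
            continue
        match = _INI_RE.match(line) or _APACHE_RE.match(line)
        if match and match.group(1).lower() in _TRUTHY:
            findings.append((name, line_no, line))
    return findings


# Constructed sample inputs, not taken from any real Pixie installation.
SAMPLE_PHP_INI = """\
; register_globals = On
register_globals = On
display_errors = Off
"""
SAMPLE_HTACCESS = """\
# per-directory overrides
php_flag register_globals off
php_value register_globals 1
"""

if __name__ == "__main__":
    # Usage: python check_rg.py /path/to/php.ini /path/to/.htaccess ...
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as handle:
            for hit in register_globals_findings(path, handle.read()):
                print("%s:%d: %s" % hit)
```

An empty result for every file means no configuration line turns the setting on, so PHP's built-in default (off since PHP 4.2.0) applies.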

Scott

Jan 29, 2009, 7:49:06 AM
to Pixie
Marc
Please download:

http://pixie-cms.googlecode.com/files/patch_exploit_7886.zip

Details are included in the file.

Will post to the pixie blog about this now.

Scott