Hello, all. I came across the following pastbin entry today, which
pointed out a public vulnerability in the databases list:
http://pastebin.com/dER2NYKr
I'm not sure what version of SP these sites are running, but you need
to fix this asap. To fix, go to subjects/databases.php and look for a
line that adds some additional information to the $page_title
variable. If you have something that looks like this line, with the
$_GET["letter"] variable being displayed without first being scrubbed
for malicious intent, you have a potential problem:
$page_title .= ": " . $_GET["letter"];
I'm not sure exactly what it looks like on your site, but for now, try
commenting this line out. You should be left with a generic "Database
List" page title.
If you want to see if this is an issue, cut and paste in your database
list url and add at the end
"><script>alert(1)</script>
if it makes a box pop up, you have a problem. If you're not sure what
to do, drop me a line off list.
This should not be an issue in 1.0.1, but you might have downloaded
the new version and kept your old subjects/databases.php file. I'll
send instruction later about how to safely include your selected
letter as part of the title.