Security Update: QSF Portal 1.4.2 Released
Posted by: Samson Sep 29, 2007, 6:03 pm
A serious security problem was discovered in the error reporting library. All users are urged to update immediately.

The error reporting library has a serious flaw that was not previously known. If there is an error while connecting to the database, such as the following:

mysql_connect() [function.mysql-connect]: Can't create a new thread (errno 11); if you are not out of available memory, you can consult the manual for a possible OS-dependent bug


The database password information will be revealed, which can lead to a complete compromise of the database if an attacker has access to the database server, either through a local account on the same machine, or remotely in the case of hosts who still allow remote DB connections.

The changed files for this update: http://www.qsfportal.com/index.php?a=files&s=viewfile&fid=36
No skin or DB queries were needed, so it is not necessary to run the upgrade script for this update.

Changes for 1.4.2:

Bugs addressed:

* SECURITY: The error reporting library will reveal database security info when an error connecting to the database is displayed.
* The RSS reader needs to define a user agent due to restrictions in place at qsfportal.com
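
An added illustration of this bug class in PHP, not QSF Portal's code or its actual fix: it assumes the leak path is an error reporter that prints call arguments taken from a backtrace, which the announcement does not specify. The connection stub, function names and credentials are constructed for the example, and no database is contacted.

```php
<?php
// Constructed settings; not values from any real installation.
$settings = ['db_host' => 'localhost', 'db_user' => 'forum', 'db_pass' => 'constructed-Passw0rd'];

// Stand-in for a failing connect call: it only raises a warning from inside
// a function that received the credentials as arguments.
function connect_stub(string $host, string $user, string $pass): bool
{
    trigger_error("Can't create a new thread (errno 11)", E_USER_WARNING);
    return false;
}

// Weak reporter: renders the message plus every call frame with its arguments.
function report_verbose(string $msg, array $trace): string
{
    $out = "Error: $msg\n";
    foreach ($trace as $f) {
        $args = array_map(fn($a) => var_export($a, true), $f['args'] ?? []);
        $out .= '  ' . ($f['function'] ?? '?') . '(' . implode(', ', $args) . ")\n";
    }
    return $out;
}

// Hardened reporter: frames are printed without arguments, and any configured
// secret that still appears in the text (e.g. inside the message) is masked.
function report_safe(string $msg, array $trace, array $secrets): string
{
    $out = "Error: $msg\n";
    foreach ($trace as $f) {
        $out .= '  ' . ($f['function'] ?? '?') . "()\n";
    }
    return str_replace(array_filter($secrets, 'strlen'), '[redacted]', $out);
}

$reports = [];
set_error_handler(function (int $no, string $msg) use (&$reports, $settings): bool {
    $trace = debug_backtrace(); // DEBUG_BACKTRACE_IGNORE_ARGS would omit args at the source
    $reports['verbose'] = report_verbose($msg, $trace);
    $reports['safe'] = report_safe($msg, $trace, [$settings['db_pass']]);
    return true; // suppress PHP's default warning output
});

connect_stub($settings['db_host'], $settings['db_user'], $settings['db_pass']);

// Compare the two renderings of the same failure.
echo $reports['verbose'], "\n", $reports['safe'];
```

On a production site the detailed report belongs in a server-side log, with only a generic failure message shown to the visitor.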
       
Comments:
Posted by: Conner On Oct 12, 2007, 3:59 pm
Samson said:

No skin or DB queries were needed, so it is not necessary to run the upgrade script for this update.

Does this also apply to an upgrade to 1.4.2 from 1.4.0?
       

Posted by: Samson On Oct 12, 2007, 4:29 pm
No, that only applies to upgrading from 1.4.1 to 1.4.2. I should have been more clear about that.
       

Posted by: Conner On Oct 12, 2007, 5:17 pm
Darn, I was hoping.. oh well.. back to making diff files and fixing my personal edits after running the installer then. *sigh*
       

Posted by: Devenon On Oct 17, 2007, 3:36 pm
I hear ya Conner. I'll have to do the same.
       

Posted by: Samson On Oct 17, 2007, 10:17 pm
Heh. Sorry guys. Maybe once the skinning system is using a set of "safe to overwrite" templates this won't be such a problem.