Recently discovered security issue may bring the SQL injection, it all happens because the $cook variable in bb_cookie.php is not verified.
It all will work (as usually) if PHP setting register_globals is set to ON, additionally magic_quotes_gpc set to OFF.
Quick fix is to add 'cook' value to the $unset array which appears at the very top of index.php and bb_admin.php files. For example if you have
$unset=array('logged_admin','isMod',........);
add to the end 'cook' value separating it by comma.
$unset=array('logged_admin','isMod',........, 'cook');
Credit goes to mr. Stefan Esser who kindly discussed this issue privately with us not reporting it to public. Thank you. |
