Serious Facelift vulnerability discovered – Details and fix included

December 1st, 2009 by Cory

Update immediately! A serious directory traversal vulnerability has been discovered that affects all versions of Facelift. It could allow an attacker to retrieve plaintext copies of any file that PHP can read. This could include your WordPress database settings, for example. It is bad.

A patched version has already been made available at the Facelift homepage. If you downloaded Facelift in the last couple of days and the zip file was named either *2.0b3-B or 1.2.2, then you already have the patched version. If not, you should either update your Facelift installation or remove generate.php immediately.

To update your Facelift installation, please download an updated version. Overwrite the generate.php in your install with the patched version from the download. You can leave your config-flir.php and all other files alone; the problem only affects generate.php.

Many Facelift plugins are available for Drupal, Joomla, WordPress, etc. I've already contacted as many of these plugin authors as I could, and most have already issued fixes.

The problem exists in generate.php and is due to a variable not being properly sanitized. Big thanks go out to Johannes Herbst for discovering the problem.

If you are using one of the third-party plugins, please update your plugin immediately.

Manual Fix:

The problem can be fixed by changing one line in generate.php:

Facelift v1.2:

$FLIR['output']        = isset($FStyle['output']) ? ($FStyle['output']=='jpeg'?'jpg':$FStyle['output']) : 'auto';

Change to:

// Allow-list: only 'png' and 'gif' are passed through unchanged; any other
// value (including the old 'jpeg'/'jpg' mapping) falls back to 'auto'.
switch ( $FStyle['output'] ) {
	default:    $FLIR['output'] = 'auto'; break;
	case 'png': $FLIR['output'] = 'png';  break;
	case 'gif': $FLIR['output'] = 'gif';  break;
}

Facelift v2.0b3:

$FLIR['output']        		= isset($FStyle['output']) ? $FStyle['output'] : 'png';

Change to:

// Allow-list: only 'png' and 'gif' are passed through unchanged; any other
// value (or no value at all) becomes 'auto'.
switch ( $FStyle['output'] ) {
	default:    $FLIR['output'] = 'auto'; break;
	case 'png': $FLIR['output'] = 'png';  break;
	case 'gif': $FLIR['output'] = 'gif';  break;
}
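As an added check, not part of Facelift or of this post: a small Python script written for this page that walks a web root and reports whether each generate.php it finds still carries the unpatched assignment quoted above or the allow-list switch from the fix. The regular expressions are derived from the lines shown in this post, the sample strings are constructed for a self-test, and the web root is whatever path you pass on the command line.

```python
import re
import sys
from pathlib import Path

# Patterns derived from the two unpatched assignments quoted in this post
# (Facelift v1.2 and v2.0b3): $FStyle['output'] is copied straight into
# $FLIR['output'] after nothing more than an isset() check.
VULNERABLE_RE = re.compile(
    r"\$FLIR\['output'\]\s*=\s*isset\(\s*\$FStyle\['output'\]\s*\)\s*\?"
)
# The patched generate.php replaces that ternary with an allow-list switch.
PATCHED_RE = re.compile(r"switch\s*\(\s*\$FStyle\['output'\]\s*\)")


def classify(source: str) -> str:
    """Return 'vulnerable', 'patched' or 'unknown' for the text of a generate.php.

    The old assignment wins if present anywhere (even next to the new switch),
    so a half-applied edit is still flagged.
    """
    if VULNERABLE_RE.search(source):
        return "vulnerable"
    if PATCHED_RE.search(source):
        return "patched"
    return "unknown"


def scan(root: str) -> dict:
    """Walk a web root (assumed path) and classify every generate.php under it."""
    return {str(p): classify(p.read_text(errors="replace"))
            for p in Path(root).rglob("generate.php")}


# Constructed samples, copied from the lines quoted in the post, for a self-test.
SAMPLE_V12_BEFORE = ("$FLIR['output']        = isset($FStyle['output']) ? "
                     "($FStyle['output']=='jpeg'?'jpg':$FStyle['output']) : 'auto';")
SAMPLE_V20B3_BEFORE = ("$FLIR['output']        \t\t= isset($FStyle['output']) ? "
                       "$FStyle['output'] : 'png';")
SAMPLE_AFTER = ("switch ( $FStyle['output'] ) {\n"
                "\tdefault: \t$FLIR['output'] = 'auto'; \tbreak;\n"
                "\tcase 'png': $FLIR['output'] = 'png'; \tbreak;\n"
                "\tcase 'gif': $FLIR['output'] = 'gif'; \tbreak;\n}")

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, status in sorted(scan(root).items()):
        print(f"{status:<10} {path}")
```

Run it against the document root of each site that bundles a Facelift plugin (Drupal, Joomla, WordPress); anything reported as "vulnerable" or "unknown" deserves a manual look.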

1 comment

  1. dabroke says:

    Hi,

    Thanks for the fix!

    Keep up this really good work.
    Your script is awesome.
