whizzy vulnerability

Started by caeos, April 06, 2007, 05:14:08 PM


caeos

Is "TP" affected by this, and can I delete the whizzy directory without harm, just in case?

Nokonium


caeos

http://www.frsirt.com/english/advisories/2007/1136

Quote
Multiple vulnerabilities have been identified in aBitWhizzy, which could be exploited by attackers to gain knowledge of sensitive information or execute arbitrary scripting code. These issues are due to input validation errors in the "whizzylink.php", "whizzypic.php", "whizzery/whizzypic.php" and "whizzery/whizzylink.php" scripts that do not validate the "d" parameter, which could be exploited by attackers to disclose the installation path and list the contents of arbitrary directories, or cause arbitrary scripting code to be executed by the user's browser in the security context of an affected Web site.

IchBin

You should be able to delete the directory until you hear from Bloc about this. I'll forward this info to him so he can check on this.

caeos

Thank you, didn't really want my first actual post to be a scary one!

Dazed

Quote from: IchBin™ on April 06, 2007, 08:24:58 PM
You should be able to delete the directory until you hear from Bloc about this. I'll forward this info to him so he can check on this.
IchBin, I think Bloc mentioned this before upgrading to .983. I can't seem to find the post here now, but I know it related to a text editor and, I believe, it is that one. Of course I have no idea if it was fixed or not...

bloc

Whizzywig did indeed have security issues in whizzypic.php. In TP 0.9.8 that file was changed to no longer use the "d" from the query. Instead it uses the SMF internal values. It cannot be run on its own either, like before.

So you can keep the whizzypic.php if you wish... or just remove it if you'd rather be 100% safe.
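As an added illustration (not TinyPortal's or Whizzywig's actual code), here is the weak pattern the advisory describes beside the kind of change bloc outlines: the directory no longer comes from the request, the script refuses to run unless the forum included it, and anything rendered is escaped. The constant PICTURE_BASE and the function names are assumptions; the `SMF` guard is the standard one used by files shipped with SMF.

```php
<?php
// Added example, not the project's code. Contrasts a directory lister that
// trusts the "d" query parameter with one that uses only internal values.

// WEAK: the directory comes straight from the request, is not confined to a
// base path, and is echoed back unescaped. That is a directory-disclosure
// and a script-injection bug in one place (the flaw class the advisory names).
function list_pictures_weak(): array
{
    $d = $_GET['d'] ?? 'upload';          // attacker-controlled
    echo 'Listing ' . $d;                 // reveals paths, no escaping
    return scandir($d) ?: [];             // any readable directory
}

// HARDENED: refuse to run stand-alone. SMF's index.php defines SMF before
// including add-on files, so a direct request to this script stops here.
if (!defined('SMF')) {
    die('Hacking attempt...');
}

// The base directory is an application setting, never a request value.
const PICTURE_BASE = __DIR__ . '/upload';  // assumed config value

// $subdir is chosen by forum code (e.g. derived from the member id),
// never taken from $_GET; the realpath() check is defence in depth.
function list_pictures_hardened(string $subdir = ''): array
{
    $base   = realpath(PICTURE_BASE);
    $target = realpath(PICTURE_BASE . '/' . $subdir);
    if ($base === false || $target === false) {
        return [];                        // missing directory: list nothing
    }
    // realpath() resolves ".." and symlinks; reject anything outside $base.
    $inside = $target === $base
        || strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
    if (!$inside) {
        return [];
    }
    $files = [];
    foreach (scandir($target) as $name) {
        if ($name === '.' || $name === '..') {
            continue;
        }
        // Escape before the names reach the editor's HTML.
        $files[] = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    }
    return $files;
}

// Called from forum code, e.g. $files = list_pictures_hardened('member_12');
```

Requested directly, the hardened script exits at the `SMF` guard, which is the "cannot be run on its own" behaviour bloc describes.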

caeos

Thank you - I have already removed the directory after renaming it. I did get some hits on the whizzy alone, so thought it would be best to just stay with the default editor.

hartiberlin

What is this whizzypic.php used for?
Can I safely delete it?
I found some poker.html files in the
upload directory beneath it, and my site was probably hacked via it...
So what is it used for in TinyPortal?

Can I just delete the whole
wysiwyg
directory where it was located in my case?

Many thanks...

bloc

You can remove it, yes, and the wysiwyg folder if you are not using Whizzywig as an editor.
