Download the latest version 3.6.2 from the following zip file:
http://www.salessyntax.com/salessyntax-3.6.2.zip
Then upload all the files EXCEPT config.php over your existing installation and it will upgrade.
If you have bought the unbranded version of the program or the pro release, you will need
to log into your Member services account at:
http://www.salessyntax.com/apple.php
and then download the upgraded version of your pro or unbranded release using
the link shown inside your member services area of that site.
If you would like to have us upgrade or patch your
installation for you, you can request this service by filling out the following form:
http://www.salessyntax.com/upgrade/
OR apply the following patches to fix only the vulnerability:
In the file iphone/functions.php, change lines 957 to 963 to have a complete if/else statement:
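Code:
    // Only "writediv" is accepted as a message type.
    if ($typeof == "writediv") {
        if ($omitself) {
            // intval() forces the id to an integer before it joins the SQL.
            $excludesql = " AND saidfrom!=" . intval($myid);
        }
    } else {
        // Any other value is cleared so it never reaches the query.
        $typeof = "";
    }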
ALSO replace every occurrence of >'$aftertime' with >'".intval($aftertime)."'
So, for example, line 975 in functions.php, which reads:
Code:
    AND timeof>'$aftertime' AND livehelp_messages.typeof='$typeof'
becomes:
Code:
    AND timeof>'".intval($aftertime)."' AND livehelp_messages.typeof='$typeof'
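To confirm that no unpatched >'$aftertime' fragment is left after the manual edit, here is a shell helper, added as an example and not part of the Sales Syntax release. The function names find_unpatched and patch_file are made up for illustration, and the replacement assumes each hit sits inside a double-quoted PHP string, as on line 975.

```shell
#!/bin/sh
# Added example (not Sales Syntax code): audit an installation for the
# unpatched >'$aftertime' fragment and apply the replacement from the post.
# Usage after sourcing this file:
#   find_unpatched /path/to/install
#   patch_file /path/to/install/iphone/functions.php

# The unpatched fragment, exactly as quoted in the post.
OLD=">'\$aftertime'"

# Print file:line:text for every PHP line under directory $1 that still
# contains the unpatched fragment. Returns 0 when clean, 1 when hits remain.
find_unpatched() {
    # /dev/null forces grep to print the file name even for a single file.
    # grep exits 1 when nothing matches, so judge by the captured output.
    hits=$(find "$1" -type f -name '*.php' \
        -exec grep -nF -e "$OLD" /dev/null {} +) || :
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits"
    return 1
}

# Rewrite every >'$aftertime' in file $1 to >'".intval($aftertime)."'.
# The untouched original is kept beside it as $1.bak.
# Assumption: each occurrence is inside a double-quoted PHP string; a hit in
# a single-quoted string or a comment must be edited by hand instead.
patch_file() {
    cp -p "$1" "$1.bak" || return 1
    sed "s|>'\\\$aftertime'|>'\".intval(\$aftertime).\"'|g" "$1.bak" > "$1"
}
```

Run find_unpatched first and read each hit before running patch_file on that file; a second find_unpatched run should then print nothing.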