sql injection vulnerability - Security upgrade

csyntax
Site Admin
Posts: 7
Joined: Fri Feb 17, 2017 8:07 am

sql injection vulnerability - Security upgrade

Post by csyntax » Fri Feb 17, 2017 9:54 am

There is a security issue with versions of Sales Syntax below version 3.6.2 .

Download the latest version 3.6.2 from the following zip file:

http://www.salessyntax.com/salessyntax-3.6.2.zip

Then upload all the files EXCEPT config.php over your existing installation and it will upgrade.
If you have bought the unbranded version of the program or the pro release you will need
to log into your Member services account at:
http://www.salessyntax.com/apple.php
and then download the upgraded version of your pro or unbranded release by downloading
the link shown inside your member services area of that site.

If you would like to have us upgrade or patch your
installation for you then you can request this service by filling out the following form:

http://www.salessyntax.com/upgrade/

OR apply the following patches to just fix vulnerability only:

In the file iphone/functions.php change lines 957 to 963 to have a complete if/else statement:

Code:

if($typeof=="writediv"){
    if($omitself){
        $excludesql = " AND saidfrom!=". intval($myid);
    }
} else {
    $typeof="";
}

In functions.php change lines 961 onward to have a complete if/else statement:

Code:

if($typeof=="writediv"){
    if($omitself){
        $excludesql = " AND saidfrom!=". intval($myid);
    }
} else {
    $typeof="";
}

The important thing is that the value of typeof is either an empty string or writediv.

ALSO you need to replace all occurrences of >'$aftertime' with >'".intval($aftertime)."'";

So for example line 975 in functions.php, this:

Code:

AND timeof>'$aftertime' AND livehelp_messages.typeof='$typeof'

SHOULD BE:

Code:

AND timeof>'".intval($aftertime)."' AND livehelp_messages.typeof='$typeof'
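The two patches above both make a user-controlled value safe before it is spliced into SQL: the complete if/else reduces $typeof to one of two known literals, and intval() reduces $aftertime to an integer. The following is an added example, not code from Sales Syntax; the helper names build_where_unpatched and build_where_patched are hypothetical, and the assumption is that $typeof and $aftertime arrive from request parameters.

```php
<?php
// Added example, not Sales Syntax code. Builds the WHERE fragment from the
// post both without and with the two fixes, so the difference is visible.

// Hypothetical helper modelling the unpatched query construction.
function build_where_unpatched($typeof, $aftertime, $omitself, $myid) {
    $excludesql = "";
    if ($typeof == "writediv" && $omitself) {
        $excludesql = " AND saidfrom!=" . intval($myid);
    }
    // Both values are interpolated verbatim into the SQL string.
    return "AND timeof>'$aftertime' AND livehelp_messages.typeof='$typeof'" . $excludesql;
}

// Hypothetical helper with both patches from the post applied.
function build_where_patched($typeof, $aftertime, $omitself, $myid) {
    $excludesql = "";
    // Fix 1: complete if/else, so $typeof can only be "writediv" or "".
    if ($typeof == "writediv") {
        if ($omitself) {
            $excludesql = " AND saidfrom!=" . intval($myid);
        }
    } else {
        $typeof = "";
    }
    // Fix 2: intval() turns $aftertime into a plain integer before interpolation.
    return "AND timeof>'" . intval($aftertime) . "' AND livehelp_messages.typeof='$typeof'" . $excludesql;
}

// Constructed inputs: each carries a stray single quote, as a request
// parameter might, which terminates the SQL string literal early.
$typeof    = "writediv'";
$aftertime = "123'";

echo "unpatched: ", build_where_unpatched($typeof, $aftertime, true, 42), "\n";
echo "patched:   ", build_where_patched($typeof, $aftertime, true, 42), "\n";

// Sanity check of the patched behaviour: the quote is gone from both values
// and $typeof has collapsed to the empty string.
$patched = build_where_patched($typeof, $aftertime, true, 42);
if (strpos($patched, "'123'") === false || strpos($patched, "typeof=''") === false) {
    throw new RuntimeException("patched query does not match expected form");
}
```

Run it with `php example.php`. Note the limits of each fix: intval() is only a correct sanitiser for a column that is genuinely numeric (timeof here), and the if/else whitelist only works because typeof has exactly two legitimate values. For any other string parameter the equivalent protection is a prepared statement with bound parameters rather than further string interpolation.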

salessyntax
Posts: 1
Joined: Fri Feb 17, 2017 9:31 pm

Re: Security upgrade to version 3.6.2

Post by salessyntax » Fri Feb 17, 2017 9:35 pm

Or If you do NOT want to mess with editing the code you can just fill out this upgrade
request and we will do the work for you:

http://www.salessyntax.com/upgrade/
