[URL="http://www.ebanyu.com.ar/2013/03/wordpress-comment-rating-plugin-2932.html"]http://www.ebanyu.com.ar/2013/03/wordpress-comment-rating-plugin-2932.html[/URL]
y no lo quiero cambiar porque ya tengo un tiempo usandolo pero tampoco me quiero exponer
este es el codigo del archivo y en la url muestra donde estan la vulnerabilidades
Código PHP:
<?php
/*
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
require_once('../../../wp-config.php');
require_once('../../../wp-includes/functions.php');
// CSRF attack protection. Check the Referal field to be the same
// domain of the script
$k_id = strip_tags($wpdb->escape($_GET['id']));
$k_action = strip_tags($wpdb->escape($_GET['action']));
$k_path = strip_tags($wpdb->escape($_GET['path']));
$k_imgIndex = strip_tags($wpdb->escape($_GET['imgIndex']));
// prevent SQL injection
if (!is_numeric($k_id)) die('error|Query error');
$table_name = $wpdb->prefix . 'comment_rating';
$comment_table_name = $wpdb->prefix . 'comments';
if($k_id && $k_action && $k_path) {
//Check to see if the comment id exists and grab the rating
$query = "SELECT * FROM `$table_name` WHERE ck_comment_id = $k_id";
$result = mysql_query($query);
if(!$result) { die('error|mysql: '.mysql_error()); }
if(mysql_num_rows($result))
{
$duplicated = 0; // used as a counter to off set duplicated votes
if($row = @mysql_fetch_assoc($result))
{
// Handle proxy with original IP address
$ip = getenv("HTTP_X_FORWARDED_FOR") ? getenv("HTTP_X_FORWARDED_FOR") : getenv("REMOTE_ADDR");
if(strstr($row['ck_ips'], $ip)) {
// die('error|You have already voted on this item!');
// Just don't count duplicated votes
$duplicated = 1;
$ck_ips = $row['ck_ips'];
}
else {
$ck_ips = $row['ck_ips'] . ',' . $ip; // IPs are separated by ','
}
}
$total = $row['ck_rating_up'] - $row['ck_rating_down'];
if($k_action == 'add') {
$rating = $row['ck_rating_up'] + 1 - $duplicated;
$direction = 'up';
$total = $total + 1 - $duplicated;
}
elseif($k_action == 'subtract')
{
$rating = $row['ck_rating_down'] + 1 - $duplicated;
$direction = 'down';
$total = $total - 1 + $duplicated;
} else {
die('error|Try again later'); //No action given.
}
if (!$duplicated)
{
$query = "UPDATE `$table_name` SET ck_rating_$direction = '$rating', ck_ips = '" . $ck_ips . "' WHERE ck_comment_id = $k_id";
$result = mysql_query($query);
if(!$result)
{
// die('error|query '.$query);
die('error|Query error');
}
// Now duplicated votes will not
if(!mysql_affected_rows())
{
die('error|affected '. $rating);
}
$karma_modified = 0;
if (get_option('ckrating_karma_type') == 'likes' && $k_action == 'add') {
$karma_modified = 1; $karma = $rating;
}
if (get_option('ckrating_karma_type') == 'dislikes' && $k_action == 'subtract') {
$karma_modified = 1; $karma = $rating;
}
if (get_option('ckrating_karma_type') == 'both') {
$karma_modified = 1; $karma = $total;
}
if ($karma_modified) {
$query = "UPDATE `$comment_table_name` SET comment_karma = '$karma' WHERE comment_ID = $k_id";
$result = mysql_query($query);
if(!$result) die('error|Comment Query error');
}
// Invalidate the W3 cache by triggering the global wordpress action hook for an edited comment
do_action("edit_comment", $k_id);
}
} else {
die('error|Comment doesnt exist'); //Comment id not found in db, something wrong ?
}
} else {
die('error|Fatal: html format error');
}
// Add the + sign,
if ($total > 0) { $total = "+$total"; }
//This sends the data back to the js to process and show on the page
// The dummy field will separate out any potential garbage that
// WP-superCache may attached to the end of the return.
echo("done|$k_id|$rating|$k_path|$direction|$total|$k_imgIndex|dummy");
?>
[URL="http://www.cyber-knowledge.net/blog/extras/comment-rating-2.9.32.zip"]http://www.cyber-knowledge.net/blog/extras/comment-rating-2.9.32.zip[/URL]
gracias de antemano