
Full path disclosure vulnerability in LifeType 1.0.x and 1.1.x

A minor security issue affecting LifeType 1.0.x and 1.1.x has been reported. Please read on for the details.

LifeType 1.0.x and 1.1.x will reveal full paths if users point their browser at any of the .php files available under the class/ or plugins/ folder. The development team considers this a minor issue, but malicious parties could use it to gather information about the server, so it is recommended to patch all LifeType installations.

The best way to patch this is to follow the advice of the PHP documentation and set display_errors to Off in the php.ini file on all production servers.

If that is not possible, the development team is providing two .htaccess files that will prevent this issue. These files will be included in the LifeType 1.1.3 package, but while the development team is busy readying the release, the patches can be obtained and installed as follows.

Download the following files and save them in the indicated folders:

.htaccess for the classes folder, save as classes/.htaccess
.htaccess for the plugins folder, save as plugins/.htaccess
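Whichever fix is applied, saved response bodies from your own installation can be checked for remaining disclosures. The following is an added example, not LifeType code: it looks for the error format PHP prints when display_errors is on, and the file names, server paths and sample responses in it are constructed for illustration.

```python
import re

# PHP's display_errors output, with html_errors on and off:
#   <b>Fatal error</b>:  msg in <b>/abs/path/file.php</b> on line <b>12</b>
#   Warning: msg in /abs/path/file.php on line 12
PHP_ERROR = re.compile(
    r"(Fatal error|Parse error|Warning|Notice)(?:</b>)?:\s+"
    r".*?\s+in\s+(?:<b>)?"
    r"((?:/|[A-Za-z]:\\)[^<\r\n]*?)(?:</b>)?"   # absolute Unix or Windows path
    r"\s+on line\s+(?:<b>)?(\d+)"
)

def find_path_disclosures(body):
    """Return (level, absolute_path, line) for each PHP error in a response body."""
    return [(m.group(1), m.group(2), int(m.group(3)))
            for m in PHP_ERROR.finditer(body)]

def audit(responses):
    """Map each requested URL path to the disclosures found in its body."""
    report = {}
    for url_path, body in responses.items():
        hits = find_path_disclosures(body)
        if hits:
            report[url_path] = hits
    return report

# Constructed sample responses (hypothetical file names and server paths).
SAMPLES = {
    "/class/example.php":
        "<br />\n<b>Fatal error</b>:  Class 'Base' not found in "
        "<b>/home/demo/public_html/class/example.php</b> on line <b>5</b><br />\n",
    "/plugins/example/plugin.php":
        "Warning: include_once(x.php): failed to open stream: No such file or "
        "directory in /home/demo/public_html/plugins/example/plugin.php on line 3\n",
    # Ordinary page text that merely contains "in ... on line" must not match.
    "/index.php": "<html><body>Post found in the archive on line one</body></html>",
    # What a blocked request looks like once the .htaccess file is in place.
    "/class/patched.php": "<h1>403 Forbidden</h1>",
}

if __name__ == "__main__":
    for url_path, hits in audit(SAMPLES).items():
        for level, path, line in hits:
            print(f"{url_path}: {level} leaks {path} (line {line})")
```

An empty result from `audit` over responses for files under both folders indicates the errors are no longer being displayed to visitors.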

Credit goes to Jesper Jurcenok for finding and reporting the vulnerability. Please see the full advisory for more details.