I never expected to release another version of my old weblog project Flip, but while searching my own name in a new search engine, I came upon several vulnerability reports for Flip 3.0. I’ve known about them for awhile now, but having dropped Flip in favor of another project (which I’ve since abandoned, for the most part, in favor of WordPress), it seemed pointless to bother. However, since there is an active exploit, I thought I’d release an update and a patch.
I don’t believe anyone out there is still using Flip, but if there is, this is how to defeat the script: simple add this line at line 102 of account.php:
if(strstr($_POST['em'],"][")) { die('Fail'); } |
and this at line 162:
if(strstr($_POST['nem'],"][")) { die('Fail'); } |
Alternatively, you can download the modified file here or download Flip 3.0.1 here.
It may sound odd, but I would highly recommend that you do *not* use this code. It’s now 7 years old and the web is a much different place. The code here is really not suited for running a website today. That said, it was odd to unzip and install it and see that it actually works. The rendering of most of the “themes” is weird (Fudge works great), but otherwise, everything worked.
If you are still a Flip user, I recommend you update your account.php page immediately, and if you have the time and inclination, upgrade to 3.0.1. The following files have some minor changes:
- account.php
- index.php
- inc/config.php
- README.html
Once again, this code is aged not particularly well suited for today’s web. If you want a simple weblog, I recommend WordPress.
