Description
===========
PHPSecure.org's "fix" broke the functionality of PHPMyNewsLetter and
wouldn't fix the vulnerability of PHPMyNewsLetter
even if we would write the script using ereg-function correctly
(PHPSecure.org released their fix in Nov. 2002).

I. Details
II. Patch
III. Credits

I. Details
==========

How PHPSecure.org "fixed" PHPMyNewsletter:

include/customize.php

<?
$langfile = $l;
if ((!ereg("..",$l)) AND (file_exists($l))){
include($l);
}else{
echo "Lang File can't be found.";
}

<snip>

?>

What happens? The ereg function will always return TRUE and ! will
negate to FALSE, causing IF to abort always.
Why? http://www.php.net/manual/en/function.ereg.php
OK why? Simply because "." is used as symbol for "any single character".

So what happens if we "correct" the script and maintain the same technique?

<snip>
if ( (!ereg("\.\.",$l)) AND (file_exists($l)) ){
<snip>

It has the functionlity PHPSecure.org wanted (prevent a directory
traversal),
but who needs a directory traversal to access files?

So customize.php?l=../index.html would not work, but e.x.
customize.php?l=/home/mywebspace_username/www/.htpasswd will work
perfectly.

Fix
===

include/customize.php (or php3, php4.. whatever)

<?
$l = basename($l); # Sanitize
if ( (ereg("^lang-", $l)) AND (file_exists($l)) ){ # valid filename?
include($l); # Include
}else{
echo "Invalid language file";
exit;
}

$langfile = $l;

<snip>

?>

This allows accessing files begining with "lang-", that are in the same
directory as customize.php ("include" usually)