Fix : CVE-2011-3760 : Nucleus における重要な情報を取得される脆弱性

 http://jvndb.jvn.jp/ja/contents/2011/JVNDB-2011-004957.html
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3760

nucleus/xmlrpc/.htaccess

@@ -0,0 +1,12 @@
+Order allow,deny
+Deny from all
+
+<Files ~ "^server.php$">
+##### Allow all access
+Allow from all
+### example:
+##### Allow softbank ybb
+# Allow from .bbtec.net
+##### Allow from local_ip_address
+# Allow from 127.0.0.1
+</Files>

nucleus/xmlrpc/api_blogger.inc.php

@@ -12,6 +12,9 @@
  * This file contains definitions for the methods in the Blogger API
  */
 
+// prevent direct access
+if (!isset($member))
+  exit;
 
 	// blogger.newPost
 	$f_blogger_newPost_sig = array(array(
@@ -443,4 +446,4 @@ function blogger_specialTags($item) {
 	);
 
 
-?>
+?>

nucleus/xmlrpc/api_metaweblog.inc.php

@@ -13,6 +13,9 @@
  *	This file contains definitions for the methods of the metaWeblog API
  */
 
+// prevent direct access
+if (!isset($member))
+  exit;
 
 	// metaWeblog.newPost
 	$f_metaWeblog_newPost_sig = array(array(

nucleus/xmlrpc/api_mt.inc.php

@@ -15,6 +15,10 @@
  * Wouter Demuynck 2003-08-31
  */
 
+// prevent direct access
+if (!isset($member))
+  exit;
+
 	// mt.supportedMethods
 	$f_mt_supportedMethods_sig = array(array(
 			// return type

nucleus/xmlrpc/api_nucleus.inc.php

@@ -14,6 +14,10 @@
  * NOTE: These functions are deprecated and will most likely be removed!
  */
 
+// prevent direct access
+if (!isset($member))
+  exit;
+
 	// nucleus.addItem
 	$f_nucleus_addItem_sig = array(array(
 			// return type
@@ -290,7 +294,8 @@ function _getItem($itemid, $username, $password) {
 
 	}
 
-
+	if (!isset($functionDefs))
+	  $functionDefs = array();
 	$functionDefs = array_merge($functionDefs,
 		array(
 			"nucleus.addItem" =>