4images Forum & Community
Topic: 4images 1.7.11

kai (Administrator)
« on: July 06, 2012, 03:05:46 PM »

The new version 4images 1.7.11 has been released. This release comes with some improvements, bug fixes and security fixes.
We recommend that all users update to the current version. All changes and features are listed in "docs/Changelog.txt".

Download:
http://www.4homepages.de/4images/download.php

Demo:
http://www.4homepages.de/4images/demo.php


Please use this thread for feedback about the 4images 1.7.11 version.
Your first three "must do" before you ask a question:
1. Forum rules
2. FAQ
3. Search
kai (Administrator)
« Reply #1 on: July 06, 2012, 03:15:35 PM »

=========================================================
ChangeLog Version 1.7.11
=========================================================
- [1.7 - 1.7.10] Security fix for XSS issue in admin/categories.php
- [1.7 - 1.7.10] Security fix for SQL injection in admin/categories.php
- [1.7 - 1.7.10] Security fix for open redirect vulnerability in admin/index.php
- [1.7 - 1.7.10] Security fix for XSS issue
- Fixed auto-login in sessions.php
- Fixed email notification to user after activation by admin (http://www.4homepages.de/forum/index.php?topic=29623.0)
- Fixed sql error if apostrophe in name of image (http://www.4homepages.de/forum/index.php?topic=29950.0)
- Changed DB default settings from TYPE to ENGINE (http://www.4homepages.de/forum/index.php?topic=29627.0)
- template with 960px width used as default


Changed Files:
---------------------------------------

details.php
rss.php
admin/categories.php
admin/index.php
admin/users.php
data/database/default/mysql_default.sql
includes/db_mysql.php
includes/functions.php
includes/search_utils.php
includes/sessions.php
« Last Edit: July 10, 2012, 02:42:01 PM by kai »
kai (Administrator)
« Reply #2 on: July 25, 2012, 01:28:20 PM »

Here is a detailed list of what has been changed in the PHP files from 4images 1.7.10 -> 1.7.11.
(The best way to compare the code of the files yourself is to use WinMerge.)



details.php
search for

$meta_keywords  = !empty($image_row['image_keywords']) ? implode(", ", explode(",", $image_row['image_keywords'])) : "";

replace with

$meta_keywords  = !empty($image_row['image_keywords']) ? strip_tags(implode(", ", explode(",", $image_row['image_keywords']))) : "";

rss.php
search for

function format_rss_html($text) {
  $text = format_text(trim($text), 1, 0, 1);
  return $text;
}

replace with

function format_rss_html($text) {
  $text = format_text(trim($text), 2, 0, 1);
  return $text;
}

admin/categories.php
search for

$cat_parent_id = (isset($HTTP_GET_VARS['cat_parent_id'])) ? $HTTP_GET_VARS['cat_parent_id'] : 0;

replace with

$cat_parent_id = (isset($HTTP_GET_VARS['cat_parent_id'])) ? intval($HTTP_GET_VARS['cat_parent_id']) : 0;

admin/index.php
search for

if ($redirect != "") {
  show_admin_header("<meta http-equiv=\"Refresh\" content=\"0; URL=".$site_sess->url($redirect)."\">");
  echo "<p><a href=\"".$site_sess->url($redirect)."\">".$lang['admin_login_redirect']."</a></p>";
  show_admin_footer();
  exit;
}

replace with

if ($redirect != "") {
  if (strpos($redirect, '://') === false) {
    show_admin_header("<meta http-equiv=\"Refresh\" content=\"0; URL=".$site_sess->url($redirect)."\">");
    echo "<p><a href=\"".$site_sess->url($redirect)."\">".$lang['admin_login_redirect']."</a></p>";
    show_admin_footer();
  } else {
    redirect('home.php');
  }
  exit;
}

search for

if ($action == "frames") {
  if ($goto != "") {
    $framesrc = $site_sess->url($goto);
  }
  else {
    $framesrc = $site_sess->url("home.php");
  }

replace with

if ($action == "frames") {
  if ($goto != "" && strpos($goto, '://') === false) {
    $framesrc = $site_sess->url($goto);
  }
  else {
    $framesrc = $site_sess->url("home.php");
  }

admin/users.php
search for

else {
    $activation = 0;
  }

replace with

else {
    // 2 = activation by admin (the compared value was lost in the forum's code rendering)
    if ($config['account_activation'] == 2 && $user_row['user_level'] == USER_AWAITING) {
        $activation = 1;
    } else {
        $activation = 0;
    }
  }

data/database/default/mysql_default.sql
use the mysql_default.sql from 1.7.11 package

includes/db_mysql.php
search for

  function Db($db_host, $db_user, $db_password = "", $db_name = "", $db_pconnect = 0) {
    $connect_handle = ($db_pconnect) ? "mysql_pconnect" : "mysql_connect";
    if (!$this->connection = @$connect_handle($db_host, $db_user, $db_password)) {
      $this->error("Could not connect to the database server ($db_host, $db_user).", 1);
    }
    if ($db_name != "") {
      if (!@mysql_select_db($db_name)) {
        @mysql_close($this->connection);
        $this->error("Could not select database ($db_name).", 1);
      }
    }
    return $this->connection;
  }

replace with

  function Db($db_host, $db_user, $db_password = "", $db_name = "", $db_pconnect = 0) {
    $connect_handle = ($db_pconnect) ? "mysql_pconnect" : "mysql_connect";
    if (!$this->connection = @$connect_handle($db_host, $db_user, $db_password)) {
      $this->error("Could not connect to the database server ($db_host, $db_user).", 1);
    }
    if ($db_name != "") {
      if (!@mysql_select_db($db_name)) {
        @mysql_close($this->connection);
        $this->error("Could not select database ($db_name).", 1);
      }
    }
    return $this->connection;
  }

  // New in 1.7.11: connection-aware escaping for values used in SQL strings
  function escape($value) {
    return mysql_real_escape_string($value, $this->connection);
  }

includes/functions.php
search for

function check_email($email) {
  return (preg_match('/^[-!#$%&\'*+\\.\/0-9=?A-Z^_`{|}~]+@([-0-9A-Z]+\.)+([0-9A-Z]){2,4}$/i', $email)) ? 1 : 0;
}

replace with

function check_email($email) {
  return (preg_match('/^[-!#$%&\'*+\\.\/0-9=?A-Z^_`{|}~]+@([-0-9A-Z]+\.)+([0-9A-Z]){2,}$/i', $email)) ? 1 : 0;
}

includes/search_utils.php
search for

    $word_cache = array();
    foreach ($split_words as $word) {
      $word_cache[$word] = 1;
      $allwords_sql .= ($allwords_sql != "") ? ", '".$word."'" : "'".$word."'";
    }

replace with

    $word_cache = array();
    foreach ($split_words as $word) {
      $word_cache[$word] = 1;
      $allwords_sql .= ($allwords_sql != "") ? ", '".addslashes($word)."'" : "'".addslashes($word)."'";
    }

search for

      $sql = "INSERT INTO ".WORDMATCH_TABLE." (image_id, word_id".$match_insert_key_sql.")
              SELECT DISTINCT $image_id, word_id".$match_insert_val_sql."
                FROM ".WORDLIST_TABLE."
                WHERE word_text = '$key'";
      $site_db->query($sql);

replace with

      $sql = "INSERT INTO ".WORDMATCH_TABLE." (image_id, word_id".$match_insert_key_sql.")
              SELECT DISTINCT $image_id, word_id".$match_insert_val_sql."
                FROM ".WORDLIST_TABLE."
                WHERE word_text = '" . addslashes($key) . "'";
      $site_db->query($sql);

includes/sessions.php
search for

      if (secure_compare($this->read_cookie_data("userpass"), md5($this->user_info['user_password'])) && $this->user_info['user_level'] > USER_AWAITING) {
        $this->set_cookie_data("userpass", $this->user_info['user_password']);
      }

replace with

      if (secure_compare($this->read_cookie_data("userpass"), md5($this->user_info['user_password'])) && $this->user_info['user_level'] > USER_AWAITING) {
        $this->set_cookie_data("userpass", md5($this->user_info['user_password']));
      }


If you want to get rid of the update notice in the admin area, edit the value in constants.php.


Thanks to Crazymodder!
« Last Edit: July 30, 2012, 10:38:41 AM by kai »
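The open-redirect rule that 1.7.11 adds to admin/index.php, shown next to a stricter variant, as an added example that is not code from the 4images project; all function names and the sample host external.example are this example's own.

```php
<?php
// Added example, not 4images code. Function names are this example's own.

// What 4images 1.7.11 checks before honouring $redirect / $goto in
// admin/index.php: the value is non-empty and contains no "://".
function redirect_allowed_1711($target)
{
    return $target != "" && strpos($target, '://') === false;
}

// Stricter rule: a redirect target inside the gallery is a relative URL, so
// it may carry neither a scheme nor an authority (host, port, user info).
// Protocol-relative ("//host/...") and "scheme:" forms are refused as well,
// which the "://" test alone does not cover.
function redirect_allowed_strict($target)
{
    if (!is_string($target) || $target === '' || strlen($target) > 2048) {
        return false;
    }
    // Control characters and backslashes never occur in gallery-internal URLs.
    if (preg_match('/[\x00-\x1f\x7f\\\\]/', $target)) {
        return false;
    }
    $parts = parse_url($target);
    if ($parts === false) {
        return false;
    }
    foreach (array('scheme', 'host', 'port', 'user', 'pass') as $component) {
        if (isset($parts[$component])) {
            return false;
        }
    }
    return true;
}

// Resolve a requested target to the page actually used for the redirect,
// falling back to home.php exactly as the 1.7.11 patch does.
function admin_redirect_target($requested)
{
    return redirect_allowed_strict($requested) ? $requested : 'home.php';
}

// Constructed sample values; external.example is a placeholder host.
$samples = array('home.php', 'categories.php?cat_id=3',
                 'https://external.example/', '//external.example/');
foreach ($samples as $t) {
    printf("%-28s 1.7.11: %-4s strict: %-4s -> %s\n", $t,
        redirect_allowed_1711($t) ? 'pass' : 'fail',
        redirect_allowed_strict($t) ? 'pass' : 'fail',
        admin_redirect_target($t));
}
```

The strict variant is what to prefer when porting the fix to a custom admin page: it whitelists the shape of a local target instead of blacklisting one substring.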