Author Topic: [1.7.2] Security fix for global.php  (Read 118257 times)

Offline Bugfixed

  • Jr. Member
  • **
  • Posts: 96
    • View Profile
    • Lavinya
Re: [1.7.2] Security fix for global.php
« Reply #15 on: April 26, 2006, 10:13:22 AM »
Hımmm..

thanks V@no .
<?php echo 'Hello, World!'; ?>

Offline V@no

  • If you don't tell me what to do, I won't tell you where you should go :)
  • Global Moderator
  • 4images Guru
  • *****
  • Posts: 17.849
  • mmm PHP...
    • View Profile
    • 4images MODs Demo
Re: [1.7.2] Security fix for global.php
« Reply #16 on: April 26, 2006, 10:23:27 AM »
I've updated the original post with some more instructions (see step 2)
Your first three "must do" before you ask a question:
Please do not PM me asking for help unless you've been specifically asked to do so. Such PMs will be deleted without answer. (forum rule #6)
Extension for Firefox/Thunderbird: Master Password+    Back/Forward History Tweaks (restartless)    Cookies Manager+    Fit Images (restartless for Thunderbird)

Offline BartAfterDark

  • Hero Member
  • *****
  • Posts: 520
    • View Profile
Re: [1.7.2] Security fix for global.php
« Reply #17 on: April 26, 2006, 11:43:40 AM »
so the only thing that needs to get replaced is
Code: [Select]
/* and */ ?

If you want to read about this bug: http://secunia.com/advisories/19745/

Offline quartz

  • Newbie
  • *
  • Posts: 18
    • View Profile
Re: [1.7.2] Security fix for global.php
« Reply #18 on: April 26, 2006, 02:11:38 PM »
thanks for that update

Offline hyde101

  • Sr. Member
  • ****
  • Posts: 410
  • 34TR.COM (Running 4images)
    • View Profile
    • Nostalgia Istanbul
Re: [1.7.2] Security fix for global.php
« Reply #19 on: April 26, 2006, 04:30:32 PM »
Thank you for the update, I have several sites running 1.7.2 but others were 1.7.
Would this be OK if I applied it on 1.7 ?

Thank You.

Please Vote for my site: Here

Offline mawenzi

  • 4images Moderator
  • 4images Guru
  • *****
  • Posts: 4.500
    • View Profile
Re: [1.7.2] Security fix for global.php
« Reply #20 on: April 26, 2006, 04:43:12 PM »
@ ufkydpnr,

A 4images installation version 1.7 with all "security fixes" does not contain this "security hole"!
Your first three "must do" before you ask a question ! ( © by V@no )
- please read the Forum Rules ...
- please study the FAQ ...
- please try to Search for your answer ...

You are on search for top 4images MOD's ?
- then please search here ... Mawenzi's Top 100+ MOD List (unsorted sorted) ...

Offline hyde101

Re: [1.7.2] Security fix for global.php
« Reply #21 on: April 26, 2006, 05:14:33 PM »
Dear Mawenzi,
Thanks for your reply, I guess you replied the same thing in German before, but thanks again since I don't speak German.

:)

Offline Ston4Img

  • Newbie
  • *
  • Posts: 28
    • View Profile
Re: [1.7.2] Security fix for global.php
« Reply #22 on: April 26, 2006, 11:03:43 PM »
Hi.

What is with the Bug from here? http://www.4homepages.de/forum/index.php?topic=10921.0 is it in 1.7.2 included ? I can register with "<" or ">" in the Name....???

Hello.
What about this bug: http://www.4homepages.de/forum/index.php?topic=10921.0. Is it integrated in version 1.7.2? I can again register users with > or < in the name ???
... doesn't that actually do almost the same thing?

Edit 1:
Code: [Select]
if ($site_db->not_empty($sql)) {
        $msg .= (($msg != "") ? "<br />" : "").$lang['username_exists'];
        $error = 1;
      }
    }
    else {
      $msg .= (($msg != "") ? "<br />" : "").$field_error = preg_replace("/".$site_template->start."field_name".$site_template->end."/siU", str_replace(":", "", $lang['user_name']), $lang['field_required']);
      $error = 1;

Can't find this ...

I can't find this section anymore

Code: [Select]
elseif (preg_match("#[<>]#", $user_name))
      {
        $msg .= (($msg != "") ? "<br />" : "").$lang['username_bad_characters'];
        $error = 1;
      }
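
The `[<>]` user name check quoted in the post above, placed in a self-contained validator and paired with output encoding, as an added example that is not part of the original thread and is not 4images code. The function names, message texts and sample names are constructed for illustration; only the `#[<>]#` pattern and the two `$lang` keys come from the thread.

```php
<?php
// Added illustration, not 4images code. Only the "#[<>]#" pattern and the
// keys 'username_exists' / 'username_bad_characters' appear in the thread;
// every other name, message text and input here is constructed.
$lang = [
    'field_required'          => 'Please fill out the user name field.',
    'username_bad_characters' => 'User name contains invalid characters.',
    'username_exists'         => 'User name already exists.',
];

// Returns the error messages for a submitted user name.
// $taken stands in for the database lookup done by the real script.
function validate_username(string $user_name, array $taken, array $lang): array
{
    $errors = [];
    $user_name = trim($user_name);
    if ($user_name === '') {
        $errors[] = $lang['field_required'];
    } elseif (preg_match('#[<>]#', $user_name)) {
        // Same test as in the thread: refuse angle brackets at registration.
        $errors[] = $lang['username_bad_characters'];
    } elseif (in_array(strtolower($user_name), array_map('strtolower', $taken), true)) {
        $errors[] = $lang['username_exists'];
    }
    return $errors;
}

// Encode on output as well: names stored before the check was installed
// are never re-validated, and a double quote passes the [<>] test.
function render_username(string $user_name): string
{
    return htmlspecialchars($user_name, ENT_QUOTES, 'UTF-8');
}

$samples = ['dave', 'Carol', 'bob<b>', 'a"b', '']; // constructed inputs
foreach ($samples as $name) {
    $errors = validate_username($name, ['carol'], $lang);
    printf("%-10s => %s\n", var_export($name, true),
        $errors ? implode('; ', $errors) : 'accepted');
}

// 'a"b' is accepted by the input check; encoding makes it safe to print
// inside HTML text or a quoted attribute.
echo render_username('a"b'), "\n";
```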

Offline V@no

Re: [1.7.2] Security fix for global.php
« Reply #23 on: April 26, 2006, 11:37:30 PM »
What is with the Bug from here? http://www.4homepages.de/forum/index.php?topic=10921.0 is it in 1.7.2 included ? I can register with "<" or ">" in the Name....???
Please pay attention to the version number of the security fix.
If it says v1.7 / v1.7.1, it means only v1.7 and v1.7.1 are affected; v1.7.2 is already fixed. If it says v1.7.2, that means only v1.7.2 has the bug; all previous versions don't have it.
Now, if you are having a problem installing the fix for v1.7 or v1.7.1, then why would you reply to this topic?

Offline linux_rh

  • Newbie
  • *
  • Posts: 34
    • View Profile
Re: [1.7.2] Security fix for global.php
« Reply #24 on: April 28, 2006, 10:44:18 AM »
 :D :D :D

Hi all, thank you for the bug solution that was found in version 1.7.2 in the global.php

I replace that old file with the new file and we try to register but we can't

It means that the problem is solved

thank youuuuuuuuuuuuuuuuuuuuuuu


Offline V@no

Re: [1.7.2] Security fix for global.php
« Reply #25 on: April 28, 2006, 03:08:28 PM »
Just a note:
With this fix you can not post any <script> <iframe> etc HTML code anywhere from regular members pages (profile, descriptions, comments, etc)
If you, as admin, wish to add such code, you'll have to do it via ACP

Offline brice626

  • Pre-Newbie
  • Posts: 7
    • View Profile
Re: [1.7.2] Security fix for global.php
« Reply #26 on: April 30, 2006, 01:52:17 AM »
Just a note:
With this fix you can not post any <script> <iframe> etc HTML code anywhere from regular members pages (profile, descriptions, comments, etc)
If you, as admin, wish to add such code, you'll have to do it via ACP

Question: I just posted this topic: http://www.4homepages.de/forum/index.php?topic=12761.new#new

Is the reason the issue you mention above? If by ACP you mean "Admin Control Panel" (I'm just guessing) that didn't seem to be the case for me. After the upgrade, all my existing HTML in the description fields stopped working and even when entered from the Admin Control Panel it will not work.

Offline caballonegro

  • Newbie
  • *
  • Posts: 34
    • View Profile
Re: [1.7.2] Security fix for global.php
« Reply #27 on: May 10, 2006, 12:01:46 PM »
 :twisted: :twisted:
Is a change also necessary if 4images accesses the phpBB user database for registrations? :?: :?: :?:


Thanks and regards

Regards
caballonegro

Offline milius.net

  • Pre-Newbie
  • Posts: 3
  • milius.net
    • View Profile
    • milius.net
Re: [1.7.2] Security fix for global.php
« Reply #28 on: May 31, 2006, 02:47:41 PM »
The phpBB user database?
I'm new here, but if I were you I would apply the changes ...

Offline FransisDastinut

  • Pre-Newbie
  • Posts: 1
    • View Profile
    • http://tinka.info/wrd/b/k/
Re: [1.7.2] Security fix for global.php
« Reply #29 on: December 13, 2008, 12:57:50 PM »
thanks a lot for [1.7.2] Security fix  8)
Fransis Loirty Dastinut, Sr.