
Security Release: XOOPS 2.0.12a

Posted by Mithrandir on 2005/6/28 14:10:00 (17468 reads) | Posted on Security
Just last Friday, we released XOOPS v2.0.11, but during the weekend, I had a great deal of communication with James from GulfTech Security Research, who helped me find and fix a couple of holes in the XML-RPC interface and the comment system.

Also, work done by XOOPS JP and JM2 and the zx team helped with a couple of other bugs and issues.

We therefore recommend everyone to upgrade to version 2.0.12a, available from this site.

Upgrade instructions:
1. Download patch
2. Extract patch
3. Upload patch to webserver (NOTE: ONLY upload modules/newbb/post.php if you use Newbb version 1.0)
4. Update System Module
5. That's it

Changes since 2.0.10:

============================
2005/06/29: Version 2.0.12a
============================
- Fixed bug in comments, where editing a comment would post a new one
- Removed PHP parsing in Saxparser's handleProcessingInstruction() method (Thanks to GIJOE)
- Fixed parse error in modules/newbb/post.php

============================
2005/06/28: Version 2.0.12
============================
- Fixed sanitation bug in include/comment_form.php and include/comment_post.php (Mithrandir/James@Gulftech)
- Fixed sanitation bug in class/xml/rpc/xmlrpcapi.php and class/criteria.php (Mithrandir/James@Gulftech/XOOPS JP)
- Changed admin.php to fetch news from xoops.org via Snoopy (Mithrandir/XOOPS JP)
- Fixed possible XSS hole in redirect_header (Mithrandir/XOOPS JP)
- Security fixes in pda.php and misc.php (Mithrandir/XOOPS JP)
- Fixed typos in kernel/object.php (Mithrandir/brandycoke)

============================
2005/06/24: Version 2.0.11
============================
- Fixed bug where lostpass.php would not accept emails and send new password (Ackbarr)
- Fixed bug where search result links would be wrong if the item was in another module than the searched one (Ackbarr)
- Fixed bug in groups admin where it was impossible to add users to a group if the site had 200+ users (Ackbarr)
- Fixed bug with uploading smilies (Ackbarr)

XOOPS 2.0.12 Stable
.zip | tarball

XOOPS 2.0.10 to 2.0.12 patch
.zip | tarball

XOOPS 2.0.12 to 2.0.12a patch
Kindly provided by LazyBadger



The comments are owned by the poster. We aren't responsible for their content.

Hello Mith, what is the URL to download? You with the Xoops Nightly yesterday. Is this correct and fix ok?
Posted: 2005/6/28 14:32 • Updated: 2005/6/28 14:32
Use the link at the top of the front page:

GET THE LATEST XOOPS VERSION / DOWNLOAD NOW! >> XOOPS 2.0.x full versions
Posted: 2005/6/28 14:42 • Updated: 2005/6/28 14:42
Sorry - forgot about the download links. Added now.
Posted: 2005/6/28 14:43 • Updated: 2005/6/28 14:43
hah
nice news for me
but i'm changed my xoops 2.10 to 2.11 last night :)

where is xoops 2.0.11 to 2.0.12 patch ?
Posted: 2005/6/28 14:45 • Updated: 2005/6/28 14:45
For anyone following XOOPS unstable: yesterday's version (27/06) gives an error when it is updated with the security fix.
Posted: 2005/6/28 14:51 • Updated: 2005/6/28 14:51
indream, use the XOOPS-2.0.10-to-2.0.12 patch.
Posted: 2005/6/28 14:52 • Updated: 2005/6/28 14:52
edit:

Nevermind. Someone already posted the answer.
Posted: 2005/6/28 14:53 • Updated: 2005/6/28 14:54
Pratanet: this is not a security fix for the unstable 2.1.x releases, but a fix for the stable 2.0.11 release. Don't mix these up please

XOOPS 2.1.x is still in active development, and the first stable release in the 2.x series will be XOOPS 2.2.

Herko
Posted: 2005/6/28 14:53 • Updated: 2005/6/28 14:53
and... if I understand correctly...
no, you cannot apply this update to a 2.1.1 or CVS Nightly installation. It is for 2.0.10 or 2.0.11 only.
Posted: 2005/6/28 14:54 • Updated: 2005/6/28 14:54
XOOPS 2.0.10 to 2.0.12

You need change include/version.php (2.0.11 to 2.0.12).
Posted: 2005/6/28 14:57 • Updated: 2005/6/28 14:57
nice work guys :)
Posted: 2005/6/28 14:57 • Updated: 2005/6/28 14:57
rsrsrs...
I perceived that of the error... thanks...
Posted: 2005/6/28 14:57 • Updated: 2005/6/28 14:57
Quote:
You need change include/version.php (2.0.11 to 2.0.12).

Ah geez.. Sorry.

It is only in the update - will fix asap.
Posted: 2005/6/28 14:59 • Updated: 2005/6/28 14:59
send new comment func not working and show a printer friendly page...
and i'm searching any new bugs :(
Posted: 2005/6/28 15:00 • Updated: 2005/6/28 15:02
I can add comments... not sure I got all the information I need there.

And what is showing a printer friendly page?
Posted: 2005/6/28 15:06 • Updated: 2005/6/28 15:06
delete this
Posted: 2005/6/28 15:10 • Updated: 2005/9/20 21:48
It doesn't do that on my own installation.

Any php debug errors?
Posted: 2005/6/28 15:13 • Updated: 2005/6/28 15:13
Just applied the patch to xoops.org

As you can see, it works fine
Posted: 2005/6/28 15:18 • Updated: 2005/6/28 15:18
oops i'm sorry
Posted: 2005/6/28 15:23 • Updated: 2005/6/28 15:23
hah
nice news for me
but i'm changed my xoops 2.10 to 2.11 last night :)
Posted: 2005/6/28 15:23 • Updated: 2005/6/28 15:23
wrong alert :)
pls delete this comment
Posted: 2005/6/28 15:25 • Updated: 2005/6/28 15:25
i heard u the 1st time. :s
Posted: 2005/6/28 15:28 • Updated: 2005/6/28 15:28
Thought there was a bug in the comment system lol!
Posted: 2005/6/28 15:30 • Updated: 2005/6/28 15:30
hehe


this not my error this error for my stupid ftp programs error :)
Posted: 2005/6/28 15:35 • Updated: 2005/6/28 15:35
Glad you found it out.
Posted: 2005/6/28 15:38 • Updated: 2005/6/28 15:38
If upgrading from 2.0.9.3 can you use the 2.0.10 to 2.0.12 patch?
Posted: 2005/6/28 17:02 • Updated: 2005/6/28 17:02
Yes, you can. Just done it and it works.
Posted: 2005/6/28 17:11 • Updated: 2005/6/28 17:11
ted, you will need to do the 2093 - 2010 1st.. otherwise you'll be missing a lot of files..
Posted: 2005/6/28 17:50 • Updated: 2005/6/28 17:50
I was on 2.0.11. I uploaded the patch files and went to Admin Module. When I try to update the System module I get the message "Press the button below to update this module" BUT there is no button to press.
Posted: 2005/6/28 19:06 • Updated: 2005/6/28 19:06
Hi all,

like a bonehead I applied the 2.0.12 patch to my installation while forgetting that I have the MultiLanguages module running.

As a warning to others with similar circumstances. Don't apply the 2.0.12 patch if you want to retain all your multilanguages functionality. I think the patch to the file: /kernel/object.php breaks the ML module's ability to make menu titles appear in their appropriate language.

I'll be waiting until Marcan and the others have an updated ML module ready to go for 2.0.12. I could go in and try to hack it myself, but I might as well wait as Marcan is good with his updates.

Otherwise if you're not running ML, then apply the security patch.

Jose
Posted: 2005/6/28 22:58 • Updated: 2005/6/28 22:58
back again,

out of my own curiosity I found Marcan's hack in the file /kernel/object.php

Around line 282 of the file:

        case XOBJ_DTYPE_TXTBOX:
            switch (strtolower($format)) {
            case 's':
            case 'show':
            case 'e':



Changed that to reflect what I found in the ML version of the same file. Thus it is now:


        case XOBJ_DTYPE_TXTBOX:
            switch (strtolower($format)) {
            case 's':
            case 'show':
                // ML Hack by marcan
                $ts =& MyTextSanitizer::getInstance();
                $ret = $ts->htmlSpecialChars($ret);
                return $ts->formatForML($ret);
                break 1;
                // End of ML Hack by marcan
            case 'e':



If you choose to apply the same patch to your system after applying the 2.0.12 patch, you might get lucky and get your menu titles back like me. Otherwise, YMMV. Don't blame me if anything gets smoky. My best advice is to wait until Marcan comes out with a new ML module.

Jose
Posted: 2005/6/28 23:12 • Updated: 2005/6/28 23:12
Quote:

I was on 2.0.11. I uploaded the patch files and went to Admin Module. When I try to update the System module I get the message "Press the button below to update this module" BUT there is no button to press.


Just a follow up - my webhost said it is a server side problem and they are fixing it....

phew...
Posted: 2005/6/29 0:02 • Updated: 2005/6/29 0:02
hi Mith.

What a Good and Prompt work! :thumb:
Many thanks.

BTW, I can't find the place Mith patched against saxparser executable

And the almost contributes are not from "XOOPS JP", but from JM2 leading "zx team".
(Though only class/criteria.php is contributed by XOOPS JP team)
Posted: 2005/6/29 0:41 • Updated: 2005/6/29 0:41
Quote:

Changed that to reflect what I found in the ML version of the same file. Thus it is now:


Thanks, this did for me...
Posted: 2005/6/29 1:10 • Updated: 2005/6/29 1:10
Quote:
the almost contributes are not from "XOOPS JP", but from JM2 leading "zx team".

Ah, sorry for confusing things.

Some things (pda.php, misc.php, admin.php) were taken from XOOPS JP 2.0.11-beta.

The saxparser.php, I was certain I had put in 2.0.x - but apparently I did only do that for 2.2, which will be out in 1½ weeks.
Posted: 2005/6/29 5:37 • Updated: 2005/6/29 5:37
Quote:
I was on 2.0.11. I uploaded the patch files and went to Admin Module. When I try to update the System module I get the message "Press the button below to update this module" BUT there is no button to press.


How is this a server side problem?

I just updated from 2.0.10 and have the same thing?
Posted: 2005/6/29 5:58 • Updated: 2005/6/29 5:58
I found an abnormality: an image from the image manager in a category stored as blob/database cannot be displayed at all. Everything is OK when the images are stored as files.

This bug is included in /class/criteria.php (i experimentally upgraded (the second time) file by file). I'm not a hacker, so i cannot tell you what's wrong with it, and where....


Posted: 2005/6/29 6:20 • Updated: 2005/6/29 6:20
Yes, you can. Just done it and it works.

============

Edit

Perhaps not, looking at Montys reply below! It seemed to have worked but I've perhaps done something wrong. Will apply the patches sequentially tonight!
Posted: 2005/6/29 6:49 • Updated: 2005/6/29 6:49
The above fault obviously makes me get the following when trying to post something:

Fatal error: Call to a member function on a non-object in /home/wirum/www/wow/include/functions.php on line 145


I use the newbb2 and news 1.21, but that should not be of any concern to this patch, should it? It hasn't updated anything in those respective mods, only the system as far as I can see.
Posted: 2005/6/29 8:15 • Updated: 2005/6/29 8:15
originally posted by ClubNuke:

XOOPS 2.0.10 to 2.0.12

You need change include/version.php (2.0.11 to 2.0.12).

I just wanted to bump this as I did not see any answer.

Great work, Mith!!!
Posted: 2005/6/29 9:52 • Updated: 2005/6/29 9:52
Quote:
I did not see any answer.

Look a little closer:

Quote:

Quote:
You need change include/version.php (2.0.11 to 2.0.12).

Ah geez.. Sorry.

It is only in the update - will fix asap.


I uploaded a new update patch with a fixed include/version.php - at least it should be.
Posted: 2005/6/29 10:23 • Updated: 2005/6/29 10:23
How do you upgrade from 2.0.9.3 to this new one ?
Posted: 2005/6/29 11:12 • Updated: 2005/6/29 11:12
How do you upgrade from 2.0.9.3 to this new one ?
Does someone have the full 2.0.10 and 2.0.11 ?
Posted: 2005/6/29 11:13 • Updated: 2005/6/29 11:13
the 2.0.9.2 to 2.0.10 is on the download page.

Anyone know what's up with the fail I get on my site? 4 or so posts up, look please.

Thanks.
Posted: 2005/6/29 11:23 • Updated: 2005/6/29 11:23
And how come every edit here becomes a new post?
Posted: 2005/6/29 11:24 • Updated: 2005/6/29 11:24
hervé:
2.0.9.3 consists of 2 files that have new versions in the new package.

2.0.9.2->2.0.10 patch
2.0.10->2.0.12 patch

That was how I did for my upgrade.
tl
Posted: 2005/6/29 11:25 • Updated: 2005/6/29 11:25
tl
Quote:

the 2.0.9.3 to 2.0.10 is on the download page.


should be :
the 2.0.9.3 to 2.0.10 is not on the download page.
Posted: 2005/6/29 11:25 • Updated: 2005/6/29 11:25
[remove] Do we have a newbb bug? Editing post creates a new post??
Posted: 2005/6/29 11:27 • Updated: 2005/6/29 11:27
tl
Thank you tl
Posted: 2005/6/29 11:28 • Updated: 2005/6/29 11:28
Finally, I think that i will wait...
Posted: 2005/6/29 11:30 • Updated: 2005/6/29 11:30
Mith:
It seems there is a bug in either include/comment_form.php or include/comment_post.php or both. User can't edit comments. Instead of overwriting the old version, the edited version is posted/created as a new comment.
tl
Posted: 2005/6/29 11:34 • Updated: 2005/6/29 11:34
tl
Quote:
should be :
the 2.0.9.3 to 2.0.10 is not on the download page.

See my 'try to edit' post after that one. 2.0.9.2 to 2.0.10 is on there. Use that.
Posted: 2005/6/29 11:40 • Updated: 2005/6/29 11:40
Quote:
It seems there is a bug in either include/comment_form.php or include/comment_post.php or both

I'll look into it.
Posted: 2005/6/29 12:24 • Updated: 2005/6/29 12:24
Found the bugger:

include/comment_post.php:

around line 50-55:

} else {
    $com_id = isset($_POST['com_id']) ? intval($_POST['com_id']) : 0; //<-- add this line
    if (XOOPS_COMMENT_APPROVENONE == $xoopsModuleConfig['com_rule']) {
        exit();
    }



That should work
Posted: 2005/6/29 12:32 • Updated: 2005/6/29 12:33
Thanks Mith,

It works for me!
Posted: 2005/6/29 12:53 • Updated: 2005/6/29 12:53
Thanks, Mith!

I fixed my issue.

The answer was too obvious!

No wonder I missed it.
Posted: 2005/6/29 13:13 • Updated: 2005/6/29 13:13
Quote:
I was on 2.0.11. I uploaded the patch files and went to Admin Module. When I try to update the System module I get the message "Press the button below to update this module" BUT there is no button to press.


Any answer to this question? Mine is not a server side error!
Posted: 2005/6/29 13:30 • Updated: 2005/6/29 13:30
Please stick to one thread, Shelia. I'm trying to help you in the forum thread. Double-posting just increases the places you have to look for answers.
Posted: 2005/6/29 13:36 • Updated: 2005/6/29 13:36
I will make and release XOOPS 2.0.12a in about 50 minutes (unless Argentina forces Brazil into extended time) - I'm sorry Shelia, but I simply don't know what is causing your trouble, except that I cannot see how it can come from 2.0.11/2.0.12 since the troublesome areas have not been touched since 2.0.10. So if 2.0.10 was working, I'm clueless on this.

Sorry.
Posted: 2005/6/29 16:22 • Updated: 2005/6/29 16:22
A fresh install of XOOPS 2.0.12 has the same problem I previously talked about. In the image manager, images of a blob/database stored category don't display at all. Only their names appear.
Maybe it's the sanitization of the SQL request in /class/criteria.php that doesn't work.
Posted: 2005/6/29 16:42 • Updated: 2005/6/29 16:42
any debug errors in MySQL debug?
Posted: 2005/6/29 17:07 • Updated: 2005/6/29 17:07
Found something:

In /image.php, add this line:

include_once XOOPS_ROOT_PATH."/class/module.textsanitizer.php";



above these two lines:

$xoopsLogger =& XoopsLogger::instance();
$xoopsLogger->startTime();


I've never used the blob feature, so I cannot say if this will work correctly, since my test installation corrupts the images during upload. But at least it will avoid the fatal error in Criteria::render()
Posted: 2005/6/29 17:19 • Updated: 2005/6/29 17:19
News item updated
Download links updated

Hope this one works better for you all.
Posted: 2005/6/29 17:41 • Updated: 2005/6/29 17:41
Mithrandir, thanks for your help. Do you have any idea why the update button doesn't show? Is there another way to update the system module?

Shelia
Posted: 2005/6/29 21:09 • Updated: 2005/6/29 21:09
quick release... thanks...!
Posted: 2005/6/30 1:33 • Updated: 2005/6/30 1:33
Hi, Mith.

With 2.0.12x criteria.php, addSlashes is applied to $value.

But some module source like modules/xoopsmembers/index.php initializes the Criteria class with an Add-Slashed value.
(I also found this pattern in /modules/system/admin/findusers/main.php)

It will cause an incompatibility error.

Don't you think this change is a very important incompatibility issue for 3rd party modules?
------
(This suggestion is made by NobuNobu as a WordPress XOOPS Module author, not as a JP Core developing member.)
Posted: 2005/6/30 2:25 • Updated: 2005/6/30 2:26
You mean that xoopsmembers doesn't work? I find that it does. There might be some trouble if you search for something that includes a ' or " - but how often does that happen?

I will look at improving it for 2.2 - but no, I don't find it extremely important.
Posted: 2005/6/30 4:29 • Updated: 2005/6/30 4:30
I'd like to know which files are different between 2.0.12 and 2.0.12a because I made some changes and I would not like to upgrade all the files a second time ?
Posted: 2005/6/30 5:54 • Updated: 2005/6/30 5:54
fdj
From memory:

include/comment_edit.php
include/comment_post.php
class/criteria.php
class/xml/saxparser.php
modules/system/include/update.php
modules/system/xoops_version.php
image.php
Posted: 2005/6/30 6:04 • Updated: 2005/6/30 6:04
Quote:
if you search for something that includes a ' or " - but how often does that happen?

Maybe searching for words containing " is a very rare case.
But I found there are 5 persons whose Real Name contains ' among XOOPS.ORG members.
(not counting people who use Real name as a description)
' is often used to shorten some words.
Posted: 2005/6/30 6:55 • Updated: 2005/6/30 6:55
Sure, but do you actually search for them?

What would you suggest? I was thinking about adding a $myts->stripSlashesGPC() before the ->addSlashes() call - then it would only be a problem, if you actually did search for \'

Anyway, my point is that it is not a crucial problem and that I will therefore work on limiting it - or removing it - (it = the problem) for XOOPS 2.2
It doesn't require a XOOPS 2.0.12b rushed release, I mean.
Posted: 2005/6/30 7:14 • Updated: 2005/6/30 7:14
Thanks a lot, Mithrandir,. I applied the 2.0.10 --> 2.0.12a patch with the image.php modifications. It worked perfectly on my sites with the blob/database stored image categories.

Thanks once again


Posted: 2005/6/30 8:03 • Updated: 2005/6/30 8:03
Glad to hear it ghbook, it was a bit annoying that I couldn't test it, so I'm happy it works for you.
Posted: 2005/6/30 8:16 • Updated: 2005/6/30 8:16
Quote:

Mithrandir wrote:

You mean that xoopsmembers doesn't work? I find that it does. There might be some trouble if you search for something that includes a ' or " - but how often does that happen?


It starts to become a problem if you have your server with magic_quotes_gpc disabled and try to search for an exact match on a string containing ' or other chars escaped by addslashes().
Posted: 2005/6/30 8:34 • Updated: 2005/6/30 8:34
I am wondering about xoops_module_system_update in modules / system / include / update.php. This function is nowhere called, but I can imagine what it is supposed for.
Posted: 2005/6/30 8:49 • Updated: 2005/6/30 8:49
which is why I suggested changing
$myts->addSlashes($value); to
$myts->addSlashes($myts->stripSlashesGPC($value));
Posted: 2005/6/30 8:55 • Updated: 2005/6/30 8:55
Quote:
This function is nowhere called

Ah bugger - typo in the function name. Well, it is "just" a fix for the duplicating templates.

Will nail it with 2.2 next week.
Posted: 2005/6/30 8:56 • Updated: 2005/6/30 8:56
i'm bored to change xoops versions.
2.0.11 2.0.12 2.012a blablabla
Posted: 2005/6/30 10:27 • Updated: 2005/6/30 10:50
Quote:
which is why I suggested changing
$myts->addSlashes($value); to
$myts->addSlashes($myts->stripSlashesGPC($value));


Maybe you are being confused between sanitizing input parameter and making exact SQL query string.

The $myts->addSlashes($value) method should be called only if $value is a GET or POST parameter, because the $myts->addSlashes method only escapes the ' character to \', and only if magic_quotes_gpc is set to "off".

But, string contains ' should always be escaped to \' for valid SQL query.

If you use $myts->addSlashes($value) in your render() and magic_quotes_gpc is set to "on", literal constant or DB field value contains ' will not be escaped.

If you use $myts->addSlashes($myts->stripSlashesGPC($value)); in your render() and magic_quotes_gpc is set to "on", input parameter string contains ' will not be escaped.

If you use $xoopsDB->quoteString() in your render() and magic_quotes_gpc is set to "on", input parameter string contains ' will be escaped twice.

If you use $xoopsDB->quoteString($myts->stripSlashesGPC($value)) in your render() and magic_quotes_gpc is set to "on", literal constant or DB field value contains \' will not be escaped.

Maybe there is no universal solution for escaping ' only modifying logic of render() method.
$myts->stripSlashesGPC should be called when initializing the Criteria object, and render() should call $xoopsDB->quoteString for making a valid SQL query string.

(I'm also confusing now )
Posted: 2005/6/30 11:12 • Updated: 2005/6/30 11:12
Too many versions r a bit confusing for a new person like me ..

But by reading all comments what i got is

At my test installation, currently with "XOOPS 2.0.10", I just need to get "XOOPS 2.0.12patch"

And at my Site where i am going for a new installation i need to use "XOOPS 2.0.12 Stable"

But where comes "XOOPS 2.0.12a" ??
Posted: 2005/6/30 12:01 • Updated: 2005/6/30 12:01
I understand how it could be confusing. The good part about it though is that the Core Dev team cares enough to release a fix when there is a problem.


Quote:
At my test installation, currently with "XOOPS 2.0.10", I just need to get "XOOPS 2.0.12patch"


Get the 2.0.12a patch and install it and you will be fine.


Quote:
And at my Site where i am going for a new installation i need to use "XOOPS 2.0.12 Stable"


I don't know for sure if the .12a patch was applied to that package. Might want to apply the patch on that anyway to be safe.
Posted: 2005/6/30 12:10 • Updated: 2005/6/30 12:10
Quote:
Maybe you are being confused between sanitizing input parameter and making exact SQL query string.

Granted, I was for a while. And forgot that magic_quotes would not affect non-GPC parameters (however that could happen )

However, I still think that $myts->addSlashes($myts->stripSlashesGPC($value)); is the best alternative. Here is why:

Let's look at where parameters for a Criteria can come from:

1) GPC input
2) Database output (values fetched in DB)
3) literal constant (do you mean any constant? Or what is the "literal" part? just so we are not talking past each other)
4) String supplied by developer

With the suggested solution 1) is safe no matter whether magic_quotes are on or off and no matter if the developer escapes the string or not.
Since database values are escaped (in order to be stored) they are safe, too.
3) and 4) are - if I understand it correctly - input by the developer or possibly a translator.

Worst case scenario with 1) and 2) being unsanitised is an SQL injection.
Worst case scenario with 3) and 4) is that the code will not work.
1) and 2) can look like it is working until someone exploits the hole. 3) and 4) will not work at all until the developer fixes it.

Therefore I think that my suggestion is the best solution. It will not be a universal solution but it will be the next best thing, I think.

If I have overlooked something or made a mistake or misunderstood you, please say so. I'm very happy for this dialogue and feel we are really getting somewhere.
Posted: 2005/6/30 13:34 • Updated: 2005/6/30 13:34
Quote:
I don't know for sure if the .12a patch was applied to that package

The full version is 2.0.12a
Posted: 2005/6/30 13:36 • Updated: 2005/6/30 13:36
Quote:

which is why I suggested changing
$myts->addSlashes($value); to
$myts->addSlashes($myts->stripSlashesGPC($value))


Do you mean

addSlashes($myts->stripSlashesGPC($value))

?

If magic_quotes_gpc is on, then $myts->addSlashes() will not escape anything.
$myts->addSlashes($myts->stripSlashesGPC($value)) will not escape $value if magic_quotes_gpc is on and GPC values are passed in directly to Criteria.

MyTextsanitizer::addSlashes() and MyTextsanitizer::stripSlashesGPC() methods were not originally meant to be used simultaneously. MyTextsanitizer::addSlashes() was meant for escaping GPC variables before saving them to DB (though DB::quoteString() is preferred now) and MyTextsanitizer::stripSlashesGPC for displaying GPC values.

What I would recommend (and which is implemented in our RC version) is to use XoopsDB::quoteString() only within render() and let the magic_quotes_gpc thing be taken care of before passing in any value to Criteria - clear enough for devs to understand when using the class, IMHO.
Posted: 2005/6/30 14:54 • Updated: 2005/6/30 14:54
is there a update pack for 2.0.12 to 2.0.12a?

we are using some kernel hacks and so i dont really want to research the files once again.

or is there a changelog where i can see what changes have been done from 2.0.12 to 2.0.12a so i do this changes by hand?
Posted: 2005/6/30 14:54 • Updated: 2005/6/30 14:54
Quote:
If magic_quotes_gpc is on, then $myts->addSlashes() will not escape anything.
$myts->addSlashes($myts->stripSlashesGPC($value)) will not escape $value if magic_quotes_gpc is on and GPC values are passed in directly to Criteria.

If magic_quotes_gpc is on, $myts->addSlashes() will not need to escape anything (except programmer-provided variables... but that would be the programmer's responsibility to do that).

If a GPC value is passed directly to Criteria with magic_quotes_gpc on, the GPC value will be escaped by magic_quotes. If a GPC value is passed directly to Criteria with magic_quotes_gpc off, the stripSlashesGPC() will not do anything (since there will not be slashes to remove) and addSlashes() will escape the string.
Posted: 2005/6/30 15:02 • Updated: 2005/6/30 15:02
Quote:

If a GPC value is passed directly to Criteria with magic_quotes_gpc on, the GPC value will be escaped by magic_quotes.


I am referring to what you suggested for the next change:

$myts->addSlashes($myts->stripSlashesGPC($value))

Escapes by magic quotes are removed with stripSlashesGPC() in the above code.
Posted: 2005/6/30 15:08 • Updated: 2005/6/30 15:08
Quote:
is there a update pack for 2.0.12 to 2.0.12a?

Yes, I prepared it here
Posted: 2005/6/30 15:15 • Updated: 2005/6/30 15:15
thx thats great, should be linked in the news for all 2.0.12 users.
Posted: 2005/6/30 15:33 • Updated: 2005/6/30 15:33
Quote:
Escapes by magic quotes are removed with stripSlashesGPC() in the above code.

How?

Ahhh bugger. Had read that as
if (!get_magic_quotes_gpc()) {

Back to the drawing board, I guess. Perhaps the best solution is the one with quoteString().

Will think about it some more.
Posted: 2005/6/30 15:45 • Updated: 2005/6/30 15:51
btw. Thanks for the help
Posted: 2005/6/30 15:55 • Updated: 2005/6/30 15:55
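
Added example (not part of the original thread and not XOOPS code): a small PHP model of the escaping combinations argued over in the comments above, run for GPC and non-GPC values with magic_quotes_gpc on and off. The model_* helpers, the $mq flag that stands in for magic_quotes_gpc, and the sample values are assumptions built from how the posters describe addSlashes(), stripSlashesGPC() and quoteString().

```php
<?php
// Added example: models the behaviour described in the thread, not XOOPS source.
// $mq simulates the magic_quotes_gpc setting.

function model_addSlashes(string $v, bool $mq): string {
    // As described in the thread: escapes only when magic_quotes_gpc is off.
    return $mq ? $v : addslashes($v);
}

function model_stripSlashesGPC(string $v, bool $mq): string {
    // As described in the thread: removes slashes only when magic_quotes_gpc is on.
    return $mq ? stripslashes($v) : $v;
}

function model_quoteString(string $v): string {
    // As described in the thread: always escapes (surrounding quotes omitted here).
    return addslashes($v);
}

// How a value reaches Criteria: GPC input arrives pre-escaped when $mq is on.
function arrive(string $raw, bool $isGpc, bool $mq): string {
    return ($isGpc && $mq) ? addslashes($raw) : $raw;
}

// The render() variants discussed, plus the call-site approach (E).
function render(string $strategy, string $in, bool $isGpc, bool $mq): string {
    switch ($strategy) {
        case 'A addSlashes':
            return model_addSlashes($in, $mq);
        case 'B addSlashes(stripSlashesGPC)':
            return model_addSlashes(model_stripSlashesGPC($in, $mq), $mq);
        case 'C quoteString':
            return model_quoteString($in);
        case 'D quoteString(stripSlashesGPC)':
            return model_quoteString(model_stripSlashesGPC($in, $mq));
        case 'E caller strips GPC, render quotes':
            $clean = $isGpc ? model_stripSlashesGPC($in, $mq) : $in;
            return model_quoteString($clean);
    }
    throw new InvalidArgumentException("unknown strategy: $strategy");
}

// True if a single quote appears that is not preceded by an escaping backslash.
function has_unescaped_quote(string $s): bool {
    $n = strlen($s);
    for ($i = 0; $i < $n; $i++) {
        if ($s[$i] === '\\') { $i++; continue; } // skip the escaped character
        if ($s[$i] === "'") return true;
    }
    return false;
}

function classify(string $raw, string $out): string {
    $want = addslashes($raw);               // escaped exactly once
    if ($out === $want) return 'ok';
    if (has_unescaped_quote($out)) return 'UNESCAPED';
    if ($out === addslashes($want)) return 'double-escaped';
    return 'altered';                        // value no longer matches the input
}

$strategies = [
    'A addSlashes',
    'B addSlashes(stripSlashesGPC)',
    'C quoteString',
    'D quoteString(stripSlashesGPC)',
    'E caller strips GPC, render quotes',
];
// Constructed sample values: a name with a quote, and a string that
// legitimately contains a backslash followed by a quote.
$values = ["O'Brien", "a\\'b"];

foreach ([true, false] as $mq) {
    foreach ([true, false] as $isGpc) {
        foreach ($values as $raw) {
            $in = arrive($raw, $isGpc, $mq);
            foreach ($strategies as $s) {
                printf("mq=%-3s src=%-5s raw=%-8s %-36s %s\n",
                    $mq ? 'on' : 'off', $isGpc ? 'GPC' : 'other',
                    $raw, $s, classify($raw, render($s, $in, $isGpc, $mq)));
            }
        }
    }
}
```

Rows marked UNESCAPED are the ones that would reach the SQL string with a live quote; the rows for strategy E model the recommendation to handle magic_quotes_gpc before the value is passed to Criteria and to quote unconditionally in render().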
Just upgraded from 2.0.10 to 2.0.12a. Everything seems to be working fine

Thanks for all the top notch geek work, dev team

Tabby
Posted: 2005/6/30 22:27 • Updated: 2005/6/30 22:27
I've done the upgrade and everything went smoothly. However, with debug mode on, I am getting the following at the bottom of some pages of the site, in the pop-up windows for Who's Online, etc., and in the admin control panel as well:

Warning [PHP]: ob_start(): output handler 'ob_gzhandler' cannot be used after 'URL-Rewriter' in file include/cp_functions.php line 33

Any ideas on how to fix this??
Posted: 2005/7/1 0:42 • Updated: 2005/7/1 0:44
Apparently, there's a conflict between gzip compression and PHP debug mode, so turn one of them off.
Posted: 2005/7/1 0:53 • Updated: 2005/7/1 0:53
if you want gzip, then try this way.

turn off gzip in xoops admin..

then create an .htaccess file.. (if you can that is)

inside the htaccess file put

php_flag zlib.output_compression on
php_value zlib.output_compression_level 5

and save it to the xoops_root folder, the 1 with mainfile.php in..

then check your headers to see if it's actually working..

i use a program called iehttp headers to view header info..
Posted: 2005/7/1 1:27 • Updated: 2005/7/1 1:27
Having some problems with all themes on fresh install of 2.0.12a.

I have a blue border around logo and banner. I don't understand it!

Check here:

Posted: 2005/7/1 9:10 • Updated: 2005/7/1 9:10
check root/xoops.css

make sure

img {border: 0;} is included in it.
Posted: 2005/7/1 9:27 • Updated: 2005/7/1 9:27
That solved the problem, thanks!

In the zip package there are no user.php and style.css files.
Posted: 2005/7/1 9:42 • Updated: 2005/7/1 9:42
Monty and Dave_L - Thank you for your quick responses.

I've got debug mode on as I'm having some problems with a few modules, and wanted to check the error messages. From what you said, once I turn it off, the error that I listed will go away.
Posted: 2005/7/1 12:14 • Updated: 2005/7/1 12:14
I am running 2.0.9.2. How can I upgrade to 2.0.12a and is it worth the effort?
Posted: 2005/7/1 18:35 • Updated: 2005/7/1 18:35
security wise, yes. That is the reason for a security release.

Download the 2.0.9.2 to 2.0.10 patch and the 2.0.10 to 2.0.12a patch, overwrite the files in the 2.0.9.2 to 2.0.10 patch with the other patch. Copy all files to your XOOPS site directory.

See this: XOOPS System Upgrade Flash Tutorial to follow along with the process. It will explain updating templates and so on.
Posted: 2005/7/1 21:30 • Updated: 2005/7/1 21:30
[edited Giba splanish version]

My version of Xoops Before is 2.0.73
--------------------------------------


Sorry, after install version 2.0.12 my connection MySql not read.

mainfile.php is correct.
No found of problem, help-me

I using Xamp 1.14.14 in localhost for tests.

Sorry my stupid question, one day and not found error.

Posted: 2005/7/1 21:39 • Updated: 2005/7/1 21:40
Did you follow the upgrade path? 2.0.7.3 to 2.0.9.2 to 2.0.10 to 2.0.12a?

What about news and newbb folders in the upgrade, did you remove them if your modules are upgraded?

Any error messages?
Posted: 2005/7/1 21:54 • Updated: 2005/7/1 21:54
Poor me! :( I updated even module/newbb/post.php even though my newbb was newbb2, now I cannot post anymore in my site. In my frustration I re-upload post.php from version 2.0.10 but it doesn't work.

The problem seems to be not being able to overwrite updated post.php file, it is around 15kb while the previous version 2.0.10 was around 10kb. I'm not able to overwrite it.

1st Edit: And I have updated system module as well as newbb2 module after I could overwrite post.php old file with the new file. But Error still occurs and nothing is posted in my forum when tried. Should I carry on updating my site to patch 2.0.13 from 2.0.12a? But forum is a problem now.

Please help me. Thanks.
Posted: 2005/7/21 8:02 • Updated: 2005/7/21 8:38