A CRITICAL flaw has been pointed out in Custom Pages v1.0. It is very important that you download the fixed file attached.
Upload it to your forums root directory!
The download has been updated to fix this manually open pages.php from your forums directory.
Thanks to Michael83 for reporting this to my attention.
Staff App mod...
Where do turn on the mod after I activate it on the forum?
I set up what I want it to do in the staffapp.php file but I cannot find were to turn it on.
Sorry, I'm not very code savvy without a 'for dummies' instructions.
Nice Work,
but can you please update the Spam Central Mod, because it uses some depreciated functions.
Line 74 to 82:
update_forum_count
update_thread_count
now called:
update_forum_counters()
update_thread_counters()
Thanks
Sonny
MediaSonny Wrote:Nice Work,
but can you please update the Spam Central Mod, because it uses some depreciated functions.
Line 74 to 82:
update_forum_count
update_thread_count
now called:
update_forum_counters()
update_thread_counters()
Thanks
Sonny
A new version was uploaded! Thanks for alerting me to the situation
All users of Custom Pages plugin:
I've been notified that there is a security vulnerability reported for the Custom Pages plugin by nickman. Please take necessary actions to secure your forum.
The details of the exploit are here:
http://milw0rm.com/exploits/5379
I believe it's line 38 of root/page.php
$page=($mybb->input['page']);
Should be...
$page=mysql_real_escape_string($mybb->input['page']);
Please let me know if that's wrong.
labrocca Wrote:I believe it's line 38 of root/page.php
$page=($mybb->input['page']);
Should be...
$page=mysql_real_escape_string($mybb->input['page']);
Please let me know if that's wrong.
Yeah, that should do it. I'm just an idiot and thought that it was automatically done through myBB if you used their functions
EDIT: Hmm..I just downloaded it off the mods site and apparently this version was fixed..I'm pretty sure this is an old vulnerability because it was reported to me before.
My just downloaded version:
$page=$db->escape_string($mybb->input['page']);
i installed the guestbook plugin, it works fine, but doesn't looks quiet the way i need it.
so i opened the member_profile template and hoped to find the code there, but instead there is a pointer called {$usergb}. so that means the code is in a seperate template.
there is one called gb_newcomment, but it only contains the page where one can write comments, not the guestbook itself.
nickman, can you please tell me where i can find the template with the main code?
edit:
i manually made some little changes in the usergb.php file and uploaded it. worked... but
when i try to change that piece of code:
$html.="<tr>
<td class=\"trow1\">posted by:<a href='member.php?action=profile&uid=$post[posterdid]'>$poster</a></td>
<td class=\"trow1\">$comment</td>";
into this:
$html.="<tr>
<td valign="top" class=\"trow1\">posted by:<a href='member.php?action=profile&uid=$post[posterdid]'>$poster</a></td>
<td class=\"trow1\">$comment</td>";
and reupload the file again, nth works anymore
i need the usernames to be displayed in the same line their comments beginn, otherwise you can hardly tell where a comemnt ends and another one begins
see:
http://laiila.com/forum/member.php?action=profile&uid=2
You added this ?
valign="top"
If so; you need to escape those "" ; so it becomes
valign=\"top\"
thank you LeX-
now it works perfectly.
i had no clue i had to add those slashes, i am still in the middle of a webdesign training course, and bump into unknown problems every now and then.....solely caused by a lack of knowledge
thank you very much
