2010-10-30, 12:27 AM
2010-12-05, 07:57 AM
Quote:- Don't show admin only forums to everyone.
Any fix, please?
2010-12-05, 10:24 PM
I haven't been able to figure that out yet; if anyone has an idea, let me know.
2010-12-06, 09:41 AM
(2010-12-05, 10:24 PM) vbgamer45 wrote: I haven't been able to figure that out yet if anyone has an idea let me know.
Thanks for the answer.
Another problem with this extension: when I click Who's Online, I can't see the location, just "Read a topic/discussion".
I tried with another test account: when accessing a thread from "recent topic" I can't see the location, just "read topic", but when accessing the same topic from the forum I can see "test read "topic title"".
2011-02-25, 07:14 PM
Hello.
I've installed this plugin in my board. Unfortunately, today a hacker used it to do an XSS attack by placing HTML code in a topic title.
I'd suggest you take a look at line 133 of \inc\plugins\recenttopicsindex.php:
<a href="showthread.php?tid=' . $threadRow['tid'] . '&action=lastpost">' . $subject .'</a> ' . $lang->recenttopics_by . (!empty($threadRow['lastposteruid']) ? ' <a href="member.php?action=profile&uid=' . $threadRow['lastposteruid'] . '">' . $threadRow['lastposter'] . '</a>' : $threadRow['lastposter']) . ' (<a href="forumdisplay.php?fid=' . $threadRow['fid'] . '">' . $threadRow['name'] . '</a>)
$subject should be changed to htmlspecialchars($subject)
Regards,
NewEraCracker.
2011-02-26, 04:31 AM
Thanks, patched and update released.
I assumed that the data in the database was already safe; I did not know that it needed to be protected during output.
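The output-encoding point from the two posts above, as an added example that is not the plugin's code or the released patch: the row at line 133 rebuilt so that every text value taken from the database is encoded where it enters the HTML. It goes beyond the reported fix, which touches only $subject, by treating the poster name, forum name and ids the same way; the helper names e() and recent_topic_entry() and the sample row are assumptions made for illustration.

```php
<?php
// Added example, not the plugin's code. Values read back from the database
// are raw text; they are encoded here, at the point they enter HTML.

/** Encode text for an HTML text node or a quoted attribute value. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build one recent-topics entry from a thread row (same keys as line 133). */
function recent_topic_entry(array $row, string $byLabel): string
{
    // Ids go into URLs: force them to integers instead of trusting the row.
    $tid = (int) $row['tid'];
    $fid = (int) $row['fid'];
    $uid = (int) $row['lastposteruid'];

    // Text fields are encoded once, immediately before concatenation.
    $poster = e($row['lastposter']);
    if ($uid > 0) {
        $poster = '<a href="member.php?action=profile&amp;uid=' . $uid . '">'
            . $poster . '</a>';
    }

    return '<a href="showthread.php?tid=' . $tid . '&amp;action=lastpost">'
        . e($row['subject']) . '</a> ' . e($byLabel) . $poster
        . ' (<a href="forumdisplay.php?fid=' . $fid . '">' . e($row['name']) . '</a>)';
}

// Constructed sample row: the subject and forum name carry markup characters.
$row = [
    'tid'           => '42',
    'fid'           => '7',
    'lastposteruid' => '3',
    'lastposter'    => 'alice',
    'subject'       => '<b>Rules</b> & "FAQ"',
    'name'          => 'News <general>',
];

// The markup in the sample values is printed as text, not parsed as tags.
echo recent_topic_entry($row, 'by '), PHP_EOL;
```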
2011-04-03, 11:15 PM
Hello vbgamer45,
There is another issue with this mod about showing hidden forums.
Issue has been described by stain on 3rd February 2011:
http://mods.mybb.com/reviews/recent-topi...index-page
Thanks
2011-04-03, 11:26 PM
Anyone have a fix for it?
2011-04-05, 09:06 AM
--- /recenttopicsindex.php Wed Aug 04 13:18:34 2010
+++ /recenttopicsindex.php Tue Dec 28 10:20:54 2010
@@ -87,7 +87,7 @@
function recenttopicsindex_show()
{
- global $db, $mybb, $page, $recenttopics, $theme, $lang;
+ global $db, $mybb, $page, $recenttopics, $theme, $lang, $permissioncache;
$lang->load('recenttopicsindex');
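Review bot: the `global` line now imports `$permissioncache`, and the function reassigns it further down, so this display hook changes a shared global for any code that runs after it. A one-line comment next to the `global` statement saying that the cache may be rebuilt here, and why, would make that side effect visible to the next maintainer.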
@@ -107,6 +107,13 @@
</thead>';
// Run the Query
+ // !!! FIX private forum exposure!!!
+ if ( !is_array($permissioncache) ||
+ (is_array($permissioncache) && ((count($permissioncache)==1) && (isset($permissioncache['-1']) && ($permissioncache['-1'] = "1"))))
+ ) {
+ $permissioncache = forum_permissions();
+ }
+
$unsearchforums = get_unsearchable_forums();
if($unsearchforums)
$where_sql .= " AND t.fid NOT IN ($unsearchforums)";
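Review bot: in the added condition, `$permissioncache['-1'] = "1"` is an assignment, not a comparison, so that sub-expression is always true and it overwrites the entry it is meant to test; it should be `== "1"`. The inner `is_array($permissioncache) &&` is also redundant, because that branch is only reached when the preceding `!is_array($permissioncache)` is false. The `!!! FIX private forum exposure!!!` comment would be more useful if it explained why the cache has to be rebuilt before `get_unsearchable_forums()` is called, since the `t.fid NOT IN ($unsearchforums)` filter is only as complete as what that call returns.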
2011-04-05, 12:28 PM
Awesome, thanks. Odd that you have to do that before get_unsearchable_forums();
Update
1.0.2
!Fixed issue showing private forums thanks to NewEraCracker