Latest Posts restored (updated)

[Kent]

The latest posts module has now been restored to service.

The Latest posts module has been restored, thanks to the input provided by DaveP and code fix written by Orgin.  Thanks guys.

The Amiga.org development Team

[CodeSmith]

I'd say this is a good thing.  I'd much rather put up with a small amount of inconvenience for a couple weeks, than try to log in one morning and find out that the site got 0wned by some #### who got a canned exploit off some website.

[that_punk_guy]

True... but, argh! That's my most-used module!

Ah well :-(

[weirdami]

I didn't even know there was such a thing. All I ever used was the recent discussions thing on the main page. So, I guess I'm unaffected.

[that_punk_guy]

Well, the only real difference is that Talk-about threads don't appear on the front page. I think that's the only forum that's excluded from the front page.

[lempkee]

oh ok, damn i where just about to direct "haymiggan" to amiga.org to download some modules that he could have played in his modplayer ))

(he axed me for some mods yesterday

anyway, i have never heard any music on amiga.org   so i guess thats another pc only feature ? :DDDDDDDDD

/sarcasm OFF

[iamaboringperson]

I was wondering what was happenning, I thought you had started to update the site.

That's where I usually start from.



"DoomMaster" would have loved to know about that! :-o


---Edit:

I suppose you can't tell us what the problem was, can you? Please? Pretty please with sugar on top? ? :-)

[Kent]

To keep the security level at a normal level on other Xoops sites, no.  Just know that it was a major security risk, not just for the Amiga.org server, but for your personal computer system as well.  With the right scripts, you could go so far as to potentially pull out a password, or install software to the unknowing user.  I was able to reproduce both with very basic account settings (ie, not using the admin).

I'll leave it at this... it was a very big hole waiting to be hacked.  Not to mention, there are other Xoops sites still using the "Latest Posts" module.  I am working on picking the source appart to create my own module.  I don't think it will be available until after the the new site is already in place and running for a while.  The development has to take the back burner to family, school, and work in that order.  Unfortunately I'm quite swamped at school and family life is no better.

:pint:

[uncharted]

Is this problem still there in XOOPS2?

[mikeymike]

Is this problem still there in XOOPS2?

That's something we're looking into atm.

@ everyone
Remember that you can click on the 'forums' link, and talk-about open, you'd get much the same view.

[DaveP]

Kent

Here is an example of the kind of patches it needs:

$topic_title = $myts->makeTboxData4Show($arr["topic_title"]);

                        echo "  ".$topic_title."";

That will "safe" the topic for you and fix the remote code exploit although its not perfect, calling sanitize directly to turn off the use of smileys would be better.


Compliments of amigaworld.net.

[System]

Is this problem still there in XOOPS2?

Yes.  Since the author abandoned it, there is no Xoops 2 version of the same module. It could only be adapted.

Wayne

[DaveP]

*cough*

I wrote the code fix and Orgin suggested which method to use from that class ;-)

Not that thats important, oh shut up Dave ;-)


Dave.

[that_punk_guy]

That's better... :relief:

[DanDude]

Good thing you guys caught it in time.

Well Done!  :-)