Amiga.org
Amiga News and Community Announcements => Amiga.org site announcements => Topic started by: Kent on February 13, 2004, 03:39:44 AM
-
The latest posts module has now been restored to service.
The Latest posts module has been restored, thanks to the input provided by DaveP and code fix written by Orgin. Thanks guys.
The Amiga.org development Team
-
I'd say this is a good thing. I'd much rather put up with a small amount of inconvenience for a couple weeks, than try to log in one morning and find out that the site got 0wned by some #### who got a canned exploit off some website.
-
True... but, argh! That's my most-used module!
Ah well :-(
-
I didn't even know there was such a thing. All I ever used was the recent discussions thing on the main page. So, I guess I'm unaffected.
-
Well, the only real difference is that Talk-about threads don't appear on the front page. I think that's the only forum that's excluded from the front page.
-
oh ok, damn, I was just about to direct "haymiggan" to amiga.org to download some modules that he could have played in his modplayer :))))
(he axed me for some mods yesterday :))
anyway, I have never heard any music on amiga.org so I guess that's another PC-only feature? :DDDDDDDDD
/sarcasm OFF
-
I was wondering what was happening, I thought you had started to update the site.
That's where I usually start from.
"DoomMaster" would have loved to know about that! :-o
---Edit:
I suppose you can't tell us what the problem was, can you? Please? Pretty please with sugar on top? :-)
-
To keep the security level at a normal level on other Xoops sites, no. Just know that it was a major security risk, not just for the Amiga.org server, but for your personal computer system as well. With the right scripts, you could go so far as to potentially pull out a password, or install software to the unknowing user. I was able to reproduce both with very basic account settings (ie, not using the admin).
I'll leave it at this... it was a very big hole waiting to be hacked. Not to mention, there are other Xoops sites still using the "Latest Posts" module. I am working on picking the source apart to create my own module. I don't think it will be available until after the new site is already in place and running for a while. The development has to take the back burner to family, school, and work in that order. Unfortunately I'm quite swamped at school and family life is no better.
:pint:
-
Is this problem still there in XOOPS2?
-
Is this problem still there in XOOPS2?
That's something we're looking into atm.
@ everyone
Remember that you can click on the 'forums' link, and talk-about open, you'd get much the same view.
-
Kent
Here is an example of the kind of patches it needs:
// Pass the stored title through the XOOPS text sanitizer before it is echoed
$topic_title = $myts->makeTboxData4Show($arr["topic_title"]);
echo " " . $topic_title;
That will "safe" the topic for you and fix the remote code exploit, although it's not perfect; calling sanitize directly to turn off the use of smileys would be better.
Compliments of amigaworld.net.
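The bug Kent describes and the patch DaveP quotes, side by side, as an added PHP example (PHP 7.4 or later). This is not the XOOPS module's code and not from anyone in this thread: the sample rows are constructed, makeTboxData4Show() is a stand-in for the XOOPS MyTextSanitizer method (assumed to HTML-encode its argument), and titlesWithMarkup() is an added check for auditing titles already stored in a forum database.

```php
<?php
// Added example, not the XOOPS module's or this thread's code. It puts the
// bug described above (a stored topic title echoed as raw HTML) next to the
// patched form. makeTboxData4Show() is a stand-in for the XOOPS
// MyTextSanitizer method; assumption: it HTML-encodes its argument.

// Constructed sample rows, as the module would read them from the forum DB.
$rows = [
    ['topic_id' => 1, 'topic_title' => 'WB 3.1 vs OS4 icons'],
    ['topic_id' => 2, 'topic_title' => 'Free mods <script>alert("xss")</script>'],
];

function makeTboxData4Show(string $text): string
{
    // Encode the characters a browser would otherwise treat as markup.
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

function renderUnsafe(array $arr): string
{
    // Original behaviour: the title is copied into the page untouched.
    return '<a href="viewtopic.php?topic_id=' . (int) $arr['topic_id'] . '">'
        . $arr['topic_title'] . '</a>';
}

function renderFixed(array $arr): string
{
    // Patched behaviour from the thread: sanitize first, then echo.
    $topic_title = makeTboxData4Show($arr['topic_title']);
    return '<a href="viewtopic.php?topic_id=' . (int) $arr['topic_id'] . '">'
        . $topic_title . '</a>';
}

function titlesWithMarkup(array $rows): array
{
    // Defender's check on an existing database: rows whose stored title
    // contains characters that only matter as HTML deserve a look.
    return array_values(array_filter(
        $rows,
        fn(array $r) => strpbrk($r['topic_title'], '<>&"\'') !== false
    ));
}
foreach ($rows as $arr) {
    echo "raw:   ", renderUnsafe($arr), "\n";
    echo "fixed: ", renderFixed($arr), "\n";
}
$flagged = titlesWithMarkup($rows);
assert(count($flagged) === 1 && $flagged[0]['topic_id'] === 2);
assert(strpos(renderFixed($rows[1]), '<script>') === false);
```

The second row renders as an executable script tag in the raw output and as harmless encoded text in the patched one; the same encoding applies to any other stored field that ends up in the page, which is the forum_name question raised further down the thread.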
-
Is this problem still there in XOOPS2?
Yes. Since the author abandoned it, there is no Xoops 2 version of the same module. It could only be adapted.
Wayne
-
*cough*
I wrote the code fix and Orgin suggested which method to use from that class ;-)
Not that that's important, oh shut up Dave ;-)
Dave.
-
That's better... :relief:
-
Good thing you guys caught it in time.
Well Done! :-)
-
Wow, I never even thought to look for a security hole in this module. The original developer's homepage has long since disappeared....
-
Ah! I see now.
@DaveP:
Thanks! Do you think shoving $arr["forum_name"] through $myts->makeTboxData4Show would help further, or would that be a waste of time in your opinion?
--
Targhan
-
@Targhan
I think it's probably overkill as only you or authorised people can set the forum name :-)
-
@DaveP
Heh, I can be dense sometimes too! Like I'll go around posting JS in the forum name... :-P Anyway, thanks again for pointing that out.
-
No worries, when we figured it out we went round paranoid looking at all the fields also :-)
-
Hah! It's really making me want to go through every line of code throughout the Xoops systems :-P
-
I assume someone has mentioned this on Xoops.org. It's always nice to cycle back such info, patches, etc. to that which you use for free.
-
http://www.xoops.org/modules/newbb/viewtopic.php?topic_id=16640&forum=4
-
@Targhan,
Good luck at trying to make sense of the Xoops code (either version). Honestly, I don't have time to write my own so I can't bitch, but looking at the code for certain things like viewpmsg.php will drive you insane with the author swapping out his use of " and ' for quotes almost every line.
EVERY module I see is like that. Impossible to trace. This is what you get with open source code projects though, so based on that, I'm glad to see OS4 not go Open Source.
Well, that's not true, I think 3.1 should have been released open source, but I'll give Ben the benefit of the doubt that OS4 is a different creature (which just LOOKS exactly like 3.1 :) )
Wayne
-
They don't have a code writing style guide?
-
@Wayne
I hear ya. I've been through that routine before with the " and ' in the PM system.
For that fanfiction site I'm tinkering with, I've been hacking on one of the modules from day one--and, it had nothing to do with Amiga/MOS compatibility! Things like anonymous reviews, and no way to delete the reviews without axing the article they were attached to. A royal pain for my "off work" time.
Then again, anytime I visit fanfiction.net, I'm reminded of why I started the site. I **hate** sites that try to install useless software on my machine--and I was using IBrowse the last time it happened at ff.net for crying out loud!
-
There's absolutely no "code style" enforced from what I've seen. Granted LastPost v2 is going to be my first module for xoops, it's also the very first serious work I've done in PHP. I'm using a strict code style that I'm already familiar with from other projects. For example:
String strName = "string of text";
char chLetter = 'a';  // the variable name was missing from the original line
for (int i = 0; i < strName.length(); i++) {
    // loop body goes here
} // Notes of "for loop"
It's the default code style found in Java, but I take it to a further extreme--putting spaces between operators, notes always at the end of a loop, whitespace after delimiters (ie ';'), and /** block commenting complete with @params */. It's something I learned about four or five years back working with Roj in ARexx. If you can't lock down a code style, half the work will be sloppy as all hell.
:pint: