Has this been finalized? Is there one file that has all the fixes in it?

good question!! would like to know this too!

Schorsch

Installed the thread preview, and search preview - works slick!

Thanks a lot for a great hack!

could someone please explain how to "run" the tpinstall.php?

Sure - upload it to your forum, and then open it with your browser, using the address your_forum_address/tpinstall.php

Hope this helps.

thanks very much!

installed and works awesome

Hello folks, I'm Overgrow's partner and a security concern was pointed out to me about this hack. Overgrow has been using the version of this hack since he last posted here so I haven't checked to see if his version is the exact same as what you are using now but if you follow the instructions below, it may help you discover if you have security breach in your private forums. Here are the details that were sent to me to help you test it;

---------------------------------------------------------------------------
first of all this is what I came up with since 8:00 tonight or so.
I found ONE way to read the Mods forums. It has in part to do with an "upgrade" by Overgrow made not too long before he left, the Post preview option.

So go to my overgrow, update profile, then options.


View thread previews?
If you select yes, you will get a short preview of the thread when you mouseover the title. yes no



This is part of the problem.
Now while your looking at a thread in the forum listing, drag your mouse over the thread title, a pop-up screen should appear with a snippet of the content of the thread.
At this point I'll consider this part of it is understood.

Now to the next piece.

Go to the top of the page, click forums,
scroll down to the list of current users online.

Click the hyperlink on Currently Active Users.

This brings you to a monitoring page...
I can see what everyone is doing.
I can monitor the movement of the MODS and ADMINS.
This will make sense in a few mins.

Next Subject.
URL Manipulation can let people view all the searches that
people have done.

Here's a link for you to follow of one such search made
by someone with MOD or ADMIN access.

http://www.overgrow.com/edge/search...searchid=502803

With that link I can see what MODS are posting. Give it a shot. Log in as some normal user account and go for it.

Now using this I can gain info about what is being said.
All they have to do is change the number on the end and
they see a different search. Eventually they will stumble across a doozie with lots of sensitive things in the search results.

Here's where the Currently Active page ties into it all, you can
save time by monitoring Mods or Admins activity I can estimate where their searches will be by performing my own search and checking out the #'s and searching that area.

------------------------------------------------------------------------------
Credit goes to The White Rabbit for finding this. The results here may be different for most as I said before, the hack here may have been altered by Overgrow and the results may not be the same for everyone. Anyway, better to check and be sure before you continue to use this hack.

Also, to the Mods/Admins here. This post may used by others as information to gain access to private information on other boards so feel free to modify this post if you feel it may pose a security threat. I for one have done away with this hack and since doing so Overgrow has shown quite an increase in speed. Not sure if this could have been a cause but I am keeping watch. Thanks.

Works well on 2.2.7. Thanks.

By the way, I did find one typo in the search.php stuff....

title="fppreview" should be title="$fppreview"

this hack is one of the VERY VERY best ones.

I just love it !!!!!

it is so straightforward, so easy to install, and it just works !!!!!

Thank you a milliono nicksaunders !!!!!