vb.org Archive
Page 2 of 4 1 2 34
Show 40 post(s) from this thread on one page

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vBulletin 3.0 Beta Releases (https://vborg.vbsupport.ru/forumdisplay.php?f=34)
-   -   vB Journal 1.5 Beta 3 (https://vborg.vbsupport.ru/showthread.php?t=100385)

AN-net 11-19-2005 11:46 AM
XSS Vulnerability Patched!

All running Beta 1 prior to 11/19/05 are strongly encouraged to apply this patch or download the updated file then overwrite.

To patch this security risk find the following in journal.php(Find and Replace All Instaces):
PHP Code:
$message trim(convert_wysiwyg_html_to_bbcode($_POST['WYSIWYG_HTML'], 0)); 
Replace that with:
PHP Code:
$message trim(htmlspecialchars_uni(convert_wysiwyg_html_to_bbcode($_POST['WYSIWYG_HTML'], 0))); 
Find in journal.php(Find and Replace All Instances):
PHP Code:
$entry['message'] = trim(convert_wysiwyg_html_to_bbcode($_POST['WYSIWYG_HTML'], 0)); 
Replace that with:
PHP Code:
$entry['message'] = trim(htmlspecialchars_uni(convert_wysiwyg_html_to_bbcode($_POST['WYSIWYG_HTML'], 0))); 
I have updated the zip and attached the patched file below.

xfaethorx 11-24-2005 04:35 PM
upgraded from 1.0.1 to current beta and i'm getting

Invalid SQL: SELECT
journals.journal_id, journals.journalname, journals.journaldesc,
journals.journalist, journals.journalist_id, entrycount, commentcount, usertextfield.jbuddylist, ipaddress, journals.lastentry,
journals.lastentry_date, journals.private, journals.lastentry_id, journals.lastentry_misc, journals.status, journals.journalviews,
journals.journal_totalrating AS totalrating, journals.journal_totalvotes AS totalvotes
FROM journals AS journals
LEFT JOIN usertextfield AS usertextfield ON (journals.journalist_id=usertextfield.userid)
WHERE journal_id IN(1,2,3,4,5,6,8,9)
ORDER BY
LIMIT 0,10

on journal.php although everything seems ok if i access the journals directly via user name...

really confused need some help ehre.

AN-net 11-24-2005 04:40 PM
Quote:
Originally Posted by xfaethorx
upgraded from 1.0.1 to current beta and i'm getting


Invalid SQL: SELECT
journals.journal_id, journals.journalname, journals.journaldesc,
journals.journalist, journals.journalist_id, entrycount, commentcount, usertextfield.jbuddylist, ipaddress, journals.lastentry,
journals.lastentry_date, journals.private, journals.lastentry_id, journals.lastentry_misc, journals.status, journals.journalviews,
journals.journal_totalrating AS totalrating, journals.journal_totalvotes AS totalvotes
FROM journals AS journals
LEFT JOIN usertextfield AS usertextfield ON (journals.journalist_id=usertextfield.userid)
WHERE journal_id IN(1,2,3,4,5,6,8,9)
ORDER BY
LIMIT 0,10

on journal.php although everything seems ok if i access the journals directly via user name...

really confused need some help ehre.
you must set the order by in your admincp/journal settings;)

xfaethorx 11-24-2005 04:44 PM
yeah i just went in and saved the current settings and its all working now...
sorry dumbass moment there...

jesus im special, sorry

AN-net 11-24-2005 04:48 PM
Quote:
Originally Posted by xfaethorx
yeah i just went in and saved the current settings and its all working now...
sorry dumbass moment there...

jesus im special, sorry
not a problem, we all have our moments of idiocy.

xfaethorx 11-24-2005 06:25 PM
yeah thing is so far i've managed quite a few decades of idiocy......;) by the way great work on the hack! The upgrade was simplicity after my own mistake! keep it up!

AN-net 11-24-2005 06:54 PM
Quote:
Originally Posted by xfaethorx
yeah thing is so far i've managed quite a few decades of idiocy......;) by the way great work on the hack! The upgrade was simplicity after my own mistake! keep it up!
im currently working on beta 2 which adds some features:)

xfaethorx 11-24-2005 08:03 PM
nice one..i know on another forum blog software has been asked for but with a few more additions on here and this is it to be honest! It'd be nice to have a collapsable comments block so you could expand the comments under a journal entry..or some kind of alternative thread views and obviously a now listening too and all the like.

Anyway you'll have a better idea of what you want to do with it than me. I'm just happy its still supported seeing as everyone else is going 3.5 and im staying 3.0.x
:D

AN-net 11-24-2005 08:10 PM
Quote:
Originally Posted by xfaethorx
nice one..i know on another forum blog software has been asked for but with a few more additions on here and this is it to be honest! It'd be nice to have a collapsable comments block so you could expand the comments under a journal entry..or some kind of alternative thread views and obviously a now listening too and all the like.

Anyway you'll have a better idea of what you want to do with it than me. I'm just happy its still supported seeing as everyone else is going 3.5 and im staying 3.0.x
:D
can you explain the alternative thread views thing?

also 1.5 will be the last version of vB Journal on 3.0.x, future versions past 1.5 will be designed for 3.5.x. I felt as though I owed it the users to include a more stable and featured version before I migrate to 3.5.

xfaethorx 11-25-2005 07:33 AM
just the intergration if possible of the the linear , hybrid and threaded display modes.

so when you clicked on comments you'd be taken to comments that are pretty much styled like showthread.php with the ability to change the display type.

It would be nice to see the comments like showthread.php making the journal entry and comments a thread unto themselves, then you could support more display views, the postbit templates, use the quick reply box as the add new comment and other bits and bats.You could potentially do stuff for journal attachments as well but that would mean changes to newattachments.php and attachment.php. However thats a big change and would mean much more intergration work.

It would however be nice to have the comments similar to postbit and postbit_legacy so you can see user avatars etc.

AN-net 11-25-2005 01:34 PM
Quote:
Originally Posted by xfaethorx
just the intergration if possible of the the linear , hybrid and threaded display modes.

so when you clicked on comments you'd be taken to comments that are pretty much styled like showthread.php with the ability to change the display type.

It would be nice to see the comments like showthread.php making the journal entry and comments a thread unto themselves, then you could support more display views, the postbit templates, use the quick reply box as the add new comment and other bits and bats.You could potentially do stuff for journal attachments as well but that would mean changes to newattachments.php and attachment.php. However thats a big change and would mean much more intergration work.

It would however be nice to have the comments similar to postbit and postbit_legacy so you can see user avatars etc.
that is something i do not have planned and will most likely not implement as vb journal will try its best to stay separate from the forums.

T3MEDIA 11-25-2005 05:31 PM
I tried to upgrade but the old templates still look the same... (your signage on the bottom) and I get a database error even if I update the journals in admincp
Quote:
Database error in vBulletin:

Invalid SQL: SELECT journalist_id, entry_id, journal_entries.whocanview, journal_entries.private, journal_entries.allowbuddies, jbuddylist
FROM myvb3_ journal_entries AS journal_entries LEFT JOIN myvb3_journals AS journals ON (journal_entries.journal_id=journals.journal_id)
LEFT JOIN myvb3_usertextfield AS usertextfield ON (journals.journalist_id=usertextfield.userid)
WHERE journal_entries.journal_id IN (1) AND entry_active=1

mysql error: You have an error in your SQL syntax near 'AS journal_entries LEFT JOIN myvb3_journals AS journals ON (journal_entries.jour' at line 2

mysql error number: 1064

T3MEDIA 11-25-2005 09:35 PM
entire editor is gone through out the site.
An obvious error in changing the hacked code. any idea what file would do that?

As in what file would handle the wysiwyg editor? or template? It seems to have disapeared thru out the site.

Thanks.

T3MEDIA 11-25-2005 10:13 PM
For some reason editor_toolbar_wysiwyg has replaced editor_clientscript template...
newpost_usernamecode
posticons these templates are not in the 3.0.x setup.
How do I adjust things back to call proper templates?
Please and thank you.

How would that happen? Please advise.

AN-net 11-26-2005 01:51 AM
what version are you running and can you please state your errors more conscisely.

T3MEDIA 11-26-2005 02:51 PM
Quote:
Originally Posted by AN-net
what version are you running and can you please state your errors more conscisely.
Please take a look at post #52
It happens whenever I try to goto journal.php and adjusting the admincp does nothing.... unless you need a specific edit
this was on 3.0.3 board and updating to your latest version here. your other port for 3.5 works like a charm I just have a 3.0.x site that needs updating...

AN-net 11-26-2005 02:54 PM
it should have updated the old templates...you did not get any errors while upgrading?

Sean S 11-26-2005 03:57 PM
Quote:
Originally Posted by AN-net
it should have updated the old templates...you did not get any errors while upgrading?
AN-net I have one more question. Would it be possible to pull out the latest journal entry and display it somewhere in the user's profile if he/she has created a journal? if so could you give me some directions or ideas of how I would be able to achieve this? if you are too busy at the moment then don't worry I will try to ask someone else.

thank you.

AN-net 11-26-2005 10:39 PM
Quote:
Originally Posted by Sean S
AN-net I have one more question. Would it be possible to pull out the latest journal entry and display it somewhere in the user's profile if he/she has created a journal? if so could you give me some directions or ideas of how I would be able to achieve this? if you are too busy at the moment then don't worry I will try to ask someone else.

thank you.
try looking at the code in vbjournal_class.php, it has a function for recent entries, that code should give you an idea of how to use it:)

Sean S 11-27-2005 02:32 AM
Quote:
Originally Posted by AN-net
try looking at the code in vbjournal_class.php, it has a function for recent entries, that code should give you an idea of how to use it:)
oh cool, thanks a lot buddy, I will take a look :)

T3MEDIA 11-27-2005 12:47 PM
Quote:
Originally Posted by AN-net
it should have updated the old templates...you did not get any errors while upgrading?
there was no errors in the upgrade. however the reason why everything disapeared was because there was a corrupted table I used tools.php and fixed that.

I will manually add the templates but the SQL error what would that be from?

AN-net 11-27-2005 02:36 PM
if you did not receive errors you can rebuild the styles through admincp and hopefully the templates will update.

i think it may be caused by the space between ON and '('. im currently tinkering with beta 2 so once im done adding the features to beta 2 ill go and see if removing the spaces does anything.

T3MEDIA 11-27-2005 02:54 PM
could it be because your 3.0.7 and this was on 3.0.3?

Ok for this site how do I go about reverting? I want them to at least have thier old journals back.

AN-net 11-27-2005 03:19 PM
Quote:
Originally Posted by T3MEDIA
could it be because your 3.0.7 and this was on 3.0.3?

Ok for this site how do I go about reverting? I want them to at least have thier old journals back.
looking at the database changes, you can just use the old file and templates and it should work;)

T3MEDIA 11-28-2005 08:26 AM
Quote:
Originally Posted by AN-net
looking at the database changes, you can just use the old file and templates and it should work;)
No for real... because I had that hack for vbjournal & vbinex and it only shows ,,,,, now. That was not changed at all so reverting templates will work? Im asking because you havent told me any thing about the errors I asked and I simply want them to have back thier journals if this doenst work.

AN-net 11-28-2005 08:42 AM
Quote:
Originally Posted by T3MEDIA
No for real... because I had that hack for vbjournal & vbinex and it only shows ,,,,, now. That was not changed at all so reverting templates will work? Im asking because you havent told me any thing about the errors I asked and I simply want them to have back thier journals if this doenst work.
the mysql error you said you got from journal.php may be due to a space between some components in the query and the way your server is processing the query. i think the editor and unupdated templates is due to the styles not rebuilding correctly. which if is the case, then in admincp you can go to Important & Maintenance -> Update Counters -> Rebuild Styles

sNator 12-01-2005 07:58 PM
Can users have several journals for travel etc?

AN-net 12-02-2005 04:47 PM
Quote:
Originally Posted by sNator
Can users have several journals for travel etc?
currently the system only allows one journal per user

T3MEDIA 12-02-2005 06:49 PM
thanks for the info. Shame it doesnt work for me.

xfaethorx 12-09-2005 06:47 PM
dont have time to look into this in great detail myself but i need to be able to stop administrators being able to read peoples or just other administrators private journals / entries . One admin read another admins journals private entries...caused mass havoc...:s would be nice to be able to set it so admins can't read things set private to other admins.
:surprised:

xfaethorx 12-09-2005 07:11 PM
i made a quick change in function verify_viewer($id, $type) which works but i've had to hard code it i'd like a nicer solution for it but it'll do for a temp solution.

AN-net 12-09-2005 08:15 PM
remove all clauses of
PHP Code:
$bbuserinfo['usergroupid'] == 

xfaethorx 12-09-2005 08:37 PM
that kind of been my approach but i've set it so that one administrators account can't be viewed by any other admin account but he can see every other administrators journal and entries.

Any chances of getting some kind of permissions settings for this in the next version?

i've had to make other changes in journal.php to make sure no one who knows or tries to guess an entry link can view it via printentry or editentry..even delete entry if someone just wants to try and mangle a journal....

AN-net 12-10-2005 12:51 AM
probably not the next beta but the one after it definately:) my current version i am working on overhauls the front end message system.

Datenpapst 12-10-2005 01:27 PM
Quote:
Originally Posted by AN-net
its sort of scary and eerie that no one has found any errors yet but me>_>
Some Questions:
is it now possible to sort the journals by categories and to change the autor?

AN-net 12-10-2005 01:49 PM
Quote:
Originally Posted by Datenpapst
Some Questions:
is it now possible to sort the journals by categories and to change the autor?
there are no categories in this version and probably not till version 2. the author can not be changed through front-end. again that is probably not a likely feature until version 2. the main focus of 1.5 is to improve the basic system we have right now. version 2 will extend 1.5 by adding more frivulous features.

Datenpapst 12-12-2005 09:25 AM
Quote:
Originally Posted by AN-net
there are no categories in this version and probably not till version 2. the author can not be changed through front-end. again that is probably not a likely feature until version 2. the main focus of 1.5 is to improve the basic system we have right now. version 2 will extend 1.5 by adding more frivulous features.
When there will be v2.0? :)

AN-net 12-12-2005 10:11 AM
Quote:
Originally Posted by Datenpapst
When there will be v2.0? :)
if i get 1.5 out of beta early next year then probably spring '06

T3MEDIA 12-17-2005 05:05 PM
any luck on that error I was getting? Any update I can beta test?

AN-net 12-18-2005 01:48 AM
Quote:
Originally Posted by T3MEDIA
any luck on that error I was getting? Any update I can beta test?
im currently stuck on a development issue with WYSIWYG, once i resolve it i can release the next beta.


All times are GMT. The time now is 03:36 AM.
Page 2 of 4 1 2 34
Show 40 post(s) from this thread on one page

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.02924 seconds
  • Memory Usage 1,849KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (5)bbcode_php_printable
  • (20)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (3)pagenav_pagelink
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (40)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • pagenav_page
  • pagenav_complete
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete