vB Journal 1.5 Beta 3 (https://vborg.vbsupport.ru/showthread.php?t=100385)

AN-net 11-19-2005 11:46 AM

XSS Vulnerability Patched!

All running Beta 1 prior to 11/19/05 are strongly encouraged to apply this patch or download the updated file then overwrite.

To patch this security risk, find the following in journal.php (Find and Replace All Instances):
PHP Code:

$message = trim(convert_wysiwyg_html_to_bbcode($_POST['WYSIWYG_HTML'], 0));

Replace that with:
PHP Code:

$message = trim(htmlspecialchars_uni(convert_wysiwyg_html_to_bbcode($_POST['WYSIWYG_HTML'], 0)));

Find in journal.php (Find and Replace All Instances):
PHP Code:

$entry['message'] = trim(convert_wysiwyg_html_to_bbcode($_POST['WYSIWYG_HTML'], 0)); 

Replace that with:
PHP Code:

$entry['message'] = trim(htmlspecialchars_uni(convert_wysiwyg_html_to_bbcode($_POST['WYSIWYG_HTML'], 0))); 

I have updated the zip and attached the patched file below.
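
A check for the "Find and Replace All Instances" step in the post above, as an added example that is not part of the original post or of vB Journal: it lists every line that still passes `$_POST['WYSIWYG_HTML']` to `convert_wysiwyg_html_to_bbcode()` without the `htmlspecialchars_uni()` wrapper. The function names `unpatched_calls` and `write_sample` are hypothetical, the sample excerpt is constructed, and the check assumes each call sits on a single line.

```shell
#!/bin/sh
# Added example: report calls in journal.php that the patch has not yet wrapped.

# Print "lineno: source" for each unpatched call; exit status 1 if any are found.
unpatched_calls() {
    awk '
        BEGIN {
            # \047 is a single quote; fixed strings, compared with index().
            call    = "convert_wysiwyg_html_to_bbcode($_POST[\047WYSIWYG_HTML\047]"
            wrapped = "htmlspecialchars_uni(" call
        }
        {
            line = $0
            gsub(/[ \t]/, "", line)      # ignore spacing differences
            # Assumption: at most one such call per line.
            if (index(line, call) && !index(line, wrapped)) {
                print NR ": " $0
                found = 1
            }
        }
        END { exit found + 0 }
    ' "$1"
}

# Constructed excerpt (not the real journal.php): line 1 patched, line 2 not.
write_sample() {
    cat > "$1" <<'EOF'
$message = trim(htmlspecialchars_uni(convert_wysiwyg_html_to_bbcode($_POST['WYSIWYG_HTML'], 0)));
$entry['message'] = trim( convert_wysiwyg_html_to_bbcode($_POST['WYSIWYG_HTML'], 0) );
EOF
}

# Demo run on the constructed excerpt.
sample=$(mktemp)
write_sample "$sample"
unpatched_calls "$sample" || echo "unpatched call(s) remain" >&2
rm -f "$sample"
```

To check a real install, call `unpatched_calls /path/to/journal.php`; an empty result with exit status 0 means every matching call is wrapped.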

xfaethorx 11-24-2005 04:35 PM

upgraded from 1.0.1 to current beta and i'm getting

Invalid SQL: SELECT
journals.journal_id, journals.journalname, journals.journaldesc,
journals.journalist, journals.journalist_id, entrycount, commentcount, usertextfield.jbuddylist, ipaddress, journals.lastentry,
journals.lastentry_date, journals.private, journals.lastentry_id, journals.lastentry_misc, journals.status, journals.journalviews,
journals.journal_totalrating AS totalrating, journals.journal_totalvotes AS totalvotes
FROM journals AS journals
LEFT JOIN usertextfield AS usertextfield ON (journals.journalist_id=usertextfield.userid)
WHERE journal_id IN(1,2,3,4,5,6,8,9)
ORDER BY
LIMIT 0,10

on journal.php although everything seems ok if i access the journals directly via user name...

really confused, need some help here.

AN-net 11-24-2005 04:40 PM

Quote:

Originally Posted by xfaethorx
upgraded from 1.0.1 to current beta and i'm getting


Invalid SQL: SELECT
journals.journal_id, journals.journalname, journals.journaldesc,
journals.journalist, journals.journalist_id, entrycount, commentcount, usertextfield.jbuddylist, ipaddress, journals.lastentry,
journals.lastentry_date, journals.private, journals.lastentry_id, journals.lastentry_misc, journals.status, journals.journalviews,
journals.journal_totalrating AS totalrating, journals.journal_totalvotes AS totalvotes
FROM journals AS journals
LEFT JOIN usertextfield AS usertextfield ON (journals.journalist_id=usertextfield.userid)
WHERE journal_id IN(1,2,3,4,5,6,8,9)
ORDER BY
LIMIT 0,10

on journal.php although everything seems ok if i access the journals directly via user name...

really confused, need some help here.

you must set the order by in your admincp/journal settings;)

xfaethorx 11-24-2005 04:44 PM

yeah i just went in and saved the current settings and it's all working now...
sorry dumbass moment there...

jesus im special, sorry

AN-net 11-24-2005 04:48 PM

Quote:

Originally Posted by xfaethorx
yeah i just went in and saved the current settings and it's all working now...
sorry dumbass moment there...

jesus im special, sorry

not a problem, we all have our moments of idiocy.

xfaethorx 11-24-2005 06:25 PM

yeah thing is so far i've managed quite a few decades of idiocy......;) by the way great work on the hack! The upgrade was simplicity after my own mistake! keep it up!

AN-net 11-24-2005 06:54 PM

Quote:

Originally Posted by xfaethorx
yeah thing is so far i've managed quite a few decades of idiocy......;) by the way great work on the hack! The upgrade was simplicity after my own mistake! keep it up!

im currently working on beta 2 which adds some features:)

xfaethorx 11-24-2005 08:03 PM

nice one..i know on another forum blog software has been asked for but with a few more additions on here and this is it to be honest! It'd be nice to have a collapsible comments block so you could expand the comments under a journal entry..or some kind of alternative thread views and obviously a now listening to and all the like.

Anyway you'll have a better idea of what you want to do with it than me. I'm just happy it's still supported seeing as everyone else is going 3.5 and I'm staying 3.0.x
:D

AN-net 11-24-2005 08:10 PM

Quote:

Originally Posted by xfaethorx
nice one..i know on another forum blog software has been asked for but with a few more additions on here and this is it to be honest! It'd be nice to have a collapsible comments block so you could expand the comments under a journal entry..or some kind of alternative thread views and obviously a now listening to and all the like.

Anyway you'll have a better idea of what you want to do with it than me. I'm just happy it's still supported seeing as everyone else is going 3.5 and I'm staying 3.0.x
:D

can you explain the alternative thread views thing?

also 1.5 will be the last version of vB Journal on 3.0.x, future versions past 1.5 will be designed for 3.5.x. I felt as though I owed it to the users to include a more stable and featured version before I migrate to 3.5.

xfaethorx 11-25-2005 07:33 AM

just the integration if possible of the linear, hybrid and threaded display modes.

so when you clicked on comments you'd be taken to comments that are pretty much styled like showthread.php with the ability to change the display type.

It would be nice to see the comments like showthread.php making the journal entry and comments a thread unto themselves, then you could support more display views, the postbit templates, use the quick reply box as the add new comment and other bits and bats. You could potentially do stuff for journal attachments as well but that would mean changes to newattachments.php and attachment.php. However that's a big change and would mean much more integration work.

It would however be nice to have the comments similar to postbit and postbit_legacy so you can see user avatars etc.

