[Tool] phpBB 2.0.10 to 2.0.11 Changes

All new MODs released in our MOD Database will be announced in here. All support for released MODs needs to take place in here. No new MODs will be accepted into the MOD Database for phpBB2

On February 1, 2009 this forum will be set to read only as part of retiring of phpBB2.


Graham
Former Team Member
Posts: 8462
Joined: Tue Mar 19, 2002 7:11 pm
Location: UK

Post by Graham »

Can you post the first 5 or 10 lines of the other file mentioned in the error message - that is where the problem is likely to be.
"So Long, and Thanks for All the Fish"

phpBB Useful Links: Knowledge Base | Userguide | Forum Search | MOD Database | Styles Database
My Links: Blog!
Janet Jackson
Registered User
Posts: 2
Joined: Thu Sep 30, 2004 11:30 pm
Location: The Netherlands

Post by Janet Jackson »

Thank you for your time :D

Lines 1 to 10 of includes/usercp_register.php :

Code: Select all

 *
***************************************************************************/<?php
/***************************************************************************
 *                            usercp_register.php
 *                            -------------------
 *   begin                : Saturday, Feb 13, 2001
 *   copyright            : (C) 2001 The phpBB Group
 *   email                : support@phpbb.com
 *
 *   $Id: usercp_register.php,v 1.20.2.57 2004/03/25 15:57:20 acydburn Exp $

In case you need the first ten lines after the file information, lines 35 to 45:

Code: Select all

*/

if ( !defined('IN_PHPBB') )
{
	die("Hacking attempt");
	exit;
}

$unhtml_specialchars_match = array('#&gt;#', '#&lt;#', '#&quot;#', '#&amp;#');
$unhtml_specialchars_replace = array('>', '<', '"', '&');

edit @ 11 PM: I guess you were right. The first two lines looked different from other .php files in the same directory, so I made it similar.
Now the first two lines of the file are as follows:

Code: Select all

<?php
/***************************************************************************

The errors are gone! Thanks for your hint :)
Shut up, be happy.
laboyde
Registered User
Posts: 3
Joined: Wed Jan 19, 2005 5:03 pm

security fix to 2.0.10 only?

Post by laboyde »

I have 2.0.10 installed, and it's over-customised, so I can't run the risk of the usual update.

This patch looks great. But all I really want to do is fix the security holes in .10, as this current board will be deactivated in 6 months. I don't want to run the risk of a database structure update file.

I have done the 1 line change in viewtopic. But I feel there are a few more areas to implement? Can anyone suggest the bare minimum changes to implement the following?

-Fix vulnerability in highlighting code: anywhere else other than viewtopic?
-Fixed unsetting global vars - which bits?
-Fixed XSS vulnerability in username handling
-Fixed not confirmed sql injection in username handling

Any ideas?

Can I just go through all the changes in this mod without running update to 2011.php?? Or does this file NEED to be run....

Thanks and peace and love
Graham
Former Team Member
Posts: 8462
Joined: Tue Mar 19, 2002 7:11 pm
Location: UK

Post by Graham »

The update_to_2011.php file should be run - although if you are going from 2.0.10 to 2.0.11 you can actually do the same thing by hand; all it does is alter the version number between those 2 versions.
laboyde
Registered User
Posts: 3
Joined: Wed Jan 19, 2005 5:03 pm

Post by laboyde »

thanks...

I had previously scoured the .php and seen the code, and thought **** it's going to screw the entire world.. So if that's all it does, I can relax...

many many thanks
Shanana
Registered User
Posts: 368
Joined: Sat Aug 28, 2004 4:03 am
Location: USA [from London, England]

Post by Shanana »

Wait - what is this some people are talking about? That you only have to change 2.0.10 to 2.0.11 & that's it?
asinshesq
Registered User
Posts: 6266
Joined: Sun Feb 22, 2004 9:34 pm
Location: NYC
Name: Alan

Post by asinshesq »

Shanana wrote: Wait - what is this some people are talking about? That you only have to change 2.0.10 to 2.0.11 & that's it?


They are just talking about the only change you need to make to your database...you can run the database updater script (which is the way you should be doing things so that in the future if there are more significant table changes you won't miss them) or you can simply change the 2.0.10 to 2.0.11 in the db.

But that has nothing to do with the changes you NEED to make to your phpbb files. For those, you need to make the changes that are described step by step in this mod. And this is a very very very important upgrade...your site is extremely vulnerable if you do not do it. (And lest you think no one hates you enough to mess your board up, be aware that there are people out there who have done web searches looking for phpbb boards that are still running 2.0.10 and then have attacked those boards...so you don't need to have a prominent board or any particular enemies to be a real live target.)
Rosoner
Registered User
Posts: 37
Joined: Sat Feb 08, 2003 7:41 am

Post by Rosoner »

I updated to 2.0.11 but now auto login doesn't work anymore
steoo
Registered User
Posts: 28
Joined: Sat Jan 15, 2005 9:47 pm

Post by steoo »

OK, I've applied all the code changes, now my profile.php sometimes doesn't work.

All I added was as required -

Code: Select all

...
include($phpbb_root_path . 'includes/usercp_register.'.$phpEx);
		exit;
	}
	else if ( $mode == 'confirm' ) 
   { 
      // Visual Confirmation 
      if ( $userdata['session_logged_in'] ) 
      { 
         exit; 
      } 

      include($phpbb_root_path . 'includes/usercp_confirm.'.$phpEx); 
       exit; 
    } 

	else if ( $mode == 'sendpassword' )
	{
		include($phpbb_root_path . 'includes/usercp_sendpasswd.'.$phpEx);
		exit;
...

If I am logged in and look at my own profile it works fine, but if I try to look at my profile or someone else's profile by clicking on their username beside their post I get the following error -

Parse error: parse error, unexpected T_CONSTANT_ENCAPSED_STRING, expecting ')' in /home/staff/public_html/forum/includes/usercp_viewprofile.php on line 177

Any ideas??

Thanks
steoo
Registered User
Posts: 28
Joined: Sat Jan 15, 2005 9:47 pm

Post by steoo »

Referring to my above post, here is the code around line 177 of usercp_viewprofile -

Code: Select all

$yim_img = ( $profiledata['user_yim'] ) ? '<a href="http://edit.yahoo.com/config/send_webmesg?.target=' . $profiledata['user_yim'] . '&.src=pg"><img src="' . $images['icon_yim'] . '" alt="' . $lang['YIM'] . '" title="' . $lang['YIM'] . '" border="0" /></a>' : '';
$yim = ( $profiledata['user_yim'] ) ? '<a href="http://edit.yahoo.com/config/send_webmesg?.target=' . $profiledata['user_yim'] . '&.src=pg">' . $lang['YIM'] . '</a>' : '';

$temp_url = append_sid("search.$phpEx?search_author=" . urlencode($profiledata['username']) . "&showresults=posts");
$search_img = '<a href="' . $temp_url . '"><img src="' . $images['icon_search'] . '" alt="' . $lang['Search_user_posts'] . '" title="' . $lang['Search_user_posts'] . '" border="0" /></a>';
$search = '<a href="' . $temp_url . '">' . $lang['Search_user_posts'] . '</a>';

//
// Generate page
//
$page_title = $lang['Viewing_profile'];
include($phpbb_root_path . 'includes/page_header.'.$phpEx);

if (function_exists('get_html_translation_table')) 
{ 
   $u_search_author = urlencode(strtr($profiledata['username'], array_flip(get_html_translation_table(HTML_ENTITIES)))); 
} 
else 
{ 
   $u_search_author = urlencode(str_replace(array('&', ''', '"', '<', '>'), array('&', "'", '"', '<', '>'), $profiledata['username'])); 
} 


$show_jobs_user_type = jobs_user_type($profiledata['user_type'], "viewprofile");
//$show_jobs_user_type = $_COOKIE['vgm_user_type'];
$jobs_location_array = array($profiledata['jobs_address'], $profiledata['jobs_country']);
$jobs_location = implode(", ", $jobs_location_array);

$template->assign_vars(array(
	'USERNAME' => $profiledata['username'],
	'JOINED' => create_date($lang['DATE_FORMAT'], $profiledata['user_regdate'], $board_config['board_timezone']),
	'POSTER_RANK' => $poster_rank,
	'RANK_IMAGE' => $rank_image,
	'POSTS_PER_DAY' => $posts_per_day,
	'POSTS' => $profiledata['user_posts'],
	'JOBS_USER_TYPE' => ucfirst($show_jobs_user_type[0]),
	'PERCENTAGE' => $percentage . '%', 
	'POST_DAY_STATS' => sprintf($lang['User_post_day_stats'], $posts_per_day), 
	'POST_PERCENT_STATS' => sprintf($lang['User_post_pct_stats'], $percentage), 
...
steoo
Registered User
Posts: 28
Joined: Sat Jan 15, 2005 9:47 pm

Post by steoo »

Sorry for all my replies...

But this new line -

Code: Select all

 $u_search_author = urlencode(str_replace(array('&', ''', '"', '<', '>'), array('&', "'", '"', '<', '>'), $profiledata['username'])); 

- is what's causing all the problems.

How is that line giving me this error -

Parse error: parse error, unexpected T_CONSTANT_ENCAPSED_STRING, expecting ')' in /home/staff/public_html/forum/includes/usercp_viewprofile.php on line 177

Any help greatly appreciated!!

(note: commenting out the line makes my phpbb not crash.)
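
An added example, not part of any post in this thread: a post-edit check for the two hand-patching mistakes that show up above, text in front of the opening `<?php` tag (PHP sends it as page output) and a string literal reading `'''`. It assumes the `'''` is what `'&#039;'` turns into when MOD instructions are copied from a page that has decoded the HTML entities; the function names are made up for this sketch, and `php -l` is used only if the `php` binary is installed.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# True when the file begins with the PHP open tag. Anything in front of it,
# such as leftover comment lines, is emitted as output before any header.
starts_with_php_tag() {
    [ "$(head -c 5 "$1" 2>/dev/null)" = "<?php" ]
}

# Print the line numbers that contain three single quotes in a row.
# Assumption: this is '&#039;' after entity decoding. Heuristic only; it can
# also match inside comments or double-quoted strings.
decoded_entity_lines() {
    grep -n "'''" "$1" | cut -d: -f1
}

# Report findings for every .php file under a directory (no output = clean).
check_tree() {
    find "$1" -type f -name '*.php' | while IFS= read -r f; do
        starts_with_php_tag "$f" || echo "$f: content before <?php"
        for n in $(decoded_entity_lines "$f"); do
            echo "$f:$n: possible decoded HTML entity in a string literal"
        done
        if command -v php >/dev/null 2>&1; then
            php -l "$f" >/dev/null 2>&1 </dev/null ||
                echo "$f: php -l reports a syntax error"
        fi
    done
}

if [ $# -gt 0 ]; then
    check_tree "$1"
else
    # Constructed samples: stray text before the tag, and a decoded entity.
    d=$(mktemp -d)
    printf ' *\n***/<?php\n$x = 1;\n' > "$d/head.php"
    printf "<?php\n\$a = array('&', ''', '\"');\n" > "$d/entity.php"
    check_tree "$d"
    rm -rf "$d"
fi
```

Run it with the board's root directory as the argument after applying the edits and before reloading the forum.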
smackdown
Registered User
Posts: 89
Joined: Tue Aug 24, 2004 5:55 pm

Post by smackdown »

Ok. . .I installed this and now, when I enter a username in Permissions, I get this error:
Warning: Wrong parameter count for rtrim() in //includes/functions.php on line 79

Information
Sorry, but no such user exists.

This is the code from includes/functions.php:
}

74 return false;
75 }
76 // added at phpBB 2.0.11 to properly format the username
77 function phpbb_clean_username($username)
78 {
79 $username = htmlspecialchars(rtrim(trim($username), "\\"));
80 $username = substr(str_replace("\\'", "'", $username), 0, 25);
81 $username = str_replace("'", "\\'", $username);
82
83 return $username;
84 }
85 //
86 // Get Userdata, $user can be username or user_id. If force_str is true, the username will
87 // be forced.
88 //
89 function get_userdata($user, $force_str = false)
90 {


I re-did this entire install to make sure I wasn't making any mistakes and ended up with the same result.
You can PM me with support questions, but I don't know a thing about phpBB...
smackdown
Registered User
Posts: 89
Joined: Tue Aug 24, 2004 5:55 pm

Post by smackdown »

Duh. . .Nevermind. . .I always find an answer right after I post stuff.

Sorry gang!!!

This topic was the problem: http://www.phpbb.com/phpBB/viewtopic.php?t=241257
dragon39
Registered User
Posts: 44
Joined: Thu Oct 28, 2004 4:50 pm

you cannot create new topics mode and something else

Post by dragon39 »

two questions only please.

a) I am at 2.10 and am fearful to upgrade because I have many mods installed. Won't these be affected?

b) I notice there are a lot of phpbb forums out there with the YOU CANNOT CREATE NEW TOPICS selection. I want that too to stop stupid users from creating duplicate threads. Where's the mod for that?

thanks
dragon39
Registered User
Posts: 44
Joined: Thu Oct 28, 2004 4:50 pm

update

Post by dragon39 »

For 6 days, no one answered my queries above so I updated 2.010 to 2.011 using easymod and it worked. Even visual confirmation. Using icgstation template.

Now my question is, why do my pages still say version 2.010 at the bottom?