
Posted: Tue Jan 18, 2005 6:52 pm
by Graham
Can you post the first 5 or 10 lines of the other file mentioned in the error message - that is where the problem is likely to be.

Posted: Tue Jan 18, 2005 7:38 pm
by Janet Jackson
Thank you for your time :D

Lines 1 to 10 of includes/usercp_register.php :

Code:

 *
***************************************************************************/<?php
/***************************************************************************
 *                            usercp_register.php
 *                            -------------------
 *   begin                : Saturday, Feb 13, 2001
 *   copyright            : (C) 2001 The phpBB Group
 *   email                : support@phpbb.com
 *
 *   $Id: usercp_register.php,v 1.20.2.57 2004/03/25 15:57:20 acydburn Exp $

In case you need the first ten lines after the file information, lines 35 to 45 :

Code:

*/

if ( !defined('IN_PHPBB') )
{
	die("Hacking attempt");
	exit;
}

$unhtml_specialchars_match = array('#&gt;#', '#&lt;#', '#&quot;#', '#&amp;#');
$unhtml_specialchars_replace = array('>', '<', '"', '&');

edit @ 11 PM : I guess you were right. The first two lines looked different from other .php files in the same directory, so I made it similar.
Now the first two lines of the file are as follows :

Code:

<?php
/***************************************************************************

The errors are gone ! Thanks for your hint :)

security fix to 2.0.10 only?

Posted: Wed Jan 19, 2005 5:15 pm
by laboyde
I have 2.0.10 installed, and it's over-customised, so can't run risk of usual update.

This patch looks great. But all I really want to do is fix the security holes in .10, as this current board will be deactivated in 6 months. I don't want to run the risk of a database structure update file.

I have done the 1 line change in viewtopic. But I feel there are few more areas to implement? Can anyone suggest the bare minimum changes, to implement the following?

-Fix vulnerability in highlighting code: anywhere else other than viewtopic?
-Fixed unsetting global vars - which bits?
-Fixed XSS vulnerability in username handling
-Fixed not confirmed sql injection in username handling

Any ideas?

Can I just go through all the changes in this mod without running update to 2011.php?? Or does this file NEED to be run....

Thanks and peace and love

Posted: Wed Jan 19, 2005 7:12 pm
by Graham
The update_to_2011.php file should be run - although if you are going from 2.0.10 to 2.0.11 you can actually do the same thing by hand; all it does is alter the version number between those 2 versions.

Posted: Thu Jan 20, 2005 12:00 pm
by laboyde
thanks...

I had previously scoured the .php and seen the code, and thought **** it's going to screw the entire world.. So if that's all it does, I can relax...

many many thanks

Posted: Wed Jan 26, 2005 9:33 am
by Shanana
Wait - what is this some people are talking about? That you only have to change 2.0.10 to 2.0.11 & that's it?

Posted: Wed Jan 26, 2005 1:51 pm
by asinshesq
Shanana wrote: Wait - what is this some people are talking about? That you only have to change 2.0.10 to 2.0.11 & that's it?


They are just talking about the only change you need to make to your database...you can run the database updater script (which is the way you should be doing things so that in the future if there are more significant table changes you won't miss them) or you can simply change the 2.0.10 to 2.0.11 in the db.

But that has nothing to do with the changes you NEED to make to your phpbb files. For those, you need to make the changes that are described step by step in this mod. And this is a very very very important upgrade...your site is extremely vulnerable if you do not do it. (And lest you think no one hates you enough to mess your board up, be aware that there are people out there who have done web searches looking for phpbb boards that are still running 2.0.10 and then have attacked those boards...so you don't need to have a prominent board or any particular enemies to be a real live target.)

Posted: Sat Jan 29, 2005 5:57 pm
by Rosoner
i updated to 2.0.11 but now auto login doesn't work anymore

Posted: Sat Jan 29, 2005 8:27 pm
by steoo
OK, I've applied all the code changes, now my profile.php sometimes doesn't work.

All I added was as required -

Code:

...
include($phpbb_root_path . 'includes/usercp_register.'.$phpEx);
		exit;
	}
	else if ( $mode == 'confirm' ) 
   { 
      // Visual Confirmation 
      if ( $userdata['session_logged_in'] ) 
      { 
         exit; 
      } 

      include($phpbb_root_path . 'includes/usercp_confirm.'.$phpEx); 
       exit; 
    } 

	else if ( $mode == 'sendpassword' )
	{
		include($phpbb_root_path . 'includes/usercp_sendpasswd.'.$phpEx);
		exit;
...

If I am logged in and look at my own profile it works fine, but if I try to look at my profile or someone else's profile by clicking on their username beside their post I get the following error -

Parse error: parse error, unexpected T_CONSTANT_ENCAPSED_STRING, expecting ')' in /home/staff/public_html/forum/includes/usercp_viewprofile.php on line 177

Any ideas??

Thanks

Posted: Sat Jan 29, 2005 8:51 pm
by steoo
Referring to my above post, here is the code around line 177 of usercp_viewprofile -

Code:

$yim_img = ( $profiledata['user_yim'] ) ? '<a href="http://edit.yahoo.com/config/send_webmesg?.target=' . $profiledata['user_yim'] . '&.src=pg"><img src="' . $images['icon_yim'] . '" alt="' . $lang['YIM'] . '" title="' . $lang['YIM'] . '" border="0" /></a>' : '';
$yim = ( $profiledata['user_yim'] ) ? '<a href="http://edit.yahoo.com/config/send_webmesg?.target=' . $profiledata['user_yim'] . '&.src=pg">' . $lang['YIM'] . '</a>' : '';

$temp_url = append_sid("search.$phpEx?search_author=" . urlencode($profiledata['username']) . "&showresults=posts");
$search_img = '<a href="' . $temp_url . '"><img src="' . $images['icon_search'] . '" alt="' . $lang['Search_user_posts'] . '" title="' . $lang['Search_user_posts'] . '" border="0" /></a>';
$search = '<a href="' . $temp_url . '">' . $lang['Search_user_posts'] . '</a>';

//
// Generate page
//
$page_title = $lang['Viewing_profile'];
include($phpbb_root_path . 'includes/page_header.'.$phpEx);

if (function_exists('get_html_translation_table')) 
{ 
   $u_search_author = urlencode(strtr($profiledata['username'], array_flip(get_html_translation_table(HTML_ENTITIES)))); 
} 
else 
{ 
   $u_search_author = urlencode(str_replace(array('&', ''', '"', '<', '>'), array('&', "'", '"', '<', '>'), $profiledata['username'])); 
} 


$show_jobs_user_type = jobs_user_type($profiledata['user_type'], "viewprofile");
//$show_jobs_user_type = $_COOKIE['vgm_user_type'];
$jobs_location_array = array($profiledata['jobs_address'], $profiledata['jobs_country']);
$jobs_location = implode(", ", $jobs_location_array);

$template->assign_vars(array(
	'USERNAME' => $profiledata['username'],
	'JOINED' => create_date($lang['DATE_FORMAT'], $profiledata['user_regdate'], $board_config['board_timezone']),
	'POSTER_RANK' => $poster_rank,
	'RANK_IMAGE' => $rank_image,
	'POSTS_PER_DAY' => $posts_per_day,
	'POSTS' => $profiledata['user_posts'],
	'JOBS_USER_TYPE' => ucfirst($show_jobs_user_type[0]),
	'PERCENTAGE' => $percentage . '%', 
	'POST_DAY_STATS' => sprintf($lang['User_post_day_stats'], $posts_per_day), 
	'POST_PERCENT_STATS' => sprintf($lang['User_post_pct_stats'], $percentage), 
...

Posted: Sat Jan 29, 2005 8:58 pm
by steoo
Sorry for all my replies...

But this new line -

Code:

 $u_search_author = urlencode(str_replace(array('&', ''', '"', '<', '>'), array('&', "'", '"', '<', '>'), $profiledata['username'])); 

- is what's causing all the problems.

How is that line giving me this error -

Parse error: parse error, unexpected T_CONSTANT_ENCAPSED_STRING, expecting ')' in /home/staff/public_html/forum/includes/usercp_viewprofile.php on line 177

Any help greatly appreciated!!

(note: commenting out the line makes my phpbb not crash.)
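
Added example, not part of the original posts and not phpBB's own code: the quoted line cannot be parsed because its first array holds literal characters where entity strings belong, so `'''` is read as an empty string followed by the start of another string. The sketch assumes the intended search strings are the five HTML entities shown; `decode_username_entities()`, `search_author_param()` and the sample usernames are constructed for illustration.

```php
<?php
// Added illustration; function names and sample data are constructed, not phpBB's.

// Broken form from the post (kept as a comment because it does not parse):
//   array('&', ''', '"', '<', '>')
// PHP reads '' as an empty string and then meets another quoted string where
// it expects ',' or ')', hence "unexpected T_CONSTANT_ENCAPSED_STRING".

// Assumed intended form: entity strings to search for, literal characters to insert.
function decode_username_entities($username)
{
    $entities = array('&amp;', '&#039;', '&quot;', '&lt;', '&gt;');
    $literals = array('&', "'", '"', '<', '>');
    // str_replace() walks the arrays in order, so '&amp;' is handled first.
    return str_replace($entities, $literals, $username);
}

// Build the search_author value the way the posted code does:
// decode the entity-encoded name, then URL-encode it for the query string.
function search_author_param($stored_username)
{
    return urlencode(decode_username_entities($stored_username));
}

// Constructed sample usernames in entity-encoded form.
$samples = array(
    'Tom &amp; Jerry',
    'O&#039;Brien',
    '&lt;b&gt;bold&lt;/b&gt;',
);

foreach ($samples as $stored) {
    printf("%-26s => search_author=%s\n", $stored, search_author_param($stored));
}
```

When a MOD instruction is copied out of a rendered web page, the browser has already turned the entities into their characters, so the pasted line should be compared against the raw text of the instructions.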

Posted: Tue Feb 01, 2005 9:11 pm
by smackdown
Ok. . .I installed this and now, when I enter a username in Permissions, I get this error:
Warning: Wrong parameter count for rtrim() in //includes/functions.php on line 79

Information
Sorry, but no such user exists.

This is the code from includes/functions.php:
}

74 return false;
75 }
76 // added at phpBB 2.0.11 to properly format the username
77 function phpbb_clean_username($username)
78 {
79 $username = htmlspecialchars(rtrim(trim($username), "\\"));
80 $username = substr(str_replace("\\'", "'", $username), 0, 25);
81 $username = str_replace("'", "\\'", $username);
82
83 return $username;
84 }
85 //
86 // Get Userdata, $user can be username or user_id. If force_str is true, the username will 87 be forced.
88 //
89 function get_userdata($user, $force_str = false)
90 {


I re-did this entire install to make sure I wasn't making any mistakes and ended up with the same result.

Posted: Tue Feb 01, 2005 10:36 pm
by smackdown
Duh. . .Nevermind. . .I always find an answer right after I post stuff.

Sorry gang!!!

This topic was the problem: http://www.phpbb.com/phpBB/viewtopic.php?t=241257
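
Added example, not from the thread or from phpBB: "Wrong parameter count for rtrim()" is what PHP releases older than 4.1.0 report, because the optional character-list argument of rtrim() was only added in 4.1.0. The sketch repeats the three steps of the posted phpbb_clean_username() without that second argument; the function names and sample inputs are constructed, and ENT_COMPAT is passed explicitly on the assumption that the posted code relied on the old htmlspecialchars() default.

```php
<?php
// Added illustration; both function names are hypothetical, not phpBB's.

// Remove trailing backslashes using only one-argument string functions.
function strip_trailing_backslashes($value)
{
    while (strlen($value) > 0 && substr($value, -1) == "\\") {
        $value = substr($value, 0, -1);
    }
    return $value;
}

// Same steps as the posted phpbb_clean_username(), minus the two-argument rtrim().
function clean_username_compat($username)
{
    // 1. Trim whitespace, drop trailing backslashes, encode HTML metacharacters.
    //    ENT_COMPAT encodes double quotes and leaves single quotes alone.
    $username = htmlspecialchars(strip_trailing_backslashes(trim($username)), ENT_COMPAT);
    // 2. Undo any existing \' escaping, then cap the length at 25 characters.
    $username = substr(str_replace("\\'", "'", $username), 0, 25);
    // 3. Escape single quotes once, so the value is not double-escaped.
    $username = str_replace("'", "\\'", $username);
    return $username;
}

// Constructed sample inputs.
$samples = array(
    "  admin\\\\  ",          // trailing backslashes and surrounding spaces
    "O\\'Brien",              // already escaped quote
    "<script>x</script>",     // HTML metacharacters
);

foreach ($samples as $raw) {
    echo var_export($raw, true), ' => ', var_export(clean_username_compat($raw), true), "\n";
}
```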

you cannot create new topics mode and something else

Posted: Sun Feb 13, 2005 3:22 pm
by dragon39
two questions only please.

a) i am at 2.10 and am fearful to upgrade because i have many mods installed. won't these be affected?

b) i notice there are a lot of phpbb forums out there with the YOU CANNOT CREATE NEW TOPICS selection. i want that too to stop stupid users from creating duplicate threads. where's the mod for that.

thanks

update

Posted: Fri Feb 18, 2005 5:25 pm
by dragon39
for 6 days, no one answered my Queries above so i updated 2.010 to 2.011 using easymod and it worked. even visual confirmation. using icgstation template.

now my question is, why do my pages still say version 2.010 at the bottom?