[2.0.18] Track PMs


On February 1, 2009 this forum will be set to read only as part of retiring of phpBB2.


fahraeus
Registered User
Posts: 134
Joined: Tue Nov 23, 2004 3:47 pm

Post by fahraeus » Sun Dec 11, 2005 7:41 pm

Hi!
asinshesq wrote: Are you using manipe's or phantomk's version?

And you never confirmed my assumption that the track pm mod is working fine when the recipient answers a regular pm (it's only messed up when the user answers a welcoming pm). Is that assumption correct?


I am using manipe's version.

Your assumption is correct, tracking was only messed up when the user answered a welcoming PM.

Your posts above made me try the following:

The Welcome PM mod has this code:

Code:

	$sql_info = "INSERT INTO " . PRIVMSGS_TABLE . " (privmsgs_type, privmsgs_subject, privmsgs_from_userid, privmsgs_to_userid, privmsgs_date, privmsgs_ip, privmsgs_enable_html, privmsgs_enable_bbcode, privmsgs_enable_smilies, privmsgs_attach_sig)
		VALUES (" . PRIVMSGS_NEW_MAIL . ", '" . str_replace("\'", "''", $wpm_subject) . "', " . $swpm_config['wpm_userid'] . ", " . $usertodata['user_id'] . ", $msg_time, '$user_ip', 0, 1, 1, 1)";
I changed '$user_ip' in the above code to a fictive value copied from the administrator's IP field when a normal message is sent.

Great thing it seems to work.

But maybe not the nicest way to solve it?

asinshesq
Registered User
Posts: 6266
Joined: Sun Feb 22, 2004 9:34 pm
Location: NYC
Name: Alan

Post by asinshesq » Sun Dec 11, 2005 8:05 pm

fahraeus wrote: ......Your posts above made me try the following:

The Welcome PM mod has this code:

Code:

	$sql_info = "INSERT INTO " . PRIVMSGS_TABLE . " (privmsgs_type, privmsgs_subject, privmsgs_from_userid, privmsgs_to_userid, privmsgs_date, privmsgs_ip, privmsgs_enable_html, privmsgs_enable_bbcode, privmsgs_enable_smilies, privmsgs_attach_sig)
		VALUES (" . PRIVMSGS_NEW_MAIL . ", '" . str_replace("\'", "''", $wpm_subject) . "', " . $swpm_config['wpm_userid'] . ", " . $usertodata['user_id'] . ", $msg_time, '$user_ip', 0, 1, 1, 1)";
I changed '$user_ip' in the above code to a fictive value copied from the administrator's IP field when a normal message is sent.

Great thing it seems to work.

But maybe not the nicest way to solve it?

That's really strange. I have no idea why that would work, since the select sql that manipe uses to find all pms sharing the same track_id doesn't even use the IP in the first place. Glad it worked, and I don't see anything wrong with having a fictive IP in there.

Manipe, any idea why that would have made a difference?

Manipe
Former Team Member
Posts: 1146
Joined: Thu Jul 22, 2004 6:30 pm
Location: Éire
Contact:

Post by Manipe » Sun Dec 11, 2005 8:17 pm

asinshesq wrote: Manipe, any idea why that would have made a difference?


The only answer I have is that it shouldn't work, and I'm almost certain that it hasn't been this that has made it work. IP addresses make no difference whatsoever to the tracking id, and as such won't influence the tracking frame.
He/she has obviously made another change to make this work, and I don't know what, but it's not the IPs.
My MODs: [ Topics a user has started ] , [ Profile views ] , [ Colour on poll results ] , [ Topic posters ] , [ Add number to PM ] , [ Default avatar ] , [ View category name ] , [ Null vote ] , [ Forum description in viewforum ] , [ Resync forum ids ] , [ View PM while replying ] , [ Quick poll insert ] , [ Limit login attempts ] , [ Track PMs ]

www.ManipeF1.com

fahraeus
Registered User
Posts: 134
Joined: Tue Nov 23, 2004 3:47 pm

Post by fahraeus » Sun Dec 11, 2005 8:56 pm

Checking...

fahraeus
Registered User
Posts: 134
Joined: Tue Nov 23, 2004 3:47 pm

Post by fahraeus » Mon Dec 12, 2005 2:16 am

I think I know what happened. Before getting the great advice quoted below I had a temporary solution where I excluded from the SQL any messages with the subject in the welcome message.

Code:

not like ('%Welcome to%')
I thought I had removed it but must have left it in.

I am sorry for taking your time with something that I clearly should have kept track of.

The good thing is that with Manipe's fix below to the welcome PM mod it seems like the Track PM mod and Welcome PM mod work great together. I'll try it out for a while and report back.

Thank you very much for help asinshesq and Manipe.
Manipe wrote:
fahraeus wrote:http://www.phpbbhacks.com/download.php?id=2127

Thank you in advance.

That link leads nowhere, just redirects to the phpbbhacks homepage.

Anyway, I know what you are talking about.
What you need to do is find where the sql inserts the data for the PM, and insert this before it.

Code:

$sql = "SELECT MAX(privmsgs_id) AS privmsgs_track_id
	FROM " . PRIVMSGS_TABLE;
	if ( !$result = $db->sql_query($sql) )
	{
		message_die(GENERAL_ERROR, 'Could not get PM track id', '', __LINE__, __FILE__, $sql);
	}

	$row = $db->sql_fetchrow($result);
	$pm_track_id = $row['privmsgs_track_id'] + 1;
Then, in the SQL command, you need to add ", privmsgs_track_id" to the end of the INSERT INTO line, and you need to add ", $pm_track_id" at the end of the VALUES line.
The sql command should look like this then

Code:

$sql = "INSERT INTO " . PRIVMSGS_TABLE . " (some, other, columns, privmsgs_track_id)
	VALUES ('some', 'other', 'columns', $pm_track_id)";
I hope this helps.

phantomk
Registered User
Posts: 1039
Joined: Wed Apr 14, 2004 5:32 am
Location: Canada Eh?
Name: Daniel Lee
Contact:

Post by phantomk » Sat Dec 17, 2005 10:16 pm

A minor fix for anyone using my version.

OPEN
includes/topic_review.php

FIND

Code:

	$sql = 'SELECT pm.privmsgs_subject, pm.privmsgs_date, pm.privmsgs_enable_html, pm.privmsgs_enable_smilies, pmt.privmsgs_bbcode_uid, pmt.privmsgs_text, u.username, u.user_id
			FROM ' . PRIVMSGS_TABLE . ' pm, ' . PRIVMSGS_TEXT_TABLE . ' pmt, ' . USERS_TABLE . ' u
			WHERE pmt.privmsgs_text_id = pm.privmsgs_id
				AND pm.privmsgs_track_id = ' . $pm_track_id . '
				AND u.user_id = pm.privmsgs_from_userid
				AND (pm.privmsgs_type = ' . PRIVMSGS_READ_MAIL . '
					OR pm.privmsgs_type = ' . PRIVMSGS_NEW_MAIL . '
					OR pm.privmsgs_type = ' . PRIVMSGS_UNREAD_MAIL . ')
			ORDER BY privmsgs_date DESC
			LIMIT ' . $board_config['posts_per_page'];
REPLACE WITH

Code:

	$sql = 'SELECT pm.privmsgs_subject, pm.privmsgs_date, pm.privmsgs_enable_html, pm.privmsgs_enable_smilies, pmt.privmsgs_bbcode_uid, pmt.privmsgs_text, u.username, u.user_id
			FROM ' . PRIVMSGS_TABLE . ' pm, ' . PRIVMSGS_TEXT_TABLE . ' pmt, ' . USERS_TABLE . ' u
			WHERE pmt.privmsgs_text_id = pm.privmsgs_id
				AND pm.privmsgs_track_id = ' . $pm_track_id . '
				AND u.user_id = pm.privmsgs_from_userid
				AND (pm.privmsgs_type = ' . PRIVMSGS_READ_MAIL . '
					OR pm.privmsgs_type = ' . PRIVMSGS_NEW_MAIL . '
					OR pm.privmsgs_type = ' . PRIVMSGS_UNREAD_MAIL . ')
				AND (pm.privmsgs_from_userid = ' . (int) $userdata['user_id'] . '
					OR pm.privmsgs_to_userid = ' . (int) $userdata['user_id'] . ')
			ORDER BY privmsgs_date DESC
			LIMIT ' . $board_config['posts_per_page'];
Apply this fix immediately, otherwise anyone can read anyone's PMs.
Last edited by phantomk on Sun Dec 18, 2005 7:07 pm, edited 2 times in total.
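
An added illustration, not code from phantomk's MOD or from phpBB: the difference between the FIND and REPLACE WITH queries above, reduced to a regression check that the review query itself only returns messages the viewer sent or received. The `privmsgs` table, the sample rows and the `review_rows()` helper are constructed for this example, and PDO with an in-memory SQLite database stands in for phpBB's `$db` layer; only the column names come from the queries in this thread.

```php
<?php
// Added illustration, not code from the Track PMs MOD. Constructed schema and
// rows; only the column names are taken from the queries quoted in this thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE privmsgs (
    privmsgs_id INTEGER PRIMARY KEY,
    privmsgs_track_id INTEGER NOT NULL,
    privmsgs_from_userid INTEGER NOT NULL,
    privmsgs_to_userid INTEGER NOT NULL,
    privmsgs_subject TEXT NOT NULL)');

// Constructed sample data: conversation 1 is between users 2 and 3,
// conversation 4 is between users 5 and 6.
$rows = [
    [1, 1, 2, 3, 'Hello'],
    [2, 1, 3, 2, 'Re: Hello'],
    [3, 1, 2, 3, 'Re: Hello'],
    [4, 4, 5, 6, 'Private matter'],
];
$ins = $db->prepare('INSERT INTO privmsgs VALUES (?, ?, ?, ?, ?)');
foreach ($rows as $r) {
    $ins->execute($r);
}

// Hypothetical helper: fetch the review list for one conversation.
// $enforce_owner = false mirrors the FIND query (track id only);
// true mirrors the REPLACE WITH query (viewer must be sender or recipient).
function review_rows(PDO $db, int $track_id, int $viewer_id, bool $enforce_owner): array
{
    $sql = 'SELECT privmsgs_id FROM privmsgs WHERE privmsgs_track_id = :track';
    $params = [':track' => $track_id];
    if ($enforce_owner) {
        $sql .= ' AND (privmsgs_from_userid = :viewer_from OR privmsgs_to_userid = :viewer_to)';
        $params[':viewer_from'] = $viewer_id;
        $params[':viewer_to'] = $viewer_id;
    }
    $stmt = $db->prepare($sql . ' ORDER BY privmsgs_id DESC');
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Regression check: a user outside conversation 4 must get no rows from it.
foreach ([[4, 5], [4, 2], [1, 2]] as [$track, $viewer]) {
    printf("track %d, viewer %d: track-only=%d rows, owner-checked=%d rows\n",
        $track, $viewer,
        count(review_rows($db, $track, $viewer, false)),
        count(review_rows($db, $track, $viewer, true)));
}
```

With the ownership condition in the WHERE clause, the result no longer depends on every caller having validated the track id beforehand, and both values are bound as parameters rather than concatenated into the SQL string.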

asinshesq
Registered User
Posts: 6266
Joined: Sun Feb 22, 2004 9:34 pm
Location: NYC
Name: Alan

Post by asinshesq » Sun Dec 18, 2005 4:57 am

phantomk, I don't see anything like that in includes/topic_review (and more generally I don't see anything like that in your mod). I'll take a more careful look tomorrow.

phantomk
Registered User
Posts: 1039
Joined: Wed Apr 14, 2004 5:32 am
Location: Canada Eh?
Name: Daniel Lee
Contact:

Post by phantomk » Sun Dec 18, 2005 5:32 am

Sorry, posted the wrong bit of code :)

Updated the post, apply the fix immediately.

asinshesq
Registered User
Posts: 6266
Joined: Sun Feb 22, 2004 9:34 pm
Location: NYC
Name: Alan

Post by asinshesq » Sun Dec 18, 2005 11:21 am

phantomk wrote: ...Updated the post, apply the fix immediately.

OK, I will.

But could you also explain the exploit you are warning us about?

- privmsg.php ensures that a user can only open up a pm he has received or sent, and fetches that pm's only tracking_id

- any pm conversation between two users has a unique tracking_id that will not be contained in any pms with other users,

- the code you quote in topic_review.php retrieves only pms that share that unique tracking_id.

So how could the original code lead to another user who was not part of a conversation being able to view a pm he is not supposed to be able to view? So long as the code limits the retrieval to pms that have that tracking_id, and so long as only pms in that conversation between those two users have that tracking_id, where's the loophole?

And by the way, if there is a loophole, wouldn't the same loophole exist for manipe's version?

phantomk
Registered User
Posts: 1039
Joined: Wed Apr 14, 2004 5:32 am
Location: Canada Eh?
Name: Daniel Lee
Contact:

Post by phantomk » Sun Dec 18, 2005 6:33 pm

The exploit is only existent in my version. I don't want to explain it in detail, so please don't press the matter ;)

phantomk
Registered User
Posts: 1039
Joined: Wed Apr 14, 2004 5:32 am
Location: Canada Eh?
Name: Daniel Lee
Contact:

Post by phantomk » Sun Dec 18, 2005 7:07 pm

Updated the code for a second time, make sure you have the same in your topic_review.php

PerlAddict
Registered User
Posts: 61
Joined: Thu Sep 29, 2005 7:00 am

Post by PerlAddict » Thu Feb 09, 2006 7:50 pm

Is either of these up to date with the newest version of phpBB (2.0.19)?

I must say, it's highly confusing having two versions of the same mod with slightly differing features in the same thread, all being discussed at once. Have you guys pooled your resources yet to release one combined/final version of this? What are the links to the most up-to-date versions of the mod packages?

Manipe
Former Team Member
Posts: 1146
Joined: Thu Jul 22, 2004 6:30 pm
Location: Éire
Contact:

Post by Manipe » Thu Feb 09, 2006 9:02 pm

PerlAddict wrote: Is either of these up to date with the newest version of phpBB (2.0.19)?

I must say, it's highly confusing having two versions of the same mod with slightly differing features in the same thread, all being discussed at once. Have you guys pooled your resources yet to release one combined/final version of this? What are the links to the most up-to-date versions of the mod packages?

The only MOD which is being supported/discussed is my version of the MOD. The latest version can be found in the first post of this topic, and does work with the latest version of phpBB.
Please don't use any other because they may not run properly.

PerlAddict
Registered User
Posts: 61
Joined: Thu Sep 29, 2005 7:00 am

Post by PerlAddict » Thu Feb 09, 2006 9:21 pm

K, wasn't sure if phantomk still had some separate version.

I'll download the one in the first post tonight and check it out. Looking forward to it!

Thanks.

tweeter
Registered User
Posts: 1
Joined: Sat Apr 01, 2006 5:11 pm

Post by tweeter » Sat Apr 01, 2006 5:13 pm

--Deleted--
