Security Fix released for 2.1.x


15 replies to this topic

#1 Nabeel

Nabeel

    Advanced Member

  • Administrators
  • 7255 posts
  • Location: Westchester, NY

Posted 24 August 2012 - 08:00 PM

A small patch to fix a security flaw has been released; it applies to version 2.1.934 and below. It doesn't apply to any of the beta versions. Replace the admin/index.php and admin/action.php files. Thanks to Jacob Axford for finding and bringing the flaw to my attention.

The updated version is now 2.1.935.

Nabeel
Twitter | Docs | API Docs | Bug Tracker | Getting Debug Info
phpVMS Hosting - Cheap, fast, and reliable! Check it out here

#2 SouthwestVA

SouthwestVA

    Advanced Member

  • Members
  • 77 posts

Posted 25 August 2012 - 02:24 AM

download?

#3 Kyle (Vansers)

Kyle (Vansers)

    Advanced Member

  • Moderators
  • 2358 posts
  • Location: Ice Cold Canada

Posted 25 August 2012 - 02:26 AM

Nice catch Jacob. ;)

| Vansers Add-Ons - phpVMS Forums |


#4 Heliguy

Heliguy

    Advanced Member

  • Members
  • 61 posts
  • Location: Breighton Airfield, Selby

Posted 25 August 2012 - 02:00 PM

Fatal error: Call to undefined method Template::setSkinPath() in /home/julianac/public_html/admin/index.php on line 70
Help?
Regards
Michael Atherton
Chairman - Click banner to go to website.

#5 jacobaxford

jacobaxford

    Advanced Member

  • Members
  • 285 posts
  • Location: Manchester, UK

Posted 25 August 2012 - 03:40 PM

SouthwestVA, on 25 August 2012 - 02:24 AM, said:

download?
It will be on the main download page

#6 Strider

Strider

    Advanced Member

  • Members
  • 1484 posts
  • Location: Dublin, Ireland

Posted 26 August 2012 - 09:23 AM

Why isn't the new version backwards compatible with the old template format? It seems to be taking info from both the core>templates folder and the skin folder, as I am trying to get my VA back to the way it was before the update, but changing them to php files doesn't seem to be helping much. It has actually made me quite ticked off, as all my work has gone down the drain! This needs to be fixed asap. The code to change the tpl files to php is not working.

#7 stuartpb

stuartpb

    Advanced Member

  • Members
  • 327 posts
  • Location: South Yorkshire, UK

Posted 26 August 2012 - 12:11 PM

Did you do a backup of the site before updating? It's worth doing every time, so if the update causes problems, then you can just use the backup. If you didn't do a backup yourself, your server may make automatic backups, or your web host may be able to restore the server from a backup; it's worth asking them.

#8 Strider

Strider

    Advanced Member

  • Members
  • 1484 posts
  • Location: Dublin, Ireland

Posted 26 August 2012 - 01:38 PM

I got it mainly sorted, just want to get the roster back to one, instead of separated by hub.

#9 Kyle (Vansers)

Kyle (Vansers)

    Advanced Member

  • Moderators
  • 2358 posts
  • Location: Ice Cold Canada

Posted 26 August 2012 - 02:15 PM

Nabeel, on 24 August 2012 - 08:00 PM, said:

A small patch to fix a security flaw has been released; it applies to version 2.1.934 and below. It doesn't apply to any of the beta versions. Replace the admin/index.php and admin/action.php files. Thanks to Jacob Axford for finding and bringing the flaw to my attention.

The updated version is now 2.1.935.

Nabeel

Nabeel, did you make a mistake with the update? This is the beta version.

This version has the .tpl to .php feature in it. Shouldn't it have been the original version 2.1.934 with the .tpl etc., and updated only the admin/index.php and admin/action.php?

Mr.Bean, on 26 August 2012 - 09:23 AM, said:

Why isn't the new version backwards compatible with the old template format? It seems to be taking info from both the core>templates folder and the skin folder, as I am trying to get my VA back to the way it was before the update, but changing them to php files doesn't seem to be helping much. It has actually made me quite ticked off, as all my work has gone down the drain! This needs to be fixed asap. The code to change the tpl files to php is not working.

Mr.Bean, that's because Nabeel might have mistakenly updated the beta version, not the stable version. The .tpl to .php files are not yet ready. It's still being worked on.



#10 Heliguy

Heliguy

    Advanced Member

  • Members
  • 61 posts
  • Location: Breighton Airfield, Selby

Posted 26 August 2012 - 02:23 PM

I fixed my issue, I just restored the backup admin files.
Regards
Michael Atherton
Chairman - Click banner to go to website.

#11 Strider

Strider

    Advanced Member

  • Members
  • 1484 posts
  • Location: Dublin, Ireland

Posted 26 August 2012 - 04:09 PM

Bah humbug! I don't like mistakes :(

#12 Kyle (Vansers)

Kyle (Vansers)

    Advanced Member

  • Moderators
  • 2358 posts
  • Location: Ice Cold Canada

Posted 27 August 2012 - 01:40 AM

As my request,

Does anyone still have the original phpVMS.full.zip file? I'm getting issues on my end with the .tpl to .php.

Thanks! ;)



#13 Kyle (Vansers)

Kyle (Vansers)

    Advanced Member

  • Moderators
  • 2358 posts
  • Location: Ice Cold Canada

Posted 27 August 2012 - 03:22 AM

Edit, never mind. I found it on my old OS files.

This is the original file without the .tpl to .php file. (Previous) If anyone needs it.

Attached Files




#14 Nabeel

Nabeel

    Advanced Member

  • Administrators
  • 7255 posts
  • Location: Westchester, NY

Posted 29 August 2012 - 02:27 PM

Wait, sorry - I was supposed to get email updates on this thread, and just noticed they all went to spam :\
Checking the zip, it looks like that is wrong... crap. Sorry guys. I'm fixing this right now - I tagged it wrong.

I really apologize for this - I should have checked it more thoroughly. These last two weeks have been rather insane with work and stuff... my bad.
I'm fixing it right now

#15 Kyle (Vansers)

Kyle (Vansers)

    Advanced Member

  • Moderators
  • 2358 posts
  • Location: Ice Cold Canada

Posted 29 August 2012 - 02:46 PM

Nabeel, on 29 August 2012 - 02:27 PM, said:

I really apologize for this - I should have checked it more thoroughly. These last two weeks have been rather insane with work and stuff... my bad.
I'm fixing it right now

No worries Nabeel, sometimes when we get busy we doze off on our projects and make errors.

Cheers man! :D



#16 Nabeel

Nabeel

    Advanced Member

  • Administrators
  • 7255 posts
  • Location: Westchester, NY

Posted 29 August 2012 - 03:27 PM

Well, I've had to do what I needed to do anyway - the way git works, is that it does tags on a master branch - but I was using master as "3.0" - so the 2.1.935 got tagged to the latest beta, and my build scripts find the last tag, check that out and do a build. I didn't know tags only went to the master branch, not the current branch (I had a branch called 'release' with the 2.1.x) - though I might be wrong on this. My head hurts. But anyway, this is the proper way to do it.

So I've already swapped branches - master is reset to 2.1.935 (github has the latest copy now), and there's a new branch for beta called dev.
I'm fixing my build-scripts so the fixed zips/tars should be up really soon.
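The release mix-up described in this thread (the 2.1.935 tag landing on the beta line, and the build script packaging whatever the last tag points at) can be caught before the build runs. The following is an added example, not phpVMS's build script and not part of any post: it checks that a patch tag is reachable from the release branch and that it changes only the files named in the announcement. Branch and tag names follow the thread; the helper names and the demo repository are constructed for illustration.

```sh
#!/bin/sh
# Added example, not phpVMS's build script. Branch and tag names follow the
# thread; the helper names and the demo repository are constructed.

# 0 if TAG's commit is reachable from BRANCH (the tag belongs to that line).
tag_on_branch() {  # repo tag branch
    git -C "$1" merge-base --is-ancestor "refs/tags/$2^{commit}" "refs/heads/$3"
}

# 0 if every path changed between tags PREV and NEW is on the allow-list.
only_expected_files() {  # repo prev new file...
    repo=$1; prev=$2; new=$3; shift 3
    git -C "$repo" diff --name-only "refs/tags/$prev" "refs/tags/$new" | (
        while IFS= read -r changed; do
            ok=no
            for f in "$@"; do
                if [ "$changed" = "$f" ]; then ok=yes; fi
            done
            if [ "$ok" = no ]; then echo "unexpected: $changed" >&2; exit 1; fi
        done
    )
}

# Gate for the build script: refuse to package a patch tag that is off the
# release branch or that changes anything beyond the announced files.
release_guard() {  # repo tag branch prev file...
    tag_on_branch "$1" "$2" "$3" || { echo "$2 is not on $3" >&2; return 1; }
    g_repo=$1; g_tag=$2; shift 3; g_prev=$1; shift
    only_expected_files "$g_repo" "$g_prev" "$g_tag" "$@"
}

# Constructed repository: 'release' carries 2.1.x, 'master' carries the beta.
make_demo_repo() (  # dir
    git init -q "$1" && cd "$1" || exit 1
    git config user.email demo@example.invalid; git config user.name demo
    mkdir admin; echo v1 > admin/index.php; echo v1 > admin/action.php
    git add . && git commit -qm "2.1.934" && git branch -M release
    git tag 2.1.934
    git checkout -qb master; echo beta > template.php
    git add . && git commit -qm "beta: tpl to php"
    git checkout -q release
    echo fixed > admin/index.php; echo fixed > admin/action.php
    git commit -qam "security fix"
)
```

A build script would call `release_guard <repo> 2.1.935 release 2.1.934 admin/index.php admin/action.php` and stop on a non-zero exit before producing any zip or tar.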