Nabeel

2.1.936 - Security Patch


Hi all,

I've updated the download to 2.1.936 - basically to null the file where I believe the exploit is coming from. I looked through the other files, and I think they look OK.

Please update as soon as possible - really the only updated file was core/lib/php-ofc-library/ofc_upload_image.php. Instead of deleting it, I patched it, so then it will get patched on an upload.

Sorry for all the trouble guys! Please be sure to look through your server and account very carefully - if you see something suspicious, delete it, or rename it to add a .txt extension so it can't be found, until you can verify if the file is safe or not.

Thanks!

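A small helper for the steps in the post above (added example, not phpVMS project code): it checks whether the upload handler at core/lib/php-ofc-library/ofc_upload_image.php has been removed or nulled, lists PHP files changed recently under the install so they can be compared against the release, and applies the ".txt rename" quarantine the post suggests. The grep markers used to recognise a still-active upload handler are an assumption, not a signature shipped by phpVMS.

```shell
#!/bin/sh
# Added example, not part of phpVMS. Assumes a POSIX shell with find/grep.
# The first argument of each function is the phpVMS install root.

OFC_FILE="core/lib/php-ofc-library/ofc_upload_image.php"

# Returns 0 when the OFC upload handler is absent, zero bytes (nulled) or
# no longer contains file-writing calls; returns 1 when it still looks
# like an active uploader and needs attention.
check_ofc_patch() {
    root="$1"
    f="$root/$OFC_FILE"
    [ -e "$f" ] || return 0   # deleted: nothing left to exploit
    [ -s "$f" ] || return 0   # nulled to zero bytes: same effect
    # Assumed markers of a still-active upload handler (not a phpVMS signature).
    if grep -Eq 'file_put_contents|fwrite|move_uploaded_file' "$f"; then
        return 1
    fi
    return 0
}

# Prints .php files under the root modified within the last N days (default 30),
# sorted, so they can be diffed against the file list of the release package.
recent_php() {
    root="$1"
    days="${2:-30}"
    find "$root" -type f -name '*.php' -mtime "-$days" | sort
}

# Quarantines a suspicious file the way the post suggests: appending .txt
# stops the web server from executing it while it is being reviewed.
quarantine() {
    mv -- "$1" "$1.txt"
}
```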

Hi Nabeel,

I'm a little confused, the latest changelog.htm file says Version 2.1.938:

Build 938 (Version 2.1.938)

Patched the php-ofc-library to remove an exploit

Build 937 (Version 2.1.937)

Navigation data included for routes, more accurate maps for schedules, ACARS and PIREPS

Financial backend overhauled, all data is in real-time, and more accurate

Expenses are saved, so your expenses will stick and stay different, month-to-month

Aircraft can now be tied to a minimum rank to fly them

All charts/graphs replaced with new OFC (Open Flash Charts)

Google Maps replaced with v3 API (no more key needed! :)

Added reCaptcha support into the registration.

New format for skinning - whole page layout

Ability to change a pilot's ID

Send mass-email to specific groups

Maintenance cron-script, for faster/more efficient background processing

Added 'profile badge' page with links to your signature in various formats

And numerous bug fixes

Templates Changed:

core_htmlhead.tpl - Javascript all cleaned up, path to Google Maps API changed for v3

acarsmap.tpl - Completely changed with map customizations (I would just start from scratch)

route_map.tpl - Rewritten to accommodate v3 API (I would just start from scratch)

profile_myroutesmap.tpl - Removed, replaced with flown_routes_map.tpl, used for RouteMap

pirep_new.tpl - Added field for route, and aircraft restriction for rank

schedule_results.tpl - Aircraft restriction for rank

registration_mainform.tpl - Replaced old captcha with reCaptcha

registration_customfields.tpl - Bug fixed with textarea field type

finance_summarysheet.tpl - Updated for new finances

finance_header.tpl - Updated for new finances

finances_balancesheet.tpl - Updates for new finances

contact_form.tpl - Implemented reCaptcha

In my admin page I can see this:

"'S'mofo butter layin' me to da' BONE! Jackin' me up... tight me!"

Copyright © 2007 - 2013 phpVMS, nsslive.net

License & About | Version 2.1.936

What is the last version?


I would say it is an error in the changelog; it is automated and I must have gotten off a little. 936 is the latest release version.


Hi,

I got from github and the filename is nshahzad-phpVMS-v2.1.935-7-g89e65bb.zip

so I assume it is version 2.1.935 ?

Is there a newer version with the security patch?

Can you please provide a direct link to where to download the latest patched version?

Thanks.


I have the same experience with the chart error.

I updated the "core/lib/php-ofc-library/ofc_upload_image.ph

But that didn't help... I still see the error:

------------------------------------------

Open Flash Chart

JSON Parse Error [syntax Error]

Error at character 0, line 1:

0: <br />

------------------------------------------

I would like to try download the file "nshahzad-phpVMS-v2.1.935-7-g89e65bb.zip" does anyone have the link to that?


Can anyone confirm what the latest stable version of phpvms is please ?

Then, what is the latest beta version of phpvms please ?

I have 935, 936 and 938 all showing in different admin panels on my localhost and live servers in several different installs and none of the OFC charts are working with a returned JSON error like stated above ...

I would most appreciate it if someone could tell me what version can give me the activity feed and the OFC Charts patched and working ....

Thanks in advance,

Adam


The latest official "Release" is 935 which can be found here -> https://github.com/n...phpVMS/releases

The version got bumped to 936 when the OFC patch was added (https://github.com/n...2cfa00467c64129) but it has not been set as a "Release" package. It is the active version that can be downloaded here -> https://github.com/nshahzad/phpVMS <- which also includes some other changes that may or may not be fully tested.

Someone else came up with a version 938 as well but I do not know where this came from but I think it was a mistake in the change log that is updated automatically. It is discussed earlier in this thread.

There is also the development version available here -> https://github.com/n...phpVMS/tree/dev

There are also some forked versions that you can follow here -> https://github.com/nshahzad/phpVMS/network


Hello, Thanks Simpilot,

My development on localhost has the following:

License & About | Version v2.1.934-202-g9a77c3d

As this version looks to be the latest with the activity feed working.

It did mention somewhere that it was v938 but I can't reference it anywhere at the moment and the more I go looking the more I get confused .... lol

It's a shame that with a community of this size we couldn't all work together for a few weeks and release an updated stable version.

Thanks again and I shall ponder around testing all versions and try and make sense of it ..

Cheers


> It's a shame that with a community of this size we couldn't all work together for a few weeks and release an updated stable version.

The core members of the project number less than three at this point I would say.... You can submit any updates that you author in the form of a pull request on the github account.
