Mephisto DevTeam
Joined: 07 Oct 2004 Posts: 93 Location: Minsk
Posted: Fri Dec 02, 2005 11:02 am Post subject: Security update
Very important security update.
I've updated the CVS version, here are the changes:
Files:
etc/rc.conf.php
mvc/controller/user_request_analysis.inc.php
usr/xml/ddc/authorization.xml
Changes:
in rc.conf.php added line:
Code:
define("REGISTRATION_GROUP", "secret"); //Group name, where newly registered users will be placed
diff -C2 -d -r1.5 -r1.6 mvc/controller/user_request_analysis.inc.php:
Code:
*** user_requests_analysis.inc.php 5 Sep 2005 09:43:55 -0000 1.5
--- user_requests_analysis.inc.php 1 Dec 2005 08:42:34 -0000 1.6
***************
*** 50,55 ****
--- 50,57 ----
}
if(!$env["registration_error"] and $_POST["password"]==$_POST["c_password"]){
+
$data["row"]=$_POST;
$data["row"]["nologin"]="nologin";
+ $data["row"]["group"]=REGISTRATION_GROUP;
unset($data["row"]["c_password"]);
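Review bot: `$data["row"]=$_POST;` is kept and only `group` is overwritten afterwards, so every other key the client posts still lands in the row; pinning `group` is correct, but a safer shape is to copy an explicit list of form fields (login, password, ...) and then set `nologin` and `group` server-side, so a new privileged column can never be reached from the request. Two smaller points: the bare `+` line right after the `if(...)` adds only a blank line, and the new code assumes `REGISTRATION_GROUP` exists. If etc/rc.conf.php is not updated first, PHP of that era treats the undefined constant as the string `"REGISTRATION_GROUP"` (with a notice) and users would be created in a group of that name, so a `defined("REGISTRATION_GROUP")` check that fails closed would make the two file changes safe to apply in either order.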
***************
*** 74,77 ****
--- 76,80 ----
if($_POST["password"]==$_POST["c_password"]){
$data=$_POST;
+ $data["group"]=REGISTRATION_GROUP;
unset($data["c_password"]);
unset($data["authorize"]);
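Review bot: the point from the first hunk applies again at line 76: `$data=$_POST;` still copies the whole request and only `group` is pinned afterwards. Since both registration paths now need the same three lines (`nologin`, `group`, `unset c_password`), a single helper that builds the row from a named field list and sets `group` from `REGISTRATION_GROUP` in one place would be easier to audit; as written the fix has to be remembered in both places whenever another privileged column is added.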
diff -C2 -d -r1.5 -r1.6 usr/xml/ddc/authorization.xml:
Code:
*** authorization.xml 31 Aug 2005 16:13:56 -0000 1.5
--- authorization.xml 1 Dec 2005 08:42:51 -0000 1.6
*** 55,59 ****
<form method="post">
<input type="hidden" name="authorize" value="register" />
- <input type="hidden" name="group" value="secret" />
<div style="background: #efefef; padding: 5px; width: 320px;">
<span style="width: 110px;">Login:</span><input type="text" name="login" style="width: 200px;" /><br />
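Review bot: dropping the hidden `group` input from the register form is right, but on its own it is cosmetic: a hidden field is still a client-supplied value, so the protection comes from the server-side `REGISTRATION_GROUP` assignment in user_request_analysis.inc.php, and this template change should ship together with it, not instead of it. Separately, this hunk lacks the `--- ` new-file range line (and the `***************` separator) that the hunks in the first diff have, so `patch` may reject it; it is small enough to apply by hand.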
***************
*** 30,37 ****
<div style="background: #efefef; padding: 5px;">
You're logged in as: <b><sapi:apply name="user.LOGIN.value" /></b> ( <a href="?authorize=logout" style="font-weight: bold">Logout</a> )<br /><br />
!
<form method="post">
<input type="hidden" name="authorize" value="edit" />
- <input type="hidden" name="group" sapi:value="user.GROUP.value" />
<input type="hidden" name="login" sapi:value="user.LOGIN.value" />
<div style="background: #efefef; padding: 5px; width: 320px;">
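Review bot: the hidden `group` input on the edit form is removed, but the server-side handler for `authorize=edit` is not among the user_request_analysis.inc.php changes above, which touch only the registration paths (lines 50-57 and 76-80). Verify that the edit handler does not read `group` from the request either, otherwise this template change alone does not close the edit path. Also, the hunk for lines 30-37 appears after the one for 55-59 and the `!` line carries no content, which looks like a paste artifact; hunks in ascending line order apply cleanly with `patch`.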
Also, in files
usr/system/insert_file.php
usr/system/insert_image.php
usr/system/insert_link.php
usr/system/insert_qcfile.php
usr/system/edit.php
Add 2 lines to the beginning (right after the comments block):
Code:
session_start();
// Stop here unless the session belongs to a logged-in user without the "nologin" flag
if(!isset($_SESSION["user"]["LOGIN"]) or $_SESSION["user"]["NOLOGIN"]!="") die();
_________________
<?php while(!$success) {$try++}?>
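The pattern this patch changes, as an added PHP example that is not SAPID's own code: the pre-patch registration row (the whole `$_POST` copied in), the patched row (`group` pinned from `REGISTRATION_GROUP`), a stricter allow-list version, and the session guard from the end of the post written as a function. The function names, the `email` field and the request values are constructed for the demo; only `REGISTRATION_GROUP`, `nologin`, `group`, `login`, `password` and `c_password` come from the patch.

```php
<?php
// Added example, not SAPID's own code. Shows the registration-row pattern
// changed by the patch next to an allow-list version, plus the session
// guard the post asks to add to the usr/system/*.php scripts.
// Function names and the "email" field are hypothetical.

if (!defined("REGISTRATION_GROUP")) {
    define("REGISTRATION_GROUP", "secret"); // same value as etc/rc.conf.php in the post
}

// Pre-patch shape: the request body becomes the row, so any key the
// client sends (a hidden "group" input, or one it adds itself) is stored.
function build_registration_row_prepatch(array $post): array
{
    $row = $post;
    $row["nologin"] = "nologin";
    unset($row["c_password"]);
    return $row;
}

// Patched shape: identical, except "group" is overwritten from the constant.
// Other unexpected keys still pass through.
function build_registration_row_patched(array $post): array
{
    $row = $post;
    $row["nologin"] = "nologin";
    $row["group"] = REGISTRATION_GROUP;
    unset($row["c_password"]);
    return $row;
}

// Stricter shape: copy only the fields the form may supply, set the
// privileged columns here, and reject a missing or mismatched confirmation.
function build_registration_row_allowlist(array $post): ?array
{
    if (!isset($post["password"], $post["c_password"])
        || $post["password"] !== $post["c_password"]) {
        return null;
    }
    $allowed = ["login", "password", "email"]; // hypothetical form field list
    $row = [];
    foreach ($allowed as $field) {
        if (array_key_exists($field, $post)) {
            $row[$field] = $post[$field];
        }
    }
    $row["nologin"] = "nologin";
    $row["group"] = REGISTRATION_GROUP; // never taken from the client
    return $row;
}

// The guard from the post as a function over the session array: a request
// may proceed only for a logged-in user without the "nologin" flag.
function session_allows_editing(array $session): bool
{
    if (!isset($session["user"]["LOGIN"])) {
        return false;
    }
    return ($session["user"]["NOLOGIN"] ?? "") === "";
}

// Constructed request: a form post that also carries a "group" field.
$request = [
    "authorize"  => "register",
    "login"      => "alice",
    "password"   => "pw",
    "c_password" => "pw",
    "group"      => "client-chosen-group",
];

foreach (["prepatch", "patched", "allowlist"] as $variant) {
    $fn = "build_registration_row_" . $variant;
    $row = $fn($request);
    printf("%-9s group=%s keys=%s\n", $variant, $row["group"], implode(",", array_keys($row)));
}

var_dump(session_allows_editing(["user" => ["LOGIN" => "alice"]]));
var_dump(session_allows_editing(["user" => ["LOGIN" => "bob", "NOLOGIN" => "nologin"]]));
var_dump(session_allows_editing([]));
```

Run it with `php example.php`. The first two rows show that the server-side assignment, not the removed hidden input, is what decides which group a new account ends up in; the allow-list variant additionally drops `authorize` and any other key the form was not meant to send, which is the shape to aim for when more privileged columns are added later.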
TryHard
Joined: 16 Jul 2005 Posts: 41
Posted: Fri Dec 16, 2005 11:33 pm
Hi Mephisto,
is the above patch mandatory to apply, i.e. what security issue does it address? Am I OK if I am not using authorization.xml?
Thanks,
Carl
_________________
SAPID Learner Permit
Last edited by TryHard on Wed Aug 16, 2006 1:07 pm; edited 1 time in total
Mephisto DevTeam
Joined: 07 Oct 2004 Posts: 93 Location: Minsk
Posted: Mon Dec 19, 2005 11:29 am
TryHard wrote:
> I am using v.1.2.3 (RC1?) - is the above patch mandatory to apply, i.e. what security issue does it address? Am I OK if I am not using authorization.xml?

Yes, this patch is mandatory for v.1.2.3 RC1.
If you're not using authorization.xml, you should only apply the second part of this patch and modify the files
usr/system/insert_file.php
usr/system/insert_image.php
usr/system/insert_link.php
usr/system/insert_qcfile.php
usr/system/edit.php
_________________
<?php while(!$success) {$try++}?>
TryHard
Joined: 16 Jul 2005 Posts: 41
Posted: Tue Dec 20, 2005 10:48 pm
Great, thanks! I'll get to work.
_________________
SAPID Learner Permit