226

Re: Private Message System

In message_send.php it should look like this around line ~91:

// Get userid
$result = $db->query('SELECT id,username,status FROM '.$db->prefix.'users WHERE id!=1 AND username=\''.addslashes($_POST['req_username']).'\'') or error('Unable to get user id', __FILE__, __LINE__, $db->error());

// Send message
if(list($id,$user,$status) = $db->fetch_row($result)){

    // Check inbox status
    if($pun_config['o_pms_messages'] != 0 && $cur_user['status'] < PUN_MOD && $status < PUN_MOD){

Re: Private Message System

Hello

French translation for the fr_pms.php

    'Multidelete'              => 'supprimer plusieurs messages',
    'Delete messages comply'   => 'Voulez-vous supprimer ces messages',
    'Deleted redirect'         => 'Messages supprimés. Redirection ...',
    'Read redirect'            => 'Tous les messages marqués comme lus. Redirection...',
    'Mark all'                 => 'marquer tous ces messages comme lus',

voilà wink

Re: Private Message System

Hi Chacmool,
when do you think you could finish the email function? smile

That's a very good mod, but without this function, nobody knows that he has received a PM.

Greetings
Michaela

229

Re: Private Message System

Have some problems with this mod! Some (don't know if everyone) are getting the message "Felaktig HTTP_REFERER. Du refererades till denna sida från en icke-auktoriserad....." (Bad HTTP_REFERER...) when they try to delete several messages at the same time (when you check some checkboxes and press delete..). I thought only admins were to get this kind of error!?

Also, when one of my members deleted all his messages in the inbox he still had 50% usage of space. Do the "sent messages" take up storage like that?

230

Re: Private Message System

No, there's no email's yet...

cherry1499 wrote:

Hi Chacmool,
when do you think you could finish the email function? :)

That's a very good mod, but without this function, nobody knows that he has received a PM.

Greetings
Michaela

Doesn't your forum show the New-messages link?
http://www.etek.chalmers.se/~e0mool/punbb/files/new_messages.png

Madoor wrote:

Have some problems with this mod! Some (don't know if everyone) are getting the message "Felaktig HTTP_REFERER. Du refererades till denna sida från en icke-auktoriserad....." (Bad HTTP_REFERER...) when they try to delete several messages at the same time (when you check some checkboxes and press delete..). I thought only admins were to get this kind of error!?

Also, when one of my members deleted all his messages in the inbox he still had 50% usage of space. Do the "sent messages" take up storage like that?

I'll look into it... hopefully soon.

231

Re: Private Message System

For better visibility ... it would be great if a layer appeared in the middle of the screen smile it's true this very little red sentence is not very easy to see ...

Re: Private Message System

Hi Chacmool,
sure! But if anyone is not in the forum daily, he misses the message or reads it too late. Do you know what I mean?

Greetings
Michaela

233

Re: Private Message System

Madoor wrote:

Have some problems with this mod! Some (don't know if everyone) are getting the message "Felaktig HTTP_REFERER. Du refererades till denna sida från en icke-auktoriserad....." (Bad HTTP_REFERER...) when they try to delete several messages at the same time (when you check some checkboxes and press delete..). I thought only admins were to get this kind of error!?

Also, when one of my members deleted all his messages in the inbox he still had 50% usage of space. Do the "sent messages" take up storage like that?

I can add that the users who get this message (I think it's only two of them) are former moderators (they were moderators when I used your script to convert the forum from phpBB to punBB, but I then made them "members").

234

Re: Private Message System

Have you found the reason behind the referer problem yet Chacmool?

235

Re: Private Message System

No. But I've not looked either :) I've just forgotten about it, mostly been working on the converters lately...

No, no mails yet either. Does someone have a mailserver I can use?

236

Re: Private Message System

Works great bro. Thanks!

237 (edited by xargh 2004-10-18 10:10)

Re: Private Message System

Hi, Chacmool! I'd like to thank you for this great mod - it enhances the functionality of the punbb forum a lot (for me and my forum users).
I'd like to suggest one little feature - checkboxes in the first column in message_list.php allowing users to e.g. delete multiple messages or back up selected messages to a text file. Another interesting feature could be that when somebody clicks on a user's avatar in a topic, he/she will (be redirected to message_send.php and) start writing a PM to that user... I myself added one little thing in my forum - in message_send.php, you have the Save messages checkbox unchecked by default. I changed it to be checked by default, because I prefer to store all the messages I wrote.

238

Re: Private Message System

xargh wrote:

I'd like to suggest one little feature - checkboxes in the first column in message_list.php allowing users to e.g. delete multiple messages or back up selected messages to a text file.

There's a 'Delete multiple messages'-link in the footer. Backup selected messages? Is that really necessary?

xargh wrote:

Another interesting feature could be that when somebody clicks on a user's avatar in a topic, he/she will (be redirected to message_send.php and) start writing a PM to that user...

There's a PM-link that takes the user to the send_message page. I don't want to change too much of PunBB's original functionality.

xargh wrote:

I myself added one little thing in my forum - in message_send.php, you have the Save messages checkbox unchecked by default. I changed it to be checked by default, because I prefer to store all the messages I wrote.

Maybe I can make this an admin/profile option?

239

Re: Private Message System

thanks for the prompt reply smile
1)  I didn't find it sad
2)  I missed it  :$
3)  yes, definitely a good idea. smile

240

Re: Private Message System

I would really like to add this mod, but the download link in the first post is broken. Is there anywhere else that I can get it? If it isn't too much trouble, just e-mail the link or file to me at johnornd@gmail.com. Thanks!

241

Re: Private Message System

http://www.punres.org/download.php?pfid=60 - works for me

242

Re: Private Message System

To fix the problem with "bad referer" I have added a line at line 47 of message_list.php

What I have added is: if ($is_admmod)

So now the referer is only checked if it's an admin who's deleting the posts.

The code is:
if ($is_admmod)
    confirm_referer('message_list.php');

My question to you is: will this result in any security issues?
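As an added illustration of the trade-off the question above raises (this is not the mod's code, and PunBB itself uses cookies rather than PHP sessions, so the session handling and the function names here are assumptions): the referer check is what stops a form on another site from submitting a multi-delete in a logged-in member's browser, so skipping it for regular members leaves exactly those members unprotected. A per-session form token, checked for everyone, gives the same protection without the "bad referer" false positives for users whose browsers strip the header.

```php
<?php
// Added example (not the mod's own code): a per-session form token for the
// multi-delete form in message_list.php. Assumes PHP 7+ (random_bytes,
// hash_equals) and PHP sessions; pms_* helper names are assumptions.

session_start();

// Issue one token per session and embed it in the delete form.
function pms_csrf_token(): string {
    if (empty($_SESSION['pms_csrf'])) {
        $_SESSION['pms_csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['pms_csrf'];
}

// Verify the token submitted with the POST, for every user, admin or not.
function pms_check_csrf(array $post): bool {
    return isset($post['csrf_token'], $_SESSION['pms_csrf'])
        && hash_equals($_SESSION['pms_csrf'], (string) $post['csrf_token']);
}

if (isset($_POST['delete_messages'])) {
    // Weak form (the change from the post above): the referer is only checked
    // for admins/mods, so a regular member's browser will accept a delete
    // request that did not come from this forum's own form.
    //   if ($is_admmod)
    //       confirm_referer('message_list.php');
    //
    // Hardened form: every delete must carry the session's token.
    if (!pms_check_csrf($_POST)) {
        http_response_code(403);
        exit('Bad or missing form token');
    }
    // Only accept positive integer ids; the delete query should additionally
    // restrict to rows owned by the current user (not shown here).
    $ids = array_map('intval', (array) ($_POST['messages'] ?? []));
    $ids = array_values(array_filter($ids, fn($id) => $id > 0));
    // ... delete $ids belonging to $cur_user['id'] ...
}
?>
<form method="post" action="message_list.php">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(pms_csrf_token(), ENT_QUOTES) ?>">
  <!-- one checkbox per message: name="messages[]" value="(message id)" -->
  <input type="submit" name="delete_messages" value="Delete">
</form>
```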

243

Re: Private Message System

I installed this mod today, went very smoothly.

Just wanted to come back and say how much i like it.

Thanks!

244

Re: Private Message System

stewy wrote:

I installed this mod today, went very smoothly.

Just wanted to come back and say how much i like it.

Thanks!

once again works like a charm THX!!! big_smile:D:D:D:D:D

245 (edited by anythingwilldo 2004-11-23 09:02)

Re: Private Message System

There is a potentially dangerous line of code in many of those files:

require $pun_root.'lang/'.$language.'/'.$language.'_pms.php';

Without validation of where the variables originate from (i.e. common.php or the GET interface) problems could arise. If any of these are true, then this is dangerous.

* Obviously, register_globals must be on.
* PHP 4.1.0 or lower - a null can be put in strings, meaning any file can be included, not just PHP files.
* If the version of PHP is 4.3.0 or greater, and allow_url_fopen is on, remote files can be included.

But the problem is that even if that particular vulnerability isn't exploited successfully, there are plenty more. Many of the scripts, if accessed directly, make no checks of where the variables originated from. This can lead to XSS, SQL injection, session hijacking, etc, etc. The best solution would be to check if config.php is loaded:

if (!defined('PUN')) {
    exit('This file is not meant to be loaded directly');
}

And obviously, if the page is meant to be accessed directly, devise a more in-depth check to see where variables came from.

I don't know if this is truly an issue for you guys or not. If you require register_globals to be off (I don't believe you do) then it is secure, or if you expect people to devise protection themselves on individual files (which I don't believe you do).
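The two fixes the post above describes, put together as an added example (not code from the mod): the `defined('PUN')` guard against direct access, plus a resolver that only includes a `_pms.php` file from an installed directory under `lang/`, so an overwritten `$language` cannot reach a path with `../`, a null byte or a remote URL in it. It assumes it runs after common.php has set `$pun_root` and `$language`, and that the default pack is PunBB's `English`; the helper name is an assumption.

```php
<?php
// Added example, not the mod's own code: hardening the language include.
// $pun_root, $language and the lang/<name>/<name>_pms.php layout are PunBB's;
// pms_language_file() is an assumed helper name.

// 1. Refuse direct access: the file only runs once common.php has defined PUN.
if (!defined('PUN')) {
    exit('This file is not meant to be loaded directly');
}

// 2. Resolve the language name to one of the installed language packs.
function pms_language_file(string $pun_root, string $language): string {
    // Only plain directory-name characters. This rejects "../", "/", null
    // bytes and "http://" in one go, so traversal, null-byte truncation and
    // remote includes are all ruled out even if a client could set $language.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $language)) {
        $language = 'English';                       // PunBB's default pack
    }
    $lang_dir = $pun_root . 'lang/';
    $file     = $lang_dir . $language . '/' . $language . '_pms.php';

    // Allowlist check on the resolved path: it must exist and sit inside lang/.
    $real_dir  = realpath($lang_dir);
    $real_file = realpath($file);
    if ($real_dir === false || $real_file === false
            || strpos($real_file, $real_dir . DIRECTORY_SEPARATOR) !== 0) {
        // Unknown pack: fall back to the default instead of including it.
        $real_file = realpath($lang_dir . 'English/English_pms.php');
        if ($real_file === false) {
            exit('Language pack missing');
        }
    }
    return $real_file;
}

require pms_language_file($pun_root, $language);
```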

Re: Private Message System

I failed to realise the post was 10 pages long; I guess it would probably be more appropriate to post this issue at www.punres.org.

247

Re: Private Message System

Your level is welcome, anythingwilldo: really interesting posts about hacks and vulnerabilities!

248

Re: Private Message System

anythingwilldo:
You're absolutely right. I should have looked through the code long ago. Though, I've never taken any time to do it, as I must go through it when converting the mod to PunBB 1.2 (don't know if I'm gonna do it though, as Rickard might make one himself).

Thanks for the comment.

249

Re: Private Message System

It would be great, indeed. PM has to be inside 1.2 not as a mod, but as a functionality: PM is very practical for a lot of things.

250

Re: Private Message System

I don't believe I've ever said I would add PMs in 1.2. Polls, on the other hand, have been discussed.

"Programming is like sex: one mistake and you have to support it for the rest of your life."