Yes. Paul told you that you need to edit the PHP files (although all you're changing is markup I believe).
277 2008-04-13 02:26
Re: Issues with EXTERN.PHP (2 replies, posted in PunBB 1.2 troubleshooting)
extern.php only shows what Guests can read. If they can't read those other fids, which they can't, then nothing gets shown.
278 2008-04-13 02:24
Re: [extension release] Domain.PunBB (28 replies, posted in PunBB 1.3 extensions)
Null byte: \0
If I put that in my input, PHP (at least for file operations) interprets the string as ending at the null byte.
279 2008-04-13 01:40
Re: Force Registration... (6 replies, posted in PunBB 1.2 troubleshooting)
Actually, it'll just look something like this
http://www.punbb-hosting.com/forums/travian/
(The message in English is "You do not have permission to view these forums.")
You can certainly edit your language files to link to the registration page in that message or edit the actual code to add a login box or something.
280 2008-04-13 01:25
Re: Force Registration... (6 replies, posted in PunBB 1.2 troubleshooting)
OK, then you turn off Read board for Guests. They're not allowed to view anything until they register.
281 2008-04-13 00:31
Re: Force Registration... (6 replies, posted in PunBB 1.2 troubleshooting)
Moved to Troubleshooting
Yes, you can disable posting for guests. Just edit the forums and uncheck the boxes that allow Guests to post.
282 2008-04-13 00:30
Re: [extension release] Domain.PunBB (28 replies, posted in PunBB 1.3 extensions)
Splitting up PHP handling from the other filetypes was smart, although if you want to avoid the redirect, you can just use file_get_contents and echo the contents out.
Also, I still think the "use .htaccess to redirect all requests to the right file" idea is better, I just don't know how easy it is.
You still need to properly deal with null bytes.
In extensions/domain/admin.php, your file writing allows the person to write to an arbitrary file. They can also delete arbitrary files. You should never allow raw, unchecked data from the user to be used in picking a file.
This:
    foreach (glob($dirname.'/*.php') as $file){
        $pun_domain_old = $pun_domain;
        include $file;
        $domains[] = array(
            'id' => substr(basename($file), 0, -4),
            'base_url' => $pun_domain['base_url'],
            'category' => explode(',', $pun_domain['category'])
        );
        $pun_domain = $pun_domain_old;
        unset($pun_domain_old);
    }
can be simply written as
    $real_pun_domain = $pun_domain;
    foreach (glob($dirname.'/*.php') as $file)
    {
        include $file;
        $domains[] = array(
            'id' => substr(basename($file), 0, -4),
            'base_url' => $pun_domain['base_url'],
            'category' => explode(',', $pun_domain['category'])
        );
    }
    $pun_domain = $real_pun_domain;
    unset($real_pun_domain);
283 2008-04-12 21:11
Re: Styling Question (14 replies, posted in PunBB 1.2 troubleshooting)
Then try adding:
.pun .tclcon { BORDER-LEFT: 1px #363636 solid; }
284 2008-04-12 21:03
Re: Styling Question (14 replies, posted in PunBB 1.2 troubleshooting)
No, this is the right section
Do you want it just on the index page?
285 2008-04-12 20:34
Re: I just got hacked.. (18 replies, posted in PunBB 1.2 troubleshooting)
Oh look, your host has its own domain name. And cPanel? Of course they're trustworthy! I mean, those are two very big, important hosting things. It's not like you can buy a domain name for $10 and get cPanel for < $100 (or for free, if it's a cracked copy). And let's not forget their great deals: they offer free hosting AND they offer unlimited bandwidth and hard drive space for under $5 per month! It's not like computer space really costs more than that....
Seriously. I mean, it's certainly possible that one of your modifications allowed the hacker to take control of your forum AND get the password for your cPanel, but I doubt it.
286 2008-04-12 17:15
Re: Punbb search & large boards (20 replies, posted in PunBB 1.2 troubleshooting)
"Because it was buggy and enabled people to search in forums they shouldn't have access to"
And as I pointed out to you:
http://www.punres.org/viewtopic.php?pid=15699#p15699
"There will probably still be locks"
They shouldn't be nearly as bad
"and the search results won't be more accurate"
Do you have something to base that statement on or are you just saying it?
"I am more looking for something like xapian, sphinx, lucene"
Someone could develop it as an extension for 1.3, but I doubt anyone is going to devote the time and effort at this point to completely rewriting 1.2's search to use a new system.
287 2008-04-12 16:26
Re: url rewrite (8 replies, posted in PunBB 1.2 modifications, plugins and integrations)
1.3, and yes, that would be simplest.
288 2008-04-12 10:48
Re: I just got hacked.. (18 replies, posted in PunBB 1.2 troubleshooting)
I very much doubt there is a vulnerability, other than a bad host. Of course, I can't really investigate too much, since the host still has my IP banned for trying to log in to his cPanel account too much.
289 2008-04-12 10:43
Re: Maintenance mode (5 replies, posted in PunBB 1.3 troubleshooting)
One thing has nothing to do with the other, and there's no need to reindex for MySQL(i) since it uses MySQL fulltext indexing.
290 2008-04-12 02:00
Re: [extension release] Domain.PunBB (28 replies, posted in PunBB 1.3 extensions)
Well, thank you for being so responsive and for developing such an interesting extension
291 2008-04-12 01:38
Re: Read board permission (8 replies, posted in PunBB 1.3 troubleshooting)
For manual admin approval.
292 2008-04-12 01:37
Re: [extension release] Domain.PunBB (28 replies, posted in PunBB 1.3 extensions)
You also do need to check for the null byte
293 2008-04-12 01:35
Re: [extension release] Domain.PunBB (28 replies, posted in PunBB 1.3 extensions)
I wasn't thinking about having admin/options.php save to a different location, but you're right, that probably would be easiest.
And your folder would be no different than PunBB's cache folder. It doesn't have to be 777, PHP just needs permission to write there.
And I like your code, other than the fact that you're again taking arbitrary input from the user ($_GET['domain']) and using it in an include, which is a security flaw.
294 2008-04-12 01:11
Re: [extension release] Domain.PunBB (28 replies, posted in PunBB 1.3 extensions)
I was thinking more along the lines of redoing the extension so it goes something like this:
I own example.com. I want to run two sites, 1.example.com and 2.example.com.
I have one set of files somewhere (not in either folder). I then put a .htaccess in the folder for each site that redirects the request to the real PunBB folder and appends the subdomain= part to the query string.
In the folder for the extension, I have a configs folder. I check if the basename of the subdomain passed exists, and if it does I use that config file. You could have your extension read in its own files in the admin panel to allow editing them/creating new ones.
Does that make sense?
295 2008-04-12 01:08
Re: I just got hacked.. (18 replies, posted in PunBB 1.2 troubleshooting)
Which has absolutely no relevance here. The cookie seed does not allow someone to change your cPanel password or view your config.php file. And to see the cookie seed you need to have access to config.php in the first place.
296 2008-04-12 00:24
Re: I just got hacked.. (18 replies, posted in PunBB 1.2 troubleshooting)
Just so everyone knows, my current opinion of the source of the hack, stated nicely, is that you generally get what you pay for with shared hosting and a $1.99 per month host is worth every penny (that is to say, very little).
297 2008-04-12 00:04
Re: [extension release] Domain.PunBB (28 replies, posted in PunBB 1.3 extensions)
Well, I would write it as
    if (strpos($_GET['file'], '..') === false
        && is_file($file = PUN_ROOT.$_GET['file'])
        && in_array(strrchr($_GET['file'], '.'), array('.php', '.html', '.htm', '.tpl', '.txt', '.xml')))
        include $file;
    else
        include PUN_ROOT.'index.php';
and also make sure there's no null byte (I can't remember if it could be abused in this case, but I'm relatively sure it could). It still wouldn't be extremely secure, since if I can upload any of those file types I can execute arbitrary PHP on the server.
A better solution might be to see if mod_rewrite can rewrite the requests to the correct folder and append a variable to the query string like "subdomain=test.example.com" which you could then use in a lookup.
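The lookup suggested in this post, and the basename check on a configs folder described in post 294 further down, sketched as an added example (not part of the original posts and not Domain.PunBB code). The function name, the configs directory layout and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not Domain.PunBB code. domain_config_path() and the
// directory layout are hypothetical; the sample inputs are constructed.

// Map a user-supplied subdomain to a config file inside $configDir, or null.
function domain_config_path(string $configDir, $subdomain): ?string
{
    // Reject non-strings (e.g. ?subdomain[]=x) and null bytes explicitly:
    // the page notes PHP file operations can treat \0 as the end of the string.
    if (!is_string($subdomain) || strpos($subdomain, "\0") !== false) {
        return null;
    }
    // Allowlist of lowercase hostname characters: no slashes, no backslashes.
    // \z (not $) so a trailing newline cannot slip through.
    if (!preg_match('/\A[a-z0-9](?:[a-z0-9.-]{0,251}[a-z0-9])?\z/', $subdomain)
        || strpos($subdomain, '..') !== false) {
        return null;
    }
    // basename() is redundant after the allowlist; kept as defence in depth.
    $candidate = $configDir . '/' . basename($subdomain) . '.php';

    // Resolve symlinks and confirm the file really lives in $configDir.
    $base = realpath($configDir);
    $real = realpath($candidate);
    if ($base === false || $real === false || !is_file($real)
        || dirname($real) !== $base) {
        return null;
    }
    return $real;
}

// Constructed demo: one valid config file in a temporary directory.
$dir = sys_get_temp_dir() . '/domain_cfg_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . '/1.example.com.php', "<?php // config\n");

$inputs = ['1.example.com', '2.example.com', '../config',
           "1.example.com\0.txt", 'admin/index', ['x']];
foreach ($inputs as $in) {
    $path = domain_config_path($dir, $in);
    echo json_encode($in), ' => ', $path === null ? 'rejected' : 'include ' . basename($path), "\n";
}
unlink($dir . '/1.example.com.php');
rmdir($dir);
```

Only the first input resolves to a file; the traversal, subdirectory, null-byte and array inputs are rejected before any filesystem call, and the unknown subdomain fails the existence check.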
298 2008-04-11 23:36
Re: I just got hacked.. (18 replies, posted in PunBB 1.2 troubleshooting)
lol
Try this:
http://www.mibbit.com/
Server is Quakenet.org
Channel is #punbb
No password
Nickname is whatever you want (no spaces)
299 2008-04-11 23:35
Re: [extension release] Domain.PunBB (28 replies, posted in PunBB 1.3 extensions)
Well, no, the problem is that I could really put an arbitrary number of subdirectories in there and try to use it (eg: admin/index.php, extensions/sample_extension/some_file.php, extensions/sample_extension/some_other_file.html, etc). I don't think there's a clean solution to the problem, really, other than defining some allowed extensions (eg: .php, .htm, .html) and only allowing loading if the file ends in those as well (of course, you probably also need to check for null bytes).
300 2008-04-11 23:32
Re: I just got hacked.. (18 replies, posted in PunBB 1.2 troubleshooting)
Quakenet, #punbb