301

(28 replies, posted in PunBB 1.3 extensions)

Looking at the code, it seems like it won't act properly for URLs like http://example.com/admin/index.php: is that true?

302

(28 replies, posted in PunBB 1.3 extensions)

Does that now break things like accessing the admin panel?

303

(18 replies, posted in PunBB 1.2 troubleshooting)

Hmm, if you get on IRC right now and/or email me with enough details to see your access log (and give me admin access on your forum), I should be able to check out and see how he did it.

304

(28 replies, posted in PunBB 1.3 extensions)

lexazloy: Please don't be rude, I do know what I'm talking about. wink
Prefixing the path with PUN_ROOT just means you need a relative path to the file, it doesn't mean that you're secure. I can put ../../../etc/passwd in there and, assuming I have a layout like /home/smartys/example.com/index.php, the script would obediently load the content of /etc/passwd. Or a malicious script that I uploaded, embedded within an avatar: that would be something like images/avatars/5573.png

305

(4 replies, posted in PunBB 1.2 show off)

(this was not so easy: extern.php cannot be included directly and had to be modified. Will this point change in 1.3?)

That's actually not true, if you set $_GET properly it can. However, yes, we have planned to add some more useful internal syndication features (at least as an official extension, if not as part of the core).

306

(28 replies, posted in PunBB 1.3 extensions)

if (is_file($file = PUN_ROOT.$_GET['file']))
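The check quoted above, beside a contained version, as an added illustration (not code from the extension or from PunBB itself); PUN_ROOT's value, the servable directory and the filename pattern are assumptions:

```php
<?php
// Added illustration, not code from the extension or from PunBB itself.
// Contrasts the check quoted in the thread with a contained version.
// PUN_ROOT's value, the servable directory and the filename pattern are assumed.

define('PUN_ROOT', '/home/smartys/example.com/');

// The check as quoted: PUN_ROOT only makes the path relative to the forum
// root. "../../../etc/passwd" still resolves outside it, and is_file() says
// nothing about whether the target is safe to include.
function vulnerable_resolve($requested)
{
    $file = PUN_ROOT.$requested;
    return is_file($file) ? $file : false;
}

// Contained version: confine includable files to one directory, accept only
// a bare filename matching a strict pattern, and let realpath() confirm that
// the resolved path (symlinks included) is still inside that directory.
function safe_resolve($requested)
{
    $base = realpath(PUN_ROOT.'include/syndication'); // assumed directory
    if ($base === false)
        return false;

    // A bare name only: no slashes, no dot segments, a known extension.
    if (!preg_match('/^[a-z0-9_]+\.php$/', $requested))
        return false;

    $real = realpath($base.DIRECTORY_SEPARATOR.$requested);
    if ($real === false)
        return false;

    // Prefix test on the canonical path, separator included, so that a
    // sibling directory such as "syndication_old" cannot pass as "syndication".
    if (strncmp($real, $base.DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0)
        return false;

    return $real;
}

// Constructed inputs: the traversal and avatar cases from the thread, plus
// one assumed legitimate name. Only the last can ever come back from safe_resolve().
foreach (['../../../etc/passwd', 'images/avatars/5573.png', 'rss.php'] as $req)
    var_dump(safe_resolve($req));
```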

307

(8 replies, posted in PunBB 1.3 troubleshooting)

Good point: fixed smile

Could you link to your site?

Cherry wrote:

I just found this: http://punbb.org/forums/viewtopic.php?id=18132

Does that mean you * can't* rewrite the urls in v.1.2* ?

sad

No, it means that 1.3 comes with systems for working with alternative URL schemes built in. If you want to modify PunBB to add rewriting of certain links, you can, that's all done via Apache/mod_rewrite. However, you'll find that you'll also need to change all of the links in PunBB if you want to stay consistent. And that is easier said than done.

310

(20 replies, posted in PunBB 1.2 troubleshooting)

As lie said, you'll just have to be patient wink
Last time you brought this up, I think I mentioned the fulltext modification. Remind me again why that's not suitable?

311

(5 replies, posted in PunBB 1.3 troubleshooting)

Hmm, not a bad idea smile

312

(7 replies, posted in General discussion)

Rickard is active, there's more to activity than posting in the forums. wink

Nice smile

314

(3 replies, posted in PunBB 1.2 troubleshooting)

You can't use SMTP with SSL with PunBB 1.2 by default.
try this:
http://punbb.org/forums/viewtopic.php?id=14179

315

(56 replies, posted in PunBB 1.3 troubleshooting)

You don't seem to understand two fundamental things:
1. How cookies actually work.
2. That the system proposed here would authenticate the user IN THE EXACT SAME WAY that the rest of PunBB does.

Now then, how cookies work. Your browser sends a request to log in to PunBB, PunBB sends a reply. That reply contains a line telling the browser to create a cookie on the computer with certain data in it. On each subsequent pageview, that cookie is used to authenticate the user: if it weren't, the user would have to enter his/her username/password for every pageview. When the user logs out, the cookie is removed from the browser. If the user has not enabled permanent logins, the cookie is removed from the browser when the browser is closed as well. If the user has enabled permanent logins, the cookie stays in the browser for a period of one year. No new logins required.

316

(28 replies, posted in PunBB 1.3 extensions)

Do not use this code on a live site. Just in a quick glance at it I can see it opens a site up to the execution of arbitrary PHP files.

Also, just as a general compatibility note, do not use PHP short tags (<?).

And if you're not sure how to use the CSRF prevention system, take a look at how PunBB uses it. wink

317

(69 replies, posted in News)

"Hello, if I do this upgrade will I lose my colour scheme etc? I'm running 1.2.14"
No, styles are separate

"Also how bad are the security holes in the version I have? Do I really need to do this upgrade?"
Bad. Yes.

"These updates seem very messy for a novice like me & not explained very well."
http://punbb.org/docs/install.html
Replace the references to 1.2.16 on that page with 1.2.17 and everything should be clear to you.

And what you quoted up there seems to be the PHP code for the update script.

318

(5 replies, posted in Programming)

matt: No, that code is perfectly fine.
StevenBullen: You need to give us context, what file/around what line?

319

(17 replies, posted in PunBB 1.3 troubleshooting)

Hmm, then that's not the issue.

320

(3 replies, posted in PunBB 1.3 troubleshooting)

He's talking about install.php, which has neither hooks nor extensions. wink

321

(3 replies, posted in PunBB 1.3 troubleshooting)

Yup, that is yet to be done.

322

(56 replies, posted in PunBB 1.3 troubleshooting)

You're missing something very important. The cookie would be authenticated IN THE EXACT SAME WAY. Right now, we do so anyway and then ignore the results and treat the user as a guest. Instead, we would just use the data that we already have.

323

(1 replies, posted in PunBB 1.2 discussion)

PunBB is released under the GPL, yes.

324

(56 replies, posted in PunBB 1.3 troubleshooting)

"The presumption I'm working upon is that the cookie stores, under normal conditions, the user id, password hash, etc. Upon login, the information is checked, verified against the login details, and any necessary cookie alterations/updates are then made. Is that correct?"
Upon login a cookie is set with the proper details. That cookie is then used to authenticate the user on each page.

"PunBB doesn't use sessions, does it?"
No, but it works the same except without the URL part. And without a session ID.

325

(56 replies, posted in PunBB 1.3 troubleshooting)

...I'm not understanding you hmm