Looking at the code, it seems like it won't act properly for URLs like http://example.com/admin/index.php: is that true?
301 2008-04-11 23:13
Re: [extension release] Domain.PunBB (28 replies, posted in PunBB 1.3 extensions)
302 2008-04-11 23:09
Re: [extension release] Domain.PunBB (28 replies, posted in PunBB 1.3 extensions)
Does that now break things like accessing the admin panel?
303 2008-04-11 23:07
Re: I just got hacked.. (18 replies, posted in PunBB 1.2 troubleshooting)
Hmm, if you get on IRC right now and/or email me with enough details to see your access log (and give me admin access on your forum), I should be able to check out and see how he did it.
304 2008-04-11 22:43
Re: [extension release] Domain.PunBB (28 replies, posted in PunBB 1.3 extensions)
lexazloy: Please don't be rude, I do know what I'm talking about.
Prefixing the path with PUN_ROOT just means you need a relative path to the file, it doesn't mean that you're secure. I can put ../../../etc/passwd in there and, assuming I have a layout like /home/smartys/example.com/index.php, the script would obediently load the content of /etc/passwd. Or a malicious script that I uploaded, embedded within an avatar: that would be something like images/avatars/5573.png
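The point made in this post, as an added example that is not part of the original thread or of PunBB's code: the posted `is_file(PUN_ROOT.$_GET['file'])` check accepts any existing file reachable from the prefix, while an allowlist combined with a `realpath()` containment check does not. The directory layout, the file names and the functions `naive_accepts()` and `resolve_include()` are constructed for the demonstration.

```php
<?php
// Constructed layout: $root plays the role of PUN_ROOT; secret.txt sits outside it.
$base = sys_get_temp_dir() . '/punroot_demo_' . getmypid();
$root = $base . '/forum/';
mkdir($root . 'include', 0700, true);
mkdir($root . 'img/avatars', 0700, true);
file_put_contents($base . '/secret.txt', 'outside the forum root');
file_put_contents($root . 'include/help.php', '<?php /* legitimate page */');
file_put_contents($root . 'img/avatars/5573.png', 'uploaded content');

// The check as posted: a prefix plus is_file() on the request value.
function naive_accepts(string $root, string $param): bool
{
    return is_file($root . $param);
}

// Hypothetical hardened resolver: map the request value through a fixed
// allowlist, then confirm the canonical path is inside the allowed directory.
function resolve_include(string $root, string $param, array $allowed): ?string
{
    if (!isset($allowed[$param])) {
        return null;                 // unknown key: never reaches the filesystem
    }
    $dir  = realpath($root . 'include');
    $path = realpath($root . 'include/' . $allowed[$param]);
    if ($dir === false || $path === false) {
        return null;
    }
    // Containment check on the resolved path (covers ".." and symlinks).
    $prefix = $dir . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

$allowed = ['help' => 'help.php'];   // constructed allowlist
$inputs  = ['../secret.txt', 'img/avatars/5573.png', 'include/help.php', 'help'];
foreach ($inputs as $param) {
    printf("%-24s naive=%-3s hardened=%s\n", $param,
        naive_accepts($root, $param) ? 'yes' : 'no',
        resolve_include($root, $param, $allowed) ?? 'rejected');
}

// Clean up the constructed files and directories.
foreach (['/secret.txt', '/forum/include/help.php', '/forum/img/avatars/5573.png'] as $f) unlink($base . $f);
foreach (['/forum/include', '/forum/img/avatars', '/forum/img', '/forum', ''] as $d) rmdir($base . $d);
```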
305 2008-04-11 22:31
Re: Punbb integration (4 replies, posted in PunBB 1.2 show off)
(this was not so easy: extern.php cannot be included directly and had to be modified. Will this point change in 1.3?)
That's actually not true, if you set $_GET properly it can. However, yes, we have planned to add some more useful internal syndication features (at least as an official extension, if not as part of the core).
306 2008-04-11 22:29
Re: [extension release] Domain.PunBB (28 replies, posted in PunBB 1.3 extensions)
if (is_file($file = PUN_ROOT.$_GET['file']))
307 2008-04-11 21:20
Re: Read board permission (8 replies, posted in PunBB 1.3 troubleshooting)
Good point: fixed
308 2008-04-11 21:15
Re: Registration emails not being sent/received (20 replies, posted in PunBB 1.2 troubleshooting)
Could you link to your site?
309 2008-04-11 21:14
Re: url rewrite (8 replies, posted in PunBB 1.2 modifications, plugins and integrations)
I just found this: http://punbb.org/forums/viewtopic.php?id=18132
Does that mean you *can't* rewrite the urls in v.1.2*?
No, it means that 1.3 comes with systems for working with alternative URL schemes built in. If you want to modify PunBB to add rewriting of certain links, you can, that's all done via Apache/mod_rewrite. However, you'll find that you'll also need to change all of the links in PunBB if you want to stay consistent. And that is easier said than done.
310 2008-04-11 21:12
Re: Punbb search & large boards (20 replies, posted in PunBB 1.2 troubleshooting)
As lie said, you'll just have to be patient
Last time you brought this up, I think I mentioned the fulltext modification. Remind me again why that's not suitable?
311 2008-04-11 21:06
Re: Maintenance mode (5 replies, posted in PunBB 1.3 troubleshooting)
Hmm, not a bad idea
312 2008-04-11 21:02
Re: Why isen't Rickard active more? (7 replies, posted in General discussion)
Rickard is active, there's more to activity than posting in the forums.
313 2008-04-11 21:01
Re: Making a new skin, CSS changes only! (2 replies, posted in PunBB 1.2 show off)
Nice
314 2008-04-11 20:59
Re: No email registration (3 replies, posted in PunBB 1.2 troubleshooting)
You can't use SMTP with SSL with PunBB 1.2 by default.
try this:
http://punbb.org/forums/viewtopic.php?id=14179
315 2008-04-11 20:56
Re: feeds to all forum content (56 replies, posted in PunBB 1.3 troubleshooting)
You don't seem to understand two fundamental things:
1. How cookies actually work.
2. That the system proposed here would authenticate the user IN THE EXACT SAME WAY that the rest of PunBB does.
Now then, how cookies work. Your browser sends a request to log in to PunBB, PunBB sends a reply. That reply contains a line telling the browser to create a cookie on the computer with certain data in it. On each subsequent pageview, that cookie is used to authenticate the user: if it weren't, the user would have to enter his/her username/password for every pageview. When the user logs out, the cookie is removed from the browser. If the user has not enabled permanent logins, the cookie is removed from the browser when the browser is closed as well. If the user has enabled permanent logins, the cookie stays in the browser for a period of one year. No new logins required.
316 2008-04-11 20:53
Re: [extension release] Domain.PunBB (28 replies, posted in PunBB 1.3 extensions)
Do not use this code on a live site. Just in a quick glance at it I can see it opens a site up to the execution of arbitrary PHP files.
Also, just as a general compatibility note, do not use PHP short tags (<?).
And if you're not sure how to use the CSRF prevention system, take a look at how PunBB uses it.
317 2008-04-11 20:48
Re: PunBB 1.2.17 (69 replies, posted in News)
"Hello, if I do this upgrade will I lose my colour scheme etc? I'm running 1.2.14"
No, styles are separate
"Also how bad are the security holes in the version I have? Do I really need to do this upgrade?"
Bad. Yes.
"These updates seem very messy for novice like me & not explained very well."
http://punbb.org/docs/install.html
Replace the references to 1.2.16 on that page to 1.2.17 and everything should be clear to you.
And what you quoted up there seems to be the PHP code for the update script.
318 2008-04-11 10:28
Re: Query Failing (5 replies, posted in Programming)
matt: No, that code is perfectly fine.
StevenBullen: You need to give us context, what file/around what line?
319 2008-04-11 10:27
Re: redirect to rss feed (17 replies, posted in PunBB 1.3 troubleshooting)
Hmm, then that's not the issue.
320 2008-04-11 10:26
Re: language for installation (3 replies, posted in PunBB 1.3 troubleshooting)
He's talking about install.php, which has neither hooks nor extensions.
321 2008-04-11 02:24
Re: language for installation (3 replies, posted in PunBB 1.3 troubleshooting)
Yup, that is yet to be done.
322 2008-04-10 23:30
Re: feeds to all forum content (56 replies, posted in PunBB 1.3 troubleshooting)
You're missing something very important. The cookie would be authenticated IN THE EXACT SAME WAY. Right now, we do so anyway and then ignore the results and treat the user as a guest. Instead, we would just use the data that we already have.
323 2008-04-10 23:26
Re: Is PunBB Copyleft? (1 replies, posted in PunBB 1.2 discussion)
PunBB is released under the GPL, yes.
324 2008-04-10 22:46
Re: feeds to all forum content (56 replies, posted in PunBB 1.3 troubleshooting)
"The presumption I'm working upon is that the cookie stores, under normal conditions, the user id, password hash, etc. Upon login, the information is checked, verified against the login details, and any necessary cookie alterations/updates are then made. Is that correct?"
Upon login a cookie is set with the proper details. That cookie is then used to authenticate the user on each page.
"PunBB doesn't use sessions, does it?"
No, but it works the same except without the URL part. And without a session ID.
325 2008-04-10 21:19
Re: feeds to all forum content (56 replies, posted in PunBB 1.3 troubleshooting)
...I'm not understanding you