Change
DIV.postright, DIV.postfootright {BORDER-LEFT-COLOR: #FFFFFF}to
DIV.postright, DIV.postfootright {BORDER-LEFT-COLOR: #F3F3F3}301 2005-09-08 12:53
Re: FAO Paul (5 replies, posted in PunBB 1.2 troubleshooting)
302 2005-09-08 12:38
Re: problem with parser.php since last upagrade (7 replies, posted in PunBB 1.2 modifications, plugins and integrations)
Ludo wrote:
it works good now
Just because I'm curious, what was the problem with the new parser.php ?
Ludo,
To be honest... I have no idea 
I didn't notice anything particular about the mod that could be causing this, but there was a few missing } in your parser.php file.
Anyway, seeing as it's such a simple tweak to add, I just re-wrote it to be sure 
303 2005-09-08 11:41
Re: problem with parser.php since last upagrade (7 replies, posted in PunBB 1.2 modifications, plugins and integrations)
Ok, here's the new code:
Open ./include/parser.php
Find, line 282:
//
// Turns an URL from the [img] tag into an <img> tag or a <a href...> tag
//
function handle_img_tag($url, $is_signature = false)
{
global $lang_common, $pun_config, $pun_user;
$img_tag = '<a href="'.$url.'"><'.$lang_common['Image link'].'></a>';
if ($is_signature && $pun_user['show_img_sig'] != '0')
$img_tag = '<img class="sigimage" src="'.$url.'" alt="'.htmlspecialchars($url).'" />';
else if (!$is_signature && $pun_user['show_img'] != '0')
$img_tag = '<img class="postimg" src="'.$url.'" alt="'.htmlspecialchars($url).'" />';
return $img_tag;
}Add after:
function handle_img_tag_left($url, $is_signature = false)
{
global $lang_common, $pun_config, $pun_user;
$img_tag = '<a href="'.$url.'"><'.$lang_common['Image link'].'></a>';
if ($is_signature && $pun_user['show_img_sig'] != '0')
$img_tag = '<img class="sigimage_left" src="'.$url.'" alt="'.htmlspecialchars($url).'" />';
else if (!$is_signature && $pun_user['show_img'] != '0')
$img_tag = '<img class="postimg_left" src="'.$url.'" alt="'.htmlspecialchars($url).'" />';
return $img_tag;
}
function handle_img_tag_right($url, $is_signature = false)
{
global $lang_common, $pun_config, $pun_user;
$img_tag = '<a href="'.$url.'"><'.$lang_common['Image link'].'></a>';
if ($is_signature && $pun_user['show_img_sig'] != '0')
$img_tag = '<img class="sigimage_right" src="'.$url.'" alt="'.htmlspecialchars($url).'" />';
else if (!$is_signature && $pun_user['show_img'] != '0')
$img_tag = '<img class="postimg_right" src="'.$url.'" alt="'.htmlspecialchars($url).'" />';
return $img_tag;
}Find, line 406:
$text = preg_replace('#\[img\]((ht|f)tps?://)([^\s<"]*?)\[/img\]#e', 'handle_img_tag(\'$1$3\')', $text);Add after:
$text = preg_replace('#\[img=left\]((ht|f)tps?://)([^\s<"]*?)\[/img\]#e', 'handle_img_tag_left(\'$1$3\')', $text);
$text = preg_replace('#\[img=right\]((ht|f)tps?://)([^\s<"]*?)\[/img\]#e', 'handle_img_tag_right(\'$1$3\')', $text);Find, line 467:
$text = preg_replace('#\[img\]((ht|f)tps?://)([^\s<"]*?)\[/img\]#e', 'handle_img_tag(\'$1$3\', true)', $text);Add after:
$text = preg_replace('#\[img=left\]((ht|f)tps?://)([^\s<"]*?)\[/img\]#e', 'handle_img_tag_left(\'$1$3\', true)', $text);
$text = preg_replace('#\[img=right\]((ht|f)tps?://)([^\s<"]*?)\[/img\]#e', 'handle_img_tag_left(\'$1$3\', true)', $text);Save & upload.
304 2005-09-08 11:30
Re: OLD TOPIC TO DELETE (133 replies, posted in PunBB 1.2 modifications, plugins and integrations)
mastiland wrote:
hey why cant also allow external images
plz do something so we can allow external uploaded images
like we could upload images on imageshack and put the link in the gallery
is it possible
Possible with a mod yes, but it could compromise the security of your forum.
305 2005-09-07 22:35
Re: Automatic version checking. (6 replies, posted in Feature requests)
Connorhd wrote:
well people with out it need to change host or upgrade
Hehe, that's true
306 2005-09-07 22:32
Re: problem with parser.php since last upagrade (7 replies, posted in PunBB 1.2 modifications, plugins and integrations)
I'll look into it tomorrow, and if needed, fix the code
307 2005-09-07 22:29
Re: Automatic version checking. (6 replies, posted in Feature requests)
Good idea for those who need it. The only problem is that it'll fail on any PHP versions below 4.3.0 (on win32), and also those without 'allow_url_fopen' enabled.
EDIT: I didn't see that you've already added a check for allow_url_open
308 2005-09-07 22:25
Re: User created with invalid email when Verify registrations is on (9 replies, posted in PunBB 1.2 bug reports)
The problem is, there is absolutely no bullet-proof way to check if a e-mail address is valid until after sending a mail. Sure, you could check if the server responds, but the problem is (as mentioned), what if it was temporarily unavailable? Also, a check like you suggested keldar wouldn't really help, other than to verify the existence of the domain.
There are other, better ways to do it (google it), but by using those, you'd exclude a whole bunch of valid servers as well.
309 2005-09-07 14:24
Re: Html Emails (18 replies, posted in Feature requests)
Tobi wrote:
Rickard wrote:HTML e-mail is pure evil
So I spent hours thinking how to say it in a polite manner - just to read this.
Agreed, HTML mails are products of some very evil forces. As already mentioned, if the content of a mail requires HTML, it would be much better to just send out a link... HTML in mails == Potential security problems, and also, much cussing from 56k users
310 2005-09-07 14:18
Re: User created with invalid email when Verify registrations is on (9 replies, posted in PunBB 1.2 bug reports)
keldar wrote:
I recently changed the signup options on my board by changing the "Verify registrations" to yes. Now, when I test using an email address which is not valid, I get the following error:
Error: Unable to send e-mail. Please contact the forum administrator with the following error message reported by the SMTP server: "550 5.1.1 User unknown; rejecting ".
The user account is still created despite rejecting the address.
FYI I did a search through the forums but didn't find a workaround / fix to this possible issue.
rgds
Si
I might be wrong here (don't think I am though), but that's the way it's supposed to work. The user account will be created no matter if it's a valid e-mail or not, but the user won't be able to use that account until logging in with the password supplied in the e-mail...
311 2005-09-07 14:10
Re: OLD TOPIC TO DELETE (133 replies, posted in PunBB 1.2 modifications, plugins and integrations)
Just a small suggestion. The quality of the thumbnails could be a lot better, and it's very easy to change. Just open up gallery_post.php in a editor, and use "search and replace" to change the following:
imagecopyresized to imagecopyresampled
The difference is quite dramatic, and here's an example:
With imagecopyresized: 
With imagecopyresampled:
312 2005-09-06 17:27
Re: my small "security" code (8 replies, posted in PunBB 1.2 discussion)
Tobi wrote:
Yeah, sure.
My point was just:
Since punBB doesn't use the GET array anyway it doesn't matter what clever stuff a hacker wants to try there, it will be ignored anyway.I might be wrong there though...
PunBB uses GET quite a bit in search.php & to a lesser degree in index.php, viewforum.php + viewtopic.php
313 2005-09-06 15:22
Re: flood control (2 replies, posted in PunBB 1.2 discussion)
pen wrote:
okay, so ive been searching the options and such, cant find anywhere to change it.
any ideas?
User groups
314 2005-09-06 15:18
Re: upgrading from PunBB 1.1.5 to latest 1.2.4. (4 replies, posted in PunBB 1.2 troubleshooting)
Italiano wrote:
Currently running 1.1.5 and I want to upgrade do 1.2.7.
Can I directly upgrade to 1.2.7 or I need to go 1.1.5 to 1.2 to 1.2.7 or is there another procedure?
Please response thanks
You'll have to do 1.1.5 -> 1.2 -> 1.2.7...
315 2005-09-06 13:50
Re: protected links (8 replies, posted in Feature requests)
Fakhruddin2005 wrote:
is it possible ?
Absolutely, and in fact, very simple I didn't see this topic until just recently, so you may already have figured out how to make it work, but in any case, here's how to do it:
Open ./include/parser.php
Find, line 265:
global $pun_user;Replace with:
global $pun_user, $cur_post;Find, line 278:
return '<a href="'.$full_url.'">'.$link.'</a>';Replace with:
if ($pun_user['id'] != $cur_post['poster_id'] && $pun_user['g_id'] > PUN_MOD )
return '<span class="warntext">[private link]</span>';
else
return '<a href="'.$full_url.'">'.$link.'</a>';Save & Upload
This will hide posted links for everyone but the original poster, or admins/mods.
316 2005-09-06 10:24
Re: hide user from userlist (12 replies, posted in Feature requests)
Forgot about viewtopic.php in my prev. post... I've updated my previous post with the instructions for that file as well.
317 2005-09-06 10:09
Re: hide user from userlist (12 replies, posted in Feature requests)
Aikimaniac wrote:
Hmmm....its something like this for the newest version ?
No, but here's a little mod I just wrote that lets users hide their online status from the privacy page in their profile:
Run the following query in phpmyadmin, or the db managment plugin:
ALTER TABLE `users` ADD `hide_online` TINYINT( 1 ) DEFAULT '0' AFTER `activate_key` ;Open ./index.php
Find, line 182:
$result = $db->query('SELECT user_id, ident FROM '.$db->prefix.'online WHERE idle=0 ORDER BY ident', true) or error('Unable to fetch online list', __FILE__, __LINE__, $db->error());Replace with:
$result = $db->query('SELECT o.user_id, o.ident, u.hide_online FROM '.$db->prefix.'online AS o LEFT JOIN '.$db->prefix.'users AS u ON o.user_id=u.id WHERE idle=0 AND u.hide_online=0 ORDER BY o.ident', true) or error('Unable to fetch online list', __FILE__, __LINE__, $db->error());Open ./profile.php
Find, line 802:
$form = extract_elements(array('email_setting', 'save_pass', 'notify_with_post'));Replace with:
$form = extract_elements(array('email_setting', 'save_pass', 'notify_with_post', 'hide_online'));Find, line 808:
if (!isset($form['notify_with_post']) || $form['notify_with_post'] != '1') $form['notify_with_post'] = '0';Add after:
if (!isset($form['hide_online']) || $form['hide_online'] != '1') $form['hide_online'] = '0';Find, line 877:
$result = $db->query('SELECT u.username, u.email, u.title, u.realname, u.url, u.jabber, u.icq, u.msn, u.aim, u.yahoo, u.location, u.use_avatar, u.signature, u.disp_topics, u.disp_posts, u.email_setting, u.save_pass, u.notify_with_post, u.show_smilies, u.show_img, u.show_img_sig, u.show_avatars, u.show_sig, u.timezone, u.language, u.style, u.num_posts, u.last_post, u.registered, u.registration_ip, u.admin_note, g.g_id, g.g_user_title FROM '.$db->prefix.'users AS u LEFT JOIN '.$db->prefix.'groups AS g ON g.g_id=u.group_id WHERE u.id='.$id) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());Replace with:
$result = $db->query('SELECT u.username, u.email, u.title, u.realname, u.url, u.jabber, u.icq, u.msn, u.aim, u.yahoo, u.location, u.use_avatar, u.signature, u.disp_topics, u.disp_posts, u.email_setting, u.save_pass, u.notify_with_post, u.show_smilies, u.show_img, u.show_img_sig, u.show_avatars, u.show_sig, u.timezone, u.language, u.style, u.num_posts, u.last_post, u.registered, u.registration_ip, u.admin_note, g.g_id, g.g_user_title, u.hide_online FROM '.$db->prefix.'users AS u LEFT JOIN '.$db->prefix.'groups AS g ON g.g_id=u.group_id WHERE u.id='.$id) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());Find, line 1452:
<div class="rbox">
<label><input type="checkbox" name="form[notify_with_post]" value="1"<?php if ($user['notify_with_post'] == '1') echo ' checked="checked"' ?> /><?php echo $lang_profile['Notify full'] ?><br /></label>
</div>Add after:
<p>Enabling this setting will hide you from the online users information on the index page</p>
<div class="rbox">
<label><input type="checkbox" name="form[hide_online]" value="1"<?php if ($user['hide_online'] == '1') echo ' checked="checked"' ?> /><?php echo 'Hide online status?' ?><br /></label>
</div>Open ./viewtopic.php
Find, line 186:
$result = $db->query('SELECT u.email, u.title, u.url, u.location, u.use_avatar, u.signature, u.email_setting, u.num_posts, u.registered, u.admin_note, p.id, p.poster AS username, p.poster_id, p.poster_ip, p.poster_email, p.message, p.hide_smilies, p.posted, p.edited, p.edited_by, g.g_id, g.g_user_title, o.user_id AS is_online FROM '.$db->prefix.'posts AS p INNER JOIN '.$db->prefix.'users AS u ON u.id=p.poster_id INNER JOIN '.$db->prefix.'groups AS g ON g.g_id=u.group_id LEFT JOIN '.$db->prefix.'online AS o ON (o.user_id=u.id AND o.user_id!=1 AND o.idle=0) WHERE p.topic_id='.$id.' ORDER BY p.id LIMIT '.$start_from.','.$pun_user['disp_posts'], true) or error('Unable to fetch post info', __FILE__, __LINE__, $db->error());Replace with:
$result = $db->query('SELECT u.email, u.title, u.url, u.location, u.use_avatar, u.signature, u.email_setting, u.num_posts, u.registered, u.admin_note, u.hide_online, p.id, p.poster AS username, p.poster_id, p.poster_ip, p.poster_email, p.message, p.hide_smilies, p.posted, p.edited, p.edited_by, g.g_id, g.g_user_title, o.user_id AS is_online FROM '.$db->prefix.'posts AS p INNER JOIN '.$db->prefix.'users AS u ON u.id=p.poster_id INNER JOIN '.$db->prefix.'groups AS g ON g.g_id=u.group_id LEFT JOIN '.$db->prefix.'online AS o ON (o.user_id=u.id AND o.user_id!=1 AND o.idle=0) WHERE p.topic_id='.$id.' ORDER BY p.id LIMIT '.$start_from.','.$pun_user['disp_posts'], true) or error('Unable to fetch post info', __FILE__, __LINE__, $db->error());Find, line 207:
$is_online = ($cur_post['is_online'] == $cur_post['poster_id']) ? '<strong>'.$lang_topic['Online'].'</strong>' : $lang_topic['Offline'];Replace with:
$is_online = ($cur_post['is_online'] == $cur_post['poster_id'] && $cur_post['hide_online'] == 0) ? '<strong>'.$lang_topic['Online'].'</strong>' : $lang_topic['Offline'];Save & upload.
Tested on punbb 1.2.7.
Enjoy!
EDIT: In case anyone wants it, here's the .patch file: [Right-click & save as...]
How to use:
patch -ul -d <your forum directory> -p1 < online_mod.patch
318 2005-09-03 21:20
Re: PunBB 1.2.7 (33 replies, posted in News)
D9r wrote:
How do you type '»'? I noticed it's used in the breadcrumb trail. I thought there might be an ascii code for it, but everytime I find it on a website and view source it's simply typed in. What's the secret keyboard combination for typing it?
It's HTML entity is: »
319 2005-09-03 18:28
Re: A way to not show "Moderate by..." (8 replies, posted in PunBB 1.2 troubleshooting)
MEstk wrote:
thanx but where is it ?
Open up index.php, and find (line 132):
<?php echo $forum_field."\n".$moderators ?>Replace with:
<?php echo $forum_field ?>No more "moderated by.." text
320 2005-09-02 15:23
Re: PunBB 1.2.7 (33 replies, posted in News)
Nice to see a new version... Now to start modding it again
321 2005-09-01 08:06
Re: 1.2.6: Vulnerabilities ? (17 replies, posted in PunBB 1.2 discussion)
Jacq wrote:
While it seems quite hard to redirect the browser with an image (as if the exploit doesn't work as described) it was quite easy to pass that exif_imagetype test as it checks only for three characters in the path (which happens to be a directory this time) and with supplying an authentic image when the exif data and the image data is correct. I believe with getimagetype the result would be same.
If the redirect worked you would get the phishing example shortly, but some things can be made with the exploit I just made. In the forums which use php sessions the users with cookies off will publish their session id in the address bar. By checking referrer in the "image" it is possible to steal that info and the identity with it. Not in punbb, but perhaps in phpbb.
CodeXP and Smartys: you'll have an email inbound shortly.
I've just read your e-mail, and you're right, it could possibly be used to exploit phpbb, but definetely not PunBB. Seeing as the image is in fact an image, it would make no sense to block it, just because it was produced by a directory w. an index.php file. Of course, as you mentioned, you could get session data passed to the URL, but that does not apply to PunBB
I could add an additional check to check if the URL is a directory, but as the fix is for PunBB only, it's not really needed.
EDIT: If you'd like to make sure using a directory name, containing an index file that in turn returns a valid image, is impossible, just add the following to the IF statement:
else if(@fopen(''.$url.'/', 'r') !== FALSE) {
$url = 'img/warning.png';
}Be aware that this could result in some linked images failing where certain remote servers uses some special 404 error documents.
322 2005-09-01 06:05
Re: 1.2.6: Vulnerabilities ? (17 replies, posted in PunBB 1.2 discussion)
Jacq wrote:
It would be better to check which extensions are allowed because it is still possible to use perl, asp, php3, python or domino scripts and if you have access to the server you can change the extension to whatever you wish. .jpg for that matter.
That's where the get_imagetype check comes in. It's impossible to bypass that check, no matter what you do. The only reason I added that filetype check, was to ensure that a potential .php (only?) exif exploit couldn't happen.
323 2005-09-01 00:12
Re: 1.2.6: Vulnerabilities ? (17 replies, posted in PunBB 1.2 discussion)
Almost forgot. If someone wants to use the image cache function, this admin panel plugin might prove useful
324 2005-08-31 20:32
Re: 1.2.6: Vulnerabilities ? (17 replies, posted in PunBB 1.2 discussion)
Smartys wrote:
CodeXP: No it doesn't
I'll email you about it
Actually, yes, it does Just sent you a mail about why it does...
325 2005-08-31 19:30
Re: 1.2.6: Vulnerabilities ? (17 replies, posted in PunBB 1.2 discussion)
I think I've posted this before, but in case I didn't, here's a modification of parser.php that ensures that any potential img tag vurnabilities is a thing of the past. This version is the one I'm using on my site, so you may want to remove the image caching function I've written if you don't have enough storage space + bandwidth.
It does have some drawbacks, and will not work on every server, but if you're really concerned about this, then I don't think there's many other ways to do it.
1. Open include/parser.php
2. Find, line 282:
//
// Turns an URL from the [img] tag into an <img> tag or a <a href...> tag
//
function handle_img_tag($url, $is_signature = false)
{
global $lang_common, $pun_config, $pun_user;
$img_tag = '<a href="'.$url.'"><'.$lang_common['Image link'].'></a>';
if ($is_signature && $pun_user['show_img_sig'] != '0')
$img_tag = '<img class="sigimage" src="'.$url.'" alt="'.htmlspecialchars($url).'" />';
else if (!$is_signature && $pun_user['show_img'] != '0')
$img_tag = '<img class="postimg" src="'.$url.'" alt="'.htmlspecialchars($url).'" />';
return $img_tag;
}3. Replace with:
//
// Turns an URL from the [img] tag into an <img> tag or a <a href...> tag
//
function handle_img_tag($url, $is_signature = false)
{
global $lang_common, $pun_config, $pun_user;
$expire = '604800'; // How long should we wait to download the image again? Defaults to 1 week.
$remove = array('://www.', '://', '%20', ' ', '/', '\\', ':'); // Remove unwanted characters etc. from our URL's...
$file = str_replace($remove, '_', $url); // ...and replace them with a underscore
$localfile = 'cache/img/'.$file.''; // This is the filename of the local cached copy.
$AltTextName = basename($url); // Get the remote filename, for use as the ALT text in the <img> tags.
if(file_exists($localfile) && (time()-filemtime($localfile) < $expire)) { // Check it image exists, and if it's expired.
$url = $localfile; // Local copy is OK, and not expired, thus we provide don't need to do anything more right now.
} else {
switch(@exif_imagetype($url)):
case 1: // GIF \
case 2: // JPG - For more image types: http://www.php.net/manual/en/function.exif-imagetype.php
case 3: // PNG /
$pos = strrpos($url, '.');
$ext = substr(strtolower($url), $pos+1, 3); // Get the file extension
$NotAllowed = array('php', 'cgi', 'htm'); // Even though we know it's a valid image, we still check the extension just in case the image contains any EXIF exploits
if($is_signature) {
break; // Allow dynamic signatures (Don't cache them), but we'll still check if it's a valid image.
}
else if(in_array($ext, $NotAllowed)) {
$url = 'img/warning.png'; // The file was not a valid image, or a dead link, so we'll show a warning image
} else {
$remote = @file_get_contents($url); // Get contents of the remote file
$fh = @fopen($localfile , 'w' ); // Create a local file, ready for writing
@fwrite ($fh, $remote); // Do the actual writing
@fclose ($fh); // Done, let's close the file
@chmod($localfile, 0777); // Don't want to run into permission problems later on, so let's chmod the file
$url = $localfile;
}
break;
default:
$url = 'img/warning.png'; // The file was not a valid image, or a dead link, so we'll show a warning image
break;
endswitch;
}
$img_tag = '<a href="'.$url.'"><'.$lang_common['Image link'].'></a>';
if ($is_signature && $pun_user['show_img_sig'] != '0')
$img_tag = '<img class="sigimage" src="'.$url.'" alt="'.htmlspecialchars($AltTextName).'" />';
else if (!$is_signature && $pun_user['show_img'] != '0')
$img_tag = '<img class="postimg" src="'.$url.'" alt="'.htmlspecialchars('Cached version of the file "'.$AltTextName.'"').'" />';
return $img_tag;
}4. Create the following folder, and chmod it to 777:
<forum directory>/cache/img
5. Create a new file named .htaccess containing the contents below, and upload it to the directory you created in step 4.
<Limit GET POST PUT>
Order Allow,Deny
Allow from All
</Limit>6. Create a warning image (for invalid images, or dead links) named warning.png, and upload it to:
<forum directory>/img/
7. Save & upload.
EDIT: Updated to protect against any potential EXIF exploits, as recommended by Smartys
EDIT 2: As requested, I updated with a version that doesn't cache the signature images (so you'll be able to use dynamic sigs). It still checks if it's a valid image type though, so you're still protected against exploits.