You are not logged in. Please login or register.
PunBB Forums → Posts by Tobi
ya guys do something or maybe ourforums get an attack soon
Know what?
I really like your Do something! approach.... 
Anyway, I think first we'd have to know if the latest hack of Rod's board was due to a missing update or not.
If the latter we have a problem.
If not then it just means that everybody should update.
Does anybody has an answer to this?
I am of course assuming that there is a simple way to detect the presence of GD on the server..
There is.
But I think once you start with "exceptions" you will find a board sooner or later that has all kinds of conditions so it's more or less a matter of good luck getting a complete install depending on your system.
I think punBB should try to run on all systems matching minimum conditions in the same way.
And offer a captcha mod (that already exists) to those who can and want to implement it.
This mod is terribly easy to implement by the way.
Everybody seems to install all those mods that are a lot more difficult to handle because they look funky or add some kind of candy to the board - what do I know - so don't come and tell me it's too much asked installing a captcha mod 
I found a very simple way to add Basic authentication to your admin scripts without moving anything.
1. Open include/common_admin.php
In Line 25, add
function authenticate() {
header('WWW-Authenticate: Basic realm="punBB Administration"');
header('HTTP/1.0 401 Unauthorized');
echo "You must enter a valid login ID and password to access this resource\n";
exit;
}
if (!isset($_SERVER['PHP_AUTH_USER'])) {
authenticate();
}
else {
$auth = file("./admin_pass.pwd");
list($user, $password) = split(":", trim($auth[0]));
if($_SERVER['PHP_AUTH_USER'] != $user || md5($_SERVER['PHP_AUTH_PW']) != $password) {
authenticate();
}
}Now, create a file in your pun installation root and call it admin_pass.pwd
In this file you only put one line with a username and a md5 encoded Password that you want to use for authentication.
File admin_pass.pwd example
Tester:0cbc6611f5540bd0809a388dc95a615bDone.
Now you will be prompted for this extra username/password pair in all admin areas.
Note1: You can and should (if you can ) move the password file out of your document root.
Then change the line
$auth = file("./admin_pass.pwd");accordingly
Note2:
If you have no md5 encoded password at hand you can generate one here
Apparently this forum was hacked way back in July.
Shall we go and wake up the admin?
You can send mails to single users by getting to their profile and click on "Send email..."
There is AFAIK no way to send mass emails to a definable list of users.
I found something while playong around a bit.
If you take the address
http://www.dankster.org/indie/
or even
http://www.dankster.org/indie/index.php
but NOT
http://www.dankster.org/indie
then everything is OK!
Note the trailing slash after "indie"
Anyway: this indicates that is has to do with the apache settings.
So if you really have to live without the trailing slash you will have to contact your provider.
Google says it's for the actual clients:
"When you target your ads to geographic locations, you have the following three options:
* Countries: Your ads will appear to customers located in or searching for results in the country or countries you select. This option is best suited for global businesses and merchants who serve specific countries."
Same should go for the languages.
I hope there's a simple way to turn off the eye candy.
Yes, there is a very simple way but I think we shouldn't start a flame war here
Tobi wrote:I think you can chose in your google ads profile for which countries/languages the ads shall be targeted, at least that's what I could chose.
Just go there and make sure that "Swedish" is not appearing there . Should help.Where?
Here's a screenshot from my adwords account that may tell you where to look.
Well, this just says that captcha is not 100% secure.
Surprise.
Nothing is absolutely secure.
However, it takes more than a lame script kid to break a good captcha installation so it's definitely worth it.
Maybe you - just to be sure - delete your cache files?
And check your apache config? Or let your host do it?
I figure it's more an apache problem (OR even DNS though that's rather unlikely)
why not make captcha standard on punbb?
If you browse the board for ideas what should be standard in punBB, and if Rickard had done all this then punBB would be bigger than phpBB today. Bigger, not better...
I think captcha is a good thing but since it's so easy to mod why not leave it to people to just do it?
plus, it depends on GD2 which is not implemented on all servers.
Are any non-Swedes seeing Swedish ads?
As I told you before, yes.
I repeatedly am invited to take taxi driving lessons in Sweden although I am in Greece.
I think you can chose in your google ads profile for which countries/languages the ads shall be targeted, at least that's what I could chose.
Just go there and make sure that "Swedish" is not appearing there . Should help.
That is a bit problematic.
The query that gives you these variables does not look for the user id. But that's what you need for a link to profile.php.
You can solve that by adding a join to the user table but I would not do that as it causes a good deal of extra DB activity.
Yeah, very colourful as you might have expected.
But KDE can be even more extreme...
And I read the other day that there is the first virus out for vista.
The bloody thing is still beta and there is already a virus. Amazing.. but then again why am I surprised?
Thx,
I blocked my one forum for now, the other one is invitation only anyway (and I do not think this guy'll get one )
If this is really an issue in 1.2.6 still - that's bad news....
maybe you post the relevant parts of your access log here? (only the relevant parts of course...)
The more people can have a look the sooner maybe a solution can be found.
Depends on how you set up your index.php.
Any more info?
Great. Thanks Tobi... but I still think it should be considered as part of the standard install for v1.3.
Well, I also think it would be a good idea but then again it's not up to us to decide..
For the time being just spend the 10 minutes and fix it manually.
There's a lot of handwork involved. I found a lot of parts to change, hope that's all.
So, here we go:
1. create a directory "admin" in your pun root and move all file sthere that start with "admin_"
2. open function.php and replace the complete function confirm_referer() with
function confirm_referrer($script)
{
global $pun_config, $lang_common;
## ADMIN DIR CHANGE
if(ereg("/admin/",$_SERVER['HTTP_REFERER'])) {
$ref_url = $pun_config['o_base_url'].'/admin';
}
else $ref_url = $pun_config['o_base_url'];
if (!preg_match('#^'.preg_quote(str_replace('www.', '', $ref_url)."/".$script, '#').'#i', str_replace('www.', '', (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : ''))))
message($lang_common['Bad referrer']);
}3. still in function.php,
find the function generate_navlinks() (somewhere around line 230)
In this function, replace ALL occurences of
<a href="with
<a href="' . PUN_ROOT . '4. Around line 887 in function.php, replace
<link rel="stylesheet" type="text/css" href="style/<?php echo $pun_user['style'].'.css' ?>" />with
<link rel="stylesheet" type="text/css" href="<?php echo PUN_ROOT ?>style/<?php echo $pun_user['style'].'.css' ?>" />5. Open ALL admin_ files and replace everywhere
define('PUN_ROOT', './');with
define('PUN_ROOT', '../');It's always on top of the scripts.
6. Open header.php and find around line 66
<link rel="stylesheet" type="text/css" href="style/<?php echo $pun_user['style'].'.css'replace it with
<link rel="stylesheet" type="text/css" href="<?php echo PUN_ROOT ?>style/<?php echo $pun_user['style'].'.css'7. and around line 70, replace
echo '<link rel="stylesheet" type="text/css" href="style/imports/base_admin.css" />'."\n";with
echo '<link rel="stylesheet" type="text/css" href="'.PUN_ROOT.'style/imports/base_admin.css" />'."\n";Let's hope that's it. If not let me know.
(It's basically about adding PUN_ROOT before most of the links...)
You are right.
Elzar kept this secret so far.
I want to do the same so I'll try to find a solution myself and post it then.
I think it is at least an option for extra security and I agree it should be standard.
Not alone for the security reason but also because it makes the directory structure more readable.
Try the search function.
Somebody has done and explained this somewhere here AFAIK
I think it's more a design question.
The function you are talking about still shows all the punBB framework.
I think he just wants a blank page with a login form.
Look up the table PREFIXconfig with phpMyAdmin and see what value "o_base_url" has.
No.
That's no real exploit.
I mean for this you need access to the board folder AND you have to know your userid.
This is not possible for people from the outside.
What I was trying was to do that from a remote folder on another machine and withoutr the userid.
If this is not possible at all then we don't have a leak
Your version is more like going to my board directory in the shell and type
# rm -Rf ./*
It doesn't prove that the board is insecure...
I think this is potentially more serious than it looks.
Any url called will be identified by the cookie of the current user.
What if the current user has admin status? And the url does someting there?
Well, it's still a theory but there will always be an asshole finding a leak there.
So I guess CodeXPs workaround is something everybody should use.
It will not work on systems where file handling of urls is disabled but then - no pictures is still better than no database
Btw I tried to hack myself with that method and it didn't work 
PunBB Forums → Posts by Tobi
Powered by PunBB, supported by Informer Technologies, Inc.