91
GIJOE
Re: tiny content - no url link out?
  • 2004/5/5 18:58

  • GIJOE

  • Quite a regular

  • Posts: 265

  • Since: 2003/8/13


Quote:

Catzwolf wrote:
Sounds like the module is not stripping the slashes when getting the information from the database.

I can't say that I never make such a silly mistake.
But I've just tested it with magic_quotes_gpc on and off. It works well.
Of course, I know the usage of textsanitizer well.

TinyD is already a major module in Japan.
It is hard to believe that such a serious bug remains.




92
GIJOE
Re: XOOPS Dev Team: Would it be hard to propagate module name in all reference to the module?
  • 2004/5/5 9:17

  • GIJOE

  • Quite a regular

  • Posts: 265

  • Since: 2003/8/13


I've only found this thread now.

Since my English is poor, I'm sorry that I did not read this thread before.

In Japan, the coding technique to create a "Duplicatable module" is already well known.

Two duplicatable modules have been released so far.
One is TinyContent-Duplicatable.
Another is myAlbum-P 2.70.

Quote:

Daigoro wrote:
// At the top of the file:
$pathparts = explode("/", realpath(__FILE__));  // Get path to this file.


That code is not usable on Windows, because __FILE__ returns a backslash-separated path.
Use dirname() instead.

Quote:
The way to actually create dynamic function names is unfortunately rather ugly, but this is the only way I've found to make it work:

You have a good brain!
I did not hit on the idea of using eval() at that time.
minahito, who also has a good brain, taught me that.

eval() is also needed in search and notification.
But blocks do not need eval().
You can distinguish them by the block's options ($options).

The skeleton of the language file is like this:
if( defined('FOR_XOOPS_LANG_CHECKER') || ! defined('(YOUR MODULE)_MB_LOADED') ) {
    define( '(YOUR MODULE)_MB_LOADED' , 1 ) ;   // guard against loading twice
    define( "MB_..." , "..." ) ;
    define( "MB_..." , "..." ) ;
    define( "MB_..." , "..." ) ;
}

You need as many SQL files and template files as there are duplicated modules.
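Added example for the post above; it is not code from TinyD, myAlbum-P or the XOOPS core. It shows the two points made here in runnable form: derive the module's own directory name in a way that survives Windows backslash paths (where explode("/", realpath(__FILE__)) breaks), and let one block function serve every duplicated copy through $options instead of eval()-generated function names. The file paths and the copy names "tinyd1"/"tinyd2" are constructed for the demonstration; the helper names are this example's own.

```php
<?php
// Added example, not from the thread or XOOPS. Runs stand-alone: `php duplicatable.php`.

// Directory name of the module that owns $file_path,
// e.g. ".../modules/tinyd1/xoops_version.php" -> "tinyd1".
// Backslashes are normalised first so the result is the same for Windows and Unix paths.
function module_dirname_from_path($file_path)
{
    $normalised = str_replace('\\', '/', $file_path);
    return basename(dirname($normalised));
}

// Language-file guard: the guard constant is built from the directory name, so each
// duplicated copy has its own guard and including a copy's language file twice
// defines nothing twice. Returns true when the strings were loaded by this call.
function load_module_language($mydirname, $strings)
{
    $guard = strtoupper($mydirname) . '_MB_LOADED';
    if (defined('FOR_XOOPS_LANG_CHECKER') || !defined($guard)) {
        define($guard, 1);
        foreach ($strings as $name => $value) {
            if (!defined($name)) {
                define($name, $value);
            }
        }
        return true;
    }
    return false;
}

// One block function shared by every copy. Each copy's xoops_version.php would register
// it with an option string such as '<its dirname>|5'; XOOPS splits that string on '|'
// into $options, so $options[0] tells the function which copy is asking.
function shared_block_show($options)
{
    $mydirname = $options[0];
    $limit = isset($options[1]) ? (int)$options[1] : 5;
    $block = array();
    $block['title'] = constant(strtoupper($mydirname) . '_MB_TITLE');
    $block['content'] = sprintf('%s: up to %d items from table %s_content', $mydirname, $limit, $mydirname);
    return $block;
}

// Demonstration with constructed paths (one Unix, one Windows).
$paths = array(
    '/var/www/html/modules/tinyd1/xoops_version.php',
    'C:\\Apache\\htdocs\\modules\\tinyd2\\xoops_version.php',
);
foreach ($paths as $p) {
    $dir = module_dirname_from_path($p);
    load_module_language($dir, array(strtoupper($dir) . '_MB_TITLE' => "Contents of $dir"));
    $again = load_module_language($dir, array());   // second include: the guard refuses
    $block = shared_block_show(array($dir, 3));
    echo "$dir  loaded twice: " . ($again ? 'yes' : 'no') . "  title: '" . $block['title'] . "'\n";
}
```

The same file therefore serves both copies: the only per-copy input is the directory name, which is exactly what the language-file guard and the block option carry.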



93
GIJOE
Re: tiny content - no url link out?
  • 2004/5/4 22:03

  • GIJOE

  • Quite a regular

  • Posts: 265

  • Since: 2003/8/13


Quote:

Rjupiter wrote:
I am trying to get TinyContent-Duplicatable to have a page with a set of links, but for some reason they won't link out. I keep getting 404 errors when I know the links are right.

You can see what I mean here :

http://www.prettybrush.sublevel28.com/x/

it is under tutorials.

Tell me the conditions in detail.

PageWrap or Content?
If PageWrap, which style do you use: original, content base dir, or mod_rewrite?
If Content, which style do you use?

If you can, post the HTML source here.
Perhaps this is not an issue only of TinyD, but also of the original TinyContent.



94
GIJOE
Re: piCal Event Reminders
  • 2004/5/3 20:36

  • GIJOE

  • Quite a regular

  • Posts: 265

  • Since: 2003/8/13


hi andrewum.
Quote:

I was attempting to set up Event Reminders for my users. I have piCal set up, and Notifications enabled. I was thinking that the notification could just send an email to users, if they have it enabled. But is there any way that the system would send it to the user 3 days in advance?

Although I plan to add Reminders to piCal, I'm sorry that I'm very busy now with other projects.

Quote:
The only idea I had was that I could modify part of the "Today's Event" block, and set it for 3 days ahead of time. Then users could set up a notification. Unfortunately I'm not able to figure out how to manipulate the code to make this work, if it's even possible...

If you want to display events 3 days ahead, you can hack it like this:

blocks/pical_todays_schedule.php

function pical_todays_schedule_show()
{
    global $xoopsConfig , $xoopsDB ;

    // paths of the piCal module
    $mod_path = XOOPS_ROOT_PATH."/modules/piCal" ;
    $mod_url = XOOPS_URL."/modules/piCal" ;

    // load the piCal classes
    require_once( "$mod_path/piCal.php" ) ;
    require_once( "$mod_path/piCal_xoops.php" ) ;

    // changed line: build the calendar for the date 3 days (3 * 86400 seconds) ahead instead of today
    $cal = new piCal_xoops( date( 'Y-n-j' , time() + 3 * 86400 ) , $xoopsConfig['language'] , true ) ;
    $cal->use_server_TZ = true ;

    // database connection, table and skin settings
    $cal->conn = $xoopsDB->conn ;
    $cal->table = $xoopsDB->prefix( PICAL_EVENT_TABLE ) ;
    include( "$mod_path/read_configs.php" ) ;   // defines $skin_folder
    $cal->images_url = "$mod_url/images/$skin_folder" ;
    $cal->images_path = "$mod_path/images/$skin_folder" ;

    $block['content'] = $cal->get_date_schedule( "$mod_url/index.php" ) ;
    return $block ;
}


If you mean 3 days in advance, change + to -.



95
GIJOE
Re: Hacking Security?
  • 2004/4/29 20:34

  • GIJOE

  • Quite a regular

  • Posts: 265

  • Since: 2003/8/13


AntiDoS-P is one.

This module protects not only against DoS attacks,
but also against injection attacks targeting XOOPS variables.

Of course, this module will be useless if you put on the server some modules which have fatal vulnerabilities.



96
GIJOE
Re: TinyContent Questions
  • 2004/4/29 19:34

  • GIJOE

  • Quite a regular

  • Posts: 265

  • Since: 2003/8/13


(Only about the first question)
Use TinyContent-Duplicatable.

TinyD has three types of wrapping.

1) original wrapping
The base path is modules/tinycontent/
You have to put the HTML in modules/tinycontent/content and the images in modules/tinycontent separately.

2) same as wrapped page
The base path is modules/tinycontent/content/
Thus you can put them as is.
But you can't turn comments on.

3) using mod_rewrite
The base path is modules/tinycontent/content/
Multiple HTML files are wrapped automatically, and their relative links work perfectly.
And you can use the comment feature.
But it is a necessary condition that your server allows you to use mod_rewrite.

You can select them for each page.



97
GIJOE
Re: A new autologin hack for 2.0.6
  • 2004/4/28 8:53

  • GIJOE

  • Quite a regular

  • Posts: 265

  • Since: 2003/8/13


You'd better read this.
Autologin Hack

I don't find any checkbox in the login block of your site.



98
GIJOE
Re: A new autologin hack for 2.0.6
  • 2004/4/28 8:13

  • GIJOE

  • Quite a regular

  • Posts: 265

  • Since: 2003/8/13


Quote:

GIJOE wrote:
But, It is a fact that autologin enlarges the holes of such weak modules.
I'm examining whether the redirection is useful or not...

I've examined whether my hack can prevent CSRF attacks.
Some patterns are OK, but other patterns are NG (eg. using multiple <img>).

Thus I remade the anti-CSRF code (see the top of this thread).
It can protect against CSRF like multiple <img>.



99
GIJOE
Re: A new autologin hack for 2.0.6
  • 2004/4/27 20:32

  • GIJOE

  • Quite a regular

  • Posts: 265

  • Since: 2003/8/13


Quote:

Dave_L wrote:
1) Rather than using a cookie path, wouldn't it be better to have a customizable cookie prefix?

I have read that thread for the first time now.
Of course, autologin should use it when the XOOPS core includes such functions.
This hack is for 2.0.6.

Quote:
2) What does CSRF mean?

Cross-Site Request Forgeries (CSRF, pronounced "sea surf")
http://www.tux.org/~peterw/csrf.txt

July 2003 php conference at oscon
http://conferences.oreillynet.com/os2003/php/
PHP Under Attack
http://conferences.oreillynet.com/cs/os2003/view/e_sess/4114
PHP Under Attack OSCON 2003 (slide)
http://talks.php.net/show/php-under-attack
http://talks.php.net/show/php-under-attack/11
http://talks.php.net/show/php-under-attack/15

In XOOPS, the records will be lost if a module exists like this:
if( ! $xoopsUser->isAdmin() ) exit ;
if( $delok ) {    // $delok arrives with the request (e.g. via register_globals), GET included
    $xoopsDB->queryF('DELETE ...') ;
}

The check is of no use if the older autologin is turned on and some administrator browses a CSRF page.

Of course, this is not an autologin hole but the module's security hole.
The module should use query() instead of queryF().
If the XOOPS session is alive, a CSRF attack on the weak modules will succeed without autologin.

But it is a fact that autologin enlarges the holes of such weak modules.
I'm examining whether the redirection is useful or not...
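Added example illustrating the CSRF pattern described in the post above; it is not code from XOOPS or from any module. The weak handler mirrors the "if ($delok) queryF('DELETE ...')" shape, and the hardened one shows the two checks that stop it: accept state changes only on POST (the method check is what the post's advice to use query() instead of queryF() amounts to), and require a per-session token that an attacker's page cannot read. The request arrays, the session and the "database" log are constructed so the script runs offline; the csrf_token name and the handler names are this example's own, not a XOOPS API.

```php
<?php
// Added example, not from the thread or XOOPS. Runs stand-alone: `php csrf_demo.php`.

// Weak module: the action flag is taken from anywhere in the request (this is what
// register_globals did with $delok), so a GET from <img src="...?delok=1"> on an
// attacker's page runs the DELETE with the victim's (auto)login cookies attached.
function weak_delete_handler($method, $get, $post, &$db_log)
{
    $delok = isset($get['delok']) ? $get['delok'] : (isset($post['delok']) ? $post['delok'] : null);
    if ($delok) {
        $db_log[] = 'DELETE (weak handler, method=' . $method . ')';
        return true;
    }
    return false;
}

// Token issued once per session and embedded as a hidden field in the module's own forms.
function csrf_token(&$session)
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(16));   // PHP 7+ (assumption)
    }
    return $session['csrf_token'];
}

// Hardened handler: same action, three checks before the DELETE.
function hardened_delete_handler($method, $get, $post, &$session, &$db_log)
{
    // 1. Only POST may change state. An <img>, a link or a redirect can only issue GET.
    if ($method !== 'POST') {
        return false;
    }
    // 2. The form must echo back this session's token; a cross-site page cannot read it.
    //    hash_equals() keeps the comparison constant-time.
    if (empty($post['csrf_token']) || empty($session['csrf_token'])
        || !hash_equals($session['csrf_token'], $post['csrf_token'])) {
        return false;
    }
    // 3. Only now look at the action flag, and only in the POST body.
    if (!empty($post['delok'])) {
        $db_log[] = 'DELETE (hardened handler, token verified)';
        return true;
    }
    return false;
}

// Demonstration with constructed requests.
$session = array();
$token = csrf_token($session);
$db_log = array();

$cases = array(
    // label, method, GET parameters, POST parameters
    array('img-tag GET from attacker page', 'GET',  array('delok' => '1'), array()),
    array('forged POST without token',      'POST', array(), array('delok' => '1')),
    array('forged POST with wrong token',   'POST', array(), array('delok' => '1', 'csrf_token' => str_repeat('0', 32))),
    array('legitimate POST from own form',  'POST', array(), array('delok' => '1', 'csrf_token' => $token)),
);
foreach ($cases as $c) {
    list($label, $method, $get, $post) = $c;
    $weak = weak_delete_handler($method, $get, $post, $db_log);
    $hard = hardened_delete_handler($method, $get, $post, $session, $db_log);
    printf("%-34s weak: %-8s hardened: %s\n", $label, $weak ? 'DELETED' : 'refused', $hard ? 'DELETED' : 'refused');
}
```

The weak handler deletes in all four cases, the hardened one only for the last request. Note that the method check alone (step 1) already defeats the <img>-based attack the thread discusses, which is why query() helps; the token (step 2) additionally covers a forged POST form on an attacker's page, which an autologin cookie would otherwise authenticate just as well.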



100
GIJOE
A new autologin hack for 2.0.6
  • 2004/4/27 8:07

  • GIJOE

  • Quite a regular

  • Posts: 265

  • Since: 2003/8/13


My autologin (remember me) hack has two problems.

1) The cookie's path is root ('/'). This causes a collision of the cookies of two XOOPS sites running on the same hostname.

2) This hack weakens XOOPS against CSRF attacks. (Some modules are defenseless against CSRF. They delete or update their records by GET requests easily.)

I -GIJOE- remade the autologin hack for XOOPS 2.0.6 like this:

line 69 of user.php
if ($op == 'logout') {
    $message = '';
    $HTTP_SESSION_VARS = array();
    session_destroy();
    if ($xoopsConfig['use_mysession'] && $xoopsConfig['session_name'] != '') {
        setcookie($xoopsConfig['session_name'], '', time() - 3600, '/', '', 0);
    }
    // clear autologin cookies GIJ
    $xoops_cookie_path = defined('XOOPS_COOKIE_PATH') ? XOOPS_COOKIE_PATH : preg_replace( '?http://[^/]+(/.*)$?' , "$1" , XOOPS_URL ) ;
    if( $xoops_cookie_path == XOOPS_URL ) $xoops_cookie_path = '/' ;   // no path part in XOOPS_URL: use root
    setcookie('autologin_uname', '', time() - 3600, $xoops_cookie_path, '', 0);
    setcookie('autologin_pass', '', time() - 3600, $xoops_cookie_path, '', 0);
    setcookie('autologin_uname', '', time() - 3600, '/', '', 0); // for older autologin hack -should be removed-
    setcookie('autologin_pass', '', time() - 3600, '/', '', 0);  // for older autologin hack -should be removed-
    // clear entry from online users table
    if (is_object($xoopsUser)) {
        $online_handler =& xoops_gethandler('online');
        $online_handler->destroy($xoopsUser->getVar('uid'));
    }
    $message = _US_LOGGEDOUT.'<br />'._US_THANKYOUFORVISIT;
    redirect_header('index.php', 1, $message);
    exit();
}


line 88 of include/checklogin.php
    // set cookie for autologin GIJ
    $xoops_cookie_path = defined('XOOPS_COOKIE_PATH') ? XOOPS_COOKIE_PATH : preg_replace( '?http://[^/]+(/.*)$?' , "$1" , XOOPS_URL ) ;
    if( $xoops_cookie_path == XOOPS_URL ) $xoops_cookie_path = '/' ;
    if (!empty($HTTP_POST_VARS['rememberme'])) {
        $expire = time() + $xoopsConfig['session_expire'] * 60;
        setcookie('autologin_uname', $uname, $expire, $xoops_cookie_path, '', 0);
        setcookie('autologin_pass', md5($pass), $expire, $xoops_cookie_path, '', 0);
    }


line 160 of include/common.php
    //autologin GIJ
    if(empty($HTTP_SESSION_VARS['xoopsUserId']) && isset($HTTP_COOKIE_VARS['autologin_uname']) && isset($HTTP_COOKIE_VARS['autologin_pass'])) {

        // redirect to Root when query string exists (anti-CSRF)
        if( ! empty( $HTTP_SERVER_VARS['QUERY_STRING'] ) ) {
            redirect_header( XOOPS_URL , 1 , 'Now, logging in automatically' ) ;
            exit ;
        }

        $myts =& MyTextSanitizer::getInstance();
        $uname = $myts->stripSlashesGPC($HTTP_COOKIE_VARS['autologin_uname']);
        $pass = $myts->stripSlashesGPC($HTTP_COOKIE_VARS['autologin_pass']);   // already the md5() of the password
        $user =& $member_handler->loginUserMd5(addslashes($uname), addslashes($pass));
        $xoops_cookie_path = defined('XOOPS_COOKIE_PATH') ? XOOPS_COOKIE_PATH : preg_replace( '?http://[^/]+(/.*)$?' , "$1" , XOOPS_URL ) ;
        if( $xoops_cookie_path == XOOPS_URL ) $xoops_cookie_path = '/' ;
        if ( false != $user && $user->getVar('level') > 0) {
            // update time of last login
            $user->setVar('last_login', time());
            if (!$member_handler->insertUser($user, true)) {
                // failure to record last_login is ignored
            }
            //$HTTP_SESSION_VARS = array();
            $HTTP_SESSION_VARS['xoopsUserId'] = $user->getVar('uid');
            $HTTP_SESSION_VARS['xoopsUserGroups'] = $user->getGroups();
            // update autologin cookies
            $expire = time() + $xoopsConfig['session_expire'] * 60 ;
            setcookie('autologin_uname', $uname, $expire, $xoops_cookie_path, '', 0);
            setcookie('autologin_pass', $pass, $expire, $xoops_cookie_path, '', 0);
        } else {
            setcookie('autologin_uname', '', time() - 3600, $xoops_cookie_path, '', 0);
            setcookie('autologin_pass', '', time() - 3600, $xoops_cookie_path, '', 0);
        }
    }


The other 4 files are the same as in the older hack.

modules/system/templates/blocks/system_block_login.html
modules/system/blocks/system_blocks.php
modules/system/language/english/blocks.php
modules/system/language/(your language)/blocks.php

I've updated the Xoops Wiki too.

The new hack has not been tested sufficiently yet.
Tests by volunteers are awaited.
---------
(28 April updated) fixed the anti-CSRF code, which was insufficient
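Added example, not part of GIJOE's hack or of the XOOPS core. It addresses two things a reviewer of the hack above would raise. First, the cookie-path regex '?http://[^/]+(/.*)$?' matches only http:// URLs, so an https:// XOOPS_URL never matches, the == XOOPS_URL fallback fires, and the path silently becomes '/' again, which is the collision from problem 1); parse_url() handles both schemes. Second, the cookie carries md5($pass), which is exactly what loginUserMd5() accepts, so a stolen cookie is as good as the password for as long as it lives. A random selector:verifier token stored hashed on the server is a different technique from the hack's, one that can be revoked and reveals nothing about the password. The in-memory $store array stands in for a database table, the clock is fixed, and all function names are this example's own.

```php
<?php
// Added example, not from the thread or XOOPS. Runs stand-alone: `php remember_me.php`.

// Cookie path for a XOOPS install: '/' for a site at the host root, otherwise the
// site's path without a trailing slash, so installs under /a/ and /b/ on one host
// do not see each other's cookies. Works for http:// and https:// alike.
function xoops_cookie_path_for($xoops_url)
{
    $path = parse_url($xoops_url, PHP_URL_PATH);
    if (!is_string($path)) {
        return '/';
    }
    $path = rtrim($path, '/');
    return $path === '' ? '/' : $path;
}

// Issue a remember-me token. The cookie gets "selector:verifier"; the store keeps only
// sha256(verifier), so a dump of the table cannot be replayed as cookies.
function issue_remember_token($uid, &$store, $ttl_seconds, $now)
{
    $selector = bin2hex(random_bytes(8));     // PHP 7+ (assumption)
    $verifier = bin2hex(random_bytes(32));
    $store[$selector] = array(
        'uid'     => $uid,
        'hash'    => hash('sha256', $verifier),
        'expires' => $now + $ttl_seconds,
    );
    return $selector . ':' . $verifier;
}

// Validate a cookie value; returns the uid or null. A known selector with a wrong
// verifier is treated as theft and the token is revoked.
function check_remember_token($cookie, &$store, $now)
{
    if (!is_string($cookie) || strpos($cookie, ':') === false) {
        return null;
    }
    list($selector, $verifier) = explode(':', $cookie, 2);
    if (!isset($store[$selector])) {
        return null;
    }
    $row = $store[$selector];
    if ($row['expires'] < $now || !hash_equals($row['hash'], hash('sha256', $verifier))) {
        unset($store[$selector]);
        return null;
    }
    return $row['uid'];
}

// Demonstration with constructed URLs and a fixed clock.
foreach (array('http://example.org', 'http://example.org/x/', 'https://example.org/x/') as $u) {
    echo str_pad($u, 28) . ' cookie path: ' . xoops_cookie_path_for($u) . "\n";
}

$store = array();
$now = 1083000000;
$cookie = issue_remember_token(42, $store, 7 * 86400, $now);
$tampered = strtok($cookie, ':') . ':' . str_repeat('0', 64);   // right selector, wrong verifier
$checks = array(
    'valid cookie'             => check_remember_token($cookie, $store, $now),
    'tampered verifier'        => check_remember_token($tampered, $store, $now),
    'same cookie after revoke' => check_remember_token($cookie, $store, $now),
    'expired cookie'           => check_remember_token(issue_remember_token(42, $store, 60, $now), $store, $now + 61),
);
foreach ($checks as $label => $uid) {
    echo str_pad($label, 26) . ' -> ' . ($uid === null ? 'rejected' : "uid $uid") . "\n";
}
```

The hack's anti-CSRF redirect on a non-empty query string is independent of this and would be kept as is; what changes is only what the cookie contains and how the path is derived. Setting the cookie with the same $xoops_cookie_path the hack computes, but from xoops_cookie_path_for(XOOPS_URL), keeps the logout code's cookie clearing working unchanged.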



