e107 0.617 Security patches + fixes (0.6171)

I think I have all the security holes plugged that were reported in the bugtracker and in the forum.

While I was into the code, I figured I'd throw a few bugfixes in there. I used the bug snippet page from e107faq.org to decide which to fix. All fixes that are posted there are in this upgrade. I'd like to thank bkwon for that wonderful page, it made adding the bugfixes very easy.

There are no database changes, simply unzip/overwrite your old files with these. Please BACKUP your site first, just in case! You can never be too careful.

If anyone has any problems with anything related to these files, please let me know immediately.

There will be no future bug fix releases for .617, unless they are security related.

You can get the file here: click to open link in new window

posted by jalist on Friday 13 May 2005 - 08:25:16


Comments

fumtu on 13 May : 10:21

Good job! You may want to remove e107_config.php from the download.

McFly on 13 May : 11:27

Thank you...file removed!

Krater on 13 May : 11:35

Thanks!

joriz on 13 May : 12:11

Updated the system and it worked!

ThX!

ThePhoEniX on 13 May : 12:48

but.. is v0.7 so far from publishing? I've modified some files, and I would like to port my code to a new ver only once

njeske on 13 May : 16:13

if we've already uploaded the .618 files from CVS will these files break anything?

McFly on 13 May : 16:41

njeske, I really have no idea. These fixes are based off of the .617 release.

BigWolf on 14 May : 02:50

Very nice job McFly

asperon on 14 May : 04:39

njeske, I tried downgrading from the .618 to .617 and then applied this patch, from what I can tell nothing broke.

NoOz on 14 May : 05:27

could you update the different CVS repository with this fix plz?

Raitsa on 14 May : 08:31

The update is working smoothly on 2 of my e107 .617 sites, tnx McFly.

rxlord on 14 May : 14:01

thank you McFly...all great

PHPautH on 15 May : 20:49

perfect the update! congratulations!!

austonia on 16 May : 00:06

Thanks man!

em@il on 16 May : 00:59

I see that the $query var from search.php (which is used in all search handlers) wasn't "slashed".

    $query = $_POST['searchquery'];

If the server doesn't add slashes (magic_quotes_gpc is not set), this permits SQL injection in the search handlers, where the query is used without any checks.

Why not use addslashes? (for example)

    if (get_magic_quotes_gpc()) {
        $query = stripslashes($_POST["searchquery"]);
    } else {
        $query = $_POST["searchquery"];
    }
    $query = mysql_real_escape_string($query);
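An added example, not e107 code and not em@il's code, to show the point of the comment above: the search query dropped straight into the SQL string, em@il's fix (undo any magic_quotes_gpc slashes, then escape for the database), and the bound-parameter version that is the usual recommendation now. It runs stand-alone with PHP's PDO SQLite driver (assumed available); the news table, its rows and the search input are constructed for the demo. Because get_magic_quotes_gpc() no longer exists in PHP 8, the magic-quotes state is passed in as a flag rather than read from the runtime. The test input is an ordinary search term containing an apostrophe, which is enough to break the concatenated statement.

```php
<?php
// Added example (not from e107). Demonstrates the unescaped search-query
// pattern discussed in the comments and two ways to close it. SQLite via PDO
// is used so the script runs offline; table, rows and input are constructed.

declare(strict_types=1);

function build_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE news (news_id INTEGER PRIMARY KEY, news_title TEXT)");
    $db->exec("INSERT INTO news (news_title) VALUES ('Release notes'), ('O''Reilly book review')");
    return $db;
}

// Same shape as $query = $_POST['searchquery'] spliced into the SQL string:
// any quote in the input changes the statement itself.
function search_unsafe(PDO $db, string $query): array {
    $sql = "SELECT news_title FROM news WHERE news_title LIKE '%$query%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// em@il's normalization step: if the server added magic_quotes_gpc slashes,
// strip them so the value is escaped exactly once. The flag replaces
// get_magic_quotes_gpc(), which is gone in PHP 8 (portability assumption).
function normalize_input(string $raw, bool $magic_quotes_on): string {
    return $magic_quotes_on ? stripslashes($raw) : $raw;
}

// em@il's fix, with PDO::quote() standing in for mysql_real_escape_string().
// PDO::quote() returns the value already wrapped in quotes.
function search_escaped(PDO $db, string $query, bool $magic_quotes_on): array {
    $query  = normalize_input($query, $magic_quotes_on);
    $quoted = $db->quote('%' . $query . '%');
    $sql    = "SELECT news_title FROM news WHERE news_title LIKE $quoted";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Bound parameters: the input is sent as data and never touches SQL syntax,
// so no escaping routine is needed at all.
function search_prepared(PDO $db, string $query, bool $magic_quotes_on): array {
    $query = normalize_input($query, $magic_quotes_on);
    $stmt  = $db->prepare("SELECT news_title FROM news WHERE news_title LIKE :q");
    $stmt->execute([':q' => '%' . $query . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = build_db();
// Constructed input: a legitimate search term that contains an apostrophe.
$input = "O'Reilly";

try {
    search_unsafe($db, $input);
    echo "unsafe: statement ran\n";
} catch (PDOException $e) {
    echo "unsafe: SQL syntax broken by a quote in user input\n";
}

// Escaped and bound versions handle the same input as data.
print_r(search_escaped($db, $input, false));
print_r(search_prepared($db, $input, false));

// With magic_quotes_gpc on, the same input arrives as "O\'Reilly";
// normalize_input() removes the extra slash before binding.
print_r(search_prepared($db, addslashes($input), true));
```

The escaping variant is only as good as the escape function's knowledge of the connection's character set, which is why mysql_real_escape_string() (connection-aware) was preferred over addslashes() in this thread; bound parameters sidestep the question entirely.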

amikes on 18 May : 01:05

huh?
What is the diference between CVS 0.618 and this bugfix version 0.6171?

doa on 19 May : 18:02

617 was a public release. 618 wasn't. Then off to .7

Other than that comment, I have updated 10 e107 site with this update. WAY TO GO!!!

Thank you again. You folks work hard even if it appears you don't.

streaky on 19 May : 18:17

em@il: mysql_real_escape_string() is better for that - addslashes is just no protection at all tbh..

GoG33 on 20 May : 12:03

Mcfly, I updated.. but the counter got br03ked. Now it's always,

Counter
Today: 0 (unique:0)

Anyway to fix this?

Thanks.

Stunts on 21 May : 07:45

On the Download page :: after clicking on next page -> Access Denied (for Head Admin) ...

BalooDK on 21 May : 13:26

Signup won't work if i use this patch

em@il on 22 May : 06:14

@streaky, of course! You can see it in the code above (in my post). I suggest "mysql_real_escape_string" even if the browser adds slashes (in this case I remove the slashes added by the browser)


[offtopic]
I see that the "code" part of my post is unreadable (when I posted, the code was OK). (a new e107 "update"?)
[/offtopic]

[ edited 22 May : 06:24 ]

GoG33 on 27 May : 16:31

Should I post my problem in the forums?

sunsuron on 29 May : 00:58

After I patched my old files, signup failed to add details into the DB.

