The AnimeFanlistings Network Message Board


Topics - Jonathan

1
Problem description: http://board.animefanlistings.org/index.php?showtopic=12784

After investigating the database that runs IPB, we found a problem and applied a fix that should take care of this problem. "Threads Viewed" data might be missing between March 7th and today, but no posts have been removed.

If you are still experiencing the problems described above, post in that thread to let me know and I'll look into it.

2
News and Announcements / IPB "Portal" system disabled
« on: February 23, 2007, 07:14:50 PM »
The "portal" setup our message board vendor added with recent updates has been disabled. Server resources are tight enough as it is without the added overhead this caused. Besides, this is a message board, not a social-networking site. We do apologize for the inconvenience of taking away this interesting board feature. You can still view member profiles as you did before the portal system was added.

3
Fanlistings Chit-Chat / CodeGrrl PHP scripts vulnerability
« on: November 14, 2005, 03:41:45 PM »
An error in several CodeGrrl PHP scripts has been found that can potentially let a malicious web user read any file on your website, upload their own files, or otherwise cause mischief and mayhem. The vulnerable scripts are:

PHPCurrently version 2.0 and prior
PHPQuotes version 1.0 and prior
PHPCalendar version 1.0 and prior
PHPClique version 1.0 and prior
PHPFanBase version 2.1 and prior

Quote
Input passed to the "siteurl" parameter in "protection.php" isn't properly verified, before it is used to include files. This can be exploited to include arbitrary files from external and local resources.

REMEDIES:

If you have the ability to edit the php.ini file (PHP configuration file) on your webserver, set the "register_globals" variable to "off".*

If you do not have the ability to edit the configuration file, consider using an alternate script system until a new version is provided that fixes the vulnerability.

OR, if you are an uber PHP guru, you can edit protection.php yourself to make sure the siteurl variable has not been tainted.

References:
http://secunia.com/advisories/17542/
http://www.frsirt.com/english/advisories/2005/2402


*NOTE: I do not know if setting "register_globals" to "off" will break any of the scripts.

EDIT: That will teach me to multi-task while trying to process someone else's code. I incorrectly diagnosed the problem from the security advisories above. Text of post changed to reflect actual threat. Thread opened for discussion and sharing of suggestions of how to ensure the siteurl variable is not tainted.
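
One way to make sure `siteurl` has not been tainted, as the last remedy in the post above suggests. This is an added example, not CodeGrrl's code and not part of the original post; the `includes` directory, the function names and `header.php` are hypothetical, and the real `protection.php` may be structured differently.

```php
<?php
// Added example. Assumption: the script builds an include path from $siteurl,
// which register_globals lets a request set when the script never assigns it.

// Trusted base directory, fixed in code and never taken from the request (hypothetical).
define('SITE_BASE', dirname(__FILE__) . '/includes');

// True if the request carries a "siteurl" value in any source that
// register_globals would copy into the global $siteurl.
function siteurl_in_request()
{
    foreach (array($_GET, $_POST, $_COOKIE) as $source) {
        if (array_key_exists('siteurl', $source)) {
            return true;
        }
    }
    return false;
}

// Resolve $name to an existing file inside SITE_BASE, or return null.
function safe_include_path($name)
{
    // Reject URL wrappers (http://, ftp://, php://, data:, ...) and NUL bytes.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $name) || strpos($name, "\0") !== false) {
        return null;
    }
    $base = realpath(SITE_BASE);
    $path = realpath(SITE_BASE . '/' . $name);
    // realpath() collapses ../ and symlinks; the result must stay under the base.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// Refuse any request that tries to supply siteurl itself.
if (siteurl_in_request()) {
    header('HTTP/1.1 400 Bad Request');
    exit('Bad request');
}

$file = safe_include_path('header.php'); // constructed sample file name
if ($file !== null) {
    include $file;
}
```

The request check covers servers where `register_globals` cannot be turned off; the path check keeps the include local even if a tainted value reaches it some other way.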
