Description: Avatar upload module for PHPNuke 6.0, changes compared to V.0.2:
=> Security fix: From now on the type of the image (preset to .gif) and the SIZE of the image (preset to approx. 5kb) can be set! And no longer in the module's index.php but in upload.php! (i.e. the size of the image/file can no longer be determined from outside!)
=> Extended error detection (e.g. when no image was uploaded, or when the image is too large or in the wrong format)
=> Display of the avatar after the upload!
Description: Original phpBB Group changelog:
* Added confirm table to admin_db_utilities.php
* Prevented full path display on critical messages
* Fixed full path disclosure in username handling caused by a PHP 4.3.10 bug - AnthraX101
* Added exclude list to unsetting globals (if register_globals is on) - SpoofedExistence
* Fixed arbitrary file disclosure vulnerability in avatar handling functions - AnthraX101
* Fixed arbitrary file unlink vulnerability in avatar handling functions - AnthraX101
* Removed version number from powered by line
* Merged database update files to update_to_latest.php file
* Fixed path disclosure bug in search.php caused by a PHP 4.3.10 bug (related to AnthraX101's discovery)
* Fixed path disclosure bug in viewtopic.php caused by a PHP 4.3.10 bug - matrix_killer
The changelog (contained within this release) is as follows:
* Prevent login attempts from incrementing for inactive users
* Do not check maximum login attempts on re-authentication to the admin panel - tomknight
* Regenerate session keys on password change
* retrieving category rows in index.php (Bug #90)
* improved index performance by determining the permissions before iterating through all forums (Bug #91)
* Better handling of short usernames within the search (Bug #105)
* Send a no-cache header on admin pages as well as normal board pages (Bug #149)
* Apply word censors to the message when quoting it (Bug #405)
* Improved performance of query in admin_groups (Bug #753)
* Workaround for an issue in either PHP or MSSQL resulting in a space being returned instead of an empty string (Bug #830)
* Correct use of default_style config value (Bug #861)
* Replace unneeded unset calls in admin_db_utilities.php - vanderaj
* Improved error handling in modcp.php
* Improved handling of forums to which the user does not have any explicit permissions - vanderaj
* Assorted fixes and cleanup of admin_ranks.php, now requires confirmation of deletions
* Assorted fixes and cleanup of admin_words.php, now requires confirmation of deletions
* Addition and editing of smilies can no longer be performed via GET, now requires confirmation of deletions
* Escape group names in admin_groups.php
* Replace strip_tags with htmlspecialchars in private message subject
* Some changes to HTML handling if enabled
* Escape any special characters in reverse dns - Anthrax101
* Typecast poll id values - Anthrax101
* Added configurable search flood control to reduce the effect of DoS style attacks
* Changed the way we create "random" values for use as keys - chinchilla/Anthrax101
* Enabled Visual Confirmation by default
* Changed handling of the case where a selected style doesn't exist in the database
* Changed handling of topic pruning to improve performance
* Changed default forum permissions to only allow registered users to post in new forums
Description: Note: Make a backup of the files to be replaced before upgrading; the files have not yet been tested. PHP-Nuke 7.x and BbtoNuke 2.0.10 are required.
Changes since 2.0.10
Fixed unsetting global vars - Matt Kavanagh
Fixed XSS vulnerability in username handling - AnthraX101
Fixed not confirmed sql injection in username handling - warmth
Added check for empty topic id in topic_review function
Added visual confirmation mod to code base
Description: The changelog (contained within this release) is as follows:
* Hardened author and keyword search a bit to not allow very server intensive searches
* Fixed full path disclosure in bad word parsing
* Resetting complete userdata array in session code if authentication fails
* Fixed bug in moderator control panel where certain parameters could lead to an "error creating new session" sql error
* Fixed bug in session code where empty page ids could lead to an "error creating new session" sql error
* Fixed html handling in signatures if html is turned off globally
* Fixed install.php problem with PHP5 register_long_arrays option turned off
* Fixed potential issues with styling system
* Added correct class to login_body template file
* Removed file db/oracle.php from package
* Removed version number from message body page in /admin (if user is not an admin) - mikelbeck
* Fixed case-sensitivity issues in postgres7.php - R45
Description: For Nuke Patched 2.9 or higher only!!
The changelog (contained within this release) is as follows:
* Hardened author and keyword search a bit to not allow very server intensive searches
* Fixed full path disclosure in bad word parsing
* Resetting complete userdata array in session code if authentication fails
* Fixed bug in moderator control panel where certain parameters could lead to an "error creating new session" sql error
* Fixed bug in session code where empty page ids could lead to an "error creating new session" sql error
* Fixed html handling in signatures if html is turned off globally
* Fixed install.php problem with PHP5 register_long_arrays option turned off
* Fixed potential issues with styling system
* Added correct class to login_body template file
* Removed file db/oracle.php from package
* Removed version number from message body page in /admin (if user is not an admin) - mikelbeck
* Fixed case-sensitivity issues in postgres7.php - R45
* [Fix] incorrect handling of password resets if admin activation is enabled (Bug #88)
* [Fix] retrieving category rows in index.php (Bug #90)
* [Fix] improved index performance by determining the permissions before iterating through all forums (Bug #91)
* [Fix] wrong topic redirection after login redirect (Bug #94)
* [Fix] improved handling of username lists in admin_ug_auth.php (Bug #98)
* [Fix] incorrect removal of bbcode_uid values if bbcode has been turned off (Bug #100)
* [Fix] correctly preview signature if editing other users posts (Bug #101)
* [Fix] incorrect alt tag on generated search images in groupcp.php, viewtopic.php and usercp_viewprofile.php (Bug #102)
* [Fix] consistent forum ordering in all dropdown boxes (Bug #106)
* [Fix] correctly get compression status in page_tail.php and page_footer_admin.php (Bug #117)
* [Fix] set page title on summary page of groupcp.php (bug #125)
* [Fix] correctly test style and avatar in usercp_register.php (bug #129 and #317)
* [Fix] handling of reactivation notifications if admin activation is enabled (Bug #145)
* [Fix] handling of both forms of translation information used in language packs (Bug #159)
* [Fix] key length for activation keys fixed in usercp_sendpassword.php (Bug #171)
* [Fix] use GENERAL_MESSAGE constant in message_die instead of MESSAGE (Bug #176)
* [Fix] incorrect handling of move stubs (Bug #179)
* [Fix] wrong mode_type in memberlist (Bug #187)
* [Fix] SQL errors when setting maximum PMs to 0 (Bug #188)
* [Fix] removed unused variable from topic_notify email template (Bug #210)
* [Fix] removed unset variable from smilies popup window title (Bug #224)
* [Fix] removed duplicate template assignment from admin_board.php (Bug #226)
* [Fix] incorrect search link for guest posts in modcp.php (Bug #254)
* [Fix] all users removed from topics watch table on special occasions (Bug #271)
* [Fix] correctly check returned value from strpos in append_sid function (Bug #275)
* [Fix] correctly display username in private message notification (Bug #278)
* [Fix] fixed "var-by-ref" errors (Bug #322)
* [Fix] changed redirection to installation (Bug #325)
* [Fix] added timeout of 10 seconds to version check (Bug #348)
* [Fix] fixed user_level default in postgresql schema file (Bug #444)
* [Fix] multiple minor HTML issues with subSilver
* [Change] deprecated the use of some PHP 3 compatibility functions in favour of the native equivalents
* [Change] added 60 days limit for grabbing unread topics in index.php
* [Sec] backport of session keys system from olympus
* [Sec] fixed email bans to use the same pattern as email validation and allow wildcard domain bans
* [Sec] fixed validation of topic type when posting
* [Sec] unset database password once it is no longer needed
* [Sec] fixed potential to select images outside the specified path as avatars or smilies
* [Sec] fix globals de-registration code for PHP5 - (Stefan Esser/Matt Kavanagh)
* [Sec] changed avatar gallery code sections to prevent possible injection points (AnthraX101)
* [Sec] signature field is not properly sanitised for user input when an error occurs while accessing the avatar gallery (AnthraX101)
* [Sec] check to_username and ownership when editing a PM (AnthraX101)
* [Sec] fixed ability to edit PMs you did not send (depablo84)
* [Sec] compare imagetype on avatar uploading to match the file extension from uploaded file
Description: BBtoNuke 2.0.18 for Nuke Patched 2.9 and up
* [Fix] incorrect handling of password resets if admin activation is enabled (Bug #88)
* [Fix] retrieving category rows in index.php (Bug #90)
* [Fix] improved index performance by determining the permissions before iterating through all forums (Bug #91)
* [Fix] wrong topic redirection after login redirect (Bug #94)
* [Fix] improved handling of username lists in admin_ug_auth.php (Bug #98)
* [Fix] incorrect removal of bbcode_uid values if bbcode has been turned off (Bug #100)
* [Fix] correctly preview signature if editing other users posts (Bug #101)
* [Fix] incorrect alt tag on generated search images in groupcp.php, viewtopic.php and usercp_viewprofile.php (Bug #102)
* [Fix] consistent forum ordering in all dropdown boxes (Bug #106)
* [Fix] correctly get compression status in page_tail.php and page_footer_admin.php (Bug #117)
* [Fix] set page title on summary page of groupcp.php (bug #125)
* [Fix] correctly test style and avatar in usercp_register.php (bug #129 and #317)
* [Fix] handling of reactivation notifications if admin activation is enabled (Bug #145)
* [Fix] handling of both forms of translation information used in language packs (Bug #159)
* [Fix] key length for activation keys fixed in usercp_sendpassword.php (Bug #171)
* [Fix] use GENERAL_MESSAGE constant in message_die instead of MESSAGE (Bug #176)
* [Fix] incorrect handling of move stubs (Bug #179)
* [Fix] wrong mode_type in memberlist (Bug #187)
* [Fix] SQL errors when setting maximum PMs to 0 (Bug #188)
* [Fix] removed unused variable from topic_notify email template (Bug #210)
* [Fix] removed unset variable from smilies popup window title (Bug #224)
* [Fix] removed duplicate template assignment from admin_board.php (Bug #226)
* [Fix] incorrect search link for guest posts in modcp.php (Bug #254)
* [Fix] all users removed from topics watch table on special occasions (Bug #271)
* [Fix] correctly check returned value from strpos in append_sid function (Bug #275)
* [Fix] correctly display username in private message notification (Bug #278)
* [Fix] fixed "var-by-ref" errors (Bug #322)
* [Fix] changed redirection to installation (Bug #325)
* [Fix] added timeout of 10 seconds to version check (Bug #348)
* [Fix] fixed user_level default in postgresql schema file (Bug #444)
* [Fix] multiple minor HTML issues with subSilver
* [Change] deprecated the use of some PHP 3 compatibility functions in favour of the native equivalents
* [Change] added 60 days limit for grabbing unread topics in index.php
* [Sec] backport of session keys system from olympus
* [Sec] fixed email bans to use the same pattern as email validation and allow wildcard domain bans
* [Sec] fixed validation of topic type when posting
* [Sec] unset database password once it is no longer needed
* [Sec] fixed potential to select images outside the specified path as avatars or smilies
* [Sec] fix globals de-registration code for PHP5 - (Stefan Esser/Matt Kavanagh)
* [Sec] changed avatar gallery code sections to prevent possible injection points (AnthraX101)
* [Sec] signature field is not properly sanitised for user input when an error occurs while accessing the avatar gallery (AnthraX101)
* [Sec] check to_username and ownership when editing a PM (AnthraX101)
* [Sec] fixed ability to edit PMs you did not send (depablo84)
* [Sec] compare imagetype on avatar uploading to match the file extension from uploaded file
All logos and trademarks in this site are property of their respective owner. The comments are property of their posters, all the rest (c) 2004-2012 by phpnuker.de.