lightman (The Janitor, Admin)
Posted: December 16, 2010 09:17 am
As a result of a small number of users reporting that their phpCOIN installation was being used as the vector for a web server compromise, we have reviewed the handling routines in the ~/coin_includes/security.php file and revised them.
My great thanks to azcappy, who worked tirelessly in helping to test and refine this code.

This HotFix is rated: PATCH NOW!

Instructions:
1) Download the file and unzip it as security.php
2) Change the file permissions if required
3) Upload the file to your phpCOIN installation, OVERWRITING the file in ~/coin_includes/security.php

Known Issues:
1) This may break passwords that are set to use auto-generated passwords that utilize the full alphanumeric character set and symbols, in the ASCII range 33 to 126. Solution: switch this to utilize only lowercase letters.

Note: This file is deliberately aggressive in the way it sanitizes input as passed by a GET or POST URL. This file has been tested on a variety of live phpCOIN v1.6.5 installations and appears to work fine. Older installations may also be able to use this file if it already exists in the fileset, but users should be aware that no testing has been performed on versions older than v1.6.5, so apply it with care or upgrade to the v1.6.5 version first. If you encounter any loss of functionality after applying this file, please let us know.

Download file: HotFix_v165_1_2010_12_16.zip
MD5sum: efff3185820acac9e1d1b4d60aae0ab0

This HotFix is rated: PATCH NOW!

--------------------
***** Unless otherwise stated, all replies refer to the following *****
====================================================================
--- The latest unmodified version of phpCOIN available from the phpCOIN download page on the date and time of this post.
--- All relevant HotFix files applied
- One of the four included unmodified themes
- The original language files.
--- Help will be given to install/configure/use phpCOIN, but not programming help to modify phpCOIN operations. If you are competent enough to make programming changes, you should be competent enough to read the source code and figure things out :)
lightman (The Janitor, Admin)
Posted: December 28, 2010 05:08 pm
NOTES

* A user reported problems with the format of menu external links. Add

into the "# Some variables are allowed to contain html" section of the security.php file to resolve this.

* Users have reported difficulties when using HTML emails and the wysiwyg editor. There is no solution at this time; if you are experiencing difficulties with HTML emails, switch to plain-text email mode.
ahouse (Advanced Member)
Posted: January 07, 2011 09:06 am
Where do you want to add the code? Sorry for my English.
ahouse (Advanced Member)
Posted: January 07, 2011 09:10 am
Thanks, I figured it out: file security.php, line 94.
4u2cnnv (Newbie)
Hi, I have:
1. downloaded the patch zip file
2. extracted it on my Windows 7 machine
3. made the suggested amendments in the posts above
4. uploaded it to my server
5. changed the permissions to be the same as the previous version of security.php

I get a blank page when I load the site, although when I remove the suggested amendment the site loads again, but it still says:

Your phpCOIN installation is v1.6.5 with fix-file 2009-09-26
Fix-File 2010-12-16 for version 1.6.5
* HotFixs are available for this version
* Security : Input Parsing - *** PATCH NOW !! ***
* Security : Mail Archive Of Password Resets - Optional
* Security : Captcha Exploit, Ddos And Handling - Recommended
* BugFix : Google Webmaster Verification Tag - Recommended

Am I doing it right? Please help in this regard.
lightman (The Janitor, Admin)
Posted: January 15, 2011 06:39 am
The HotFix will NOT remove the notification in the admin or summary page!!!

See http://forums.phpcoin.com/index.php?showtopic=3222

If you are getting a blank page, it is probably because of a parse error caused by a corrupted or partially uploaded file, or the file has had the wrong permissions set.
qtriangle (Member)
Posted: February 26, 2011 01:41 pm
Even after applying this patch, the update notice reads this:

Your phpCOIN installation is v1.6.5 with fix-file 2009-09-26
Fix-File 2010-12-16 for version 1.6.5
* HotFixs are available for this version
* Security : Input Parsing - *** PATCH NOW !! ***
* Security : Mail Archive Of Password Resets - Optional
* Security : Captcha Exploit, Ddos And Handling - Recommended
* BugFix : Google Webmaster Verification Tag - Recommended

Is it normal?
lightman (The Janitor, Admin)
Posted: February 26, 2011 02:01 pm
Oh dear
mrsdonovan (Newbie)
I realize this post is a couple of years old, but I, for one, still use php_coin... One solution is to fix the security.php file to white-list an IP address like this: in the "clean_input_array" function, under "$res = array", add the following:

and change the "127.0.0.1" IP address to your own. I tested this code and it works for my purposes... Of course, the better solution would be sanitization that didn't strip out ALL the HTML, and returned a relevant error if it did. But, alas, another dying project...
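The points raised across this thread (the hotfix post's Known Issue about passwords drawn from the full ASCII 33-126 range, the note about menu external links that must keep their HTML, and the IP white-list idea in the post above) are all facets of one design question: whether to sanitize every GET/POST value with a single rule or per field. The PHP below is an added example written for this page; it is not phpCOIN's own security.php or its clean_input_array routine, and the field names, the two allow-lists and the sample request are assumptions. It shows a strip-everything cleaner silently rewriting a password so that password_verify() fails against the stored hash, next to a field-aware alternative that leaves credentials untouched, strips tags from ordinary fields, and removes only script-capable constructs from the allow-listed HTML fields.

```php
<?php
// Added example for this thread, not phpCOIN's security.php.
// Demonstrates why one aggressive rule for every request value breaks
// symbol-bearing passwords and HTML-carrying fields, and a per-field alternative.

declare(strict_types=1);

// Hypothetical request keys allowed to keep HTML (the thread's
// "# Some variables are allowed to contain html" idea). Names are assumptions.
const HTML_ALLOWED_KEYS = ['menu_link_html'];

// Hypothetical credential keys: never character-stripped, because the value is
// compared against a stored hash, not rendered or interpolated into a query.
const CREDENTIAL_KEYS = ['password', 'password_confirm'];

/**
 * Aggressive sanitizer in the style the hotfix post describes: keeps only
 * alphanumerics, space and a little punctuation. Applied to a password it
 * silently changes the value, which is the "Known Issue" in the hotfix post.
 */
function aggressive_clean(string $value): string
{
    return preg_replace('/[^A-Za-z0-9 _.,\-]/', '', $value) ?? '';
}

/**
 * Field-aware cleaning: credentials pass through unchanged, allow-listed HTML
 * fields lose inline event handlers and javascript: URLs but keep markup,
 * and everything else has its tags stripped.
 * The on*/javascript: filter is illustrative only; production code should use
 * a dedicated HTML purifier library rather than these two regexes.
 */
function clean_value(string $key, string $value): string
{
    if (in_array($key, CREDENTIAL_KEYS, true)) {
        return $value; // hash and compare later; never mutate it
    }
    if (in_array($key, HTML_ALLOWED_KEYS, true)) {
        $value = preg_replace('/\son\w+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)/i', '', $value) ?? '';
        return preg_replace('/javascript\s*:/i', '', $value) ?? '';
    }
    return strip_tags($value);
}

/** Recursive walk over a request array, in the spirit of a clean_input_array routine. */
function clean_input_array(array $input): array
{
    $out = [];
    foreach ($input as $key => $value) {
        $out[$key] = is_array($value)
            ? clean_input_array($value)
            : clean_value((string) $key, (string) $value);
    }
    return $out;
}

// Constructed sample request for the demonstration, not captured traffic.
$request = [
    'username'       => 'alice<script>alert(1)</script>',
    'password'       => 'P@ss!word#42~',
    'menu_link_html' => '<a href="https://example.com" onclick="evil()">Site</a>',
];

$aggressive = array_map('aggressive_clean', $request);
$fieldAware = clean_input_array($request);

// The hash a registration step would have stored for the real password.
$storedHash = password_hash($request['password'], PASSWORD_DEFAULT);

// Aggressive pass: the password was rewritten, so a correct login is rejected.
var_dump(password_verify($aggressive['password'], $storedHash));
// Field-aware pass: the password is intact and verifies.
var_dump(password_verify($fieldAware['password'], $storedHash));

echo $fieldAware['username'], "\n";
echo $fieldAware['menu_link_html'], "\n";
```

Run it with `php example.php`. The first var_dump is false and the second true, the username comes out with its script tags removed, and the menu link keeps its anchor but loses the onclick handler. A per-field rule is also preferable to the source-IP bypass suggested above because it keeps the sanitizer in force for every client; behind a reverse proxy REMOTE_ADDR is the proxy's address, so an IP check there matches either all requests or none.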