Security Vulnerability Part 2

[blackpr]

Thnx. No problem.
Pligg 9.1 and first patch installed.

[jango]

Hello,

I'm using 8.2. I did the previous upgrade. Now i upload new upgrade file, but it says,

Quote:

SQL/DB Error -- [Duplicate column name 'last_reset_code']

I'm guessing this is not a problem and changing my login.php. Is that okay?

[savant]

yup, you just have to replace login.php

[jw77]

Thanks for all the help...much appreciated!!

[Mupetz]

Thank you !
No problems with 9.1

[WaterGuy]

I thought all was well until someone told me that the registration form did not work. It just shows a blank screen.
http://autistichealth.com/register.php

It worked before.

Any ideas?

[savant]

the patch it self is only login.php and has no connection to register.php

can you post a new thread with your bug report.

thanks

[Dravis]

Hey Ash, I really appreciate you taking the time to go back and fix this bug in versions as old as 7.2 for those of us stuck in the past...

I wanted to let you know though, that there are a couple of bugs in the 8.2_login.php and 7.2_login.php files you have posted here. I don't know how many people are still using these versions, but just in case you may want to update the files with these changes:

8.2_login.php line 72 change to:

Code:

$db->query('UPDATE `users` SET `last_reset_code` = "'. $saltedlogin . '" WHERE `user_login` = "'.$username.'"');

8.2_login.php line 105 change to:

Code:

$confirmationcode = $_POST["confirmationcode"];

(Optional) 8.2_login.php line 108 change to:

Code:

if($DBconf == trim($confirmationcode) && !empty($confirmationcode)){

I say this one's optional because it's not required to fix the issues like the other two changes. However I've found that depending on the email client, a straight copy and paste of the confirmation code will some times result in an extra space at the end of the code, which then fails the comparison check with the one stored in the database. Adding the trim() alleviates this issue.

The changes for 7.2_login.php are the same, just on different lines: 67, 97 and 100. Let me know if you have any questions... I have this fix up and running on 7.2 with the changes presented above.