[Security Fix] All Pligg versions when extra fields enabled

[beatniak]

I've found a bug that makes all pligg versions vulnerable for deformation hacks and site hijacking when the extra fields are enabled.
In other words, all pligg sites that have extra fields enabled are wide open for hack attacks.

IMPORTANT: PLEASE UPGRADE IMMEDIATELY!!!

Here are the bugfix packages for Pligg 9.6 / 9.5 / 9.1 / 9.0 / 8.2
Upgrade info: Just overwrite your pligg install with the included files

I added the fix for all the official templates, but for fixing your own template:
1) Look in: /templates/<yget or MB>/submit_step_3.tpl
2) copy the code between "Steef 2k7-07 security fix start" and "Steef 2k7-07 security fix end"
3) paste in: /templates/<your template>/submit_step_3.tpl

Fix is already added to the SVN, so 9.7 will be save.

[dollars5]

Thanks.for the patch.

[tbones]

v9.5 users should take the v9.6 fix?

[beatniak]

Quote:

Originally Posted by tbones

v9.5 users should take the v9.6 fix?

Whoops.... forgot that one. Added the fix for 9.5 and 8.2 in the first post.

Here's the fix for pligg 7(rc63). Couldn't attach it in the first, because i have a max 5 files limit when attaching

These are all the official pligg packages i have, so if you want a bugfix of another pligg version, please provide the (official) download link to that version.

[P1mpPanther]

Thank you!

[argh2xxx]

You can post this fix anywhere on submit_step_3.tpl? Or you must post on specific location like the patch instructed? I mean I use a custom template, and so it looks a bit different in submit_step_3.tpl

[beatniak]

RTFA.................................

Quote:

I added the fix for all the official templates, but for fixing your own template:
1) Look in: /templates/<yget or MB>/submit_step_3.tpl
2) copy the code between "Steef 2k7-07 security fix start" and "Steef 2k7-07 security fix end"
3) paste in: /templates/<your template>/submit_step_3.tpl

[P1mpPanther]

k, ill get a few laughs for asking but, what does RTFA mean? (read the ---??)

And I thought i new EVERY acronym on the planet!!! (jk)

[beatniak]

RTFA = Read The Fuçking Article

It's a derivative acronym of RTFM (Read The F***ing Manual). This instruction is given in response to a question when the person being asked believes that the question could be easily answered by reading the relevant "manual" or instructions.

Hence, RTFA... It's often replied in Digg (etc) to questions when the person being asked believes that the question could be easily answered by reading the relevant article.

There are many derivative acronyms of the form "RTF*", where '*' is the appropriate source of information. These include "RTFC" (Read The F***ing Code), "RTFFAQ or "RTFF" (Read The F***ing FAQ) and "RTFW" (Read The F***ing Wiki or Walkthrough). Other geek acronyms of interest are GIYD (Google It You Dumbass) and JFGI (Just F***ing Google It).

PS: Don't get too groggy on the "F", because it isn't supposed to be that rude. If it says RTA, no one understands the acronym

[dollars5]

@Steef: lol, m8, new Web 2.0 acronyms to learn