Security Vulnerability Part 2

#11
Old 05-29-2007, 04:32 AM
New Pligger
 
Join Date: Mar 2007
Posts: 22
Thanks. No problem.
Pligg 9.1 and first patch installed.
#12
Old 05-29-2007, 05:27 AM
New Pligger
 
Join Date: Mar 2007
Posts: 4
Hello,

I'm using 8.2. I did the previous upgrade. Now I upload the new upgrade file, but it says,
Quote:
SQL/DB Error -- [Duplicate column name 'last_reset_code']
I'm guessing this is not a problem and changing my login.php. Is that okay?
#13
Old 05-29-2007, 06:27 AM
savant's Avatar
Constant Pligger
 
Join Date: Apr 2006
Location: UK
Posts: 1,181
yup, you just have to replace login.php
#14
Old 05-29-2007, 04:16 PM
New Pligger
 
Join Date: May 2007
Posts: 1
Thanks for all the help...much appreciated!!
#15
Old 06-10-2007, 08:40 AM
New Pligger
 
Join Date: Jun 2007
Posts: 13
Thank you !
No problems with 9.1
#16
Old 06-11-2007, 10:45 PM
New Pligger
 
Join Date: Jun 2007
Posts: 9
I thought all was well until someone told me that the registration form did not work. It just shows a blank screen.
http://autistichealth.com/register.php

It worked before.

Any ideas?
#17
Old 06-12-2007, 05:50 AM
savant's Avatar
Constant Pligger
 
Join Date: Apr 2006
Location: UK
Posts: 1,181
The patch itself is only login.php and has no connection to register.php.

Can you post a new thread with your bug report?

thanks
#18
Old 06-17-2007, 03:28 PM
Casual Pligger
 
Join Date: Jun 2006
Location: Dover, NH
Posts: 49
Hey Ash, I really appreciate you taking the time to go back and fix this bug in versions as old as 7.2 for those of us stuck in the past...

I wanted to let you know though, that there are a couple of bugs in the 8.2_login.php and 7.2_login.php files you have posted here. I don't know how many people are still using these versions, but just in case you may want to update the files with these changes:

8.2_login.php line 72 change to:
Code:
$db->query('UPDATE `users` SET `last_reset_code` = "'. $saltedlogin . '" WHERE `user_login` = "'.$username.'"');
8.2_login.php line 105 change to:
Code:
$confirmationcode = $_POST["confirmationcode"];
(Optional) 8.2_login.php line 108 change to:
Code:
if($DBconf == trim($confirmationcode) && !empty($confirmationcode)){
I say this one's optional because it's not required to fix the issues like the other two changes. However, I've found that depending on the email client, a straight copy and paste of the confirmation code will sometimes result in an extra space at the end of the code, which then fails the comparison check with the one stored in the database. Adding the trim() alleviates this issue.

The changes for 7.2_login.php are the same, just on different lines: 67, 97 and 100. Let me know if you have any questions... I have this fix up and running on 7.2 with the changes presented above.
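The three one-liners in post #18 show where the fix lands in login.php but not how the reset-code check fits together. The block below is an added example written for this thread; it is not Pligg's code and not code from any poster. It reuses the table and column names the thread mentions (`users`, `last_reset_code`, `user_login`) and the trim() plus non-empty check from the optional change, and adds two things the posted lines do not show: the UPDATE uses a prepared statement with placeholders instead of concatenating `$username` into the SQL text, and the code comparison uses hash_equals(). The PDO connection is assumed to exist; the sample values at the bottom are constructed.

```php
<?php
// Added example for the Pligg reset-code fix discussed in this thread.
// Not Pligg's own code. Table and column names come from the thread;
// the PDO handle $db is assumed to be created elsewhere (hypothetical).

declare(strict_types=1);

// Store the salted reset code for a user.
// Placeholders keep $username out of the SQL text, so a quote character in
// the username cannot change the shape of the statement.
function storeResetCode(PDO $db, string $username, string $saltedLogin): bool
{
    $stmt = $db->prepare(
        'UPDATE `users` SET `last_reset_code` = :code WHERE `user_login` = :user'
    );
    return $stmt->execute([':code' => $saltedLogin, ':user' => $username]);
}

// Compare the submitted confirmation code with the stored one.
// trim() absorbs the trailing whitespace some mail clients add on copy/paste
// (the failure post #18 describes); the empty checks reject a blank submission
// even when the stored code happens to be blank; hash_equals() compares in
// constant time so the match position is not leaked through timing.
function confirmationCodeMatches(string $storedCode, ?string $submitted): bool
{
    if ($submitted === null) {
        return false;
    }
    $submitted = trim($submitted);
    if ($submitted === '' || $storedCode === '') {
        return false;
    }
    return hash_equals($storedCode, $submitted);
}

// Usage sketch with constructed values (no database needed for the check).
// In login.php the submitted value would be $_POST['confirmationcode'] ?? null.
$storedCode = 'a1b2c3d4';                                   // constructed sample
var_dump(confirmationCodeMatches($storedCode, "a1b2c3d4 \n")); // pasted with trailing whitespace
var_dump(confirmationCodeMatches($storedCode, ''));            // blank submission
var_dump(confirmationCodeMatches($storedCode, 'a1b2c3d5'));    // wrong code
```

The first var_dump is the case the optional change targets: a code pasted from an email with a trailing space or newline still matches after trim(). The second shows why the non-empty check matters on its own, independent of trim(). Reading the submission with `?? null` rather than indexing `$_POST` directly avoids an undefined-index notice when the form field is missing.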