Topic: Security Update (Read 11730 times)

Orstio · « **on:** July 17, 2006, 07:58:12 PM »

If you are still running bridge 3.19a, please edit your smf.php, and add this near the top (right under the comments):

/** ensure this file is being included by a parent file and stop direct linking */
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );

If you are running SMF 1.1RC2, and bridge 1.1.x, please upgrade to bridge 1.1.5a:

http://www.simplemachines.org/community/index.php?topic=97649.0

mic · « **Reply #1 on:** July 23, 2006, 04:48:55 PM »

Hi Orstio,

long time ago that i've done some for SMF.
Because of the security issues which are around, i had to look for newer files or if there are the SMF.Files from the bridge are not affected.

Not nice to see, that they are!
Beside your notice, also the file mod_smf_login.php MUST be updated with:

Code: [Select]

defined( '_VALID_MOS' ) or die( 'No Direct Access' );
And also all language files which are included in the bridge.package [com_smf.zip].
Finally dont forget the config.smf.php which should be also updated.

I have downloaded the latest version of your bridge a few minutes ago and missing the above codeline!

cheers - michael

Orstio · « **Reply #2 on:** July 23, 2006, 05:34:44 PM »

Quote

Not nice to see, that they are!
Beside your notice, also the file mod_smf_login.php MUST be updated with:

...And also all language files which are included in the bridge.package [com_smf.zip].
Finally dont forget the config.smf.php which should be also updated.

Since none of those files contains an include() with the variable $mosConfig_absolute_path, they are not susceptable to the script-kiddie attack for which this update was intended.

Imago · « **Reply #3 on:** July 24, 2006, 02:55:25 AM »

Thank you for the tip, Orstio!

It just solved my problem with the sporadic access of the standallone forum - opened /smf/index.php and added what you suggest. Now only the "componential" SMF can be accessed

tingtong · « **Reply #4 on:** August 14, 2006, 04:19:33 AM »

Sadly that I can't CHMOD my directory com_smf to 777 and thus not able to upload the modified file smf.php.

Trimud · « **Reply #5 on:** August 14, 2006, 05:51:36 AM »

Have you tried JoomlaXplorer or shell access?

tingtong · « **Reply #6 on:** August 14, 2006, 09:22:27 AM »

I will try it soon, thanks.

By the way, my new installed SMF is version 1.0.7 and I found that there is version 1.1 RC2, which version is latest? Is that I suppose to install 1.1 RC2 because my SMF forum not yet start? Is very easy for me to reinstall.

If using 1.1 RC2, I prefer to install to different database, will that work with Joomla SMF Bridge 1.1.5a?

News:

Author Topic: Security Update (Read 11730 times)

Orstio

Security Update

mic

Re: Security Update

Orstio

Re: Security Update

Imago

Re: Security Update

tingtong

Re: Security Update

Trimud

Re: Security Update

tingtong

Re: Security Update