Author Topic: Security Update  (Read 15528 times)

Orstio

  • Guest
Security Update
« on: July 17, 2006, 07:58:12 PM »
If you are still running bridge 3.19a, please edit your smf.php, and add this near the top (right under the comments):

Code:
/** ensure this file is being included by a parent file and stop direct linking */
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );

If you are running SMF 1.1RC2, and bridge 1.1.x, please upgrade to bridge 1.1.5a:

http://www.simplemachines.org/community/index.php?topic=97649.0

Offline mic

  • Semi-Newbie
  • *
  • Posts: 53
    • MGFi - My German Full installation
Re: Security Update
« Reply #1 on: July 23, 2006, 04:48:55 PM »
Hi Orstio,

It has been a long time since I've done something for SMF.
Because of the security issues which are around, I had to look for newer files, or check whether the SMF files from the bridge are not affected.

Not nice to see, that they are!
Beside your notice, also the file mod_smf_login.php MUST be updated with:

Code:
defined( '_VALID_MOS' ) or die( 'No Direct Access' );
And also all language files which are included in the bridge package [com_smf.zip].
Finally, don't forget the config.smf.php, which should also be updated.

I downloaded the latest version of your bridge a few minutes ago and it is missing the above code line!

cheers - michael

Orstio

  • Guest
Re: Security Update
« Reply #2 on: July 23, 2006, 05:34:44 PM »
Quote
Not nice to see, that they are!
Beside your notice, also the file mod_smf_login.php MUST be updated with:

...And also all language files which are included in the bridge.package [com_smf.zip].
Finally, don't forget the config.smf.php, which should also be updated.

Since none of those files contains an include() with the variable $mosConfig_absolute_path, they are not susceptible to the script-kiddie attack for which this update was intended.
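
The criterion in the reply above (a file matters for this update only if it contains an include() that uses $mosConfig_absolute_path, and it is covered once the _VALID_MOS line runs first) can be checked mechanically. The following Python audit is an added example, not part of the thread or of the bridge's code; the sample file names and contents are constructed, and the comment handling is a heuristic, not a full PHP parser.

```python
import re

# include/require (optionally _once) whose argument uses $mosConfig_absolute_path
INCLUDE_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\b[^;]*\$mosConfig_absolute_path", re.I)
# The guard from the first post: defined('_VALID_MOS') or die(...)
GUARD_RE = re.compile(
    r"defined\s*\(\s*['\"]_VALID_MOS['\"]\s*\)\s*(?:or|\|\|)\s*(?:die|exit)\b",
    re.I)
# Match string literals (kept) or comments (dropped), so that a commented-out
# include or guard is ignored while '//' inside a string is left alone.
STRING_OR_COMMENT_RE = re.compile(
    r"""('(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")|/\*.*?\*/|//[^\n]*|#[^\n]*""",
    re.S)


def strip_comments(source):
    return STRING_OR_COMMENT_RE.sub(lambda m: m.group(1) or "", source)


def audit(source):
    """Classify one PHP file: 'needs-guard', 'guarded' or 'no-path-include'."""
    code = strip_comments(source)
    inc = INCLUDE_RE.search(code)
    if inc is None:
        return "no-path-include"      # the case described in the reply above
    guard = GUARD_RE.search(code)
    # The guard only helps if it executes before the first such include.
    if guard is not None and guard.start() < inc.start():
        return "guarded"
    return "needs-guard"


def audit_all(files):
    """files: mapping of name -> PHP source text. Returns name -> verdict."""
    return {name: audit(src) for name, src in files.items()}


GUARD = "defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );\n"
INC = "require_once($mosConfig_absolute_path . '/example.php');\n"
SAMPLES = {  # constructed contents, not the real bridge sources
    "unguarded.php": "<?php\n/** header */\n" + INC,
    "guarded.php": "<?php\n/** header */\n" + GUARD + INC,
    "guard_too_late.php": "<?php\n" + INC + GUARD,
    "commented_out.php": "<?php\n$u = 'http://example.invalid';\n// " + INC,
}

if __name__ == "__main__":
    for name, verdict in audit_all(SAMPLES).items():
        print(f"{verdict:16} {name}")
```

To run it over a real installation, build the mapping from the .php files under the bridge directory and review every file reported as needs-guard.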

Offline Imago

  • Semi-Newbie
  • *
  • Posts: 27
  • Gender: Male
Re: Security Update
« Reply #3 on: July 24, 2006, 02:55:25 AM »
Thank you for the tip, Orstio! :) It just solved my problem with the sporadic access of the standalone forum - opened /smf/index.php and added what you suggested. Now only the "componential" SMF can be accessed.

Offline tingtong

  • Semi-Newbie
  • *
  • Posts: 17
Re: Security Update
« Reply #4 on: August 14, 2006, 04:19:33 AM »
Sadly, I can't CHMOD my directory com_smf to 777 and thus am not able to upload the modified file smf.php.

Offline Trimud

  • Semi-Newbie
  • *
  • Posts: 17
Re: Security Update
« Reply #5 on: August 14, 2006, 05:51:36 AM »
Have you tried JoomlaXplorer or shell access?

Offline tingtong

  • Semi-Newbie
  • *
  • Posts: 17
Re: Security Update
« Reply #6 on: August 14, 2006, 09:22:27 AM »
I will try it soon, thanks.

By the way, my newly installed SMF is version 1.0.7 and I found that there is a version 1.1 RC2; which version is the latest? Am I supposed to install 1.1 RC2, since my SMF forum has not started yet? It is very easy for me to reinstall.

If using 1.1 RC2, I prefer to install to a different database; will that work with Joomla SMF Bridge 1.1.5a?