Security Update

Started by Orstio, July 17, 2006, 07:58:12 PM

Orstio

If you are still running bridge 3.19a, please edit your smf.php, and add this near the top (right under the comments):

/** ensure this file is being included by a parent file and stop direct linking */
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );


If you are running SMF 1.1RC2, and bridge 1.1.x, please upgrade to bridge 1.1.5a:

http://www.simplemachines.org/community/index.php?topic=97649.0

mic

Hi Orstio,

It's a long time ago that I've done something for SMF.
Because of the security issues which are around, I had to look for newer files, or check whether the SMF files from the bridge are not affected.

Not nice to see, that they are!
Besides your notice, the file mod_smf_login.php MUST also be updated with:

defined( '_VALID_MOS' ) or die( 'No Direct Access' );

And also all language files which are included in the bridge package [com_smf.zip].
Finally, don't forget the config.smf.php, which should also be updated.

I downloaded the latest version of your bridge a few minutes ago and it is missing the above code line!

cheers - michael

Orstio

Quote:
Not nice to see, that they are!
Besides your notice, the file mod_smf_login.php MUST also be updated with:

...And also all language files which are included in the bridge package [com_smf.zip].
Finally, don't forget the config.smf.php, which should also be updated.

Since none of those files contains an include() with the variable $mosConfig_absolute_path, they are not susceptible to the script-kiddie attack for which this update was intended.
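
An added example, not part of the thread or of the bridge's own code: a Python sketch of the check described above, which flags PHP files that include() via $mosConfig_absolute_path without a preceding _VALID_MOS guard. The function names, the sample file contents and the regex heuristics are assumptions made for illustration.

```python
import re
import sys
from pathlib import Path

# Guard from the thread: defined( '_VALID_MOS' ) or die( ... );
GUARD = re.compile(
    r"defined\s*\(\s*['\"]_VALID_MOS['\"]\s*\)\s*(?:or|\|\|)\s*(?:die|exit)\b", re.I)
# include/require statement whose path expression uses $mosConfig_absolute_path
RISKY = re.compile(
    r"\b(?:include|require)(?:_once)?\b[^;]*\$mosConfig_absolute_path", re.I)
# Block and // comments (heuristic: a '//' inside a string literal is also hit)
COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)

def _blank(match):
    # Replace comment text with spaces so offsets and line breaks are preserved.
    return re.sub(r"[^\n]", " ", match.group(0))

def audit(source):
    """Classify one PHP source string as 'ok', 'guarded' or 'needs-guard'."""
    code = COMMENT.sub(_blank, source)
    risky = RISKY.search(code)
    if risky is None:
        return "ok"            # no include built from $mosConfig_absolute_path
    guard = GUARD.search(code)
    if guard is not None and guard.start() < risky.start():
        return "guarded"       # guard runs before the first such include
    return "needs-guard"       # missing, commented out, or placed too late

def audit_tree(root):
    """Map every *.php file under root to its audit() status."""
    return {str(p): audit(p.read_text(errors="replace"))
            for p in sorted(Path(root).rglob("*.php"))}

# Constructed sample files (not taken from the bridge package).
INC = "include_once($mosConfig_absolute_path . '/example/file.php');\n"
SAMPLES = {
    "unguarded": "<?php\n/* constructed sample */\n" + INC,
    "guarded": "<?php\n/** stop direct linking */\n"
               "defined( '_VALID_MOS' ) or die( 'No Direct Access' );\n" + INC,
    "commented_guard": "<?php\n// defined( '_VALID_MOS' ) or die( 'x' );\n" + INC,
    "late_guard": "<?php\n" + INC + "defined('_VALID_MOS') or die('x');\n",
    "language_file": "<?php\n$txt_example = 'Login';\n",
}

if __name__ == "__main__":
    results = (audit_tree(sys.argv[1]) if len(sys.argv) > 1
               else {name: audit(src) for name, src in SAMPLES.items()})
    for name, status in results.items():
        print(f"{status:12} {name}")
```

Run with a directory argument to audit an installed component tree; without arguments it classifies the constructed samples.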

Imago

Thank you for the tip, Orstio! :) It just solved my problem with the sporadic access of the standalone forum - opened /smf/index.php and added what you suggest. Now only the "componential" SMF can be accessed.

tingtong

Sadly, I can't CHMOD my directory com_smf to 777 and thus am not able to upload the modified file smf.php.

Trimud

Have you tried JoomlaXplorer or shell access?

tingtong

I will try it soon, thanks.

By the way, my newly installed SMF is version 1.0.7, and I found that there is a version 1.1 RC2. Which version is the latest? Am I supposed to install 1.1 RC2, since my SMF forum has not started yet? It is very easy for me to reinstall.

If using 1.1 RC2, I would prefer to install to a different database. Will that work with Joomla SMF Bridge 1.1.5a?