Started by butchs, January 15, 2011, 11:00:37 AM
GET /index.php?action=pm;sa=pmactions;pm_actions=delete;f=inbox;start=0;b5c9d1f=f9386db172f6d1b4743fc971b796f7c1 HTTP/1.1 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:18.104.22.168) Gecko/20101203 Firefox/3.6.13 ( .NET CLR 3.5.30729) SearchToolbar/1.2 http://www.thedemonsden.com/index.php?action=pm;f=inbox;l=-1;done=sent
GET /index.php?action=pm;sa=pmactions;pm_actions=delete;f=inbox;start=1740;f6dd1f7f0=4ffba150984c26ed3fc2d8af50b28918HTTP/1.0 Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10 http://www.thedemonsden.com/index.php?action=pm;f=inbox;l=-1;sort=date;start=1740
Quote from: butchs on January 17, 2011, 08:31:12 PM
Ok, version 1.0.1 fixes the blank white page admin screen issue. Those who get this error should uninstall and install the new revision. For all others upgrade is optional.
Quote from: butchs on January 15, 2011, 09:45:56 PM
It was a typo... BB is a separate mod.
Quote from: Arantor on January 18, 2011, 05:05:09 PM
The disallowed characters in the log are [ and ] which wouldn't normally be in URLs but can be. Additionally if it flags that, it might also flag up certain circumstances of searching where stuff is base64 encoded and pushed through the URL that way.
Fatal error: Call to undefined function FFCopyright() in /home/dark/public_html/forum/Sources/Load.php(1733) : eval()'d code on line 373
Quote from: Arantor on January 19, 2011, 02:28:51 AM
Hey, just pointing out that it is, right now, too sensitive, not trying to dig on your turf or anything...
Quote from: Arantor on January 19, 2011, 02:28:51 AM
I really hope that's being pushed through preg_quote first seeing how [, ], $, ? and + are all special characters in regular expressions, but judging by the \- I'm assuming not...
Quote from: Arantor on January 19, 2011, 02:28:51 AM
The practical answer is that the effective change on security is not significant by adding these legitimate URL characters into the mix, when SMF does use them. If you're really paranoid of course you could rewrite where the URLs are generated and processed but that's not really recommended.