The SMF File Management Tool

Started by Marcus Forsberg, November 17, 2009, 02:03:50 PM


Arantor

Unfortunately, a security hole was discovered in this mod, a subtle one, but a serious one allowing arbitrary file uploads (which of course isn't a good idea).

I would ask that you uninstall this mod for the time being while a security patch is prepared. I have removed the mod from the mod site pending a patch.
Holder of controversial views, all of which my own.


Marcus Forsberg

#21
Thought I'd update you on this.

First of all, I apologize for this lack of security checks, and I'm glad it was discovered before someone was hit by it.
I'm putting a patch together right now, and I'll send the mod back so that my fellow Customizers can look at it again.

Once it's out, it should be perfectly safe to use this mod again. I apologize for the inconvenience.
I actually never knew that it was possible to hack the script this way, uploading dangerous files to the server without using the ACP form, which proves yet again that you learn something new every day.

Edit: New package uploaded and awaiting review.

Marcus Forsberg

The patch is out. The mod should now be secure to use. Again, I apologize for this.

Arantor

Just to follow up here, if you have already used this mod, you would be strongly advised to update to the current version.

I'd like to thank Nas for resolving this issue so promptly. It just reminds us that the Customizer team are human, they do make mistakes like everyone else, but they're prepared to deal with them :)
Holder of controversial views, all of which my own.
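
The class of bug discussed above, an upload handler that can be reached without going through the admin form, is closed by enforcing every check in the handler itself. The following is an added example, not part of any post in this thread and not the mod's actual patch; the function name, the allowlist and the sample requests are assumptions made for illustration.

```php
<?php
// Added illustration with hypothetical names; not the File Management Tool's code.
const ALLOWED_EXTENSIONS = ['txt', 'css', 'png', 'jpg', 'gif']; // assumed allowlist

// Every check runs inside the handler, so a request crafted without the admin
// form is treated exactly like one submitted through it.
function validate_upload(array $user, array $session, array $post, array $file): string
{
    // 1. Authorization: hiding the form from non-admins is not a check.
    if (empty($user['is_admin'])) {
        throw new RuntimeException('not authorized');
    }
    // 2. Anti-CSRF token must match the one stored server-side.
    if (!isset($post['token'], $session['token'])
        || !hash_equals((string) $session['token'], (string) $post['token'])) {
        throw new RuntimeException('bad session token');
    }
    // 3. The upload itself must have completed.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // 4. Drop any client-supplied path component.
    $name = basename(str_replace('\\', '/', (string) $file['name']));
    // 5. Every dot-separated suffix must be allowlisted, so "page.php.png"
    //    is rejected as well as "page.php".
    $parts = explode('.', strtolower($name));
    array_shift($parts);
    if ($parts === [] || array_diff($parts, ALLOWED_EXTENSIONS) !== []) {
        throw new RuntimeException('file type not allowed');
    }
    return $name; // a live handler then calls move_uploaded_file()
}

// Constructed sample requests: [user, POST fields, client file name].
$session = ['token' => 'constructed-token'];
$form = ['token' => 'constructed-token'];
$cases = [
    'admin via form, notes.txt' => [['is_admin' => true], $form, 'notes.txt'],
    'guest, direct POST' => [['is_admin' => false], $form, 'notes.txt'],
    'admin, missing token' => [['is_admin' => true], [], 'notes.txt'],
    'admin, page.php.png' => [['is_admin' => true], $form, 'page.php.png'],
];
foreach ($cases as $label => [$user, $post, $fname]) {
    try {
        $stored = validate_upload($user, $session, $post, ['name' => $fname, 'error' => UPLOAD_ERR_OK]);
        echo "$label: accepted as $stored\n";
    } catch (RuntimeException $e) {
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}
```

Only the first constructed request is accepted; the other three are rejected by the authorization, token and file-type checks respectively.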


islam2hamy

Nice Mod, Thank You.

Arabic File Attached

Arabic Translator - Web Designer
My Mods / My Themes  //  GfxLand





clewis789

So this is pretty much most of the things in the server but you can now change it in the admin panel so admins who do not have the server info can change stuff around?

If so I am downloading right now :)
My Mods:

Playstation 3 Avatars - http://custom.simplemachines.org/mods/index.php?mod=2150

Xbox 360 Avatars - Will be up very soon.

Nintendo Wii Avatars - Coming Soon

Arantor

This lets you view, edit and otherwise manage files without FTP, yes.
Holder of controversial views, all of which my own.


Sabre™

#27
Fantastic Mod Nas!!
This will surely help with assisting others, as well as ourselves :P
I agree something similar for the db would be great.

Is there a way to make this accessible 'only' to the admin with id=1 ?

Cheers champ :)

edit:
When I go to edit a template, only the lines before 91 have the highlights(colours), and the rest are normal(black) text.
Is this how it should function?
Do NOT give admin and/or ftp details to just anybody, see if they are trust worthy first!!  Do your homework ;)


king kratos

Quote from: Sabre™ on November 19, 2009, 01:45:53 AM
Is there a way to make this accessible 'only' to the admin with id=1 ?


I have not looked at the code yet, but from what Arantor has taught me about permissions, you should be able to. Just find the lines that say something like "allowedTo(admin_forum)" (or something like that) and replace it with an array for 1.

Like I said, I have not looked at the code yet, so I cannot tell you what exactly those permissions say.

On a different note, I like this mod. It is very useful for when I do not have my file editor available. Thank you for this mod.

Kratos

Marcus Forsberg

Quote from: Sabre™ on November 19, 2009, 01:45:53 AM
Fantastic Mod Nas!!
This will surely help with assisting others, as well as ourselves :P
I agree something similar for the db would be great.

Is there a way to make this accessible 'only' to the admin with id=1 ?

Cheers champ :)

edit:
When I go to edit a template, only the lines before 91 have the highlights(colours), and the rest are normal(black) text.
Is this how it should function?

Thanks :)

Permissions are one of the features I'll add to FM 1.1.

The highlight bug is known, probably an error in the third-party tool it uses. I will look at it (Though, it's always been working for me).
Btw, a customizer mentioned something about javascript memory limit causing it. Try looking at your settings for that.

Sabre™

Cheers kratos,
I already knew that and was indirectly making a suggestion lol ;)
As always, it is already being considered.(permissions)

Thanks for the info Nas, but I'll wait for your update, for even though I have installed it, I have yet to actually use it.
My notepad is hard to let go of lol ;)
Do NOT give admin and/or ftp details to just anybody, see if they are trust worthy first!!  Do your homework ;)


Diamond1444

Leave it to me  :-\

Uploaded this and it said everything was installed successfully.  But it shows the following (with all the red x's) and I've got four pages of the same error in the log.  How can I fix this, please?

Marcus Forsberg

Looks like some sort of issue with your package manager, not this mod. Can you use the file manager properly or do you get that error every time you do something with it?

Arantor

That's an installation error, probably means there's no temp directory.
Holder of controversial views, all of which my own.


Marcus Forsberg

That's what I was thinking. (Installation error, I never thought of the temp dir :P)

c23_Mike

Hi there!

This mod is once I waited long time ago for SMF 2! A must need for every installation I think!
Thanks a lot for this piece of software!!
So long, Mike

http://www.c23.at
c23 - DER Computer Club
~ never play alone ~

Diamond1444

Quote from: Nas on November 19, 2009, 10:18:15 AM
Looks like some sort of issue with your package manager, not this mod. Can you use the file manager properly or do you get that error every time you do something with it?

It seems to work - no new errors when I try to use it.  I even tried uninstalling this and two mods that I had installed before this one and then just re-installing this one only, thinking it had an issue with one of them.  Same errors as the first time.  The other two mods showed as installing properly and no errors showed up in the logs for those.

Marcus Forsberg

If you clear your error log there should be no problem. But you might want to post a topic in the support boards to see if there are issues with your package manager (Copying files and directories from a mod to the server).

Diamond1444


Sudhakar Arjunan

Working on New Mods & Themes for SMF... Will update soon... My Blog page
My Smf forum : Discuss ITAcumens :: My SMF Forum
