SMF 2.0.3, 1.1.17 and 1.0.23 security patches released

Started by emanuele, December 16, 2012, 05:05:30 PM


Kindred

Basically, you updated the wrong way. There was no need for you to replace all the files with new copies. That is the entire purpose of the patch package... to make file edits without requiring an overwrite.

Do note, if you had any mods, they will have been removed when you did the update in the manner that you did.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Dave Pitman

Quote from: merry mashby on December 20, 2012, 05:21:43 PM
The file you linked to is the whole kit and kaboodle. If you look at the date of Subs.php in the Sources folder, you'll see it's dated 6/6/2011. If you used the file you linked to, you are essentially wiping out any mods/edits you've made since 2.0.2. If you look at the link I provided, you'll see the changes made from 2.0.2 to 2.0.3 of which Sources/Subs.php was not affected.

I don't have to be in the developer group to know this either so I hope you can appreciate what I've written.

Thank you.

I meant no offense. As I also stated above, the security update through the software was unsuccessful. The update package I installed was all that I could find.

If Subs.php is not part of the security update, then great, you have answered my question.
Thank You.

Dave Pitman

Quote from: Kindred on December 20, 2012, 05:39:06 PM
Basically, you updated the wrong way. There was no need for you to replace all the files with new copies. That is the entire purpose of the patch package... to make file edits without requiring an overwrite.

Do note, if you had any mods, they will have been removed when you did the update in the manner that you did.

I would have been happy if the update worked from within SM via the Package Manager. Unfortunately, in my case, it did not work.

I'm not blaming anyone for anything. I'm just relating my experience with applying this patch. I am new to this software, but not new to web applications.

I used the official manual to find how to update manually, and followed the steps exactly. Perhaps there should be a link to the security update on the download page, so that when someone follows the manual, the file that they should use will be there. The "what to do if the auto update doesn't work" part at the beginning of this thread was vague to me.

Oldiesmann

Quote from: mikejmac on December 20, 2012, 03:47:02 PM
Quote from: emanuele on December 16, 2012, 05:27:05 PM
Quote from: DeVIL-I386 on December 16, 2012, 05:24:15 PM
Where should this option be hidden? Is it Administration Center » Maintenance » Forum Maintenance » Routine » Check all files against current versions?
Almost but not exactly: admin > maintenance > scheduled tasks > scheduled tasks
Then under the column "run now" select the box corresponding to "Fetch Simple Machines Files", and click the button "run now".

Hi emanuele.  I did the above but I still get this Forbidden message below on a white page whether I click "update your forum" from my main Administration Center or when I click "this patch (click here to install)" from the Package Manager.  I'm trying to get 2.0.3 from 2.0.2.

-------------------

Forbidden

You don't have permission to access /forum/index.php on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Apache Server at --mysite-- Port 80

-------------------

PS  It doesn't have [nofollow] on the white page.  That showed up when I copied it here.


mod edit - removed link.

That is likely a problem with Apache's "mod_security" extension, which seems to have problems with ";id=" in URLs. It's actually pretty easy to get around that for now, so you can install the patch. When you get the "403 forbidden" error, look for ";id=" in the URL and change it to "&id=" instead, then hit enter. This should allow you to bypass the rules, and install the package. After you've done that, you can either try disabling mod_security via .htaccess (see the manual for more info), or ask your host to disable it for you.
Michael Eshom
Christian Metal Fans

emanuele

Quote from: Dave Pitman on December 20, 2012, 05:52:05 PM
I used the official manual to find how to update manually, and followed the steps exactly. Perhaps there should be a link to the security update on the download page, so that when someone follows the manual, the file that they should use will be there. The "what to do if the auto update doesn't work" part at the beginning of this thread was vague to me.
Thank you for the feedback, I updated the first post with additional information about where to find the package and with the relevant links to the online manual.
I hope that it will help others. :)


Take a peek at what I'm doing! ;D

Do you need support in Italian?

Help us help you: explain your problem clearly: no, "it doesn't work" is not an explanation!!
1) What you do,
2) what you expect,
3) what you get.

Dave Pitman

Quote from: emanuele on December 20, 2012, 06:09:03 PM
Thank you for the feedback, I updated the first post with additional information about where to find the package and with the relevant links to the online manual.
I hope that it will help others. :)

You're welcome.

I realize it is sometimes a challenge for experienced users of software to know how an explanation will appear to someone new to the software.

Yes, the update options are more concise now, thank you!


hartiberlin

I am getting the following error:

You cannot download or install new packages because the Packages directory or one of the files in it are not writable!


I looked up the Packages directory,
but all files, including the Patch file, are set to 0777.

In the Patch file I found only these 2 files:

List files in package
Files in archive smf_patch_2.0.3.tar.gz:

    package-info.xml (1265 bytes)
    smf_2-0-3_patch.xml (13645 bytes)


Is that correct ?
I already disabled the SEF engine of PortaMX,
but maybe it is a permission thing with the PHP-User or Website owner
for these files.

I recently changed to a new hoster and there I have the possibility to
set files for ownership to PHP-User or web-account owner...

Hmm,
how can I run these 2 XML files if I upload them via FTP ?

Many thanks.

hartiberlin

Okay, at my site a /temp directory was missing in the /Packages folder.

So the update went through now...

but at the bottom of my forum it still says:

SMF 2.0.2 | SMF © 2011, Simple Machines

So why is there no SMF 2.0.3?

Hj Ahmad Rasyid Hj Ismail

It should say 2.0.3. The upgrade might not be working right. Try to uninstall and delete the package that you have. Then get a new package and reinstall.

Kindred

Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

hartiberlin

Please post the link to the support thread.

It seems I don't get this Patch installed right...

Many thanks.

mikejmac

Quote from: Oldiesmann on December 20, 2012, 05:55:44 PM
Quote from: mikejmac on December 20, 2012, 03:47:02 PM
Quote from: emanuele on December 16, 2012, 05:27:05 PM
Quote from: DeVIL-I386 on December 16, 2012, 05:24:15 PM
Where should this option be hidden? Is it Administration Center » Maintenance » Forum Maintenance » Routine » Check all files against current versions?
Almost but not exactly: admin > maintenance > scheduled tasks > scheduled tasks
Then under the column "run now" select the box corresponding to "Fetch Simple Machines Files", and click the button "run now".

Hi emanuele.  I did the above but I still get this Forbidden message below on a white page whether I click "update your forum" from my main Administration Center or when I click "this patch (click here to install)" from the Package Manager.  I'm trying to get 2.0.3 from 2.0.2.

-------------------

Forbidden

You don't have permission to access /forum/index.php on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Apache Server at --mysite-- Port 80

-------------------

PS  It doesn't have [nofollow] on the white page.  That showed up when I copied it here.


mod edit - removed link.

That is likely a problem with Apache's "mod_security" extension, which seems to have problems with ";id=" in URLs. It's actually pretty easy to get around that for now, so you can install the patch. When you get the "403 forbidden" error, look for ";id=" in the URL and change it to "&id=" instead, then hit enter. This should allow you to bypass the rules, and install the package. After you've done that, you can either try disabling mod_security via .htaccess (see the manual for more info), or ask your host to disable it for you.

Thanks Oldiesmann but there is no ";id=" in the "403 forbidden" URL.

I read the manual that you posted and it looks like it would be easiest to have my host disable mod_security.  Should that be my next step?  Once my host disables mod_security should I be able to get the 2.0.3 package from my Administration Center?     

hartiberlin

I got it to work.
Was a file permission error.
It seems on my new hoster I can only set CHMOD settings via FTP but not via
the SMF scripts...

Strange...

Regards, Stefan.
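
The conditions hartiberlin's posts in this thread run into (a writable Packages directory, a Packages/temp subdirectory, files set to 0777), collected into a preflight check. This is an added example, not part of the thread and not SMF code; the forum root passed as the argument is an assumption.

```shell
#!/bin/sh
# Added example (not SMF code): preflight check for the Package Manager.
# Usage: sh check_packages.sh /path/to/forum   (forum path is an assumption)

check_packages_dir() {
    pkg="$1/Packages"
    status=0

    if [ ! -d "$pkg" ]; then
        echo "MISSING $pkg"
        return 1
    fi

    # The fix found in the thread: Packages/temp has to exist.
    if [ ! -d "$pkg/temp" ]; then
        echo "MISSING $pkg/temp"
        status=1
    fi

    # Entries the current account cannot write block the installer.
    # Run this as the account PHP executes under: writability depends on
    # that account's ownership and group, not on what the FTP client shows.
    unwritable=$(find "$pkg" ! -type l -print | while IFS= read -r p; do
        [ -w "$p" ] || printf 'NOT_WRITABLE %s\n' "$p"
    done)
    if [ -n "$unwritable" ]; then
        printf '%s\n' "$unwritable"
        status=1
    fi

    # 0777 lets every local account on a shared host modify the package
    # files; report it as a warning without failing the check.
    find "$pkg" ! -type l -perm -0002 -print | while IFS= read -r p; do
        printf 'WORLD_WRITABLE %s\n' "$p"
    done

    return "$status"
}

if [ "$#" -gt 0 ]; then
    check_packages_dir "$1"
fi
```

A WORLD_WRITABLE line is a prompt to tighten the mode once the patch is installed, for example by giving ownership to the PHP account where the host allows it.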

Oldiesmann

Quote from: mikejmac on December 20, 2012, 10:39:20 PM
Quote from: Oldiesmann on December 20, 2012, 05:55:44 PM
Quote from: mikejmac on December 20, 2012, 03:47:02 PM
Quote from: emanuele on December 16, 2012, 05:27:05 PM
Quote from: DeVIL-I386 on December 16, 2012, 05:24:15 PM
Where should this option be hidden? Is it Administration Center » Maintenance » Forum Maintenance » Routine » Check all files against current versions?
Almost but not exactly: admin > maintenance > scheduled tasks > scheduled tasks
Then under the column "run now" select the box corresponding to "Fetch Simple Machines Files", and click the button "run now".

Hi emanuele.  I did the above but I still get this Forbidden message below on a white page whether I click "update your forum" from my main Administration Center or when I click "this patch (click here to install)" from the Package Manager.  I'm trying to get 2.0.3 from 2.0.2.

-------------------

Forbidden

You don't have permission to access /forum/index.php on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Apache Server at --mysite-- Port 80

-------------------

PS  It doesn't have [nofollow] on the white page.  That showed up when I copied it here.


mod edit - removed link.

That is likely a problem with Apache's "mod_security" extension, which seems to have problems with ";id=" in URLs. It's actually pretty easy to get around that for now, so you can install the patch. When you get the "403 forbidden" error, look for ";id=" in the URL and change it to "&id=" instead, then hit enter. This should allow you to bypass the rules, and install the package. After you've done that, you can either try disabling mod_security via .htaccess (see the manual for more info), or ask your host to disable it for you.

Thanks Oldiesmann but there is no ";id=" in the "403 forbidden" URL.

I read the manual that you posted and it looks like it would be easiest to have my host disable mod_security.  Should that be my next step?  Once my host disables mod_security should I be able to get the 2.0.3 package from my Administration Center?     

Yes, if they're willing to disable it for you, then it should go through. mod_security is usually the cause of random "403 Forbidden" errors.
Michael Eshom
Christian Metal Fans


themavesite

Hi. I'm running SMF 2.0.2 with a lot of big modifications (such as eZportal).
I don't want to re-install them all :/
What packages should I use?

The small update / large upgrade ?

Please get back to me.
TMS Forums
Since 2008 and still going strong! Join today! http://forums.themavesite.com/index.php

emanuele

Did you try to use the link in the admin panel that says "click here to install"?



themavesite

Quote from: emanuele on December 21, 2012, 03:14:59 AM
Did you try to use the link in the admin panel that says "click here to install"?

That link doesn't work, because it requires ftp information and I use SFTP instead of FTP.
TMS Forums
Since 2008 and still going strong! Join today! http://forums.themavesite.com/index.php

emanuele

Did you try that:
Quote from: emanuele on December 16, 2012, 05:05:30 PM
If you are having problems downloading the patch from the admin panel, you can download the package from the upgrades page here:
http://custom.simplemachines.org/upgrades/
and install it like a mod.



Darkness_Black


Translator - Brazilian

I don't answer help PMs, post your question in the forum!!! If someone helped you, say thanks!!!
