Advertisement:

Author Topic: SMF 2.0.4 and 1.1.18 critical security patches released  (Read 2373240 times)

Offline NekoJonez

  • Full Member
  • ***
  • Posts: 503
  • Gender: Male
  • Stuff
    • @NekoJonez on Twitter
    • My blog
Re: SMF 2.0.4 and 1.1.18 critical security patches released
« Reply #120 on: May 02, 2013, 06:15:19 AM »
Question: is it safe to remove the 2.0.3 patch from the package manager after the 2.0.4 patch is installed?
Retro video game blogger, writer, actor, podcaster and general amazing dude.

Twitter
My Blog

Offline mashby

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 8,394
  • Gender: Male
  • badass beer hound
    • Choppix
Re: SMF 2.0.4 and 1.1.18 critical security patches released
« Reply #121 on: May 02, 2013, 06:42:40 AM »
Question: is it safe to remove the 2.0.3 patch from the package manager after the 2.0.4 patch is installed?
Yes. :)
Always be a little kinder than necessary.
- James M. Barrie

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,982
    • StoryBB/StoryBB on GitHub
Re: SMF 2.0.4 and 1.1.18 critical security patches released
« Reply #122 on: May 02, 2013, 06:55:38 AM »
NO IT IS NOT.

You can *delete* the patch provided you do NOT uninstall it. (Deleting the package will just remove the uninstall instructions. If you uninstall it, the vulnerabilities will be returned, regardless of whether the 2.0.4 patch is installed or not)
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.

Offline NekoJonez

  • Full Member
  • ***
  • Posts: 503
  • Gender: Male
  • Stuff
    • @NekoJonez on Twitter
    • My blog
Re: SMF 2.0.4 and 1.1.18 critical security patches released
« Reply #123 on: May 02, 2013, 06:59:46 AM »
NO IT IS NOT.

You can *delete* the patch provided you do NOT uninstall it. (Deleting the package will just remove the uninstall instructions. If you uninstall it, the vulnerabilities will be returned, regardless of whether the 2.0.4 patch is installed or not)

I won't uninstall it :P
I'm not one of those idiots x)
Retro video game blogger, writer, actor, podcaster and general amazing dude.

Twitter
My Blog

Offline mashby

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 8,394
  • Gender: Male
  • badass beer hound
    • Choppix
Re: SMF 2.0.4 and 1.1.18 critical security patches released
« Reply #124 on: May 02, 2013, 07:07:41 AM »
Remove=delete
:)
Always be a little kinder than necessary.
- James M. Barrie

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,982
    • StoryBB/StoryBB on GitHub
Re: SMF 2.0.4 and 1.1.18 critical security patches released
« Reply #125 on: May 02, 2013, 07:09:00 AM »
We should not be blasé about this.

How often do we tell people not to delete things but to uninstall them first? This happens... what... once a week that we have to deal with someone who's deleted a mod without uninstalling.
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.

Offline mashby

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 8,394
  • Gender: Male
  • badass beer hound
    • Choppix
Re: SMF 2.0.4 and 1.1.18 critical security patches released
« Reply #126 on: May 02, 2013, 07:11:44 AM »
Yes, for that I am sorry. Wasn't clear enough. At least JonezJeA understood remove wasn't uninstall.
Always be a little kinder than necessary.
- James M. Barrie

Offline pacefalu

  • Newbie
  • *
  • Posts: 1
Re: SMF 2.0.4 and 1.1.18 critical security patches released
« Reply #127 on: May 25, 2013, 01:39:07 AM »
I am new to managing a website forum.  I am using version SMF 2.0.4 and I am trying to down load and install the patches...  I have gone to the down load area but can not find where the security patches are and how to down load and install...  I only see third party updates...  Is there a button I can press that will simply down load and install my security patches...

All so I am getting the "Unable to verify referring url. Please go back and try again." error message and I have search your community and have been told about the url values have to match exactly...  How do I check this information and how do I correct it...  I have been through all of the options in the admin area...  I would like to apologize for the newbie requests, but I am at the end of my rope.


Offline Gary

  • Sorceress's Knight
  • Customizer
  • SMF Super Hero
  • *
  • Posts: 18,205
  • Gender: Male
  • So this is the luck of the draw...
    • Gazmanafc on Facebook
    • garygadsdon on LinkedIn
    • @Gazmanafc on Twitter
    • The Bongo Comics Fan Forum
Re: SMF 2.0.4 and 1.1.18 critical security patches released
« Reply #128 on: May 25, 2013, 03:18:37 AM »
You're running 2.0.4, you do not need to update.
Gary M. Gadsdon
Do NOT PM me unless I say so

War of the Simpsons
Bongo Comics Fan Forum
Youtube Let's Plays

^ YT is changing monetisation policy, help reach 1000 sub threshold.

Offline zlotowinfo

  • Semi-Newbie
  • *
  • Posts: 10

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,982
    • StoryBB/StoryBB on GitHub
Re: SMF 2.0.4 and 1.1.18 critical security patches released
« Reply #130 on: May 26, 2013, 03:43:07 PM »
*yawn* Not this one AGAIN.

Quote
to successfully exploit smf 2.0.4 we need correct admin's cookie

As in, if they already have your admin details, shock horror they can break things. If they don't have your admin details, nothing can be done to cause any damage.
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.

Offline zlotowinfo

  • Semi-Newbie
  • *
  • Posts: 10
Re: SMF 2.0.4 and 1.1.18 critical security patches released
« Reply #131 on: May 26, 2013, 06:23:44 PM »
what you mean "have your admin details" & how he can get?

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,982
    • StoryBB/StoryBB on GitHub
Re: SMF 2.0.4 and 1.1.18 critical security patches released
« Reply #132 on: May 26, 2013, 06:28:04 PM »
In order for this to be exploited, the hacker must either 1) have managed to grab your session details or 2) have figured out your password.

Having obtained session or password, he can log in as you, and do whatever he was going to do anyway, like install mods, install themes, modify theme code... all things that carry the exact same 'risk' as that vulnerability.

The dev team are aware of this and are well aware of the low risk of it.
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.

Offline Burke ♞ Knight

  • SMF Hero
  • ******
  • Posts: 3,534
Re: SMF 2.0.4 and 1.1.18 critical security patches released
« Reply #133 on: May 26, 2013, 06:43:13 PM »
2) have figured out your password.


That is why you should always use at least 8 characters in your passwords. Also, you should use a mixture of characters, as well as making it a habit to change your password every now and then. That should be more than enough to prevent something like that from happening.

Offline emanuele

  • SMF Super Hero
  • *******
  • Posts: 14,156
  • Gender: Male
  • THERE'S JUST ME


Take a peek at what I'm doing! ;D



Hai bisogno di supporto in Italiano?

Aiutateci ad aiutarvi: spiegate bene il vostro problema: no, "non funziona" non è una spiegazione!!
1) Cosa fai,
2) cosa ti aspetti,
3) cosa ottieni.

Offline Daniellei

  • Newbie
  • *
  • Posts: 1
Re: SMF 2.0.4 and 1.1.18 critical security patches released
« Reply #135 on: May 29, 2013, 01:49:33 PM »
Very nice!!
Thanks

Offline Colin

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 7,880
  • Gender: Male
  • SMF Developer
    • colinschoen on GitHub
Re: SMF 2.0.4 and 1.1.18 critical security patches released
« Reply #136 on: June 05, 2013, 03:10:00 PM »
Thanks for the nice words. I am glad everything is working for both of you.
"If everybody is thinking alike, then somebody is not thinking." - Gen. George S. Patton Jr.

Colin

Offline krittin98

  • Jr. Member
  • **
  • Posts: 181
  • Gender: Male
  • The Team K Developers
    • theteamkdevelopers on Facebook
    • @theteamk on Twitter
    • The Team K Developers
Re: SMF 2.0.4 and 1.1.18 critical security patches released
« Reply #137 on: June 07, 2013, 07:32:11 AM »
i am using smf 2.0.4
can any1 tll me from where can i download this

The Team K Developers
www.theteamk.co.nr

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 58,747
  • Gender: Male
    • Kindred-999 on GitHub
Re: SMF 2.0.4 and 1.1.18 critical security patches released
« Reply #138 on: June 07, 2013, 07:35:37 AM »
if you are using 2.0.4, you do not need to download anything.
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

Offline DamselStruction

  • Newbie
  • *
  • Posts: 6
Re: SMF 2.0.4 and 1.1.18 critical security patches released
« Reply #139 on: June 11, 2013, 09:32:57 PM »
Hello,

Thank you in advance for any assistance you may be able to provide.

The admin panel identifies my current version as 1.1.17

I have always listened to the reminders about updates in my admin panel, but just recently my board started to function badly and at the same time I recieved a reminder about "Updating my forum". This has never been a problem in the past, but this time, when I click on the link to ["Update your forum" it only takes a few minutes!"] it will not update, but instad always displays this error -

2: unlink(C:\Inetpub\vhosts\damselstruction.ieasysite.com\httpdocs\Belly_Punching_and_Navel_Love/Packages/temp/$auto_0.txt) [<a href='function.unlink'>function.unlink</a>]: Permission denied
File: C:\Inetpub\vhosts\damselstruction.ieasysite.com\httpdocs\Belly_Punching_and_Navel_Love\Sources\Subs-Package.php
Line: 1174

The way the problem originally presented itself was that my "Stop Spammer" stop forum spam feature stopped working, when you check a list of spam accounts to delete, and try to "Reject" them, the same error appears and the operation will not complete.

Thanks,

Jim