SMF 1.1.19 and 2.0.6 critical security patches released

Started by Illori, October 21, 2013, 10:18:01 AM

Previous topic - Next topic

Portugal

Thanks all to always improve on security of our forums..



Regards

Apllicmz





brunob

Thanks all for the upgrade to 2.0.6  :D

Greating Bruno  :laugh:


impreza

Portal ToTemat.pl - treści w postaci artykułów i filmów tematycznych.

Antros22



rentner

Thanks for your work.

Update without problems as always.
Good job as usual. 8)


Colin

"If everybody is thinking alike, then somebody is not thinking." - Gen. George S. Patton Jr.

Colin

iaccountant

Well I for one am sad to hear that 1.1.19 is just about the end of the line for 1.

I came in on 1.1.13 and now have one 2.05 installation and a few remaining 1s

Great product team. Thank you for maintaining and growing it so well.



stog

very good -- i upgraded 5 forums in under 5 minutes (1.1.18 to 19) superb

meanwhile i have a vbully which i am so so scared to upgrade (it has no 1 click package within/testing) and gives me the eeebeegeebees everytime and takes 5 hours to prepare -- reading responses first serious b'ups rewrites etc)

now i am a little worried upgrading to 2.6 from 1.1.19 as we have soi many mods, pretty urls and tp -- but will get a test site running soon

how is import from vbully 4 to 2.6 btw?

thx again great work

Arantor

1.1.19 is seven years old, and will break with PHP 5.5 in nasty ways that we can't fix without a substantial change, most of which already happened in 2.0.

That's why we're telling you now, while it is still supported, that it is time to plan for an upgrade, rather than in a few months time going "Oh and by the way, those of you on 1.1 are screwed"

Many 1.1 mods have 2.0 equivalents, or even 2.0 support, e.g. Pretty URLs does. If there is a mod that you cannot find a 2.0 replacement for, let me know and I'll see what I can do to help.

I haven't touched the converters, no idea what state the vB4 converter is in, sorry.

Srinib

That was so cool. Upgraded from 2.0.5 to 2.0.6 in just few seconds.
Thanks to everyone who had worked hard on this patch.

fear_the_squirrels

What version is subs-members.php in this version?  After upgrade the file detailed version check shows subs-members.php being version 2.0.6, but the package manager version and the full tgz download both show it as version 2.0.1.  Diffing my running version and the version from the tgz show identical files also.

Arantor

It's 2.0.6, the main install didn't get updated, but the package manager version should have as per http://custom.simplemachines.org/upgrades/index.php?action=upgrade;file=smf_patch_1.1.19_2.0.6.tar.gz;smf_version=2.0.5 where it clearly edits Subs-Members.php

wwwserfer

update 1.1.18 ---> 1.1.19

$sourcedir/Profile.php
update replace this

    // Now try to find an infection.
    while (!feof($fp))
    {
    if (preg_match('~(iframe|\\<\\?php|\\<\\?[\s=]|\\<%[\s=]|html|eval|body|script\W)~', fgets($fp, 4096)) === 1)
    {
    if (file_exists($uploadDir . '/avatar_tmp_' . $memID))
    [at]unlink($uploadDir . '/avatar_tmp_' . $memID);
     
    fatal_lang_error('smf124');
    }
    }
    fclose($fp);


to this
    // Now try to find an infection.
    $prev_chunk = '';
    while (!feof($fp))
    {
    $cur_chunk = fread($fp, 8192);
     
    // Paranoid check. Some like it that way.
    if (preg_match('~(iframe|\\<\\?|\\<%|html|eval|body|script\W|[CF]WS[\x01-\x0C])~i', $prev_chunk . $cur_chunk) === 1)
    {
    fclose($fp);
    if (file_exists($uploadDir . '/avatar_tmp_' . $memID))
    [at]unlink($uploadDir . '/avatar_tmp_' . $memID);
     
    fatal_lang_error('smf124');
    }
     
    $prev_chunk = $cur_chunk;
    }
    fclose($fp);


after this replacement users can't upload their avatars to server (trying upload animated gif), got message:

QuoteYour attachment couldn't be saved. This might happen because it took too long to upload or the file is bigger than the server will allow.

Please consult your server administrator for more information.

Do not ask me about the settings please! ALL ATTACHMENTS/AVATARS SETTINGS CORRECT!... as a uploaded file requirements...

In my case avatars uploaded to attachments folder.
If I return the update changes in $sourcedir/Profile.php back - all works fine.
Spent a lot of time to understand the problem, but could not solve... it just me?
Maybe PHP? I using PHP 5.2.10 on my server...

Added:

inside test gif there are lines
<?xpacket begin="п»ї" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27        "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:7105EF2E0130E2118032A8A02874D8C7" xmpMM:DocumentID="xmp.did:9E22335E300211E2A019AE32BE61A756" xmpMM:InstanceID="xmp.iid:9E22335D300211E2A019AE32BE61A756" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:7305EF2E0130E2118032A8A02874D8C7" stRef:documentID="xmp.did:7105EF2E0130E2118032A8A02874D8C7"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>

this can be a problem?

p/s sorry for my language// :-[

Arantor

Yeah, the problem is that there are suspicious looking strings inside your GIF file and SMF's automated protection routines stop them. All I did (since I'm the one that did the patch for 1.1) was have 1.1 brought up to what 2.0 has done for years.

Get Photoshop to strip the rubbish that shouldn't even be in the file in the first place.

fear_the_squirrels

Quote from: Arantor on October 27, 2013, 10:18:49 AM
It's 2.0.6, the main install didn't get updated, but the package manager version should have as per http://custom.simplemachines.org/upgrades/index.php?action=upgrade;file=smf_patch_1.1.19_2.0.6.tar.gz;smf_version=2.0.5 where it clearly edits Subs-Members.php

So the main install and the upgrade packages should have 2.0.1?  I did look and it seems that the full install package does have the changes in place, just the file version is 2.0.1.  Going by that it looks as though I should be ok to just replace the top version tag with the correct version (2.0.6) to get rid of the version mismatch in the DB.

-Chris

Advertisement: