Author Topic: SMF 1.1.19 and 2.0.6 critical security patches released  (Read 1257632 times)

Offline Portugal

  • Jr. Member
  • **
  • Posts: 174
Re: SMF 1.1.19 and 2.0.6 critical security patches released
« Reply #40 on: October 24, 2013, 10:15:43 AM »
Thanks to all for always improving the security of our forums.

Regards

Offline Joomlamz

  • SMF Hero
  • ******
  • Posts: 2,594
  • Gender: Male
  • Suporte SmfPT
    • apllicmz on Facebook
    • apllicmz on GitHub
    • https://www.linkedin.com/in/aplic on LinkedIn
    • @aplichosting on Twitter
    • Webdesign
Re: SMF 1.1.19 and 2.0.6 critical security patches released
« Reply #41 on: October 24, 2013, 10:48:11 AM »
thank you
done



Offline ali[n]

  • Semi-Newbie
  • *
  • Posts: 20
Re: SMF 1.1.19 and 2.0.6 critical security patches released
« Reply #42 on: October 24, 2013, 01:00:21 PM »
Thanks :)

Offline brunob

  • Semi-Newbie
  • *
  • Posts: 49
Re: SMF 1.1.19 and 2.0.6 critical security patches released
« Reply #43 on: October 24, 2013, 04:03:09 PM »
Thanks all for the upgrade to 2.0.6  :D

Greetings, Bruno  :laugh:

Offline Kenny01

  • Sr. Member
  • ****
  • Posts: 767
  • Gender: Male
Re: SMF 1.1.19 and 2.0.6 critical security patches released
« Reply #44 on: October 25, 2013, 04:09:13 AM »
Great

Offline impreza

  • Sophist Member
  • *****
  • Posts: 1,051
    • Kilka stron a jeden hosting
Re: SMF 1.1.19 and 2.0.6 critical security patches released
« Reply #45 on: October 25, 2013, 10:02:13 AM »
nice, nice, thanks for all
You need to know what this is: Speeding up topic indexing and important internal links of sites also have an influence on search-engine strengthening for

Offline Antros22

  • Semi-Newbie
  • *
  • Posts: 55
Re: SMF 1.1.19 and 2.0.6 critical security patches released
« Reply #46 on: October 25, 2013, 10:33:12 AM »
nice work smf team :) my forum is updated :)  ;D

Offline Mr. Jinx

  • Full Member
  • ***
  • Posts: 476
  • Gender: Male
    • Ziggo Forum Chelloo
Re: SMF 1.1.19 and 2.0.6 critical security patches released
« Reply #47 on: October 25, 2013, 12:24:22 PM »
Thanks for this update. Working nice.

Offline rentner

  • Semi-Newbie
  • *
  • Posts: 47
Re: SMF 1.1.19 and 2.0.6 critical security patches released
« Reply #48 on: October 25, 2013, 05:24:15 PM »
Thanks for your work.

Update without problems as always.
Good job as usual. 8)


Offline Colin

  • Lead Developer
  • SMF Hero
  • *
  • Posts: 7,767
  • Gender: Male
  • SMF Developer
    • colinschoen on GitHub
Re: SMF 1.1.19 and 2.0.6 critical security patches released
« Reply #49 on: October 25, 2013, 05:38:45 PM »
Fantastic!
"If everybody is thinking alike, then somebody is not thinking." - Gen. George S. Patton Jr.

Colin

Offline iaccountant

  • Jr. Member
  • **
  • Posts: 191
    • iaccountant
Re: SMF 1.1.19 and 2.0.6 critical security patches released
« Reply #50 on: October 26, 2013, 01:23:12 AM »
Well I for one am sad to hear that 1.1.19 is just about the end of the line for 1.

I came in on 1.1.13 and now have one 2.05 installation and a few remaining 1s

Great product team. Thank you for maintaining and growing it so well.


Offline johnpaul2k2

  • Sr. Member
  • ****
  • Posts: 738
  • Gender: Male
  • Okija amaka
    • Mgbenka
Re: SMF 1.1.19 and 2.0.6 critical security patches released
« Reply #51 on: October 26, 2013, 01:34:26 AM »
upgrade within seconds  :)

Offline stog

  • Semi-Newbie
  • *
  • Posts: 84
Re: SMF 1.1.19 and 2.0.6 critical security patches released
« Reply #52 on: October 26, 2013, 07:53:24 AM »
Very good -- I upgraded 5 forums in under 5 minutes (1.1.18 to 19). Superb.

Meanwhile I have a vbully which I am so, so scared to upgrade (it has no 1-click package within/testing); it gives me the heebie-jeebies every time and takes 5 hours to prepare (reading responses first, serious backups, rewrites etc.).

Now I am a little worried about upgrading to 2.6 from 1.1.19 as we have so many mods, Pretty URLs and TP -- but will get a test site running soon.

How is the import from vbully 4 to 2.6, btw?

Thanks again, great work.

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 68,061
    • Arantor on GitHub
Re: SMF 1.1.19 and 2.0.6 critical security patches released
« Reply #53 on: October 26, 2013, 10:52:20 AM »
1.1.19 is seven years old, and will break with PHP 5.5 in nasty ways that we can't fix without a substantial change, most of which already happened in 2.0.

That's why we're telling you now, while it is still supported, that it is time to plan for an upgrade, rather than in a few months' time going "Oh and by the way, those of you on 1.1 are screwed".

Many 1.1 mods have 2.0 equivalents, or even 2.0 support, e.g. Pretty URLs does. If there is a mod that you cannot find a 2.0 replacement for, let me know and I'll see what I can do to help.

I haven't touched the converters, no idea what state the vB4 converter is in, sorry.
To assume is to hope that those who came before had the presence of mind and capacity to implement the dreams of those who would come after.

You either die a hero or live long enough to see yourself become the villain. It seems you have chosen which, and now I must do the same.

Offline Srinib

  • Jr. Member
  • **
  • Posts: 207
    • India Exit Polls
Re: SMF 1.1.19 and 2.0.6 critical security patches released
« Reply #54 on: October 26, 2013, 03:22:20 PM »
That was so cool. Upgraded from 2.0.5 to 2.0.6 in just a few seconds.
Thanks to everyone who had worked hard on this patch.

Offline fear_the_squirrels

  • Newbie
  • *
  • Posts: 6
Re: SMF 1.1.19 and 2.0.6 critical security patches released
« Reply #55 on: October 27, 2013, 08:53:24 AM »
What version is subs-members.php in this version?  After upgrade the file detailed version check shows subs-members.php being version 2.0.6, but the package manager version and the full tgz download both show it as version 2.0.1.  Diffing my running version and the version from the tgz show identical files also.

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 68,061
    • Arantor on GitHub
Re: SMF 1.1.19 and 2.0.6 critical security patches released
« Reply #56 on: October 27, 2013, 10:18:49 AM »
It's 2.0.6; the main install didn't get updated, but the package manager version should have, as per http://custom.simplemachines.org/upgrades/index.php?action=upgrade;file=smf_patch_1.1.19_2.0.6.tar.gz;smf_version=2.0.5 where it clearly edits Subs-Members.php.
To assume is to hope that those who came before had the presence of mind and capacity to implement the dreams of those who would come after.

You either die a hero or live long enough to see yourself become the villain. It seems you have chosen which, and now I must do the same.

Offline wwwserfer

  • Semi-Newbie
  • *
  • Posts: 34
Re: SMF 1.1.19 and 2.0.6 critical security patches released
« Reply #57 on: October 27, 2013, 12:46:26 PM »
Update 1.1.18 ---> 1.1.19

$sourcedir/Profile.php
The update replaces this
Code:
    // Now try to find an infection.
    while (!feof($fp))
    {
        if (preg_match('~(iframe|\\<\\?php|\\<\\?[\s=]|\\<%[\s=]|html|eval|body|script\W)~', fgets($fp, 4096)) === 1)
        {
            if (file_exists($uploadDir . '/avatar_tmp_' . $memID))
                @unlink($uploadDir . '/avatar_tmp_' . $memID);

            fatal_lang_error('smf124');
        }
    }
    fclose($fp);

to this
Code:
    // Now try to find an infection.
    $prev_chunk = '';
    while (!feof($fp))
    {
        $cur_chunk = fread($fp, 8192);

        // Paranoid check. Some like it that way.
        if (preg_match('~(iframe|\\<\\?|\\<%|html|eval|body|script\W|[CF]WS[\x01-\x0C])~i', $prev_chunk . $cur_chunk) === 1)
        {
            fclose($fp);
            if (file_exists($uploadDir . '/avatar_tmp_' . $memID))
                @unlink($uploadDir . '/avatar_tmp_' . $memID);

            fatal_lang_error('smf124');
        }

        $prev_chunk = $cur_chunk;
    }
    fclose($fp);

After this replacement users can't upload their avatars to the server (trying to upload an animated GIF); they get the message:

Quote
Your attachment couldn't be saved. This might happen because it took too long to upload or the file is bigger than the server will allow.

Please consult your server administrator for more information.

Please do not ask me about the settings! ALL ATTACHMENT/AVATAR SETTINGS ARE CORRECT!... as are the uploaded file requirements...

In my case avatars are uploaded to the attachments folder.
If I revert the update changes in $sourcedir/Profile.php, everything works fine.
I spent a lot of time trying to understand the problem, but could not solve it... is it just me?
Maybe PHP? I am using PHP 5.2.10 on my server...

Added:

Inside the test GIF there are these lines:
Code:
<?xpacket begin="п»ї" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27        "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:7105EF2E0130E2118032A8A02874D8C7" xmpMM:DocumentID="xmp.did:9E22335E300211E2A019AE32BE61A756" xmpMM:InstanceID="xmp.iid:9E22335D300211E2A019AE32BE61A756" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:7305EF2E0130E2118032A8A02874D8C7" stRef:documentID="xmp.did:7105EF2E0130E2118032A8A02874D8C7"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
Can this be a problem?

P.S. Sorry for my language. :-[

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 68,061
    • Arantor on GitHub
Re: SMF 1.1.19 and 2.0.6 critical security patches released
« Reply #58 on: October 27, 2013, 12:52:31 PM »
Yeah, the problem is that there are suspicious looking strings inside your GIF file and SMF's automated protection routines stop them. All I did (since I'm the one that did the patch for 1.1) was have 1.1 brought up to what 2.0 has done for years.

Get Photoshop to strip the rubbish that shouldn't even be in the file in the first place.
To assume is to hope that those who came before had the presence of mind and capacity to implement the dreams of those who would come after.

You either die a hero or live long enough to see yourself become the villain. It seems you have chosen which, and now I must do the same.
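The exchange above can be reproduced offline. The following is an added example, not code from the thread or from SMF: it transcribes the two Profile.php patterns quoted earlier (the 1.1.18 line-by-line check and the 1.1.19 chunked, case-insensitive check) into Python and runs both over constructed inputs. The XMP packet is a shortened, constructed version of the one the poster showed (the three bytes after `begin=` are the UTF-8 BOM the forum rendered as mojibake); the other samples are constructed too. It shows that the old pattern lets `<?xpacket` through while the new `\<\?` alternative rejects it, why the `$prev_chunk . $cur_chunk` overlap exists, and what the case-insensitive flag changes.

```python
import re

# Both patterns are transcribed from the two Profile.php snippets quoted
# earlier in the thread (PHP single-quoted strings unescaped, PCRE -> re).
# 1.1.18: case-sensitive; "<?" only counts when followed by "php", whitespace or "=".
OLD_PATTERN = re.compile(rb'(iframe|<\?php|<\?[\s=]|<%[\s=]|html|eval|body|script\W)')
# 1.1.19 / 2.0: case-insensitive; any "<?" or "<%" counts, plus the
# "CWS"/"FWS" + version byte signature that opens a Flash (SWF) file.
NEW_PATTERN = re.compile(
    rb'(iframe|<\?|<%|html|eval|body|script\W|[CF]WS[\x01-\x0C])', re.IGNORECASE)


def fgets_pieces(data: bytes, maxlen: int = 4096):
    """Yield what successive fgets($fp, maxlen) calls return: up to and
    including a newline, but never more than maxlen - 1 bytes per call."""
    pos = 0
    while pos < len(data):
        nl = data.find(b'\n', pos)
        end = len(data) if nl == -1 else nl + 1
        end = min(end, pos + maxlen - 1)
        yield data[pos:end]
        pos = end


def old_scan(data: bytes) -> bool:
    """1.1.18 behaviour: each fgets() piece is matched on its own."""
    return any(OLD_PATTERN.search(piece) for piece in fgets_pieces(data))


def new_scan(data: bytes, chunk_size: int = 8192, overlap: bool = True) -> bool:
    """1.1.19 behaviour: fread() chunks, each matched together with the
    previous chunk ($prev_chunk . $cur_chunk) so a keyword split across a
    chunk boundary is still seen. overlap=False shows why that matters."""
    prev = b''
    for pos in range(0, len(data), chunk_size):
        cur = data[pos:pos + chunk_size]
        if NEW_PATTERN.search(prev + cur if overlap else cur):
            return True
        prev = cur
    return False


def first_hit(pattern: re.Pattern, data: bytes):
    """Return the first token the pattern objects to, or None if the data is clean."""
    m = pattern.search(data)
    return m.group(1) if m else None


# Constructed sample inputs (not real files from the thread).
# A shortened XMP packet of the kind Photoshop embeds; the poster's GIF
# carried a longer one. The three bytes after begin= are the UTF-8 BOM.
XMP_SAMPLE = (b'<?xpacket begin="\xef\xbb\xbf" id="W5M0MpCehiHzreSzNTczkc9d"?> '
              b'<x:xmpmeta xmlns:x="adobe:ns:meta/"> </x:xmpmeta> <?xpacket end="r"?>')
# "eval" placed so that it straddles the 8192-byte fread() boundary.
BOUNDARY_SAMPLE = b'A' * 8190 + b'eval' + b'B' * 10
# Upper-case keyword: caught only by the case-insensitive 1.1.19 pattern.
UPPERCASE_SAMPLE = b'GIF89a' + b'<SCRIPT src="x">'
# Metadata-free image header followed by filler: both versions accept it.
CLEAN_GIF = b'GIF89a' + b'\x00\x01\x02' * 50

if __name__ == '__main__':
    print('XMP packet   old/new:', old_scan(XMP_SAMPLE), new_scan(XMP_SAMPLE),
          'token:', first_hit(NEW_PATTERN, XMP_SAMPLE))
    print('boundary     no-overlap/overlap:',
          new_scan(BOUNDARY_SAMPLE, overlap=False), new_scan(BOUNDARY_SAMPLE))
    print('upper-case   old/new:', old_scan(UPPERCASE_SAMPLE), new_scan(UPPERCASE_SAMPLE))
    print('clean GIF    old/new:', old_scan(CLEAN_GIF), new_scan(CLEAN_GIF))
```

The practical point for an administrator is the one Arantor makes: the check is a content heuristic, so editor metadata that happens to contain `<?` is indistinguishable from a real processing instruction, and the remedy is to strip that metadata from avatars before upload rather than to loosen the pattern.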

Offline fear_the_squirrels

  • Newbie
  • *
  • Posts: 6
Re: SMF 1.1.19 and 2.0.6 critical security patches released
« Reply #59 on: October 27, 2013, 01:54:50 PM »
Quote
It's 2.0.6, the main install didn't get updated, but the package manager version should have as per http://custom.simplemachines.org/upgrades/index.php?action=upgrade;file=smf_patch_1.1.19_2.0.6.tar.gz;smf_version=2.0.5 where it clearly edits Subs-Members.php

So the main install and the upgrade packages should have 2.0.1?  I did look and it seems that the full install package does have the changes in place, just the file version is 2.0.1.  Going by that it looks as though I should be ok to just replace the top version tag with the correct version (2.0.6) to get rid of the version mismatch in the DB.

-Chris