PhpDig.net

Go Back   PhpDig.net > General Forums > Feedback & News

Reply
 
Thread Tools
Old 12-12-2004, 02:31 PM   #1
vinyl-junkie
Purple Mole
 
Join Date: Jan 2004
Posts: 694
v.1.8.5 member comments

First of all, I had no problems upgrading to 1.8.5. No worries there.

Charter, on behalf of all the phpdig community, I just want to say thanks for moving so quickly on this security issue. Your hard work is very much appreciated!

There is something that is kind of liberating in a way to just trash a production application like this and rebuild it from the ground up. No, I'm not being sarcastic when I say that. It really was fun to do this, as I didn't have to worry about all my customized code not working. With a temporary "search engine not available" page in place, I was free to do what I needed to get the upgrade in place and working properly. Plus, I didn't have to worry about my site's visitors getting some blank screen or a cryptic error message.

Anyway, thanks again, Charter, for doing such a great job in taking care of this problem.

p.s. - I forgot to add that as I was going through the upgrade process, I decided to empty my database tables and start from scratch. While doing that, I decided to try the "spider from a list" functionality. That was sooo much quicker than just letting it spider from the root. I was able to spider over 1,000 pages in about 15 minutes. I don't think I've ever been able to spider that many pages in that length of time before. Anyway, I am a very happy camper!

Last edited by vinyl-junkie; 12-12-2004 at 02:41 PM. Reason: Added comment about spidering from a file list.
vinyl-junkie is offline   Reply With Quote
Old 12-13-2004, 05:55 AM   #2
renehaentjens
Orange Mole
 
Join Date: Nov 2003
Posts: 69
I agree with vinyl-junkie in his appreciation of Charter's quick and hard work as a response to a security issue.

Forgive me though to sigh: I'll have to upgrade the DB and I'll have to carefully review the 5 PhpDig scripts that I have customized for my site, because they are all affected by this upgrade. That is going to take more than a couple of hours...

I understand that careful wording is required in this forum concerning a security issue, but it sort of leaves me in the fog, not understanding exactly what risk there is, from where I might expect an attack and what I should do first to secure my system.

Is it thát serious that I should shutdown search for my user community? Or should I even remove all PhpDig 1.8.3 scripts from the system? I'm not going to do anything before I understand at least a little bit what's going on. I'm a developer, not a security expert, so I do not immediately see what might be happening...
__________________
René Haentjens, Ghent University

Last edited by renehaentjens; 12-13-2004 at 05:59 AM.
renehaentjens is offline   Reply With Quote
Old 12-13-2004, 06:41 AM   #3
cjones
Green Mole
 
Join Date: Dec 2004
Posts: 13
well done charter, a very fast response i only wish ms was just as fast. great idea sending via email too

i think charter didnt disclose the fault, because if he did a guest may see it and be able to take advantage of the issue. i dont mind aslong as i could get the quick fix code.
cjones is offline   Reply With Quote
Old 12-13-2004, 07:51 AM   #4
renehaentjens
Orange Mole
 
Join Date: Nov 2003
Posts: 69
[I've removed what I wrote here earlier because it was wrong. Sorry!]

The DB update seems to be related to the 1.8.4 functionality mainly and not at all related to the security fix.

If I want to stay with 1.8.3 for a little while, can I survive with just the insertion of EXTR_SKIP in search.php as mentioned elsewhere?
__________________
René Haentjens, Ghent University

Last edited by renehaentjens; 12-13-2004 at 08:13 AM.
renehaentjens is offline   Reply With Quote
Old 12-13-2004, 08:25 AM   #5
Charter
Head Mole
 
Charter's Avatar
 
Join Date: May 2003
Posts: 2,539
@ vinyl-junkie: Glad you are happy, but your "current mood" is still sad.

@ renehaentjens: See this and this. Also update the DB tables 1.8.3 -> 1.8.4 -> 1.8.5.

@ cjones: That is precisely why details are not given.

Since I took over this project, there have been two security issues. IMHO, the first was worse than the second, but they are both bad. Regardless of what I do or do not mention, the method of exploit will get out, so if you haven't done the upgrade, please do.

BTW, the first snow of the season has arrived.
__________________
Responses are offered on a voluntary if/as time is available basis, no guarantees. Double posting or bumping threads will not get your question answered any faster. No support via PM or email, responses not guaranteed. Thank you for your comprehension.
Charter is offline   Reply With Quote
Old 12-13-2004, 07:07 PM   #6
vinyl-junkie
Purple Mole
 
Join Date: Jan 2004
Posts: 694
renehaentjens: I feel your pain with having to re-incorporate your customized code into a new version of phpdig. The first time I upgraded phpdig, which was a few versions ago now, I hadn't fully documented the code changes I had made. That upgrade was so traumatic for me that I decided to change that. Now when an upgrade happens, I know exactly how to keep my customized code and have the new version work with a minimum of effort. I would urge you to make yourself some detailed notes on what you've done as you go through the current upgrade. Believe me, you'll be glad you took the time to do that.

Charter: "Mood" has been upgraded right along with phpdig.
vinyl-junkie is offline   Reply With Quote
Old 12-15-2004, 08:23 AM   #7
renehaentjens
Orange Mole
 
Join Date: Nov 2003
Posts: 69
Thank you Charter, but I had already seen these forum entries. Not that I understood them completely...
And I fail to understand why the DB table upgrade is needed for the security problem.
Where are you, that you already get snow?

Thank you, vinyl-junkie. I know my customizations and have documented them, I have quite some experience in customizing code. Still it takes time to check the PHP code around my customizations (old vs. new) and to re-test everything.

I may have to delay this until after new year...
__________________
René Haentjens, Ghent University
renehaentjens is offline   Reply With Quote
Old 12-16-2004, 12:17 AM   #8
renehaentjens
Orange Mole
 
Join Date: Nov 2003
Posts: 69
I do not want to shutdown functionality for our users. That also means that I cannot upgrade immediately, because a non-customized new version would also mean a shutdown of functionality. I find it a pity that there is no security fix advise for the existing stable version 1.8.3.

I have inserted EXTR_SKIP in search.php and clickstats.php and I have asked the colleagues to do similar updates to admin/files.php, index, limit_upd, spider, statistics, update and update_frame, because I do not have enough rights on the PhpDig server to do these myself. If that is not enough, I would appreciate if someone told me, either here or by e-mail.
__________________
René Haentjens, Ghent University
renehaentjens is offline   Reply With Quote
Old 12-16-2004, 05:25 AM   #9
Siava
Green Mole
 
Join Date: May 2004
Location: Russia (Saint-Petersbrg)
Posts: 16
Sorry for offtop, but 1.8.6 is great!
Big respekt!
__________________
Siava.ru
Siava is offline   Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
v.1.8.7 member comments renehaentjens Feedback & News 1 01-18-2005 06:17 AM
v.1.8.4 member comments vinyl-junkie Feedback & News 2 12-08-2004 03:10 PM
phpDoc comments blueyed Mod Requests 0 10-18-2004 02:21 AM
New Member Levels vinyl-junkie The Mole Hole 3 04-11-2004 04:34 PM
New Member PCplayground The Mole Hole 2 08-04-2003 03:14 PM


All times are GMT -8. The time now is 05:07 PM.


Powered by vBulletin® Version 3.7.3
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Copyright © 2001 - 2005, ThinkDing LLC. All Rights Reserved.