miniBB® Support Forums
  
 

"Who's Online" addon updated - vulnerability fix

 
Author Paul
Lead Developer 
#1 | Posted: 28 Jan 2007 10:39 
As reported by our user, there could be a possibility, while register_globals is set to ON in php.ini, to use an invalid setting of data in this addon.

The update includes the change mentioned in the thread above ($tsess=trim($_COOKIE[$cookiename.'_anol']) should be $tsess=trim($_COOKIE[$cookiename.'_anol'])+0), as well as the new defs:

$w_anonymous_visits=array(); $w_logged_users=array(); $w_record=array();

pasted on any event before the statement:

include($woDir.'/addon_whosonline_data.php');

Please update your version of the addon.

Author marsbar
Associated Member
#2 | Posted: 3 Feb 2007 16:31 
Hello Paul,

1) The addon_whosonline.php included in the latest version (28 Jan 2007) package shows a last modified date of 17 April 2006. ??

2) The 'Attention' note in the readme for the who-is-online plugin instructs users to stick the who-is-online code close to the top of bb_plugins.php - immediately after <?php , unless CAPTCHA is also installed.

In a setup without CAPTCHA installed, should the bb_plugins.php read like so [excluding the line numbering, of course]:

line 1: <?php
line 2: if (!defined('INCLUDED776')) die ('Fatal error.');
line 3: include($pathToFiles.'addon_whosonline.php');
line 4: ?>

If memory serves, line 2 was a recommended addition from some time ago - I assume it is still required?

Cheers,
mb

EDIT: I should have posted my query relating to the readme to the who's online addon thread instead of here. Apologies!

Author Paul
Lead Developer 
#3 | Posted: 4 Feb 2007 09:27 
marsbar

1) Thank you again :-) I am getting old and just forgot to put the newest file in the package. It should now be in its place.

2) You're right! This needs to be updated in the README as well.

Now the package should be ok... check out pls.

Author Paul
Lead Developer 
#4 | Posted: 28 Feb 2007 10:21 
Actually, the previous update still contained the bug (it seems PHP is not up to handling big integer numbers correctly).

This bug could cause your guests to not be counted correctly. Most probably there will be no more than 2 guests visible in the addon's panel.

So the latest update of today hopefully fixes it. Please get it from Downloads and upgrade on your board. I hope it works finally now (at least tested for a couple of days by me personally with not critical issues found).
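
The two changes discussed in this thread, shown as an added example that is not part of the original posts and is not miniBB's code: it emulates register_globals with extract(), compares the uninitialised and initialised arrays, and shows what the "+0" cast does to a very large cookie value. The request data, the cookie value, `$cookiename = 'demo'`, `load_data()` and `guest_session_id()` are constructed or hypothetical.

```php
<?php
// Added illustration, not miniBB code. Only the three $w_* array names and
// the '_anol' cookie suffix come from the thread; the rest is constructed.

// Constructed request data, as PHP would parse ?w_anonymous_visits[]=...
$request = array('w_anonymous_visits' => array('forged-1', 'forged-2'));
$cookiename = 'demo';                                   // hypothetical value
$cookie = array($cookiename . '_anol' => '12345678901234567890');

// Stand-in for the included data file: it appends to arrays it expects to
// find empty (hypothetical behaviour, the real file is not shown in the thread).
function load_data(array &$visits) {
    $visits[] = 1170000000;                             // constructed entry
}

// 1. register_globals=On copied request parameters into globals before the
//    first line of the script ran; extract() reproduces that here.
extract($request);
load_data($w_anonymous_visits);
printf("uninitialised: %d entries\n", count($w_anonymous_visits));

// 2. The definitions from the update discard anything supplied by the request.
$w_anonymous_visits = array(); $w_logged_users = array(); $w_record = array();
load_data($w_anonymous_visits);
printf("initialised:   %d entries\n", count($w_anonymous_visits));

// 3. The "+0" cast forces a number, but a digit string above PHP_INT_MAX
//    becomes a float and loses precision.
$tsess = trim($cookie[$cookiename . '_anol']) + 0;
printf("+0 cast gives: %s\n", gettype($tsess));

// 4. Stricter alternative (an assumption, not the addon's code): accept only
//    1 to 9 digits, which fits a 32-bit integer, and fall back to 0.
function guest_session_id($raw) {
    $raw = is_string($raw) ? trim($raw) : '';
    return preg_match('/^[0-9]{1,9}$/D', $raw) === 1 ? (int)$raw : 0;
}
var_dump(guest_session_id($cookie[$cookiename . '_anol']));  // oversized input
var_dump(guest_session_id(' 424242 '));                      // well-formed input
```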
