Major Security Hole Fixed!

Authored by: Anonymous on Wednesday, January 09 2002 @ 10:57 AM EST

For users not familiar with CVS, could we have an url to
access these files, and/or the url of the web CVS
access?

[ Reply to This | # ]

Authored by: Tony on Wednesday, January 09 2002 @ 11:56 AM EST

For the new system/lib-sessions.php go here

for the new users.php go here

These fixes do address the security hole. I rushed these out ASAP so there may be minor changes to the final fix. I hope to polish any unfinished 1.3.1 work and get that out ASAP.

[ Reply to This | # ]

Authored by: Anonymous on Wednesday, January 09 2002 @ 08:17 PM EST

Thanks Tony... Maybe a link on www.geeklog.net pointing the the top of the cvs tree would help...
Fast work on the fix :-)

[ Reply to This | # ]

Authored by: Anonymous on Wednesday, January 09 2002 @ 10:58 AM EST

SOunds like its time to release 1.3.1 with all the other fixes since 1.3?

What is the status with the static pages plugin?

[ Reply to This | # ]

Authored by: Tony on Wednesday, January 09 2002 @ 11:52 AM EST

Yes, I am scrambling to get 1.3.1 out the door.

The staticpages plugin is pretty much done...just need a decent icon for it and it\'s ready to go.

[ Reply to This | # ]

Authored by: Anonymous on Wednesday, January 09 2002 @ 12:09 PM EST

I tried putting in the files from the cvs server. When a user tries to login to geeklog. They get the following message and the user doesn\'t log in.

Warning: Cannot add header information - headers already sent by (output started at /usr/local/www/geeklog-1.3/system/lib-sessions.php:402) in /usr/local/www/geeklog-1.3/system/lib-sessions.php on line 246

Warning: Cannot add header information - headers already sent by (output started at /usr/local/www/geeklog-1.3/system/lib-sessions.php:402) in /usr/local/www/geeklog-1.3/public_html/users.php on line 395

Warning: Cannot add header information - headers already sent by (output started at /usr/local/www/geeklog-1.3/system/lib-sessions.php:402) in /usr/local/www/geeklog-1.3/public_html/users.php on line 396

Warning: Cannot add header information - headers already sent by (output started at /usr/local/www/geeklog-1.3/system/lib-sessions.php:402) in /usr/local/www/geeklog-1.3/public_html/users.php on line 416

I narrowed the problem down to the lib-sessions.php file (ver 1.5) but I couldn\'t figure out how to fix this.

Any ideas on how to fix this other than putting back the old lib-sessions.php file

[ Reply to This | # ]

Authored by: Tony on Wednesday, January 09 2002 @ 12:53 PM EST

There may be a trailing space at the end of your lib-sessions file after the close php tag \"?>\". If there is delete it and try refreshing.

[ Reply to This | # ]

Authored by: Anonymous on Wednesday, January 09 2002 @ 02:00 PM EST

I believe I received similar errors after transfering a file,
links.php to my server using HTTP upload. Transfering
the file to my server using FTP resolved the error
messages. That was my experience. I don\'t believe I
recieved all the errors you posted, but some of them
certainly.

[ Reply to This | # ]

Authored by: eboni1 on Wednesday, January 09 2002 @ 11:02 PM EST

I corrected the issue by making sure the file had no spaces after the closer.

[ Reply to This | # ]