phpBB2Refugees.com Logo
Not affiliated with or endorsed by the phpBB Group

Register •  Login 

Continue the legacy...

Welcome to all phpBB2 Refugees!Wave Smilie

This site is intended to continue support for the legacy 2.x line of the phpBB2 bulletin board package. If you are a fan of phpBB2, please, by all means register, post, and help us out by offering your suggestions. We are primarily a community and support network. Our secondary goal is to provide a phpBB2 MOD Author and Styles area.

The Final phpBB 2 Security Vulnerability
1 members found this topic helpful
Goto page Previous  1, 2, 3 ... 12, 13, 14
 
Search this topic... | Search phpBB2 Discussion... | Search Box
Register or Login to Post    Index » phpBB2 Discussion  Previous TopicPrint TopicNext Topic
Author Message
jarkas
Board Member



Joined: 31 Oct 2012

Posts: 4



PostPosted: Fri Dec 25, 2015 8:33 am 
Post subject: Re: The Final phpBB 2 Security Error

i also got ''invalid_session'' error when i try to merge topics ..i have already mentioned this issue hope gonna fix it , becuase of this problem i must have reverted codes to the 20.23 icon_sad.gif

http://phpbb2refugees.com/viewtopic.php?p=8352#8352

JLA wrote:
Found something today and haven't went back into your code to see if it was something we missed when making the changes or something missing for the update.

Found when splitting a post FROM a topic, was getting an invalid session error

Found this in mod cp

Code:

else
      {
         //
         // Set template files
         //
         $template->set_filenames(array(
            'split_body' => 'modcp_split.tpl')
         );

         $sql = "SELECT u.username, p.*, pt.post_text, pt.bbcode_uid, pt.post_subject, p.post_username
            FROM " . POSTS_TABLE . " p, " . USERS_TABLE . " u, " . POSTS_TEXT_TABLE . " pt
            WHERE p.topic_id = $topic_id
               AND p.poster_id = u.user_id
               AND p.post_id = pt.post_id
            ORDER BY p.post_time ASC";
         if ( !($result = $db->sql_query($sql)) )
         {
            message_die(GENERAL_ERROR, 'Could not get topic/post information', '', __LINE__, __FILE__, $sql);
         }

          $s_hidden_fields = '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" /><input type="hidden" name="' . POST_FORUM_URL . '" value="' . $forum_id . '" /><input type="hidden" name="' . POST_TOPIC_URL . '" value="' . $topic_id . '" /><input type="hidden" name="mode" value="split" />';
         



Shouldn't it be this???

Code:

else
      {
         //
         // Set template files
         //
         $template->set_filenames(array(
            'split_body' => 'modcp_split.tpl')
         );

         $sql = "SELECT u.username, p.*, pt.post_text, pt.bbcode_uid, pt.post_subject, p.post_username
            FROM " . POSTS_TABLE . " p, " . USERS_TABLE . " u, " . POSTS_TEXT_TABLE . " pt
            WHERE p.topic_id = $topic_id
               AND p.poster_id = u.user_id
               AND p.post_id = pt.post_id
            ORDER BY p.post_time ASC";
         if ( !($result = $db->sql_query($sql)) )
         {
            message_die(GENERAL_ERROR, 'Could not get topic/post information', '', __LINE__, __FILE__, $sql);
         }

          //$s_hidden_fields = '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" /><input type="hidden" name="' . POST_FORUM_URL . '" value="' . $forum_id . '" /><input type="hidden" name="' . POST_TOPIC_URL . '" value="' . $topic_id . '" /><input type="hidden" name="mode" value="split" />';
         


$s_hidden_fields = '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" /><input type="hidden" name="p_sid" value="' . $userdata['priv_session_id'] . '" /><input type="hidden" name="' . POST_FORUM_URL . '" value="' . $forum_id . '" /><input type="hidden" name="' . POST_TOPIC_URL . '" value="' . $topic_id . '" /><input type="hidden" name="mode" value="split" />';


Back to top
jarkas
Board Member



Joined: 31 Oct 2012

Posts: 4



PostPosted: Fri Dec 25, 2015 8:33 am 
Post subject: Re: The Final phpBB 2 Security Error

jarkas wrote:
i also got ''invalid_session'' error when i try to merge topics ..i have already mentioned this issue hope gonna fix it , becuase of this problem i must have reverted codes to the 20.23 icon_sad.gif

http://phpbb2refugees.com/viewtopic.php?p=8352#8352

JLA wrote:
Found something today and haven't went back into your code to see if it was something we missed when making the changes or something missing for the update.

Found when splitting a post FROM a topic, was getting an invalid session error

Found this in mod cp

Code:

else
      {
         //
         // Set template files
         //
         $template->set_filenames(array(
            'split_body' => 'modcp_split.tpl')
         );

         $sql = "SELECT u.username, p.*, pt.post_text, pt.bbcode_uid, pt.post_subject, p.post_username
            FROM " . POSTS_TABLE . " p, " . USERS_TABLE . " u, " . POSTS_TEXT_TABLE . " pt
            WHERE p.topic_id = $topic_id
               AND p.poster_id = u.user_id
               AND p.post_id = pt.post_id
            ORDER BY p.post_time ASC";
         if ( !($result = $db->sql_query($sql)) )
         {
            message_die(GENERAL_ERROR, 'Could not get topic/post information', '', __LINE__, __FILE__, $sql);
         }

          $s_hidden_fields = '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" /><input type="hidden" name="' . POST_FORUM_URL . '" value="' . $forum_id . '" /><input type="hidden" name="' . POST_TOPIC_URL . '" value="' . $topic_id . '" /><input type="hidden" name="mode" value="split" />';
         



Shouldn't it be this???

Code:

else
      {
         //
         // Set template files
         //
         $template->set_filenames(array(
            'split_body' => 'modcp_split.tpl')
         );

         $sql = "SELECT u.username, p.*, pt.post_text, pt.bbcode_uid, pt.post_subject, p.post_username
            FROM " . POSTS_TABLE . " p, " . USERS_TABLE . " u, " . POSTS_TEXT_TABLE . " pt
            WHERE p.topic_id = $topic_id
               AND p.poster_id = u.user_id
               AND p.post_id = pt.post_id
            ORDER BY p.post_time ASC";
         if ( !($result = $db->sql_query($sql)) )
         {
            message_die(GENERAL_ERROR, 'Could not get topic/post information', '', __LINE__, __FILE__, $sql);
         }

          //$s_hidden_fields = '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" /><input type="hidden" name="' . POST_FORUM_URL . '" value="' . $forum_id . '" /><input type="hidden" name="' . POST_TOPIC_URL . '" value="' . $topic_id . '" /><input type="hidden" name="mode" value="split" />';
         


$s_hidden_fields = '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" /><input type="hidden" name="p_sid" value="' . $userdata['priv_session_id'] . '" /><input type="hidden" name="' . POST_FORUM_URL . '" value="' . $forum_id . '" /><input type="hidden" name="' . POST_TOPIC_URL . '" value="' . $topic_id . '" /><input type="hidden" name="mode" value="split" />';


This post has been reported for Other. The current status is Closed / No action required.
Moderator phpBB2 Refugees rejected this report Click for Details
Back to top
Display posts from previous:   
Register or Login to Post    Index » phpBB2 Discussion  Previous TopicPrint TopicNext Topic
Page 14 of 14 All times are GMT
Goto page Previous  1, 2, 3 ... 12, 13, 14
 
Jump to:  

Index • About • FAQ • Rules • Privacy • Search •  Register •  Login 
Not affiliated with or endorsed by the phpBB Group
Powered by phpBB2 © phpBB Group
Generated in 0.0186 seconds using 15 queries. (SQL 0.0014 Parse 0.0005 Other 0.0167)
phpBB Customizations by the phpBBDoctor.com
Template Design by DeLFlo and MomentsOfLight.com Moments of Light Logo