News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.

Topic: Current security updates and plugins


T.Gauck
Current security updates and plugins
« on: March 06, 2009, 08:50:32 am »

Hello,

I use the following plugins and add-ons:

Multiline comments v1.1
User Gallery Alphabetic Tabbing

theme.php
Code:
//BEGIN show navigation title and author//
function theme_html_img_nav_menu()
{
    global $CONFIG, $CURRENT_PIC_DATA, $meta_nav, $THEME_DIR ; //$PHP_SELF,
    global $album, $cat, $pos, $pic_count, $lang_img_nav_bar, $lang_text_dir, $template_img_navbar;

    $cat_link = is_numeric($album) ? '' : '&cat=' . $cat;
        $uid_link = is_numeric($_GET['uid']) ? '&uid=' . $_GET['uid'] : '';

    $human_pos = $pos + 1;
    $page = ceil(($pos + 1) / ($CONFIG['thumbrows'] * $CONFIG['thumbcols']));
    $pid = $CURRENT_PIC_DATA['pid'];

    $start = 0;
        $start_tgt = "{$_SERVER['PHP_SELF']}?album=$album$cat_link&pos=$start";
        $start_title = $lang_img_nav_bar['go_album_start'];
        $meta_nav .= "<link rel=\"start\" href=\"$start_tgt\" title=\"$start_title\" />
        ";
        $end = $pic_count - 1;
        $end_tgt = "{$_SERVER['PHP_SELF']}?album=$album$cat_link&amp;pos=$end";
        $end_title = $lang_img_nav_bar['go_album_end'];
        $meta_nav .= "<link rel=\"last\" href=\"$end_tgt\" title=\"$end_title\" />
        ";

    if ($pos > 0) {
        $prev = $pos - 1;
        $prev_tgt = "{$_SERVER['PHP_SELF']}?album=$album$cat_link&amp;pos=$prev$uid_link";
        $prev_title = $lang_img_nav_bar['prev_title'];
                                $meta_nav .= "<link rel=\"prev\" href=\"$prev_tgt\" title=\"$prev_title\" />
                                ";
    } else {
        $prev_tgt = "javascript:;";
        $prev_title = "";
    }

    if ($pos < ($pic_count -1)) {
        $next = $pos + 1;
        $next_tgt = "{$_SERVER['PHP_SELF']}?album=$album$cat_link&amp;pos=$next$uid_link";
        $next_title = $lang_img_nav_bar['next_title'];
                                $meta_nav .= "<link rel=\"next\" href=\"$next_tgt\" title=\"$next_title\"/>
                                ";
    } else {
        $next_tgt = "javascript:;";
        $next_title = "";
    }

    if (USER_CAN_SEND_ECARDS) {
        $ecard_tgt = "ecard.php?album=$album$cat_link&amp;pid=$pid&amp;pos=$pos";
        $ecard_title = $lang_img_nav_bar['ecard_title'];
    } else {
        template_extract_block($template_img_navbar, 'ecard_button'); // added to remove button if cannot send ecard
        /*$ecard_tgt = "javascript:alert('" . addslashes($lang_img_nav_bar['ecard_disabled_msg']) . "');";
        $ecard_title = $lang_img_nav_bar['ecard_disabled'];*/
    }

                //report to moderator buttons
    if (($CONFIG['report_post']==1) && (USER_CAN_SEND_ECARDS)) {
        $report_tgt = "report_file.php?album=$album$cat_link&amp;pid=$pid&amp;pos=$pos";
    } else { // remove button if report toggle is off
        template_extract_block($template_img_navbar, 'report_file_button');

    }

                    $thumb_tgt = "thumbnails.php?album=$album$cat_link&amp;page=$page$uid_link";
        $meta_nav .= "<link rel=\"up\" href=\"$thumb_tgt\" title=\"".$lang_img_nav_bar['thumb_title']."\"/>
        ";

    $slideshow_tgt = "{$_SERVER['PHP_SELF']}?album=$album$cat_link$uid_link&amp;pid=$pid&amp;slideshow=".$CONFIG['slideshow_interval'];

    $pic_pos = sprintf($lang_img_nav_bar['pic_pos'], $human_pos, $pic_count);

    if (defined('THEME_HAS_NAVBAR_GRAPHICS')) {
            $location= $THEME_DIR;
        } else {
            $location= '';
        }

    // fall back to a placeholder title when the picture has none
    if ($CURRENT_PIC_DATA['title'] == '') {
        $CURRENT_PIC_DATA['title'] = 'No name';
    }
    $params = array('{THUMB_TGT}' => $thumb_tgt,
        '{THUMB_TITLE}' => $lang_img_nav_bar['thumb_title'],
        '{PIC_INFO_TITLE}' => $lang_img_nav_bar['pic_info_title'],
        '{SLIDESHOW_TGT}' => $slideshow_tgt,
        '{SLIDESHOW_TITLE}' => $lang_img_nav_bar['slideshow_title'],
        '{PIC_POS}' => $pic_pos,
        '{ECARD_TGT}' => $ecard_tgt,
        '{ECARD_TITLE}' => $ecard_title,
        '{PREV_TGT}' => $prev_tgt,
        '{PREV_TITLE}' => $prev_title,
        '{NEXT_TGT}' => $next_tgt,
        '{NEXT_TITLE}' => $next_title,
        '{PREV_IMAGE}' => ($lang_text_dir=='ltr') ? 'prev' : 'next',
        '{NEXT_IMAGE}' => ($lang_text_dir=='ltr') ? 'next' : 'prev',
        '{REPORT_TGT}' => $report_tgt,
        '{REPORT_TITLE}' => $lang_img_nav_bar['report_title'],
        '{LOCATION}' => $location,
        '{OWNER_NAME}' => $CURRENT_PIC_DATA['owner_name'],
        '{OWNER_ID}' => $CURRENT_PIC_DATA['owner_id'],
        '{PIC_TITLE}' => $CURRENT_PIC_DATA['title'],
        );

    return template_eval($template_img_navbar, $params);
}


$template_img_navbar = <<<EOT

        <tr>
                <td align="center" valign="middle" class="navmenu" width="48">
                        <a href="{THUMB_TGT}" class="navmenu_pic" title="{THUMB_TITLE}"><img src="{LOCATION}images/thumbnails.gif" align="middle" border="0" alt="{THUMB_TITLE}" /></a>
                </td>
                <td align="center" valign="middle" class="navmenu" width="48">
                        <a href="javascript:;" class="navmenu_pic" onclick="blocking('picinfo','yes', 'block'); return false;" title="{PIC_INFO_TITLE}"><img src="{LOCATION}images/info.gif" border="0" align="middle" alt="{PIC_INFO_TITLE}" /></a>
                </td>
                <td align="center" valign="middle" class="navmenu" width="48">
                        <a href="{SLIDESHOW_TGT}" class="navmenu_pic" title="{SLIDESHOW_TITLE}"><img src="{LOCATION}images/slideshow.gif" border="0" align="middle" alt="{SLIDESHOW_TITLE}" /></a>
                </td>
                <td align="center" valign="middle" class="navmenutitel" width="100%">
                        {PIC_TITLE} von: <a href="profile.php?uid={OWNER_ID}">{OWNER_NAME}</a>
                </td>
<!-- BEGIN report_file_button -->
                <td align="center" valign="middle" class="navmenu" width="48">
                        <a href="{REPORT_TGT}" class="navmenu_pic" title="{REPORT_TITLE}"><img src="{LOCATION}images/report.gif" border="0" align="middle" alt="{REPORT_TITLE}" /></a>
                </td>
<!-- END report_file_button -->
<!-- BEGIN ecard_button -->
                <td align="center" valign="middle" class="navmenu" width="48">
                        <a href="{ECARD_TGT}" class="navmenu_pic" title="{ECARD_TITLE}"><img src="{LOCATION}images/ecard.gif"  border="0" align="middle" alt="{ECARD_TITLE}" /></a>
                </td>
<!-- END ecard_button -->
                <td align="center" valign="middle" class="navmenu" width="48">
                        <a href="{PREV_TGT}" class="navmenu_pic" title="{PREV_TITLE}"><img src="{LOCATION}images/prev.gif"  border="0" align="middle" alt="{PREV_TITLE}" /></a>
                </td>
                <td align="center" valign="middle" class="navmenu" width="48">
                        <a href="{NEXT_TGT}" class="navmenu_pic" title="{NEXT_TITLE}"><img src="{LOCATION}images/next.gif"  border="0" align="middle" alt="{NEXT_TITLE}" /></a>
                </td>
        </tr>

EOT;
//END show navigation title and author//




Does anything there need to be reworked because of the security updates?

Αndré (Administrator)
Re: Current security updates and plugins
« Reply #1 on: March 06, 2009, 09:00:46 am »

In your theme.php, only slightly:
Code:
//BEGIN show navigation title and author//
function theme_html_img_nav_menu()
{
    global $CONFIG, $CURRENT_PIC_DATA, $meta_nav, $THEME_DIR ; //$PHP_SELF,
    global $album, $cat, $pos, $pic_count, $lang_img_nav_bar, $lang_text_dir, $template_img_navbar;

    $cat_link = is_numeric($album) ? '' : '&amp;cat=' . $cat;
    $uid_link = (isset($_GET['uid']) && is_numeric($_GET['uid'])) ? '&amp;uid=' . $_GET['uid'] : '';

    $human_pos = $pos + 1;
    $page = ceil(($pos + 1) / ($CONFIG['thumbrows'] * $CONFIG['thumbcols']));
    $pid = $CURRENT_PIC_DATA['pid'];

    $start = 0;
        $start_tgt = "{$_SERVER['PHP_SELF']}?album=$album$cat_link&amp;pos=$start";
        $start_title = $lang_img_nav_bar['go_album_start'];
        $meta_nav .= "<link rel=\"start\" href=\"$start_tgt\" title=\"$start_title\" />
        ";
        $end = $pic_count - 1;
        $end_tgt = "{$_SERVER['PHP_SELF']}?album=$album$cat_link&amp;pos=$end";
        $end_title = $lang_img_nav_bar['go_album_end'];
        $meta_nav .= "<link rel=\"last\" href=\"$end_tgt\" title=\"$end_title\" />
        ";

    if ($pos > 0) {
        $prev = $pos - 1;
        $prev_tgt = "{$_SERVER['PHP_SELF']}?album=$album$cat_link&amp;pos=$prev$uid_link";
        $prev_title = $lang_img_nav_bar['prev_title'];
                                $meta_nav .= "<link rel=\"prev\" href=\"$prev_tgt\" title=\"$prev_title\" />
                                ";
    } else {
        $prev_tgt = "javascript:;";
        $prev_title = "";
    }

    if ($pos < ($pic_count -1)) {
        $next = $pos + 1;
        $next_tgt = "{$_SERVER['PHP_SELF']}?album=$album$cat_link&amp;pos=$next$uid_link";
        $next_title = $lang_img_nav_bar['next_title'];
                                $meta_nav .= "<link rel=\"next\" href=\"$next_tgt\" title=\"$next_title\"/>
                                ";
    } else {
        $next_tgt = "javascript:;";
        $next_title = "";
    }

    // initialise both so the $params array below never references undefined
    // variables when the ecard block has been removed from the template
    $ecard_tgt = '';
    $ecard_title = '';
    if (USER_CAN_SEND_ECARDS) {
        $ecard_tgt = "ecard.php?album=$album$cat_link&amp;pid=$pid&amp;pos=$pos";
        $ecard_title = $lang_img_nav_bar['ecard_title'];
    } else {
        template_extract_block($template_img_navbar, 'ecard_button'); // added to remove button if cannot send ecard
        /*$ecard_tgt = "javascript:alert('" . addslashes($lang_img_nav_bar['ecard_disabled_msg']) . "');";
        $ecard_title = $lang_img_nav_bar['ecard_disabled'];*/
    }

    //report to moderator buttons
    $report_tgt = '';
    if (($CONFIG['report_post']==1) && (USER_CAN_SEND_ECARDS)) {
        $report_tgt = "report_file.php?album=$album$cat_link&amp;pid=$pid&amp;pos=$pos";
    } else { // remove button if report toggle is off
        template_extract_block($template_img_navbar, 'report_file_button');

    }

                    $thumb_tgt = "thumbnails.php?album=$album$cat_link&amp;page=$page$uid_link";
        $meta_nav .= "<link rel=\"up\" href=\"$thumb_tgt\" title=\"".$lang_img_nav_bar['thumb_title']."\"/>
        ";

    $slideshow_tgt = "{$_SERVER['PHP_SELF']}?album=$album$cat_link$uid_link&amp;pid=$pid&amp;slideshow=".$CONFIG['slideshow_interval'];

    $pic_pos = sprintf($lang_img_nav_bar['pic_pos'], $human_pos, $pic_count);

    if (defined('THEME_HAS_NAVBAR_GRAPHICS')) {
            $location= $THEME_DIR;
        } else {
            $location= '';
        }

    // fall back to a placeholder title when the picture has none
    if ($CURRENT_PIC_DATA['title'] == '') {
        $CURRENT_PIC_DATA['title'] = 'No name';
    }
    $params = array('{THUMB_TGT}' => $thumb_tgt,
        '{THUMB_TITLE}' => $lang_img_nav_bar['thumb_title'],
        '{PIC_INFO_TITLE}' => $lang_img_nav_bar['pic_info_title'],
        '{SLIDESHOW_TGT}' => $slideshow_tgt,
        '{SLIDESHOW_TITLE}' => $lang_img_nav_bar['slideshow_title'],
        '{PIC_POS}' => $pic_pos,
        '{ECARD_TGT}' => $ecard_tgt,
        '{ECARD_TITLE}' => $ecard_title,
        '{PREV_TGT}' => $prev_tgt,
        '{PREV_TITLE}' => $prev_title,
        '{NEXT_TGT}' => $next_tgt,
        '{NEXT_TITLE}' => $next_title,
        '{PREV_IMAGE}' => ($lang_text_dir=='ltr') ? 'prev' : 'next',
        '{NEXT_IMAGE}' => ($lang_text_dir=='ltr') ? 'next' : 'prev',
        '{REPORT_TGT}' => $report_tgt,
        '{REPORT_TITLE}' => $lang_img_nav_bar['report_title'],
        '{LOCATION}' => $location,
        '{OWNER_NAME}' => $CURRENT_PIC_DATA['owner_name'],
        '{OWNER_ID}' => $CURRENT_PIC_DATA['owner_id'],
        '{PIC_TITLE}' => $CURRENT_PIC_DATA['title'],
        );

    return template_eval($template_img_navbar, $params);
}

$template_img_navbar = <<<EOT

        <tr>
                <td align="center" valign="middle" class="navmenu" width="48">
                        <a href="{THUMB_TGT}" class="navmenu_pic" title="{THUMB_TITLE}"><img src="{LOCATION}images/thumbnails.gif" align="middle" border="0" alt="{THUMB_TITLE}" /></a>
                </td>
                <td align="center" valign="middle" class="navmenu" width="48">
                        <a href="javascript:;" class="navmenu_pic" onclick="blocking('picinfo','yes', 'block'); return false;" title="{PIC_INFO_TITLE}"><img src="{LOCATION}images/info.gif" border="0" align="middle" alt="{PIC_INFO_TITLE}" /></a>
                </td>
                <td align="center" valign="middle" class="navmenu" width="48">
                        <a href="{SLIDESHOW_TGT}" class="navmenu_pic" title="{SLIDESHOW_TITLE}"><img src="{LOCATION}images/slideshow.gif" border="0" align="middle" alt="{SLIDESHOW_TITLE}" /></a>
                </td>
                <td align="center" valign="middle" class="navmenutitel" width="100%">
                        {PIC_TITLE} von: <a href="profile.php?uid={OWNER_ID}">{OWNER_NAME}</a>
                </td>
<!-- BEGIN report_file_button -->
                <td align="center" valign="middle" class="navmenu" width="48">
                        <a href="{REPORT_TGT}" class="navmenu_pic" title="{REPORT_TITLE}"><img src="{LOCATION}images/report.gif" border="0" align="middle" alt="{REPORT_TITLE}" /></a>
                </td>
<!-- END report_file_button -->
<!-- BEGIN ecard_button -->
                <td align="center" valign="middle" class="navmenu" width="48">
                        <a href="{ECARD_TGT}" class="navmenu_pic" title="{ECARD_TITLE}"><img src="{LOCATION}images/ecard.gif"  border="0" align="middle" alt="{ECARD_TITLE}" /></a>
                </td>
<!-- END ecard_button -->
                <td align="center" valign="middle" class="navmenu" width="48">
                        <a href="{PREV_TGT}" class="navmenu_pic" title="{PREV_TITLE}"><img src="{LOCATION}images/prev.gif"  border="0" align="middle" alt="{PREV_TITLE}" /></a>
                </td>
                <td align="center" valign="middle" class="navmenu" width="48">
                        <a href="{NEXT_TGT}" class="navmenu_pic" title="{NEXT_TITLE}"><img src="{LOCATION}images/next.gif"  border="0" align="middle" alt="{NEXT_TITLE}" /></a>
                </td>
        </tr>

EOT;
//END show navigation title and author//


For the two plugins, links would be helpful if you want them checked. Otherwise you can compare the original functions with the plugin functions using WinMerge or similar.
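The comparison André recommends (original functions against the theme's copies) can be scripted, so that after each security release you know which overridden functions have to be re-merged. The following Python script is an added example, not code from this thread or from Coppermine: it extracts every function from the core theme file of the old release, the core file of the new release and a custom theme.php, reports each override as unchanged, core-changed or custom-only, prints the core diff for the changed ones, and runs a heuristic for the exact defect fixed above, a superglobal such as $_GET['uid'] read without isset(). The three PHP strings inside it are constructed test data modelled on the nav-menu function above, not real Coppermine files, and the function and variable names in the script are the example's own.

```python
"""Audit which functions a custom Coppermine theme.php overrides and which of
those a core update changed (added example, not Coppermine's own tooling)."""
import difflib
import re

FUNC_RE = re.compile(r'^\s*function\s+(\w+)\s*\(', re.MULTILINE)
SUPERGLOBAL_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\['(\w+)'\]")


def extract_functions(php_source):
    """Map each `function name(` to its full source text by brace matching.
    Braces inside strings or comments are counted too, which is adequate for
    theme files like the one in the thread, not for arbitrary PHP."""
    funcs = {}
    for m in FUNC_RE.finditer(php_source):
        depth = 0
        for j in range(php_source.index('{', m.end()), len(php_source)):
            if php_source[j] == '{':
                depth += 1
            elif php_source[j] == '}':
                depth -= 1
                if depth == 0:
                    funcs[m.group(1)] = php_source[m.start():j + 1]
                    break
    return funcs


def normalize(body):
    # collapse whitespace so re-indentation alone does not count as a change
    return re.sub(r'\s+', ' ', body).strip()


def unguarded_superglobals(body):
    """Heuristic: superglobal keys read without an isset() on the same key.
    This is the defect class fixed in the thread: $_GET['uid'] was passed to
    is_numeric() without first checking that the parameter exists."""
    compact = body.replace(' ', '')
    unguarded = []
    for sg, key in SUPERGLOBAL_RE.findall(body):
        ref = "$_%s['%s']" % (sg, key)
        if ref not in unguarded and 'isset(' + ref not in compact:
            unguarded.append(ref)
    return unguarded


def audit_overrides(core_old, core_new, custom):
    """Classify every function the custom theme defines."""
    old_f, new_f = extract_functions(core_old), extract_functions(core_new)
    report = {}
    for name in extract_functions(custom):
        if name not in new_f:
            report[name] = 'custom-only'    # private helper, nothing to merge
        elif normalize(old_f.get(name, '')) != normalize(new_f[name]):
            report[name] = 'core-changed'   # the update touched it: re-merge
        else:
            report[name] = 'unchanged'      # the override can stay as it is
    return report


def core_diff(core_old, core_new, name):
    """Unified diff of one core function between releases (what WinMerge shows)."""
    a = extract_functions(core_old).get(name, '').splitlines()
    b = extract_functions(core_new).get(name, '').splitlines()
    return '\n'.join(difflib.unified_diff(a, b, 'old/' + name, 'new/' + name,
                                          lineterm=''))


# Constructed samples modelled on the nav-menu function in the thread; they are
# not real Coppermine releases. The "new" core adds the isset() guard; the
# custom theme carries the old code plus an owner-name addition and a helper.
CORE_OLD = r"""<?php
function theme_html_img_nav_menu()
{
    global $album, $cat;
    $cat_link = is_numeric($album) ? '' : '&amp;cat=' . $cat;
    $uid_link = is_numeric($_GET['uid']) ? '&amp;uid=' . $_GET['uid'] : '';
    return $cat_link . $uid_link;
}
function theme_display_image($picture, $size)
{
    return $picture;
}
"""
CORE_NEW = CORE_OLD.replace(
    "is_numeric($_GET['uid'])",
    "(isset($_GET['uid']) && is_numeric($_GET['uid']))")
CUSTOM_THEME = CORE_OLD.replace(
    "return $cat_link . $uid_link;",
    "return $cat_link . $uid_link . ' by ' . $CURRENT_PIC_DATA['owner_name'];"
) + "\nfunction theme_my_helper()\n{\n    return 'x';\n}\n"


def main():
    for name, status in audit_overrides(CORE_OLD, CORE_NEW, CUSTOM_THEME).items():
        print(name, status)
        if status == 'core-changed':
            print(core_diff(CORE_OLD, CORE_NEW, name))
            stale = unguarded_superglobals(extract_functions(CUSTOM_THEME)[name])
            if stale:
                print('  override still reads without isset():', ', '.join(stale))


if __name__ == '__main__':
    main()
```

To use it on a real installation, read the core theme file your theme was derived from (old and new release) and your own theme.php into the three strings. The isset() check in André's version removes the undefined-index notice; keep in mind that PHP's is_numeric() also accepts signed, decimal and exponent forms such as "+7" or "1e3", so ctype_digit() is the stricter test when only a positive integer id is valid.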

Joachim Müller (Dev Team member, aka "GauGau", gaugau.de)
Re: Current security updates and plugins
« Reply #2 on: March 06, 2009, 09:32:39 am »

Without having looked at the plugins, I am still 99.9% sure that there is nothing to take care of there: all changes concern the handling of bbcode, which happens in functions.inc.php. The plugins would have to ship their own bbcode interpreter for that, which they certainly don't.
Apart from that, your request is somewhat "off scope", i.e. beyond what can be expected from regular support...

T.Gauck
Re: Current security updates and plugins
« Reply #3 on: March 06, 2009, 10:10:36 am »

Quote from: Αndré
In your theme.php, only slightly:
For the two plugins, links would be helpful if you want them checked. Otherwise you can compare the original functions with the plugin functions using WinMerge or similar.

Thanks for the help!

Quote from: Αndré
For the two plugins, links would be helpful if you want them checked. Otherwise you can compare the original functions with the plugin functions using WinMerge or similar.

As I understood it, it is mainly about the comment function. Unfortunately these are minimally modified plugins from 2005-2008 and I am out of my depth/unsure. If someone could take a look at them, that would be very NICE.

See attachment...

Thanks!

T.Gauck
Re: Current security updates and plugins
« Reply #4 on: March 06, 2009, 10:11:31 am »

Quote from: Joachim Müller
Without having looked at the plugins, I am still 99.9% sure that there is nothing to take care of there: all changes concern the handling of bbcode, which happens in functions.inc.php. The plugins would have to ship their own bbcode interpreter for that, which they certainly don't.
Apart from that, your request is somewhat "off scope", i.e. beyond what can be expected from regular support...

OOPS!  :-[

T.Gauck
Re: Current security updates and plugins
« Reply #5 on: March 06, 2009, 10:55:07 am »

Quote from: Joachim Müller
Apart from that, your request is somewhat "off scope", i.e. beyond what can be expected from regular support...

Sorry!? One more question…

A plugin pack "cpg1.4.x_plugin_pack_v3.zip" is officially offered for download here:
http://sourceforge.net/project/showfiles.php?group_id=89658

Is this checked by the CPG team for functionality and security along with an official CPG update…?

T.Gauck
Re: Current security updates and plugins
« Reply #6 on: March 06, 2009, 11:14:40 am »

Oh dear :-[,

nothing but own goals today.

It's in the ReadMe.txt