×

Notice

The forum is in read only mode.
Welcome, Guest
Username: Password: Remember me
  • Page:
  • 1

TOPIC: Files affected by fixes

Files affected by fixes 14 years 4 months ago #10251

  • Owen
  • Owen's Avatar Topic Author
  • Offline
  • Junior Boarder
  • Junior Boarder
  • Posts: 22
  • Thank you received: 0
Hi Daniel, in continuation with my PM, here are some of the fixes made in version 4.1.7.
If it's possible, I would appreciate if you could please write below each of them
which files exactly were changed (since version 4.1.4) for each of these fixes:

# updated com_content plugin

# fixed wrong SEF urls with sef components

# some fixes for php 5.3 compatability

# Fixed persistent XSS vulnerability

# Fixed reflective XSS vulnerabitlity

# Fixed LFI vulnerability

# Fixed CSRF vulnerability

# Fixed frontend XSS vulnerability

# Fixed backend XSS vulnerabitlity


This way I could compare the changes in the files and verify what I can replace "manually" without affecting my own changes.

Thanks!
Owen

Files affected by fixes 14 years 4 months ago #10258

  • Daniel Dimitrov
  • Daniel Dimitrov's Avatar
  • Offline
  • Administrator
  • Administrator
  • Posts: 9618
  • Karma: 155
  • Thank you received: 1081
# updated com_content plugin
- when you see something with a plugin, then it can be 99% found in:
administrator/components/com_comment/plugin (search for com_content there)

# fixed wrong SEF urls with sef components
- this is also in the above plugin - the plugins create the links

# some fixes for php 5.3 compatability
- this was something in the backend - a fatal error was shown with 5.3 because we used an outdated version of a function or so. I'm not sure anymore in which file you can find this

# Fixed persistent XSS vulnerability
# Fixed reflective XSS vulnerabitlity
# Fixed frontend XSS vulnerability
- those are all in components/com_comment/classes/joscomment/josc_ubbcode.php

# Fixed backend XSS vulnerabitlity
- I think the fixes were in administrator/components/com_comment/views/comment/tmpl/default.php

# Fixed LFI vulnerability
# Fixed CSRF vulnerability
for those 2 you will have to search a lot.
components/com_comment/comment.php
components/com_comment/classes/joscomment/josc_post.php
components/com_comment/classes/joscomment/josc_visual.php
components/com_comment/classes/joscomment/josc_board.php

In generally about the above 2 fixes - in the past we were using our own method in josc_utils to fetch data send to the server.
Now we use JRequest and we explicitly specify what type the data have to be and where it is coming from GET/POST.
Cheers,
Daniel

Files affected by fixes 14 years 4 months ago #10261

  • Owen
  • Owen's Avatar Topic Author
  • Offline
  • Junior Boarder
  • Junior Boarder
  • Posts: 22
  • Thank you received: 0
Thank you, Daniel. That helped me greatly.
I'm using sh404sef but I'm not sure if I noticed the problem with the SEF URLs.
Can you please give an example how a wrong URL looked before and how it's supposed to look now?

Thanks

Files affected by fixes 14 years 4 months ago #10262

  • Daniel Dimitrov
  • Daniel Dimitrov's Avatar
  • Offline
  • Administrator
  • Administrator
  • Posts: 9618
  • Karma: 155
  • Thank you received: 1081
the problems was that my sef component was creating duplicate links, because the com_content sef function was adding some query strings to the query and the component was thinking that it is a different url.
Now the only string appended to the url is the anchor with comment and that doesn't trigger a duplicate url.
Cheers,
Daniel
  • Page:
  • 1
Time to create page: 0.154 seconds