View Full Version : v.1.8.5 member comments


vinyl-junkie
12-12-2004, 02:31 PM
First of all, I had no problems upgrading to 1.8.5. No worries there.

Charter, on behalf of all the phpdig community, I just want to say thanks for moving so quickly on this security issue. Your hard work is very much appreciated!

There is something that is kind of liberating in a way to just trash a production application like this and rebuild it from the ground up. :D No, I'm not being sarcastic when I say that. It really was fun to do this, as I didn't have to worry about all my customized code not working. With a temporary "search engine not available" page in place, I was free to do what I needed to get the upgrade in place and working properly. Plus, I didn't have to worry about my site's visitors getting some blank screen or a cryptic error message.

Anyway, thanks again, Charter, for doing such a great job in taking care of this problem. :)

p.s. - I forgot to add that as I was going through the upgrade process, I decided to empty my database tables and start from scratch. While doing that, I decided to try the "spider from a list" functionality. That was sooo much quicker than just letting it spider from the root. I was able to spider over 1,000 pages in about 15 minutes. I don't think I've ever been able to spider that many pages in that length of time before. Anyway, I am a very happy camper!

renehaentjens
12-13-2004, 05:55 AM
I agree with vinyl-junkie in his appreciation of Charter's quick and hard work as a response to a security issue.

Forgive me, though, for sighing: I'll have to upgrade the DB and I'll have to carefully review the 5 PhpDig scripts that I have customized for my site, because they are all affected by this upgrade. That is going to take more than a couple of hours...

I understand that careful wording is required in this forum concerning a security issue, but it sort of leaves me in the fog, not understanding exactly what risk there is, from where I might expect an attack and what I should do first to secure my system.

Is it thát serious that I should shut down search for my user community? Or should I even remove all PhpDig 1.8.3 scripts from the system? I'm not going to do anything before I understand at least a little bit what's going on. I'm a developer, not a security expert, so I do not immediately see what might be happening...

cjones
12-13-2004, 06:41 AM
Well done Charter, a very fast response. I only wish MS was just as fast. Great idea sending via email too.

I think Charter didn't disclose the fault, because if he did a guest may see it and be able to take advantage of the issue. I don't mind as long as I could get the quick fix code.

renehaentjens
12-13-2004, 07:51 AM
[I've removed what I wrote here earlier because it was wrong. Sorry!]

The DB update seems to be related to the 1.8.4 functionality mainly and not at all related to the security fix.

If I want to stay with 1.8.3 for a little while, can I survive with just the insertion of EXTR_SKIP in search.php as mentioned elsewhere?

Charter
12-13-2004, 08:25 AM
@ vinyl-junkie: Glad you are happy, but your "current mood" is still sad. :D

@ renehaentjens: See this (http://www.phpdig.net/forum/showthread.php?t=1604) and this (http://www.phpdig.net/forum/showthread.php?t=1608). Also update the DB tables 1.8.3 -> 1.8.4 -> 1.8.5.

@ cjones: That is precisely why details are not given.

Since I took over this project, there have been two security issues. IMHO, the first was worse than the second, but they are both bad. :cry: Regardless of what I do or do not mention, the method of exploit will get out, so if you haven't done the upgrade, please do.

BTW, the first snow of the season has arrived. :deer:

vinyl-junkie
12-13-2004, 07:07 PM
renehaentjens: I feel your pain with having to re-incorporate your customized code into a new version of phpdig. The first time I upgraded phpdig, which was a few versions ago now, I hadn't fully documented the code changes I had made. That upgrade was so traumatic for me that I decided to change that. Now when an upgrade happens, I know exactly how to keep my customized code and have the new version work with a minimum of effort. I would urge you to make yourself some detailed notes on what you've done as you go through the current upgrade. Believe me, you'll be glad you took the time to do that.

Charter: "Mood" has been upgraded right along with phpdig. :D

renehaentjens
12-15-2004, 08:23 AM
Thank you Charter, but I had already seen these forum entries. Not that I understood them completely...
And I fail to understand why the DB table upgrade is needed for the security problem.
Where are you, that you already get snow?

Thank you, vinyl-junkie. I know my customizations and have documented them, I have quite some experience in customizing code. Still it takes time to check the PHP code around my customizations (old vs. new) and to re-test everything.

I may have to delay this until after new year...

renehaentjens
12-16-2004, 12:17 AM
I do not want to shut down functionality for our users. That also means that I cannot upgrade immediately, because a non-customized new version would also mean a shutdown of functionality. I find it a pity that there is no security fix advice for the existing stable version 1.8.3.

I have inserted EXTR_SKIP in search.php and clickstats.php and I have asked the colleagues to do similar updates to admin/files.php, index, limit_upd, spider, statistics, update and update_frame, because I do not have enough rights on the PhpDig server to do these myself. If that is not enough, I would appreciate if someone told me, either here or by e-mail.
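For readers who, like renehaentjens, want to know what the EXTR_SKIP insertion actually changes, here is an added PHP example. It is not phpdig's code and does not describe the issue Charter deliberately left undisclosed; it only shows the general behaviour of PHP's extract() when request keys collide with variables a script has already defined. The variable names results_per_page and template_dir, the function names, and the request array are constructed for the illustration.

```php
<?php
// Added example, not code from phpdig: what EXTR_SKIP changes about PHP's
// extract() when a request array contains keys that collide with variables
// the script has already defined. Names and the request array are constructed.

function search_defaults_overwrite(array $request)
{
    // Settings the script establishes before it looks at the request.
    $results_per_page = 10;
    $template_dir     = 'templates/default';

    // Default flag (EXTR_OVERWRITE): a request key with the same name as an
    // existing variable silently replaces the script's own value.
    extract($request);

    return [
        'results_per_page' => $results_per_page,
        'template_dir'     => $template_dir,
    ];
}

function search_defaults_skip(array $request)
{
    $results_per_page = 10;
    $template_dir     = 'templates/default';

    // EXTR_SKIP: keys that already exist as variables in this scope are
    // ignored, so only names not yet defined are imported from the request.
    extract($request, EXTR_SKIP);

    return [
        'results_per_page' => $results_per_page,
        'template_dir'     => $template_dir,
    ];
}

// Audit helper: which request keys would overwrite one of the listed protected
// variables if extract() were called without EXTR_SKIP. Handy for logging while
// reviewing customized scripts for extract() calls.
function colliding_keys(array $request, array $protected)
{
    return array_values(array_intersect(array_keys($request), $protected));
}

// Constructed request: one legitimate search key plus two colliding names.
$request = [
    'query_string'     => 'phpdig upgrade',
    'results_per_page' => '100000',
    'template_dir'     => 'somewhere/else',
];

var_dump(search_defaults_overwrite($request));
var_dump(search_defaults_skip($request));
var_dump(colliding_keys($request, ['results_per_page', 'template_dir']));
```

Two things to keep in mind when applying this to your own customized scripts: EXTR_SKIP protects only variables that are already set at the moment extract() runs, so a variable the script assigns later, or relies on without ever initializing, can still be supplied through the request; and the flag changes nothing for keys that do not collide. Reading the specific keys a script needs from $_GET or $_POST, rather than extracting the whole array, removes the question entirely.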

Siava
12-16-2004, 05:25 AM
Sorry for going off-topic, but 1.8.6 is great!
Big respect! :D