[DONE] More Board/Category Options 2.0 SP1.1 (Read 56336 times)
mx5gr
Junior Member
**
Offline


I love YaBB 1G - SP1!

Posts: 55
Joined: Jan 22nd, 2003
Re: [DONE] More Board/Category Options 2.0 SP1.1
Reply #135 - Jun 2nd, 2003 at 4:40pm
The version on boardmod using the link you provided is for SP1 & SP1.1 only. The SP1.3.1 is still undercover  8)
  
 
BHRA Webmaster
God Member
*****
Offline


Mod Author of the Year
2002

Posts: 5238
Location: BHRA Headquarters
Joined: Jan 18th, 2002
Gender: Male
Re: [DONE] More Board/Category Options 2.0 SP1.1
Reply #136 - Jun 2nd, 2003 at 5:56pm
Quote:
(or the final mods for SP1.3/1.3.1 board depending on your YaBB version.)


MBCO2 for SP1.3
  


World Domination, one smiley at a time!

mx5gr
Re: [DONE] More Board/Category Options 2.0 SP1.1
Reply #137 - Jun 3rd, 2003 at 8:52am
Thanx!
  
 
Jander
New Member
*
Offline


I love YaBB 1G - SP1!

Posts: 5
Joined: Jun 10th, 2002
Re: [DONE] More Board/Category Options 2.0 SP1.1
Reply #138 - Jun 13th, 2003 at 7:09am
Hi!

I am the admin of a YaBB1SP1-Board. I use the MBCO2-mod and like it very much, but I think I found a serious security leak!

If I want to give access to a board only to a certain membergroup, it works fine from within the board. But if one uses the link to the board and adds a special sign after the link (for example: > or ~), it is possible even for Guests to read in this board! An example: if I use the link http://myserver/YaBB.cgi?board=adminmod_forum and the board is only for a certain membergroup, guests or other members who do not belong to the group cannot get in the board. But if you type http://myserver/YaBB.cgi?board=adminmod_forum> or YaBB.cgi?board=adminmod_forum~ or something similar, the board opens even for guests.

I hope you understand the problem and maybe you could give me an answer on how to fix this leak!

Greetings,
Jander
  
 
Dummy Proof
God Member
*****
Offline


I hate Bosses!  Now get
to work!

Posts: 991
Location: Outside L.A.
Joined: Aug 8th, 2002
Gender: Male
Re: [DONE] More Board/Category Options 2.0 SP1.1
Reply #139 - Jun 13th, 2003 at 8:49am
Because of Jander's post above I looked into this problem on a "base" YaBB SP1.3 install. You might want to check out this thread:
http://www.yabbforum.com/community/YaBB.pl?board=Y1GoldSPs;action=display;num=10...

Dummy
  

Ya can Idiot proof it...
Ya can Dummy proof it...
But ya can never...
...Blonde proof it!

BHRA Webmaster
Re: [DONE] More Board/Category Options 2.0 SP1.1
Reply #140 - Jun 13th, 2003 at 10:12am
I've tried putting non-standard characters at the ends of the URLs for boards protected by either YaBB's standard category access and mbco2's board access. The result was either a CGI error, or when Dummy Proof's fix was applied, an invalid board string error. At no time did I actually see the contents of the board.

So Jander, what exactly are you doing to get access? And is there anything different about your board that we should know about? Is this something that's restricted to SP1? (I tried on SP1.3.1 and a modified SP1.1)
  


World Domination, one smiley at a time!

Jander
Re: [DONE] More Board/Category Options 2.0 SP1.1
Reply #141 - Jun 13th, 2003 at 10:53am
Hi!

The YaBB standard category access cannot be fooled with this trick. I get a message that I am not allowed to view this forum when I try to access it as a guest with the "special-character"-trick.
I also would expect that trying to access a board with a special character added to its original name would result in a "board not found" error, but somehow the board IS found and the MBCO2-access check is not executed on it. This happens - I think - because the lists of the allowed members and groups for a board with the special signs are empty, as the board does not exist. So, the board is treated as if there was no access restriction and guests may read it, too. If you try to post in such a board as a guest, you get an error message, by the way!
The problem is, I think, that somehow the special character is ignored when the board's .dat file is opened, so the correct file is found, but when looking for the access restrictions for the board, the special sign is NOT ignored and therefore no restrictions are found of course...

Try the following links:

http://www.paratties.at/cgi-bin/YaBB/YaBB.cgi?board=rattcom_allgemein
will not let you in

http://www.paratties.at/cgi-bin/YaBB/YaBB.cgi?board=rattcom_allgemein~
will let you in!
  

Jander
Re: [DONE] More Board/Category Options 2.0 SP1.1
Reply #142 - Jun 13th, 2003 at 10:59am
Code
sub LoadBoard {
	my $threadid = $INFO{'num'} || $INFO{'thread'} || $FORM{'threadid'};
	if($currentboard ne '') {



		unless( &BoardAccessGet($currentboard) ) { &fatal_error( $txt{'1'} ); }

		[b]fopen(FILE, "$boardsdir/$currentboard.dat") || &fatal_error("400 $txt{'106'}: $txt{'23'} $currentboard.dat");[/b]
		@yyBoardInfo =<FILE>;
		fclose(FILE);
 



The bold line above does not seem to work if you add a special character; the file IS found.

I will try the following solution:
Code
sub LoadBoard {
	my $threadid = $INFO{'num'} || $INFO{'thread'} || $FORM{'threadid'};
	if($currentboard ne '') {

####
		unless ($currentboard =~ /^[a-z0-9_]+$/i) { &fatal_error( $txt{'1'} ); }
####

		unless( &BoardAccessGet($currentboard) ) { &fatal_error( $txt{'1'} ); }

		fopen(FILE, "$boardsdir/$currentboard.dat") || &fatal_error("400 $txt{'106'}: $txt{'23'} $currentboard.dat");
		@yyBoardInfo =<FILE>;
		fclose(FILE);
 



This should give me an error message when a special sign is used...
  

BHRA Webmaster
Re: [DONE] More Board/Category Options 2.0 SP1.1
Reply #143 - Jun 13th, 2003 at 11:20am
From Subs.pl (SP1.3.1)

Code
$currentboard = $INFO{'board'};
if ($currentboard =~ m~/~){ &fatal_error($txt{'399'}); }
if ($currentboard =~ m~\\~){ &fatal_error($txt{'400'}); }
if ($currentboard ne '' && [highlight size=1 color=red background=]$[/highlight]currentboard !~ /\A[\s0-9A-Za-z#%+,-\.:=?@^_]+\Z/){ &fatal_error($txt{'399'}); } 


The last line here is the line that generates an error if a board name contains an inappropriate character. I've also checked the SP1 version of this code, and it appears to contain a typo which was fixed in the SP1-> SP1.1 upgrade (the "$" character highlighted is missing from the SP1 code!)
  


World Domination, one smiley at a time!
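
The check quoted in reply #143, run against board names like those in Jander's report, as an added example (not part of the thread and not YaBB's own code). It shows the SP1 form with the missing "$" accepting every name while the corrected form rejects "~" and ">"; the sub names and the narrower \z-anchored variant are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allowlist copied from the SP1.3.1 Subs.pl line quoted in the post above.
my $ALLOWED = qr/\A[\s0-9A-Za-z#%+,-\.:=?@^_]+\Z/;

# SP1 form as the post describes it: the "$" sigil is missing, so without
# strict Perl matches the literal string "currentboard", never the input.
sub rejects_sp1_typo {
    my ($currentboard) = @_;
    no strict 'subs';
    no warnings;
    return ($currentboard ne '' && currentboard !~ $ALLOWED) ? 1 : 0;
}

# Corrected form (SP1.1 and later): the request value itself is matched.
sub rejects_fixed {
    my ($currentboard) = @_;
    return ($currentboard ne '' && $currentboard !~ $ALLOWED) ? 1 : 0;
}

# Assumption, not YaBB code: the narrower class from reply #142, anchored
# with \z so that a trailing newline is rejected as well.
sub rejects_narrow {
    my ($currentboard) = @_;
    return ($currentboard !~ /\A[A-Za-z0-9_]+\z/) ? 1 : 0;
}

# Under "use strict" the same typo does not compile; capture that error.
sub strict_catches_typo {
    my $ok = eval q{ use strict; no warnings; my $r = (currentboard !~ /x/); 1 };
    return $ok ? 0 : 1;
}

# Constructed board names modelled on the URLs in the report.
my @samples = ('adminmod_forum', 'adminmod_forum~', 'adminmod_forum>',
               "adminmod_forum\n");

for my $name (@samples) {
    (my $shown = $name) =~ s/\n/\\n/g;
    printf "%-18s sp1_typo=%d fixed=%d narrow=%d\n", $shown,
        rejects_sp1_typo($name), rejects_fixed($name), rejects_narrow($name);
}
printf "strict catches the typo at compile time: %s\n",
    strict_catches_typo() ? 'yes' : 'no';
```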

Jander
Re: [DONE] More Board/Category Options 2.0 SP1.1
Reply #144 - Jun 13th, 2003 at 11:27am
You are right! Will try this tonight, THANKS A LOT!!!
  
 
MzBeanz
Full Member
***
Offline


Life is...... What you
make it!

Posts: 241
Location: Texas
Joined: Jun 22nd, 2003
Gender: Female
Re: [DONE] More Board/Category Options 2.0 SP1.1
Reply #145 - Jul 17th, 2003 at 8:52pm
I get this error when I try to download

ERROR 404
/error.php?num=404
This page cannot be found... it might have been removed, had its name changed, or is temporarily unavailable.
  

BHRA Webmaster
Re: [DONE] More Board/Category Options 2.0 SP1.1
Reply #146 - Jul 17th, 2003 at 11:02pm
What download link are you trying exactly?
  


World Domination, one smiley at a time!

MzBeanz
Re: [DONE] More Board/Category Options 2.0 SP1.1
Reply #147 - Jul 17th, 2003 at 11:36pm
In the first message of this thread

Download: Ok, use this zip file:
http://boardmod.yabbforum.com/yabb/attachments/mbc2.zip

thanks
  

BHRA Webmaster
Re: [DONE] More Board/Category Options 2.0 SP1.1
Reply #148 - Jul 18th, 2003 at 10:37am
If you're using SP1/1.1, try getting it from the mods database instead:

http://boardmod.yabbforum.com/mods.php?searchfor=mbc2.zip
  


World Domination, one smiley at a time!

MzBeanz
Re: [DONE] More Board/Category Options 2.0 SP1.1
Reply #149 - Jul 18th, 2003 at 12:31pm
I am using SP1.3.1....
  