Page 1 of 1
phpBB WordPress 2.2.3 !important fix security bug on page-forum
Posted: Sat Feb 22, 2020 5:53 pm
by axew3
Code: Select all
== Changelog ==
= 2.2.3 =
*Release Date - 22 Feb, 2020*
* Fix: (iframe) page-forum.php security bug
* !important: Update as soon page-forum rebuilding it on plugin admin, or manually substituting it
* Fix: (iframe) page-forum.php: default /wp-content/plugins/wp-w3all-phpbb-integration/addons/page-forum.php has been updated again (and definitively fixed) to correctly process urls, if url coming from a click into WP widgets. To update to the latest page-forum, rebuild it into plugin admin or manually replace with the new one of this release: https://www.axew3.com/w3/2020/01/phpbb-wordpress-template-integration-iframe-v5/
* Fix: PHP Notice: Undefined variable: topics_x_ugroup ON class.wp.w3all-phpbb.php on line 2161
* Fix: secondary notice error on line 1185 class.wp.w3all-phpbb.php
* Fix: the 'Transfer phpBB Users into WordPress' option
* ADD: single phpBB user addition into WordPress option into the 'Transfer phpBB Users into WordPress' page
* Fix: more important fixes
* Notice: Update as soon and report bugs!
Re: phpBB WordPress 2.2.3 !important fix security bug on page-forum
Posted: Sat Feb 22, 2020 6:18 pm
by muti
Update as soon page-forum rebuilding it on plugin admin, or manually substituting it
What exact need to do ?
Re: phpBB WordPress 2.2.3 !important fix security bug on page-forum
Posted: Sat Feb 22, 2020 6:36 pm
by axew3
Open main WP_w3all plugin page, click into
Create/Rebuild WP_w3all phpBB Page Template button
this will rebuild the page-forum(or whatever named) into the wp active template folder.
If you want to do it manually, just follow instructions on how to update, following just the part about copy/paste the page
https://www.axew3.com/w3/2020/01/phpbb- ... iframe-v5/
If you want to edit into a page-forum that you hardly modified and do not want loose time:
this code
Code: Select all
if( isset($_GET["w3"]) ){ // default
$phpbb_url = trim(base64_decode($_GET["w3"]));
$w3all_url_to_cms = $w3all_url_to_cms . '/' . $phpbb_url;
if( preg_match('/[^-0-9A-Za-z\._#\:\?\/=&%]/ui',$phpbb_url) ){
$w3all_url_to_cms = $w3all_url_to_cms;
}
} elseif ( isset($_GET[$w3all_iframe_custom_w3fancyurl]) && empty($w3forum_id) ){ //fancy
$phpbb_url = trim(base64_decode($_GET[$w3all_iframe_custom_w3fancyurl]));
$w3all_url_to_cms = $w3all_url_to_cms . '/' . $phpbb_url;
if( preg_match('/[^-0-9A-Za-z\._#\:\?\/=&%]/ui',$phpbb_url) ){
$w3all_url_to_cms = $w3all_url_to_cms;
}
}
need to be replaced by this:
Code: Select all
// security/switch
$w3all_url_to_cms0 = $w3all_url_to_cms;
if( isset($_GET["w3"]) && empty($w3forum_id) ){ // default
$phpbb_url = trim(base64_decode($_GET["w3"]));
$w3all_url_to_cms = $w3all_url_to_cms . '/' . $phpbb_url;
if( preg_match('/[^-0-9A-Za-z\._#\:\?\/=&%]/ui',$phpbb_url) ){
$w3all_url_to_cms = $w3all_url_to_cms0;
}
} elseif ( isset($_GET[$w3all_iframe_custom_w3fancyurl]) && empty($w3forum_id) ){ //fancy
$phpbb_url = trim(base64_decode($_GET[$w3all_iframe_custom_w3fancyurl]));
$w3all_url_to_cms = $w3all_url_to_cms . '/' . $phpbb_url;
if( preg_match('/[^-0-9A-Za-z\._#\:\?\/=&%]/ui',$phpbb_url) ){
$w3all_url_to_cms = $w3all_url_to_cms0;
}
}
Re: phpBB WordPress 2.2.3 !important fix security bug on page-forum
Posted: Sun Feb 23, 2020 12:56 am
by Dysphoria
This fixed my problem, thank you!
Re: phpBB WordPress 2.2.3 !important fix security bug on page-forum
Posted: Sun Feb 23, 2020 8:07 am
by axew3
Dysphoria wrote: ↑Sun Feb 23, 2020 12:56 am
This fixed my problem, thank you!
No!
unfortunately, you still have this into last topics urls widget (you refer to this)
viewtopic.php?f=2&t=1498
links into widget still return something like:
Code: Select all
https://talkatastic.be/index.php/index.php/forum/?forum_id=15&topic_id=59&post_id=343#p343
the
/index.php/index.php/ still is there, and caused by some setting (i assume) that should be changed somewhere into your WordPress, or htaccess or server settings.
should be
Code: Select all
https://talkatastic.be/index.php/forum/?forum_id=15&topic_id=59&post_id=343#p343
or
Code: Select all
https://talkatastic.be/forum/?forum_id=15&topic_id=59&post_id=343#p343
Redirect flow works by the way, but urls result into your widget isn't still correct (and when you point to a topic/post, you're redirected to login page in phpBB, that's maybe due to some other setting into phpBB? Is this what you want?)
If i will note somewhere something that will remind me to your solution i will report you, please do the the same if you discover where the problem is in the while.
Re: phpBB WordPress 2.2.3 !important fix security bug on page-forum
Posted: Sun Feb 23, 2020 12:39 pm
by Dysphoria
I'll look for it, but I don't know which setting that could be. Don't see anything out of the ordinary in wp.
.htaccess could be the one doing this, but than I need another code to force https.
The redirecting to the loginpage is intentional.