Patches V3 code: page-forum.php, overall_footer.html and overall_header.html JS code

Posted: Fri Jan 04, 2019 9:00 am
by axew3
v3 iframe phpBB Wordpress template integration code
Js code of overall_footer.html:
changed:

Code:

//parent.w3all_ajaxup_from_phpbb(w3appendevents);
into

Code:

parent.w3all_ajaxup_from_phpbb(w3appendevents);
It was wrongly commented out, so on iframe user login/logout, for example, the WP page did not reload to update the state of the user on both CMSs.
This is the main little fix, but there is another too:

Also, the part to add into header.html has been changed to correctly assign a var: the code seemed to work fine even with this little error, but some browsers may not process it correctly.
Better to change to the new patched code and avoid any possible issue.

Another little part was also changed, together with the page-forum.php code, to prevent and resolve a possible (secondary) security issue.
The secondary security issue resolved here, explained:
Let's suppose that an admin accesses the phpBB ACP or UCP via the iframe: phpBB by default appends a sid to the URLs, so the code as it was naturally passed this string on to be encoded and then pushed or passed as the URL to load the resource.
Now let's suppose that a mod, an admin or a user with a sid appended copies the link in the address bar, which is encoded and contains the sid; he may not notice this, because he can't see what the encoded string really contains, and he goes on to paste it elsewhere.
This is hard to reproduce, and if it happens, in theory the sid alone should not be sufficient to gain access as another user. Anyway, there are such skilled guys around, you know, and it could be a little mess. Fixed/resolved.

P.S. The same problem (encoded URL containing the sid) also came up on right-click copy or open-link actions if, as in the very last step of the v3 iframe procedure, the part of the code for overall_footer.html (where it is indicated that right-click copy encoded links are not necessary if the overall_header.html code has been added) wasn't removed.
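
An added example, not part of the original post or the plugin's own code: one way to keep the phpBB sid out of an encoded link, plus a check for links that were already encoded. It assumes the encoding is base64 (the post only says "encoded"); the function names, host and sid value are constructed for illustration.

```javascript
// Added example. Assumption: the link is base64-encoded before it reaches
// the parent page's address bar; function names here are hypothetical.

// Drop phpBB's session id from a URL before it is encoded or shared.
function stripSid(rawUrl, base) {
  // phpBB templates often emit "&amp;" as the separator; normalise it.
  const url = new URL(rawUrl.replace(/&amp;/g, '&'), base);
  url.searchParams.delete('sid');
  return url.toString();
}

// Encode the sid-free URL for the parent page.
function encodeForParent(rawUrl, base) {
  return btoa(stripSid(rawUrl, base));
}

// Audit helper: does an already-encoded link still carry a sid?
function leaksSid(encoded) {
  let decoded;
  try {
    decoded = atob(encoded);
  } catch {
    return false; // not valid base64, nothing to inspect
  }
  return /[?&]sid=[0-9a-f]+/i.test(decoded.replace(/&amp;/g, '&'));
}

// Constructed sample values (not a real host or session).
const BASE = 'https://forum.example/phpBB3/';
const SAMPLE =
  './ucp.php?i=pm&amp;folder=inbox&amp;sid=0123456789abcdef0123456789abcdef';
```

Other query parameters are kept, so the link still opens the same page; only the session identifier is dropped before encoding.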

Re: Patches V3 code: page-forum.php, overall_footer.html and overall_header.html JS code

Posted: Fri Jan 04, 2019 9:35 pm
by xray
I changed and commented out, now it just redirects logging out automatically!

Re: Patches V3 code: page-forum.php, overall_footer.html and overall_header.html JS code

Posted: Fri Jan 04, 2019 9:46 pm
by axew3
But maybe it is related to the fact that you did not resolve the previous login/logout problem?
Because with the line activated, when the user is not logged in to phpBB but is logged in to WordPress, the page will reload and also log out from WordPress.
I assume, anyway, that the iframe integration is not working because there are still login problems with cookies?

Re: Patches V3 code: page-forum.php, overall_footer.html and overall_header.html JS code

Posted: Fri Jan 04, 2019 10:19 pm
by xray
Right, the login/logout was still causing intermittent problems. Now I cannot get logged into the forums to even purge the cache. I can log in to WP with no problems; it's only when I click on the forum link and try to log in there that I have the issue. If I am already logged in with WP and click the forum link (iframe mode), it will automatically log me out of both.

I am stumped, as I put the code back how it was before I added the patch code you suggested, and the resulting behavior is redirect/logout.

Re: Patches V3 code: page-forum.php, overall_footer.html and overall_header.html JS code

Posted: Sat Jan 05, 2019 6:19 am
by xray
Is it a localhost install, or can we see it online?
You take a PM?

Re: Patches V3 code: page-forum.php, overall_footer.html and overall_header.html JS code

Posted: Sat Jan 05, 2019 8:53 am
by axew3
No PM! Problems with iframe and PM? Let me check ...
Just sent one to you and no, no problems, but no PM from you.