Patches V3 code: page-forum.php, overall_footer.html and overall_header.html JS code
Posted: Fri Jan 04, 2019 9:00 am
v3 iframe phpBB Wordpress template integration code
Js code of overall_footer.html:
changed:
into
it was wrongly commented out, so on iframe user login/out for example, wp page not reload to update the state of the user on both cms.
This is the main little fix, but there is another too:
Also the part to add into header.html has been changed to correctly assign a var: the code seem was working fine also with this little error, by the way may some browser will not correctly process it.
Better change to the new patched code and avoid any possible issue.
Also changed into another little part, together with page-forum.php code to prevent and resolve a possible (secondary) security issue.
The secondary security issue resolved here explained:
let suppose that an admin access phpBB ACP or UCP via iframe: what happen is that phpBB by default append a sid to the URLs: so the code as was, naturally passing this string to be encoded and so pushed or passed as url to load the resource.
So, now let suppose that a mod or an admin or an user with a sid appended, copy the link on address bar, that is encoded and contain the sid, so may he is not noticed of this because can't see what really the string encoded contain, and he go to paste it elsewhere.
SO hard to reproduce and that happen, in theory only the sid should not be sufficient to gain access as another user. By the way, there are so skilled guys around you know, and could be a little mess. Fixed/resolved.
p.s the same problem (encoded url containing sid) was so coming out also on right/click/copy or open link action, if as on the very last step of v3 iframe procedure, the part of code for overall_footer.html (where indicated that right/click copy links encoded are not necessary if oveall_header.html code has been added) wasn't removed.
Js code of overall_footer.html:
changed:
Code: Select all
//parent.w3all_ajaxup_from_phpbb(w3appendevents);
Code: Select all
parent.w3all_ajaxup_from_phpbb(w3appendevents);
This is the main little fix, but there is another too:
Also the part to add into header.html has been changed to correctly assign a var: the code seem was working fine also with this little error, by the way may some browser will not correctly process it.
Better change to the new patched code and avoid any possible issue.
Also changed into another little part, together with page-forum.php code to prevent and resolve a possible (secondary) security issue.
The secondary security issue resolved here explained:
let suppose that an admin access phpBB ACP or UCP via iframe: what happen is that phpBB by default append a sid to the URLs: so the code as was, naturally passing this string to be encoded and so pushed or passed as url to load the resource.
So, now let suppose that a mod or an admin or an user with a sid appended, copy the link on address bar, that is encoded and contain the sid, so may he is not noticed of this because can't see what really the string encoded contain, and he go to paste it elsewhere.
SO hard to reproduce and that happen, in theory only the sid should not be sufficient to gain access as another user. By the way, there are so skilled guys around you know, and could be a little mess. Fixed/resolved.
p.s the same problem (encoded url containing sid) was so coming out also on right/click/copy or open link action, if as on the very last step of v3 iframe procedure, the part of code for overall_footer.html (where indicated that right/click copy links encoded are not necessary if oveall_header.html code has been added) wasn't removed.