You are missing our premiere tool bar navigation system! Register and use it for FREE!

NukeCops  
•  Home •  Downloads •  Gallery •  Your Account •  Forums • 
Readme First
- Readme First! -

Read and follow the rules, otherwise your posts will be closed
Modules
· Home
· FAQ
· Buy a Theme
· Advertising
· AvantGo
· Bookmarks
· Columbia
· Community
· Donations
· Downloads
· Feedback
· Forums
· PHP-Nuke HOWTO
· Private Messages
· Search
· Statistics
· Stories Archive
· Submit News
· Surveys
· Theme Gallery
· Top
· Topics
· Your Account
Who's Online
There are currently, 66 guest(s) and 0 member(s) that are online.

You are Anonymous user. You can register for free by clicking here
Nuke Cops :: View topic - News Story HTML formatting help. [ ]
 Forum FAQ  •  Search  •   •  Memberlist  •  Usergroups   •  Register  •  Profile •    •  Log in to check your private messages  •  Log in

News Story HTML formatting help.
 
Post new topic  Reply to topicprinter-friendly view Nuke Cops Forum Index » Nuke Security
View previous topic Log in to check your private messages View next topic
Author Message
Streamweaver
Nuke Soldier
Nuke Soldier


Joined: Mar 30, 2003
Posts: 13
PostPosted: Sun Mar 30, 2003 12:48 pm Reply with quoteBack to top
(Running PHPNuke 6.0 site, on UNIX with PHP version 4.2.3, at this URL:

As recommended at Nuke Resources here( http://www.nukeresources.com/modules.php?name=News&file=article&sid=257), I've applied the Security Fixes for 6.0 with the phpbb port 2.0.6 modules.php file. I also applied the mainfile.php code replacements specified here (http://www.nukeresources.com/modules.php?name=News&file=article&sid=287&mode=&order=0&thold=0.

My problem is that all HTML code in my news stories is now replaced as if using the htmlentries() php function. I understood some simple HTML was still allowed in news stories but it doesn't seem to work for me. What would be the best way to re-enable the HTML in these news stories? If I understand the security hole correctly the problem is with news submissions and posts containing malicious code. I would rather keep the HTML formatting in my news stories, deactivate the submit news module, and include an email news mailto instead (should work for my sites traffic). Would this seem a reasonable solution to you guys, and how can I get my HTML back?

Also, just an observation on that security fix file. I'm running phpbb 2.0.3 and initially in that security fix I did NOT use the specific module.php file specified for phpbb 2.0.6 users (I used the one that came with the secfix), however this broke my phpbb boards and made it could not read logged in users at all. I applied the modules.php 2.0.6 file and the forums seem to work fine now. (I'm probably an idiot and missing something but I wanted to pass that on in case someone is having similar problems).

Can anyone give some advice on the news html issue?

Thanks in advance for any help.

Streamweaver (http://www.swg-datapad.com/)
Find all posts by StreamweaverView user's profileSend private message
chatserv
General
General


Joined: Jan 12, 2003
Posts: 3128

Location: Puerto Rico
PostPosted: Sun Mar 30, 2003 1:38 pm Reply with quoteBack to top
If using PHP-Nuke 6.0 download the secfix patch available at www.phpnuke.org and replace your mainfile.php with the one included in the patch.

_________________
Feed a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime.
ScriptHeaven | NukeResources
Find all posts by chatservView user's profileSend private messageVisit poster's website
Streamweaver
Nuke Soldier
Nuke Soldier


Joined: Mar 30, 2003
Posts: 13
PostPosted: Sun Mar 30, 2003 2:03 pm Reply with quoteBack to top
I want to thank you very much for the answer, that fixed the problem. I'm unsure as to why there are two files on two sites both called secfixes6 that give two different results. Thanks again.

As to the submit news module, would you consider it a better security practice to disable "submit news" and use a mailto link instead of a sites news can handle the load?
Find all posts by StreamweaverView user's profileSend private message
Display posts from previous:      
Post new topic  Reply to topicprinter-friendly view Nuke Cops Forum Index » Nuke Security
View previous topic Log in to check your private messages View next topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB © 2001, 2005 phpBB Group

Ported by Nuke Cops © 2003 www.nukecops.com
:: FI Theme :: PHP-Nuke theme by coldblooded (www.nukemods.com) ::
Powered by · TOGETHER TEAM srl ITALY http://www.togetherteam.it · DONDELEO E-COMMERCE http://www.DonDeLeo.com
Web site engine's code is Copyright © 2002 by PHP-Nuke. All Rights Reserved. PHP-Nuke is Free Software released under the GNU/GPL license.
Page Generation: 0.433 Seconds - 335 pages served in past 5 minutes. Nuke Cops Founded by Paul Laudanski (Zhen-Xjell)
:: FI Theme :: PHP-Nuke theme by coldblooded (www.nukemods.com) ::