Serious Security Issue In PHPMyFAQ 1.4

Post by **Thorsten** » Wed Jul 28, 2004 1:42 pm

Hi,

okay, I will look for the problem, too.

bye
Thorsten

Chad Beattie · Post by **Chad Beattie** » Wed Jul 28, 2004 1:57 pm

Hmm, this is very odd. After clicking on the image button in the WYSIWYG a few times, it started to pop up. But, after the image manager came up, the WYSIWYG went away and doesn't show up anymore. Maybe there is something with java detection? Just guessing as I am not for sure how it all works yet.

Edit: I closed an re-opened IE and it seems to be working now. However, firefox it does not work even though it shows the WYSIWYG.

Post by **Thorsten** » Wed Jul 28, 2004 2:35 pm

Hi,

do you have access to the errorlog from Apache?

bye
Thorsten

Chad Beattie · Post by **Chad Beattie** » Wed Jul 28, 2004 2:54 pm

Thorsten wrote:Hi,

do you have access to the errorlog from Apache?

bye
Thorsten

Yes, I do. The only errors I am seeing right now are when I create a new entry:

[Wed Jul 28 09:00:31 2004] [error] [client x.x.x.x] File does not exist: /usr/local/www/data/phpmyfaq/admin/editor/plugins/InsertWords/lang/en.js

When I click on the Image Manager in the WYSIWYG editor, no errors show up in the log.

In IE, I do see a script error message. It seems sometimes the HTML Area editor works, other times it doesn't. When it does work, the Image Manager shows up ok. In Firefox, I haven't been able to get it to show up yet although the HTML Area works. Here is a print screen of the IE script message.

I will install this on another server I have also just to see if I have the same problems or not. Let me know if you need any other information.

Thanks

Post by **Thorsten** » Wed Jul 28, 2004 2:58 pm

Hi,

I could send you the pre-release of phpMyFAQ 1.4.1 RC1 with lots of bugfixes.

bye
Thorsten

Chad Beattie · Post by **Chad Beattie** » Wed Jul 28, 2004 3:16 pm

Thorsten wrote:Hi,

I could send you the pre-release of phpMyFAQ 1.4.1 RC1 with lots of bugfixes.

bye
Thorsten

That sounds good. Just to let you know, I setup the install on a different server and am seeing the same issues. IE reports a script error and doesn't always load the WYSIWYG interface. Firefox always loads the WYSIWYG editor but still shows a blank screen. The error log shows the following:

[Wed Jul 28 09:19:20 2004] [error] [client x.x.x.x] File does not exist: /usr/local/www/data/phpmyfaq/admin/editor/plugins/InsertWords/lang/en.js

If you would like to send me the pre-release version, I can set it up right away and do some testing on it and report back my findings. You can send it to my email address that is listed in my user profile for the forums. I think you can view that by going into the admin control panel.

Thanks

Post by **Thorsten** » Wed Jul 28, 2004 3:25 pm

Hi,

I sent you an e-mail.

bye
Thorsten

Chad Beattie · Post by **Chad Beattie** » Wed Jul 28, 2004 4:25 pm

Thorsten wrote:Hi,

I sent you an e-mail.

bye
Thorsten

I installed it and it seems to be working fine now in both IE and Firefox. I no longer see the script errors in IE. The image manager now has options to upload images although I am getting "Not authorized" when attempting to upload. I imagine it is probably a config or permission problem with my setup. Otherwise, it seems to be working much better as far as the WYSIWYG and Image Manager showing up in both browsers all the time.

I sent you an email also with this info along with the URL for testing.

Post by **Thorsten** » Wed Jul 28, 2004 4:27 pm

Hi,

this is a pre-release of a release candidate. I'll test this RC the next days and release it next week.

bye
Thorsten

AndrewB · Post by **AndrewB** » Wed Jul 28, 2004 4:49 pm

Chad Beattie wrote:... The image manager now has options to upload images although I am getting "Not authorized" when attempting to upload. I imagine it is probably a config or permission problem with my setup. Otherwise, it seems to be working much better as far as the WYSIWYG and Image Manager showing up in both browsers all the time.

I get the "Not authorized" message also. It is because I have SafeMode on

There is no way around this for me as my host won't turn it off. oh well! I guess I could switch hosts..!

Post by **Thorsten** » Wed Jul 28, 2004 5:06 pm

AndrewB wrote:I get the "Not authorized" message also. It is because I have SafeMode on

That's not correct, this is a bug. I tested it and I have the same problem. Stay tuned for the RC1 of phpMyFAQ 1.4.1!

bye
Thorsten

AndrewB · Post by **AndrewB** » Wed Jul 28, 2004 5:11 pm

I should have said.. "If you have safemode off and you get this message, then it is a bug"

Chad Beattie · Post by **Chad Beattie** » Wed Jul 28, 2004 5:42 pm

AndrewB wrote:I should have said.. "If you have safemode off and you get this message, then it is a bug"

I have safe mode off and get the error also.

Schmoe · Post by **Schmoe** » Wed Jul 28, 2004 9:13 pm

Safemode off here too, but still having the problem.

Chad: If you keep clicking on the Image Manager, it eventually comes up? Even if I click over and over, I never get anything but a blank box...

Post by **Thorsten** » Wed Jul 28, 2004 9:14 pm

Hi,

there's still a bug there: I will fix it the next days and then release RC1 of phpMyFAQ 1.4.1.

bye
Thorsten