phpBB WordPress 2.2.3 !important fix security bug on page-forum

Post by axew3 »

```
== Changelog ==

= 2.2.3 =
*Release Date - 22 Feb, 2020*
* Fix: (iframe) page-forum.php security bug
* !important: Update as soon page-forum rebuilding it on plugin admin, or manually substituting it
* Fix: (iframe) page-forum.php: default /wp-content/plugins/wp-w3all-phpbb-integration/addons/page-forum.php has been updated again (and definitively fixed) to correctly process urls, if url coming from a click into WP widgets. To update to the latest page-forum, rebuild it into plugin admin or manually replace with the new one of this release: https://www.axew3.com/w3/2020/01/phpbb-wordpress-template-integration-iframe-v5/
* Fix: PHP Notice: Undefined variable: topics_x_ugroup ON class.wp.w3all-phpbb.php on line 2161
* Fix: secondary notice error on line 1185 class.wp.w3all-phpbb.php
* Fix: the 'Transfer phpBB Users into WordPress' option
* ADD: single phpBB user addition into WordPress option into the 'Transfer phpBB Users into WordPress' page
* Fix: more important fixes
* Notice: Update as soon and report bugs!
```

Post by muti »

Update as soon page-forum rebuilding it on plugin admin, or manually substituting it
What exactly do I need to do?

Post by axew3 »

Open the main WP_w3all plugin page and click the
"Create/Rebuild WP_w3all phpBB Page Template" button.
This will rebuild the page-forum (or whatever it is named) in the active WP template folder.

If you want to do it manually, just follow the instructions on how to update, following only the part about copying/pasting the page:
https://www.axew3.com/w3/2020/01/phpbb- ... iframe-v5/

If you want to edit a page-forum that you hardly modified and do not want to lose time:

this code

```php
if( isset($_GET["w3"]) ){ // default
  $phpbb_url = trim(base64_decode($_GET["w3"]));
  $w3all_url_to_cms = $w3all_url_to_cms . '/' . $phpbb_url;
  if( preg_match('/[^-0-9A-Za-z\._#\:\?\/=&%]/ui',$phpbb_url) ){
    // self-assignment: the already concatenated URL is kept
    $w3all_url_to_cms = $w3all_url_to_cms;
  }
} elseif ( isset($_GET[$w3all_iframe_custom_w3fancyurl]) && empty($w3forum_id) ){ //fancy
  $phpbb_url = trim(base64_decode($_GET[$w3all_iframe_custom_w3fancyurl]));
  $w3all_url_to_cms = $w3all_url_to_cms . '/' . $phpbb_url;
  if( preg_match('/[^-0-9A-Za-z\._#\:\?\/=&%]/ui',$phpbb_url) ){
    // self-assignment: the already concatenated URL is kept
    $w3all_url_to_cms = $w3all_url_to_cms;
  }
}
```
needs to be replaced by this:

```php
// security/switch
$w3all_url_to_cms0 = $w3all_url_to_cms;

if( isset($_GET["w3"]) && empty($w3forum_id) ){ // default
  $phpbb_url = trim(base64_decode($_GET["w3"]));
  $w3all_url_to_cms = $w3all_url_to_cms . '/' . $phpbb_url;
  if( preg_match('/[^-0-9A-Za-z\._#\:\?\/=&%]/ui',$phpbb_url) ){
    // disallowed character found: fall back to the saved base URL
    $w3all_url_to_cms = $w3all_url_to_cms0;
  }
} elseif ( isset($_GET[$w3all_iframe_custom_w3fancyurl]) && empty($w3forum_id) ){ //fancy
  $phpbb_url = trim(base64_decode($_GET[$w3all_iframe_custom_w3fancyurl]));
  $w3all_url_to_cms = $w3all_url_to_cms . '/' . $phpbb_url;
  if( preg_match('/[^-0-9A-Za-z\._#\:\?\/=&%]/ui',$phpbb_url) ){
    // disallowed character found: fall back to the saved base URL
    $w3all_url_to_cms = $w3all_url_to_cms0;
  }
}
```
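
The difference between the two snippets in the post above, as an added example that is not part of the original post or the plugin's code: in the old shape the reject branch assigns the variable to itself, so the URL built from the decoded parameter is returned even when the pattern finds a disallowed character. The function names, base URL and sample values are assumptions, and `url_strict` is a stricter variant added here, not the plugin's fix.

```php
<?php
// Added illustration; function names, $base and the samples are assumptions,
// not identifiers from the plugin. The pattern is the one shown in the post.
const W3_REJECT = '/[^-0-9A-Za-z\._#\:\?\/=&%]/ui';

// Pre-2.2.3 shape: the reject branch is a self-assignment, so the URL that
// already contains the decoded parameter is returned unchanged.
function url_before(string $base, string $param): string {
    $phpbb_url = trim(base64_decode($param));
    $url = $base . '/' . $phpbb_url;
    if (preg_match(W3_REJECT, $phpbb_url)) {
        $url = $url;
    }
    return $url;
}

// 2.2.3 shape: a copy of the base is taken first and restored on reject.
function url_after(string $base, string $param): string {
    $base0 = $base;
    $phpbb_url = trim(base64_decode($param));
    $url = $base . '/' . $phpbb_url;
    if (preg_match(W3_REJECT, $phpbb_url)) {
        $url = $base0;
    }
    return $url;
}

// Stricter variant (an assumption of this example, not the plugin's code):
// strict base64 decoding and a positive allow-list match compared with === 1,
// so a decode failure or a preg_match() error also falls back to the base.
function url_strict(string $base, string $param): string {
    $decoded = base64_decode($param, true);
    if ($decoded === false) {
        return $base;
    }
    $phpbb_url = trim($decoded);
    $ok = preg_match('/\A[-0-9A-Za-z._#:?\/=&%]+\z/', $phpbb_url) === 1;
    return $ok ? $base . '/' . $phpbb_url : $base;
}

$base = 'https://forum.example.invalid/phpbb';   // constructed base URL
$samples = [
    'viewtopic.php?f=2&t=1498',                  // path quoted in the thread
    'viewtopic.php?t=1 "x" <y>',                 // constructed: space, quotes, angle brackets
];
foreach ($samples as $s) {
    $p = base64_encode($s);
    foreach (['url_before', 'url_after', 'url_strict'] as $f) {
        printf("%-10s %s\n", $f, $f($base, $p));
    }
}
```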

Post by Dysphoria »

This fixed my problem, thank you!

Post by axew3 »

Dysphoria wrote: Sun Feb 23, 2020 12:56 am This fixed my problem, thank you!
No!
Unfortunately, you still have this in the last topics URLs widget (you refer to this)
viewtopic.php?f=2&t=1498
Links in the widget still return something like:

```
https://talkatastic.be/index.php/index.php/forum/?forum_id=15&topic_id=59&post_id=343#p343
```

The /index.php/index.php/ is still there, and is caused by some setting (I assume) that should be changed somewhere in your WordPress, htaccess or server settings.
It should be

```
https://talkatastic.be/index.php/forum/?forum_id=15&topic_id=59&post_id=343#p343
```

or

```
https://talkatastic.be/forum/?forum_id=15&topic_id=59&post_id=343#p343
```

The redirect flow works, by the way, but the resulting URLs in your widget are still not correct (and when you point to a topic/post, you're redirected to the login page in phpBB; is that maybe due to some other setting in phpBB? Is this what you want?)
If I notice something somewhere that points me to your solution I will report it to you; please do the same if you discover where the problem is in the meantime.

Post by Dysphoria »

I'll look for it, but I don't know which setting that could be. Don't see anything out of the ordinary in wp.
.htaccess could be the one doing this, but then I need another code to force https.

The redirect to the login page is intentional. :)