Twocents security

A place to report and discuss bugs - please mention CMSimple-version, server, platform and browser version
lck
Posts: 2634
Joined: Wed Mar 23, 2011 11:43 am

Re: Twocents security

Post by lck » Sun Jul 19, 2020 5:45 pm

cmb wrote:
Sun Jul 19, 2020 1:12 pm
But why?
Good question :?
“Before you shoot the arrow of truth, dip its tip in honey!”   👉 Ludwig's XH-Templates for MultiPage & OnePage

ustalo
Posts: 161
Joined: Mon Aug 16, 2010 7:42 am
Location: Russia

Re: Twocents security

Post by ustalo » Sun Oct 24, 2021 7:41 am

cmb wrote:
Sun Jul 19, 2020 11:32 am
cmb wrote:
Fri Jul 17, 2020 7:04 am
(even the minimal built-in CAPTCHA may help)
Hmm, there is no built-in CAPTCHA in Twocents_XH (Advancedform_XH has one, though).

An alternative to Recaptcha_XH is Cryptographp_XH 1.0beta6. Less elegant than Recaptcha, but in return you get by without registration and keys. However, you should still apply this fix.
I set cryptograph in the settings of twocents, but cannot see the captcha in comments. Any solution?
Aleksei

lck
Posts: 2634
Joined: Wed Mar 23, 2011 11:43 am

Re: Twocents security

Post by lck » Sun Oct 24, 2021 9:17 am

ustalo wrote:
Sun Oct 24, 2021 7:41 am
I set cryptograph in the settings of twocents, but cannot see the captcha in comments. Any solution?
The captcha is only displayed when you are logged out, not in the back end.

Download the master version of Cryptographp_XH (right at "Code" > "Download ZIP").
Direct download: https://github.com/cmb69/cryptographp_x ... master.zip
There are some problems already fixed.

Also delete the complete browser cache and reload the page.
“Before you shoot the arrow of truth, dip its tip in honey!”   👉 Ludwig's XH-Templates for MultiPage & OnePage

ustalo
Posts: 161
Joined: Mon Aug 16, 2010 7:42 am
Location: Russia

Re: Twocents security

Post by ustalo » Mon Oct 25, 2021 5:19 pm

Thx a lot
I will do
Aleksei

ustalo
Posts: 161
Joined: Mon Aug 16, 2010 7:42 am
Location: Russia

Re: Twocents security

Post by ustalo » Mon Oct 25, 2021 5:21 pm

I download
reinstall crypt
change browser
captcha is on, but there are no images with code
https://ustalo.ru/?Пробуем/Коментарии-Два-цента
Aleksei

cmb
Posts: 14016
Joined: Tue Jun 21, 2011 11:04 am
Location: Mü-Sa, RLP, DE

Re: Twocents security

Post by cmb » Mon Oct 25, 2021 10:41 pm

ustalo wrote:
Mon Oct 25, 2021 5:21 pm
I download
reinstall crypt
change browser
captcha is on, but there are no images with code
https://ustalo.ru/?Пробуем/Коментарии-Два-цента
It seems there is a fundamental flaw regarding the internal variable $su, because it may not be URL decoded. While https://www.cmsimple-xh.org/?About-CMSimple_XH works as expected, https://www.cmsimple-xh.org/?%41bout-CMSimple_XH does not, although it is the same. Maybe replacing this line with

$su = utf8_substr(urldecode($su), 0, $cf['uri']['length']);
is a proper fix?

This needs more investigation by the CMSimple_XH developers! There might be issues with external services encoding the URL (?foo/bar → ?foo%2Fbar).
Christoph M. Becker – Plugins for CMSimple_XH

ustalo
Posts: 161
Joined: Mon Aug 16, 2010 7:42 am
Location: Russia

Re: Twocents security

Post by ustalo » Tue Oct 26, 2021 7:16 am

no fix
error 404
Aleksei

ustalo
Posts: 161
Joined: Mon Aug 16, 2010 7:42 am
Location: Russia

Re: Twocents security

Post by ustalo » Tue Oct 26, 2021 7:23 am

Excuse my bad & horrible English
it does not work on Cyrillic
on a site with Latin translit it helps
but it is not the right solution, because changing Cyrillic to translit on many sites is not a human decision.

http://www.sima.spb.ru/?Nachalo/skazatmz_paru_slov
Aleksei

lck
Posts: 2634
Joined: Wed Mar 23, 2011 11:43 am

Re: Twocents security

Post by lck » Tue Oct 26, 2021 4:27 pm

cmb wrote:
Mon Oct 25, 2021 10:41 pm
It seems there is a fundamental flaw regarding the internal variable $su, because it may not be URL decoded. While https://www.cmsimple-xh.org/?About-CMSimple_XH works as expected, https://www.cmsimple-xh.org/?%41bout-CMSimple_XH does not, although it is the same. Maybe replacing this line with

$su = utf8_substr(urldecode($su), 0, $cf['uri']['length']);
is a proper fix?

This needs more investigation by the CMSimple_XH developers! There might be issues with external services encoding the URL (?foo/bar → ?foo%2Fbar).
ustalo wrote:
Tue Oct 26, 2021 7:16 am
no fix
error 404
I can confirm this.
ustalo wrote:
Mon Oct 25, 2021 5:21 pm
I download
reinstall crypt
change browser
captcha is on, but there are no images with code
https://ustalo.ru/?Пробуем/Коментарии-Два-цента
The problem is that the guestbook is called on a subpage (level-2). Somewhere here we had this before, but can't find it right now.

Set the plugin call in a level-1 page, then it should work. With me it works!
Example-URL: https://ustalo.ru/?Коментарии-Два-цента
“Before you shoot the arrow of truth, dip its tip in honey!”   👉 Ludwig's XH-Templates for MultiPage & OnePage

ustalo
Posts: 161
Joined: Mon Aug 16, 2010 7:42 am
Location: Russia

Re: Twocents security

Post by ustalo » Tue Oct 26, 2021 5:50 pm

If I change the code to
$su = utf8_substr(urldecode($su), 0, $cf['uri']['length']);
the site stops working
all menus get 404
Aleksei
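
The pattern reported in this thread (the suggested urldecode() helps on sites with Latin URLs but gives 404 on Cyrillic ones) is what decoding only the request side produces when the stored page URLs are percent-encoded. The PHP below is an added example, not code from CMSimple_XH or from any poster here. The function names, the sample pages and the assumption that page URLs are stored percent-encoded are all hypothetical.

```php
<?php
// Added illustration, not CMSimple_XH code; all function names are hypothetical.
// Assumption: the CMS keeps its page URLs in percent-encoded form.

/** Decode the request only, then compare with the stored (encoded) URLs. */
function find_page_one_sided(array $pageUrls, string $requested): ?int
{
    $i = array_search(rawurldecode($requested), $pageUrls, true);
    return $i === false ? null : $i;
}

/** Decode both sides exactly once, so every encoding of a URL compares equal. */
function find_page_normalized(array $pageUrls, string $requested): ?int
{
    $wanted = rawurldecode($requested);
    foreach ($pageUrls as $i => $url) {
        if (rawurldecode($url) === $wanted) {
            return $i;
        }
    }
    return null; // caller answers 404
}

// Constructed sample data.
$pages = [
    'About-CMSimple_XH',
    'foo/bar',
    rawurlencode('Пробуем') . '/' . rawurlencode('Коментарии'),
];
$requests = [
    'About-CMSimple_XH',    // plain ASCII
    '%41bout-CMSimple_XH',  // same page, one letter percent-encoded
    'foo%2Fbar',            // separator encoded by an external service
    $pages[2],              // Cyrillic, percent-encoded as a browser sends it
    'Пробуем/Коментарии',   // Cyrillic, raw UTF-8
    'No-Such-Page',
];

$show = fn (?int $i): string => $i === null ? '404' : "page $i";
foreach ($requests as $r) {
    printf("%s\n    one-sided: %s, normalized: %s\n", $r,
        $show(find_page_one_sided($pages, $r)),
        $show(find_page_normalized($pages, $r)));
}
```

With this sample data the one-sided lookup resolves the `%41` and `%2F` requests but answers 404 for both Cyrillic requests, while the normalized lookup resolves every request except the page that does not exist.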
