• Welcome to the Chevereto user community!

    Here users from all over the world gather around to learn the latest about Chevereto and contribute with ideas to improve the software.

    Please keep in mind:

    • ๐Ÿ˜Œ This community is user driven. Be polite with other users.
    • ๐Ÿ‘‰ Is required to purchase a Chevereto license to participate in this community (doesn't apply to Pre-sales).
    • ๐Ÿ’ธ Purchase a Pro Subscription to get access to active software support and faster ticket response times.

Chevereto 2.1.1

Status
Not open for further replies.
Rodolfo

Rodolfo

๐Ÿ‘‘ Chevereto Godlike
Chevereto Staff
Administrator
Chevereto 2.1.1 (2012-05-20) release notes
- Update the uploader to Uploadify 3.1
- Added Czech lang
- Fixed get codes (thumbnails) on the File Manager
- Fixed pages links when you where on a virtualfolder
- Fixed API when uploading base64 image string
- Improved API
- Show uploader IP on admin via Get Codes
- Added configurable value for the flood prevention
- Added check all the bcmath functions
- Added check for missing .htaccess rules

Upgrade from 2.1 | Affected files & folders
- includes/chevereto.php
- includes/functions.php
- includes/template.functions.php
- content/themes/Peafowl/uploadify.css
- content/system/js
- content/lang/cs
- admin/content/system/js/admin.js
- DON'T REPLACE includes/definitions.php

Config.php add
- There is a new config value, add anywhere this:
PHP: 
/**
 * flood_protection
 * Switch for enable/disable the flood protection
 * default: true
 */
$config['flood_protection'] = true; // Values: true|false

For more info please read the upgrade guide.
 
I'm still on 2.0.18, and I'm assuming I update to 2.1 THEN 2.1.1. If so, how will I do that? The download link is always to the latest version.

Just assuming since most of the upgrade instructions go from 2.1 to 2.1.1 only.
 
sp3ctr3 said:
I'm still on 2.0.18, and I'm assuming I update to 2.1 THEN 2.1.1. If so, how will I do that? The download link is always to the latest version.

Just assuming since most of the upgrade instructions go from 2.1 to 2.1.1 only.
Click to expand...

You can baypass 2.1 and update to 2.1.1 from 2.0.18
 
russhimi said:
I got this error:

No image has been uploaded

but the image stored in file manager
Click to expand...

open a new topic in tech support ๐Ÿ™‚
 
I've just looked over getlist in class.filelist.php and I'm really disappointing , Rodolfo. You have very very limited checks which are easy to bypass on user supplied parameters which lead to sql injection. I was able to see the problem within 2 minutes. Now I am skeptical about the rest of the script, maybe there are other vulnerabilities. ๐Ÿ˜ก

Fix your script to use prepared statements, like you seem to be doing in other places.

Also in class.db.php in get_key you shouldn't use $table variable like that. I didn't see a way to exploit it but it could become a problem later if more functions are added.
 
I'm using PDO and Chevereto uses PDO prepare statements.

Please try to investigate further before posting this kind of things. This is where PDO do the prepare statement:

PHP: 
public function query($sql, $array=array())
	{
		$query = $this->db->prepare($sql);

And Chevereto do this prepare on every single db query.

By the way, mysqli and PDO are not the same. They are similar but is not the same ๐Ÿ˜‰
 
imger said:
Also in class.db.php in get_key you shouldn't use $table variable like that. I didn't see a way to exploit it but it could become a problem later if more functions are added.
Click to expand...

MMmm nope. Because it passes through a switch and if you put whatever on it it doesn't declarate the $where clause. This mean that the query will be wrong at it won't pass the prepare statement.

imger said:
Thanks for getting back quickly.
Here is a simple POC, http://demo.chevereto.com/admin/json?action=filelist&type=all&sort=size_desc&limit=1,2
I can control the limit parameter which is not checked at all.
Click to expand...

Yeah, that is the idea. Is supposed that if you are on the admin panel is because you have the pass to be on it and then you can do the queries freely. If we got user accounts then that will be limited but at this time we don't need it.
 
Rodolfo said:
MMmm nope. Because it passes through a switch and if you put whatever on it it doesn't declarate the $where clause. This mean that the query will be wrong at it won't pass the prepare statement.
Click to expand...

You are correct.

Rodolfo said:
Yeah, that is the idea. Is supposed that if you are on the admin panel is because you have the pass to be on it and then you can do the queries freely. If we got user accounts then yeah, that will be limited but at this time we don't need it.
Click to expand...

Yes you do need an admin password to access that page, but that doesn't mean admin page should allow someone to run queries in DB
 
imger said:
Yes you do need an admin password to access that page, but you that doesn't mean admin page should allow someone to run queries in DB
Click to expand...

A limit statement won't cause problem to the database but since you are concern I can tell you that I can limit it because Chevereto admin do queries in segments and saves the previous results... But, even PDO and MYSQL have native functions to tell when a query will take too much job and it just shutdown the query. So I really don't know why you are so scared about this. I will do some benchmarks on my old PC and see if there is the need of this limit.
 
how do I disable the messagebox when the queue completes?
onQueueComplete window.location

vi content/system/js/peafowl.php?
 
Status
Not open for further replies.
Back
Top