YaBB SE Community

YaBB SE Info => News From the YaBB SE Team => Topic started by: [Unknown] on January 17, 2004, 03:42:29 PM

Title: YaBB SE 1.5.5 Released!
Post by: [Unknown] on January 17, 2004, 03:42:29 PM
This version contains a few updates over YaBB SE 1.5.4, including one security vulnerability.  This will probably be the last release from the YaBB SE Team, because we are now working on SMF instead.

For more information on that, see this topic:
http://www.yabbse.org/community/index.php?thread=25385

The update package works only for 1.5.4.  The boardmod-style mod files go from several different versions, down to 1.5.1.  To access the package server, please put this URL in your package manager:
http://www.yabbse.org/packages/bugs

Upgrade can be used for any version down to 1.5.1.

The files in this release can be found here:
http://sourceforge.net/project/showfiles.php?group_id=57105&package_id=52789&release_id=210608

And a changelog can be seen here:
http://sourceforge.net/project/shownotes.php?release_id=210608

For upgrade paths and other information, please see:
http://www.yabbse.org/download.php

Thank you,
Unknown W. Brackets
The YaBB SE Team
Title: Re:YaBB SE 1.5.5 Released!
Post by: Killer Possum on January 17, 2004, 04:41:37 PM
coolness....
Title: Re:YaBB SE 1.5.5 Released!
Post by: Black Hawk on January 17, 2004, 04:46:50 PM
Wow, I need to update my forum!!
Title: Re:YaBB SE 1.5.5 Released!
Post by: carhartt on January 17, 2004, 04:57:03 PM
it works...  ;D
Title: Re:YaBB SE 1.5.5 Released!
Post by: Dr_Michael on January 17, 2004, 05:11:49 PM
Where can I find the changes from 1.5.4 to 1.5.5?
Title: Re:YaBB SE 1.5.5 Released!
Post by: B on January 17, 2004, 05:19:43 PM
There's a mistake in the 1.5.4 -> 1.5.5 Boardmod file. Step #11 should edit Load.php, not RemoveThread.php. :)

B
Title: Re:YaBB SE 1.5.5 Released!
Post by: David on January 17, 2004, 05:22:18 PM
Quote
Where can I find the changes from 1.5.4 to 1.5.5?
Best bet would be to manually apply the changes from the Boardmod file once Unknown updates it.
Title: Re:YaBB SE 1.5.5 Released!
Post by: pboehi on January 17, 2004, 05:34:38 PM
I tried to run the update mod but before doing so I tested it and got two error messages (string not found). These two strings were not found:

********

$loadphpver = 'YaBB SE 1.5.1';

/* this function is called from index.php - it loads the cookies for the board
                and places the critical variables into the right place
                $username - the username of the logged in person, or 'Guest'
                $password - the doubly encrypted password stored in the cookie*/
function LoadCookie()
{
        global $password, $username, $cookiename;

        if (isset($_COOKIE[$cookiename]))
        {
                list($username, $password) = @unserialize(stripslashes($_COOKIE[$cookiename]));
                $username = ($username != '') ? $username : 'Guest';
        }

**** and ****

unction sendmail($to, $subject, $message, $from = null)
{
        global $mailtype, $webmaster_email, $modSettings;

        $chunkSize = 50;

        $to_array = (is_array($to) ? $to : array($to));

        if ($from == null)
                $from = $webmaster_email;
        $subject = stripslashes($subject);
        $subject = str_replace(array('&quot;', '&#039;', '&amp;', '&lt;', '&gt;'), array('"', '\'', '&', '<', '>'), $subject);
        $message = stripslashes($message);
        $headers = "MIME-Version: 1.0\r\n";
        $headers .= "From: <$webmaster_email>\r\n";
        $headers .= "Return-Path: $webmaster_email";

        if ($modSettings['mail_type'] == 'sendmail')
                foreach ($to_array as $to)
                        $mail_result = mail($to, $subject, $message, $headers);
        else
                smtp_mail($to_array, $subject, $message, $headers);

        return $mail_result;
}

function smtp_mail($mail_to_array, $subject, $message, $headers)
{
        global $modSettings, $webmaster_email;

        if (!$socket = fsockopen($modSettings['smtp_host'], 25, $errno, $errstr, 20))
                fatal_error("Could not connect to smtp host : $errno : $errstr");

        server_parse($socket, '220');

        if ($modSettings['smtp_username'] != '' && $modSettings['smtp_password'] != '')
        {
                fputs($socket, "EHLO $modSettings[smtp_host]\r\n");
                server_parse($socket, '250');
                fputs($socket, "AUTH LOGIN\r\n");
                server_parse($socket, '334');
                fputs($socket, base64_encode($modSettings['smtp_username']) . "\r\n");
                server_parse($socket, '334');
                fputs($socket, base64_encode($modSettings['smtp_password']) . "\r\n");
                server_parse($socket, '235');
        }
        else
        {
                fputs($socket, 'HELO ' . $modSettings['smtp_host'] . "\r\n");
                server_parse($socket, '250');
        }
        foreach($mail_to_array as $mail_to)
        {
                fputs($socket, "MAIL FROM: <$webmaster_email>\r\n");
                server_parse($socket, '250');
                $to_header = "To: <$mail_to>";
                fputs($socket, "RCPT TO: <$mail_to>\r\n");
                server_parse($socket, '250');
                fputs($socket, "DATA\r\n");
                server_parse($socket, '354');
                fputs($socket, "Subject: $subject\r\n");
                if (strlen($mail_to))
                        fputs($socket, "$to_header\r\n");
                fputs($socket, "$headers\r\n\r\n");
                fputs($socket, "$message\r\n");
                fputs($socket, ".\r\n");
                server_parse($socket, '250');
                fputs($socket, "RSET\r\n");
                server_parse($socket, '250');
        }
        fputs($socket, "QUIT\r\n");
        fclose($socket);
}


function server_parse($socket, $response)
{
        while (substr($server_response, 3, 1) != ' ')
                if (!($server_response = fgets($socket, 256)))
                        fatal_error('Couldn\'t get mail server response codes');

        if (!(substr($server_response, 0, 3) == $response))
                fatal_error("Ran into problems sending Mail. Error: $server_response");
}

*****

What am I supposed to do?

Peter
Title: Re:YaBB SE 1.5.5 Released!
Post by: [Unknown] on January 17, 2004, 05:41:32 PM
I fixed the problem with Load.php, I'll double check the other problem.

-[Unknown]
Title: Re:YaBB SE 1.5.5 Released!
Post by: burglar on January 17, 2004, 05:43:42 PM
I get an error when I want to change the language to Dutch....

this one

An Error Has Occurred!

Failure in submission of form. Session timeout
Title: Re:YaBB SE 1.5.5 Released!
Post by: [Unknown] on January 17, 2004, 05:50:20 PM
This has nothing to do with the 1.5.5 update.

-[Unknown]
Title: Re:YaBB SE 1.5.5 Released!
Post by: bostasp on January 17, 2004, 06:01:02 PM
lol, well, at least I wasn't expecting this one  :D
Title: Re:YaBB SE 1.5.5 Released!
Post by: robo47 on January 17, 2004, 06:19:11 PM
Are there any important changes? Because I don't want to make the edits I made to my YaBB all over again just because of some things I don't need.
Title: Re:YaBB SE 1.5.5 Released!
Post by: Fizzy on January 17, 2004, 06:20:27 PM
Boardmod loaded up fine except for the change over to ARIN, but that was only because I'm using RIPE instead.

Thanks for the update.  ;)
Title: Re:YaBB SE 1.5.5 Released!
Post by: David on January 17, 2004, 06:26:07 PM
Quote
Are there any important changes? Because I don't want to make the edits I made to my YaBB all over again just because of some things I don't need.
Due to the security patch, yes I would consider this a required patch.  I would try the package manager version first.
Title: Re:YaBB SE 1.5.5 Released!
Post by: tom4stir on January 17, 2004, 06:30:03 PM
Is there any writeup explaining how to upgrade for people that have never done it before?

/me is paranoid of messing up his forum, even with backups.
Title: Re:YaBB SE 1.5.5 Released!
Post by: Patzt on January 17, 2004, 07:53:29 PM
Tom4stir, I'm with you for sure!  I haven't the foggiest idea how to make these changes.  I'm still using 1.5.1 and so scared that I'll lose stuff and I have lots that I don't want to lose.

Title: Re:YaBB SE 1.5.5 Released!
Post by: Ben_S on January 17, 2004, 07:54:43 PM
Andrea has a tutorial here http://www.penthesilea.ch/yabbutils/save-instr/ with details of how to back up your database, though this patch doesn't require any db modifications (I don't think anyway, I haven't actually looked at it) so it should be very low risk.

Do back up though, you should always back up just in case your host messes up or something like that.
Title: Re:YaBB SE 1.5.5 Released!
Post by: [Unknown] on January 17, 2004, 08:09:41 PM
You can apply the patch with the package manager.  Here's how:

First, go into your admin center.  Now click "YaBBpak Center" under "Forum Controls".  Choose "[ Download new YaBBpaks ]".

If you see "yabbse.org Bugs" in the list, click on "[ Browse ]" next to it.  Otherwise, type "yabbse.org Bugs" in for the server name, and "http://www.yabbse.org/packages/bugs" for the URL. (no slash at the end!)  Now, click on "[ Browse ]" next to it.

You should see a list of fixes.  Find the section for the version you currently have installed, and pick the mod titled "YaBB SE YOUR VERSION to YaBB SE 1.5.5 Update" and click "[ Download ]".

Now click "[ Back ]" and then "[ Back ]".  Now click "[ Browse YaBBpaks ]".

Find the mod you downloaded in the list. (it might be the only thing in there...)  Click the "[ Apply Mod ]" next to it.

Click "[ Proceed ]".  Then, "[ Test (recommended) ]".

For every file listed in large print, find it in your FTP.  Make sure it is TEMPORARILY chmod'd to 777.  This makes it so the package manager can update them.  You will also need to make the folders they are in 777 so it can make backups.

If you don't get any "not found" errors, it should install properly.  Click "[ Apply Mod ]".  If you get any errors, you probably forgot to chmod something to 777.

Afterward, you may wish to chmod things back to 755.  You can read my opinion on this subject here:
http://www.simplemachines.org/community/index.php?topic=2987.0

-[Unknown]
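The permission clean-up after the steps above can be checked rather than done by memory. This is an added example, not part of the original post and not YaBB SE code; the function names, the `FORUM_ROOT` variable and the 755/644 targets are assumptions, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example, not YaBB SE code. Sources/, Packages/ and the "index.php~"
# backups are named in the thread; the 755/644 targets are an assumption and
# depend on which user PHP runs as on your host.

# List every file or directory under $1 that is world-writable.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# List the "name~" backup copies the package manager writes next to the
# files it patches. A server that only hands *.php to PHP serves them as text.
list_backups() {
    find "$1" -type f -name '*~' -print | sort
}

# Clear the world-write bit again: directories to 755, files to 644.
# Entries that are not world-writable are left untouched.
tighten() {
    find "$1" -type d -perm -0002 -exec chmod 755 {} +
    find "$1" -type f -perm -0002 -exec chmod 644 {} +
}

# Report, tighten, report again. Succeeds when nothing world-writable is left.
audit() {
    echo "world-writable before:"; list_world_writable "$1"
    echo "backup copies:";         list_backups "$1"
    tighten "$1"
    left=$(list_world_writable "$1")
    echo "world-writable after: ${left:-none}"
    [ -z "$left" ]
}

# Constructed sample tree, in the state the instructions above leave it in.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/Sources" "$root/Packages"
    for f in index.php index.php~ Sources/Load.php Sources/Load.php~ \
             Sources/Subs.php Packages/server.list; do
        echo '<?php /* constructed placeholder */ ?>' > "$root/$f"
        chmod 644 "$root/$f"
    done
    chmod 777 "$root" "$root/Sources" "$root/Packages" \
              "$root/index.php" "$root/Sources/Load.php" \
              "$root/Packages/server.list"
    echo "$root"
}

# FORUM_ROOT=/path/to/forum sh audit.sh   audits a real install;
# without FORUM_ROOT the script runs on the constructed sample tree.
if [ -n "${FORUM_ROOT:-}" ]; then
    audit "$FORUM_ROOT"
else
    sample=$(make_sample_tree) && audit "$sample"
    rm -rf "$sample"
fi
```

Run `list_world_writable` and `list_backups` on their own first if you want to review the findings before anything is changed.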
Title: Re:YaBB SE 1.5.5 Released!
Post by: Patzt on January 17, 2004, 08:11:23 PM
Thanks Ben and Unknown...

I'm going to print out yours, Unknown, and read the tutorial.  This Grandma is paranoid!  And you guys sure know a lot more than I do.

Pat
Title: Re:YaBB SE 1.5.5 Released!
Post by: proenski on January 17, 2004, 08:55:55 PM
I'm confused ???

I thought version 1.5.4 was going to be the final one and that YABB SE was going to change its name??

Please enlighten me...
Title: Re:YaBB SE 1.5.5 Released!
Post by: David on January 17, 2004, 08:59:33 PM
Quote
I'm confused ???

I thought version 1.5.4 was going to be the final one and that YABB SE was going to change its name??

Please enlighten me...
This was true although the security vulnerability that was reported yesterday warranted another release.
Title: Re:YaBB SE 1.5.5 Released!
Post by: NJBassOnline.com on January 17, 2004, 09:01:15 PM
Hi - according to changelog, only these files are changed:

- Sources/Display.php
- Sources/Load.php
- Sources/Profile.php
- Sources/RemoveThread.php
- Sources/Subs.php
- index.php
- SSI.php
- ssi_examples.php
- ssi_examples.shtml

So, does that mean that I can just replace and overwrite those files manually and not worry about all the other files?

Thanks
Title: Re:YaBB SE 1.5.5 Released!
Post by: [Unknown] on January 17, 2004, 09:07:28 PM
Those are the only files included in yabbse_1-5-5_update.zip, and yes you can.

-[Unknown]
Title: Re:YaBB SE 1.5.5 Released!
Post by: David on January 17, 2004, 09:07:33 PM
That is what the update package should do for you, assuming you are coming from 1.5.4.
Title: Re:YaBB SE 1.5.5 Released!
Post by: Spaceman-Spiff on January 17, 2004, 09:07:34 PM
patched 9 forums
phew :P

Quote
So, does that mean that I can just replace and overwrite those files manually and not worry about all the other files?
if you didn't install any mods, go ahead and do that
Title: Re:YaBB SE 1.5.5 Released!
Post by: Adariel on January 18, 2004, 01:35:46 AM
I got 4 "string not found" errors ...

Profile.php
Code:
<form onsubmit="if (document.creator.oldpasswrd.value == \'\') { alert(\'' . $txt['yse244'] . '\'); return false; }" action="' . $scripturl . '?action=profile2" method="post" name="creator">

Subs.php
Code:
function sendmail($to, $subject, $message, $from = null)
{
   global $mailtype, $webmaster_email, $modSettings;

   $chunkSize = 50;

   $to_array = (is_array($to) ? $to : array($to));

   if ($from == null)
      $from = $webmaster_email;
   $subject = stripslashes($subject);
   $subject = str_replace(array('&quot;', '&#039;', '&amp;', '&lt;', '&gt;'), array('"', '\'', '&', '<', '>'), $subject);
   $message = stripslashes($message);
   $headers = "MIME-Version: 1.0\r\n";
   $headers .= "From: <$webmaster_email>\r\n";
   $headers .= "Return-Path: $webmaster_email";

   if ($modSettings['mail_type'] == 'sendmail')
      foreach ($to_array as $to)
         $mail_result = mail($to, $subject, $message, $headers);
   else
      smtp_mail($to_array, $subject, $message, $headers);

   return $mail_result;
}

function smtp_mail($mail_to_array, $subject, $message, $headers)
{
   global $modSettings, $webmaster_email;

   if (!$socket = fsockopen($modSettings['smtp_host'], 25, $errno, $errstr, 20))
      fatal_error("Could not connect to smtp host : $errno : $errstr");

   server_parse($socket, '220');

   if ($modSettings['smtp_username'] != '' && $modSettings['smtp_password'] != '')
   {
      fputs($socket, "EHLO $modSettings[smtp_host]\r\n");
      server_parse($socket, '250');
      fputs($socket, "AUTH LOGIN\r\n");
      server_parse($socket, '334');
      fputs($socket, base64_encode($modSettings['smtp_username']) . "\r\n");
      server_parse($socket, '334');
      fputs($socket, base64_encode($modSettings['smtp_password']) . "\r\n");
      server_parse($socket, '235');
   }
   else
   {
      fputs($socket, 'HELO ' . $modSettings['smtp_host'] . "\r\n");
      server_parse($socket, '250');
   }
   foreach($mail_to_array as $mail_to)
   {
      fputs($socket, "MAIL FROM: <$webmaster_email>\r\n");
      server_parse($socket, '250');
      $to_header = "To: <$mail_to>";
      fputs($socket, "RCPT TO: <$mail_to>\r\n");
      server_parse($socket, '250');
      fputs($socket, "DATA\r\n");
      server_parse($socket, '354');
      fputs($socket, "Subject: $subject\r\n");
      if (strlen($mail_to))
         fputs($socket, "$to_header\r\n");
      fputs($socket, "$headers\r\n\r\n");
      fputs($socket, "$message\r\n");
      fputs($socket, ".\r\n");
      server_parse($socket, '250');
      fputs($socket, "RSET\r\n");
      server_parse($socket, '250');
   }
   fputs($socket, "QUIT\r\n");
   fclose($socket);
}

function server_parse($socket, $response)
{
   while (substr($server_response, 3, 1) != ' ')
      if (!($server_response = fgets($socket, 256)))
         fatal_error('Couldn\'t get mail server response codes');

   if (!(substr($server_response, 0, 3) == $response))
      fatal_error("Ran into problems sending Mail. Error: $server_response");
}

SSI.php
Code:
function topTopicsViews()
{
   global $db_prefix, $txt, $scripturl, $num_topicsViews, $cgi;

   ob_end_clean();
   $request = mysql_query("
and

Code:
function topTopicsReplies()
{
   global $db_prefix, $txt, $scripturl, $num_topicsReplies, $cgi;
   
   ob_end_clean();
   $request = mysql_query("

Can ya tell me how important these particular ones are and what I should do about them?  This was on a "test install" so there's no harm done but I would like to get the security updated.
Title: Re:YaBB SE 1.5.5 Released!
Post by: [Unknown] on January 18, 2004, 02:25:47 AM
You would get those errors if you were using the supermod.

You can ignore the missing strings and just apply the other changes.

-[Unknown]
Title: Re:YaBB SE 1.5.5 Released!
Post by: pboehi on January 18, 2004, 02:39:34 AM
I just wanted to let you know that after having reported 2 "string not found" messages the script apparently has been fixed. I re-downloaded it and was able to update my forum without any problems.

Peter
Title: Re:YaBB SE 1.5.5 Released!
Post by: [Unknown] on January 18, 2004, 02:42:40 AM
That's right, I fixed my typo:

Quote
I fixed the problem with Load.php, I'll double check the other problem.

-[Unknown]

-[Unknown]
Title: Re:YaBB SE 1.5.5 Released!
Post by: svoa on January 18, 2004, 03:25:56 AM
I'm using YaBB SE 1.5.1, I don't know how to install the new version? ???
Title: Re:YaBB SE 1.5.5 Released!
Post by: [Unknown] on January 18, 2004, 04:23:59 AM
Please read my post here:

http://www.yabbse.org/community/index.php?thread=27122/15#msg183306

-[Unknown]
Title: Re:YaBB SE 1.5.5 Released!
Post by: Winters on January 18, 2004, 05:04:24 AM
Now that's what I call a surprise! This would be my first upgrade, if I chose to do it... But I'd definitely lose all the mods that changed the files in question, right?

PS: When trying to add the yaBBpak server (upgrade from 1.5.4), I'm getting this error:

2: fopen(Packages/server.list) [function.fopen]: failed to create stream: Permission denied
(/www/htdocs/xxxxxx/forum/Sources/PackageGet.php ln 110)
 
Title: Re:YaBB SE 1.5.5 Released!
Post by: Thollsten on January 18, 2004, 05:18:39 AM
I tried to install the new version from scratch, no upgrade or so. I got the error message
Quote
Unable to find crucial installation files in this script's directory.

Please make sure you uploaded the entire package, and then try again.

I think the problem is that the archives I downloaded (I tried it twice ;)) contain the file "yse151.ya" (yes, I really downloaded the newest version, the archive is named yabbse_1-5-5 ;))
Should I rename the ya file or is it really the old 1.5.1 version?
Title: Re:YaBB SE 1.5.5 Released!
Post by: bluesyrio on January 18, 2004, 05:37:57 AM
Quote
PS: When trying to add the yaBBpak server (upgrade from 1.5.4), I'm getting this error:

2: fopen(Packages/server.list) [function.fopen]: failed to create stream: Permission denied
(/www/htdocs/xxxxxx/forum/Sources/PackageGet.php ln 110)

I'm getting a similar error:

2: file(Packages/installed.list): failed to open stream: No such file or directory
(/home/xxxxxx/public_html/forum/Sources/Packages.php ln 222)
Title: Re:YaBB SE 1.5.5 Released!
Post by: [Unknown] on January 18, 2004, 06:11:21 AM
Quote
Now that's what I call a surprise! This would be my first upgrade, if I chose to do it... But I'd definitely lose all the mods that changed the files in question, right?

PS: When trying to add the yaBBpak server (upgrade from 1.5.4), I'm getting this error:

2: fopen(Packages/server.list) [function.fopen]: failed to create stream: Permission denied
(/www/htdocs/xxxxxx/forum/Sources/PackageGet.php ln 110)

This error is caused by not having Packages and its contents chmod'd to 777.

Quote
I tried to install the new version from scratch, no upgrade or so. I got the error message
Quote
Unable to find crucial installation files in this script's directory.

Please make sure you uploaded the entire package, and then try again.

I think the problem is that the archives I downloaded (I tried it twice ;)) contain the file "yse151.ya" (yes, I really downloaded the newest version, the archive is named yabbse_1-5-5 ;))
Should I rename the ya file or is it really the old 1.5.1 version?

I'll triple check.  I remember double checking before I made the release... but maybe I made a mistake.

Quote
I'm getting a similar error:

2: file(Packages/installed.list): failed to open stream: No such file or directory
(/home/xxxxxx/public_html/forum/Sources/Packages.php ln 222)

You don't even seem to have a Packages directory at all! (forum/Packages, etc.)

-[Unknown]
Title: Re:YaBB SE 1.5.5 Released!
Post by: Winters on January 18, 2004, 06:20:39 AM
Thanks, I was now able to download the YabbPak. It might make more sense for me to install the 1.5.5 from scratch instead of installing the upgrade, though.  :'(
Title: Re:YaBB SE 1.5.5 Released!
Post by: bluesyrio on January 18, 2004, 06:55:52 AM
Quote
You don't even seem to have a Packages directory at all! (forum/Packages, etc.)

-[Unknown]

We do... :(

/public_html/forum/Packages/

Could it be something else? Should we chmod the files to 777 before doing this? Could it be that?
Title: Re:YaBB SE 1.5.5 Released!
Post by: [Unknown] on January 18, 2004, 07:20:47 AM
Possibly.  Do you have files inside it, like installed.list and server.list?

-[Unknown]
Title: Re:YaBB SE 1.5.5 Released!
Post by: bluesyrio on January 18, 2004, 07:43:20 AM
I have the following inside the directory:

index.php
server.list
yabbse_1-5-5_update_1-5-4.mod.yp

I have managed to upgrade through Boardmod, anyway.

Thanks. :)
Title: Re:YaBB SE 1.5.5 Released!
Post by: tom4stir on January 18, 2004, 11:49:40 AM
Yey! I've managed to update. ;D

It was a pretty scary few minutes, but it was actually pretty easy.  
Title: Re:YaBB SE 1.5.5 Released!
Post by: haaseg on January 18, 2004, 12:11:13 PM
I'm just curious...  why the switch from $_COOKIE to $HTTP_COOKIE_VARS...  I thought $HTTP_COOKIE_VARS was going to become deprecated like $HTTP_POST_VARS, etc.
Title: Re:YaBB SE 1.5.5 Released!
Post by: David on January 18, 2004, 02:12:48 PM
Quote
I'm just curious...  why the switch from $_COOKIE to $HTTP_COOKIE_VARS...  I thought $HTTP_COOKIE_VARS was going to become deprecated like $HTTP_POST_VARS, etc.
This change was made to be consistent throughout the YSE package.  It also allows YSE to work on older versions of PHP.
Title: Re:YaBB SE 1.5.5 Released!
Post by: charlottezweb on January 18, 2004, 02:46:08 PM
Running the package through admin seems to not work...I keep getting hung up on a permissions issue for index (can't copy) even though I've chmodded everything I can think of to full permissions.... any ideas?

And the mod file fails for me on about 15+ steps...would that be due to prior installed mods?

Jason
Title: Re:YaBB SE 1.5.5 Released!
Post by: [Unknown] on January 18, 2004, 04:42:36 PM
It tries to back up index.php to index.php~ which means /yabbse needs 777 as well.

-[Unknown]
Title: Re:YaBB SE 1.5.5 Released!
Post by: charlottezweb on January 18, 2004, 05:21:03 PM
That did the trick... :)

Now is there a listing of what folders/files should be set to what permissions so I can set it back?

Thanks!
Jason
Title: Re:YaBB SE 1.5.5 Released!
Post by: [Unknown] on January 18, 2004, 05:29:17 PM
You can read my opinion on this subject here:
http://www.simplemachines.org/community/index.php?topic=2987.0

-[Unknown]
Title: Re:YaBB SE 1.5.5 Released!
Post by: MAZZA on January 18, 2004, 05:53:43 PM
Just wondering: Can I install the updates manually? I hacked my board big time. Can I just check out the mod file and manually edit the changes into my board?
Title: Re:YaBB SE 1.5.5 Released!
Post by: Peter Duggan on January 18, 2004, 05:56:22 PM
Basically, yes!
Title: Re:YaBB SE 1.5.5 Released!
Post by: MAZZA on January 18, 2004, 06:09:21 PM
Quote
Basically, yes!
Ok thanks :)

Here goes nothing  ;)
Title: Re:YaBB SE 1.5.5 Released!
Post by: charlottezweb on January 18, 2004, 06:26:21 PM
Quote
You can read my opinion on this subject here:
http://www.simplemachines.org/community/index.php?topic=2987.0

-[Unknown]


Thanks!!  Just what I needed

Jason
Title: Re:YaBB SE 1.5.5 Released!
Post by: Spaceman-Spiff on January 18, 2004, 07:43:49 PM
like the previous release, i'm offering my free service to do yabbse upgrade to anyone here...

i also made this package to upgrade your YaBB SE from version 1.5.1 to 1.5.5
someone asked me to make one, so i did, and this might be useful to others
DO NOT use it if you've installed any mods

basically what i did is joined the updates from 1.5.2, 1.5.3, 1.5.4, and 1.5.5
all files are unaltered from the originals

yabbse_upgrade_from_1.5.1_to_1.5.5.zip (http://immortalshades.com/spaceman/mods/yabbse_upgrade_from_1.5.1_to_1.5.5.zip)
Title: Re:YaBB SE 1.5.5 Released!
Post by: MAZZA on January 18, 2004, 07:46:22 PM
Quote
Basically, yes!
Ok thanks :)

Here goes nothing  ;)
For anyone else who wants to edit the changes manually into your source: It works just fine :) I didn't have any problems at all.
Title: Re:YaBB SE 1.5.5 Released!
Post by: geber on January 19, 2004, 01:37:13 AM
It works!


thx...
Title: Re:YaBB SE 1.5.5 Released!
Post by: Patzt on January 19, 2004, 02:59:04 AM


THANKS SO VERY MUCH
Spaceman-Spiff!

I appreciate you SO-O-O much!
Title: Re:YaBB SE 1.5.5 Released!
Post by: rpoelking on January 19, 2004, 08:47:36 AM
Just downloaded the Package and chmod the whole darn YaBBSE folder to 777. but I got the following not found errors. Are these serious enough for me to not proceed?

index.php
Code:
$YaBBversion = 'YaBB SE 1.5.4';
$YaBBphpver = 'YaBB SE 1.5.4';
sources/profiles.php
Code:
$profilephpver = 'YaBB SE 1.5.4';
Title: Re:YaBB SE 1.5.5 Released!
Post by: Peter Duggan on January 19, 2004, 01:20:04 PM
Quote
Are these serious enough for me to not proceed?

Well, they're not going to stop the board working if nothing else went wrong, but it would be interesting to know why they weren't found...
Title: Re:YaBB SE 1.5.5 Released!
Post by: Grep on January 19, 2004, 05:32:11 PM
Ah. This time I noticed vulnerability in time because of e-mail informed about new update. Last time wasn't that lucky (got ass****ed and had to re-install whole system).

Updated two forums and safe again. Thanks YaBB SE Team! :-*

 -Grep-
Title: Re:YaBB SE 1.5.5 Released!
Post by: NoVi on January 20, 2004, 07:32:29 AM
Tip:
edited the files manually and used the Find/Replace from Dreamweaver, takes 1/2 an hour  ;)

Question:
As the Recent Topics function from SSI.php was changed, it has overwritten my previous setting  :-\, where I didn't show the [Board] column.

What code snippet do I have to delete in order to show:
Topic / Time
<by> Poster
Title: Re:YaBB SE 1.5.5 Released!
Post by: ferdz on January 20, 2004, 05:51:47 PM
Quote
This version contains a few updates over YaBB SE 1.5.4, including one security vulnerability.  This will probably be the last release from the YaBB SE Team, because we are now working on SMF instead.

For more information on that, see this topic:
http://www.yabbse.org/community/index.php?thread=25385

The update package works only for 1.5.4.  The boardmod-style mod files go from several different versions, down to 1.5.1.  To access the package server, please put this URL in your package manager:
http://www.yabbse.org/packages/bugs

Upgrade can be used for any version down to 1.5.1.

The files in this release can be found here:
http://sourceforge.net/project/showfiles.php?group_id=57105&package_id=52789&release_id=210608

And a changelog can be seen here:
http://sourceforge.net/project/shownotes.php?release_id=210608

For upgrade paths and other information, please see:
http://www.yabbse.org/download.php

Thank you,
Unknown W. Brackets
The YaBB SE Team


You have started YaBB SE and gathered thousands of people to use this software. Now you want people to pay for SMF to be able to download? Wow!

Quote

Elegant. Effective. Powerful. Free. SMF is all of the above.

I don't think it is free.

Title: Re:YaBB SE 1.5.5 Released!
Post by: Peter Duggan on January 20, 2004, 06:06:32 PM
Quote
You have started YaBB SE and gathered thousands of people to use this software. Now you want people to pay for SMF to be able to download? Wow!

Quote

Elegant. Effective. Powerful. Free. SMF is all of the above.

I don't think it is free.

http://www.simplemachines.org/community/index.php?topic=5134 ::)
Title: Re:YaBB SE 1.5.5 Released!
Post by: charlottezweb on January 20, 2004, 06:11:34 PM
damn, beat me to it...  

 ;D
Title: Re:YaBB SE 1.5.5 Released!
Post by: wehbee on January 20, 2004, 09:34:26 PM
 Hi!

 I am using YaBB SE 1.5.5

 How can i install Turkish Language  ???
Title: Re:YaBB SE 1.5.5 Released!
Post by: Winters on January 21, 2004, 02:50:25 PM
Quote
This error is caused by not having Packages and its contents chmod'd to 777.

Thx, the error is gone. I still ended up using boardmod and btw., I didn't lose my mods ;)
Title: Re:YaBB SE 1.5.5 Released!
Post by: Winters on January 22, 2004, 03:09:41 PM
wehbee, I just remembered your question when I stumbled across SourceForge... I may be mistaken, but it looks like there is no Turkish translation available yet:
http://www.yabbse.org/download.php
Title: Re:YaBB SE 1.5.5 Released!
Post by: Terragen on January 22, 2004, 03:15:50 PM
Does this fix the security vulnerability where people can read your cookies (ie: get your password) if you allow users to upload files?
Title: Re:YaBB SE 1.5.5 Released!
Post by: [Unknown] on January 22, 2004, 03:19:44 PM
No, that is fixed by not allowing them to upload PHP, Javascript, or HTML code.

It is also fixed in SMF without this requirement.

-[Unknown]
Title: Re:YaBB SE 1.5.5 Released!
Post by: Terragen on January 22, 2004, 03:46:40 PM
Quote
No, that is fixed by not allowing them to upload PHP, Javascript, or HTML code.

It is also fixed in SMF without this requirement.

-[Unknown]

Well you'd have to totally disable the upload feature unless the code is changed to do some type checking.

You can rename a html file .jpg and then do an <img> tag inside. The uploaded jpg (really html) will not display
but if you make another post and link to it then it will open up and you will see the image and not realize it's really an html page showing you a jpg while stealing your cookie information. (This might only work on IE though - I haven't really extensively tested it - just know that it's a problem).
Title: Re:YaBB SE 1.5.5 Released!
Post by: [Unknown] on January 22, 2004, 03:51:01 PM
There's no real way to fix this except for checking if any file has "<script>" in it and then removing it... which doesn't seem a very simple solution.

SMF, however, fixes it more elegantly.  I recommend you turn off the feature for now, until SMF is released - if you are worried.

-[Unknown]
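Terragen's type check and the "<script>" scan [Unknown] mentions can also be run by an administrator over files that are already on disk. The following is an added example, not YaBB SE or SMF code and not part of the original posts; `ATTACH_DIR`, the function names and the tag list are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not YaBB SE or SMF code. ATTACH_DIR and every function name
# are assumptions; point ATTACH_DIR at the directory your forum stores
# uploads in.

# Hex of the first $2 bytes of file $1, without separators.
head_hex() {
    od -An -tx1 -N "$2" "$1" | tr -d ' \n'
}

# Image type according to the file's leading bytes, not its name.
sniff_image_type() {
    case "$(head_hex "$1" 8)" in
        ffd8ff*)                     echo jpeg ;;
        89504e470d0a1a0a)            echo png ;;
        474946383761*|474946383961*) echo gif ;;
        *)                           echo unknown ;;
    esac
}

# Image type the file name claims, or "other" for non-image names.
claimed_type() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *.jpg|*.jpeg) echo jpeg ;;
        *.png)        echo png ;;
        *.gif)        echo gif ;;
        *)            echo other ;;
    esac
}

# The "<script>" scan from the thread, widened to a few other tags.
has_markup() {
    LC_ALL=C grep -a -i -q -E '<(script|html|body|iframe|img)[[:space:]>/]' "$1"
}

# Verdict for one file: ok, mismatch (name and bytes disagree),
# markup (image header but markup inside) or skipped (not image-named).
classify_attachment() {
    claimed=$(claimed_type "$1")
    if [ "$claimed" = other ]; then echo skipped
    elif [ "$(sniff_image_type "$1")" != "$claimed" ]; then echo mismatch
    elif has_markup "$1"; then echo markup
    else echo ok
    fi
}

# Print "verdict<TAB>path" for every file under $1 that needs a look.
scan_dir() {
    find "$1" -type f -print | sort | while IFS= read -r f; do
        v=$(classify_attachment "$f")
        case "$v" in ok|skipped) ;; *) printf '%s\t%s\n' "$v" "$f" ;; esac
    done
}

# Constructed sample uploads: two real image headers, one HTML page named
# .jpg as described above, one GIF header followed by a tag.
make_sample_uploads() {
    d=$(mktemp -d) || return 1
    printf '\377\330\377\340\001\020JFIF\001' > "$d/photo.jpg"
    printf 'GIF89a\001\001\001\001'           > "$d/avatar.gif"
    printf '<html><body><img src="pic.jpg"></body></html>' > "$d/holiday.jpg"
    printf 'GIF89a\001\001<script></script>'  > "$d/banner.gif"
    printf 'plain text attachment\n'          > "$d/notes.txt"
    echo "$d"
}

# ATTACH_DIR=/path/to/uploads sh scan.sh   scans a real directory;
# without ATTACH_DIR the script runs on the constructed samples.
if [ -n "${ATTACH_DIR:-}" ]; then
    scan_dir "$ATTACH_DIR"
else
    uploads=$(make_sample_uploads) && scan_dir "$uploads"
    rm -rf "$uploads"
fi
```

A `mismatch` or `markup` verdict marks a file for review; the tag list is a heuristic and does not replace restricting what may be uploaded.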
Title: Re:YaBB SE 1.5.5 Released!
Post by: Lyne on January 23, 2004, 04:21:17 AM
Just to check that I've not been done over in a more fundamental way, this exploit - would it theoretically permit someone to replace the index.php with a link to a Brazilian hacker's JPEG of a worryingly deformed George Bush? :)

Just wanted to check ;D
Title: Re:YaBB SE 1.5.5 Released!
Post by: marcnyc on January 23, 2004, 04:20:47 PM
This might sound like a stupid question but I am really curious as to how to update from 1.5.4 to 1.5.5. I downloaded the .mod file from sourceforge, how do I use it? I tried downloading BoardMod because I assumed that's what I needed but I get nowhere from there and besides BoardMod says it is only for YaBB SE versions up to 1.5.1. Can somebody clarify?
Title: Re:YaBB SE 1.5.5 Released!
Post by: Peter Duggan on January 23, 2004, 04:33:51 PM
Quote
You can apply the patch with the package manager.  Here's how:

First, go into your admin center.  Now click "YaBBpak Center" under "Forum Controls".  Choose "[ Download new YaBBpaks ]".

If you see "yabbse.org Bugs" in the list, click on "[ Browse ]" next to it.  Otherwise, type "yabbse.org Bugs" in for the server name, and "http://www.yabbse.org/packages/bugs" for the URL. (no slash at the end!)  Now, click on "[ Browse ]" next to it.

You should see a list of fixes.  Find the section for the version you currently have installed, and pick the mod titled "YaBB SE YOUR VERSION to YaBB SE 1.5.5 Update" and click "[ Download ]".

Now click "[ Back ]" and then "[ Back ]".  Now click "[ Browse YaBBpaks ]".

Find the mod you downloaded in the list. (it might be the only thing in there...)  Click the "[ Apply Mod ]" next to it.

Click "[ Proceed ]".  Then, "[ Test (recommended) ]".

For every file listed in large print, find it in your FTP.  Make sure it is TEMPORARILY chmod'd to 777.  This makes it so the package manager can update them.  You will also need to make the folders they are in 777 so it can make backups.

If you don't get any "not found" errors, it should install properly.  Click "[ Apply Mod ]".  If you get any errors, you probably forgot to chmod something to 777.

Afterward, you may wish to chmod things back to 755.  You can read my opinion on this subject here:
http://www.simplemachines.org/community/index.php?topic=2987.0

-[Unknown]
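
A follow-up check for the temporary chmod step above, as an added example (not part of the original post or of YaBB SE): it lists everything under the forum directory that is still world-writable after the update and clears the group and other write bits, so 777 becomes 755. The function names are assumptions made for this sketch.

```python
import os
import stat
import sys


def world_writable(root):
    """Return sorted paths under root (root included) that others can write to."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode says nothing about its target
            if st.st_mode & stat.S_IWOTH:
                found.append(path)
    return sorted(found)


def drop_group_other_write(paths):
    """Clear group/other write bits; return (path, old_mode, new_mode) per change."""
    changed = []
    for path in paths:
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        new_mode = mode & ~(stat.S_IWGRP | stat.S_IWOTH)
        if new_mode != mode:
            os.chmod(path, new_mode)
            changed.append((path, oct(mode), oct(new_mode)))
    return changed


if __name__ == "__main__":
    # Report only; pass the forum directory as the first argument.
    for leftover in world_writable(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("still world-writable:", leftover)
```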
Title: Re:YaBB SE 1.5.5 Released!
Post by: marcnyc on January 23, 2004, 05:37:10 PM
Thanks a lot for clarifying... It would have been great if a readme came with the file that you can download from the download page, but anyway, thanks for the instructions... It seems to be extremely easy and well thought out... I can't seem to change my permissions to 777 but I guess that's a host-related thing so I should ask my host... Thanks again.
Title: Re:YaBB SE 1.5.5 Released!
Post by: marcnyc on January 23, 2004, 06:26:41 PM
Ok I resolved the issue with my host and I am not able to change the permissions to 777 but I still get an error from the script:

2: Unable to create 'index.php~': Permission denied


Any suggestions?
Title: Re:YaBB SE 1.5.5 Released!
Post by: Peter Duggan on January 23, 2004, 08:31:25 PM
If you really mean you're 'not able to change the permissions to 777', it's not surprising you're still getting errors. But you should still have the option of downloading the necessary files from your site, making the changes manually (more tedious than difficult!) and uploading them again... :-\
Title: Re:YaBB SE 1.5.5 Released!
Post by: marcnyc on January 23, 2004, 09:50:04 PM
That was a typo... I meant that now I AM ABLE to chmod to 777 and I did before applying the mod but I got that error... What could this depend on? I really don't wanna have to do it manually, especially because I have several installations of YaBB SE...
Title: Re:YaBB SE 1.5.5 Released!
Post by: [Unknown] on January 24, 2004, 11:42:26 AM
You need to at least temporarily chmod the /yabbse folder to 777 as well.

-[Unknown]
Title: Re:YaBB SE 1.5.5 Released!
Post by: marcnyc on January 25, 2004, 01:53:03 AM
Thank you. That was my problem.
Title: Re:YaBB SE 1.5.5 Released!
Post by: revolver_ocelot200 on January 25, 2004, 10:31:51 AM
I thought http://www.supermod.org was the one continuing yabbse? and boy was I convinced! that wiziwyg(?) guy is really committed to supermod, it's my first time to visit that again and boy... It's really evolving ha?

What's new in the SSI fix this update has by the way?
Title: Re:YaBB SE 1.5.5 Released!
Post by: [Unknown] on January 25, 2004, 04:13:06 PM
The supermod is by no means "continuing" YaBB SE.

I'm sorry but I'm not at liberty to spell out the problems with SSI.php :P.

-[Unknown]
Title: Re:YaBB SE 1.5.5 Released!
Post by: David on January 25, 2004, 06:51:55 PM
Quote
I thought http://www.supermod.org was the one continuing yabbse? and boy was I convinced! that wiziwyg(?) guy is really committed to supermod, it's my first time to visit that again and boy... It's really evolving ha?

Supermod is in no way affiliated with the YaBB SE project beyond them just choosing to use our software to base their system off of.
Title: Re:YaBB SE 1.5.5 Released!
Post by: daddywolfe on January 29, 2004, 04:55:51 AM
Any recommendations for making this update on a board running 1.5.4 with the supermod SM0817R5?

I have a couple of these boards like that, although one seems to have some strange problems already.  Both are identical, but one is causing the server to hang and core dump due to an unclosed process that runs for up to 15 minutes.  Almost always it will show in the error log for the server that yabbse tried to load an active x update for mplayer off a ms update server that has been moved.  I want to update the security but I'm afraid with this one that my problem could get worse.  The board was moved to our most stable server and given enough space that it wouldn't cause core dumps as much, but it's still having this problem.
Title: Re:YaBB SE 1.5.5 Released!
Post by: Peter Duggan on January 29, 2004, 12:18:32 PM
Quote
Any recommendations for making this update on a board running 1.5.4 with the supermod SM0817R5?

Please ask at supermod.org, where you might even find your question already answered:

http://www.supermod.org/community/index.php?board=3;action=display;threadid=1670;start=0
Title: Re:YaBB SE 1.5.5 Released!
Post by: Yvette on January 31, 2004, 06:23:41 AM
Even with this latest fix, some of my users are still reporting that when they request a change of password, their email program rejects the message saying that it contains a virus ..(Outlook 'CR' Vulnerability).

Also, sometimes I get bounce backs from their mail servers:

Quote
Subject: WARNING YOU MAY HAVE A VIRUS
The virus software on ***.net has reported that you sent a virus with the subject "Account Information" to:
someone@***.net.  The E-mail containing the virus has been removed to prevent further damage.

[Outlook 'CR' Vulnerability] was found in file: [No attachment]

Was this upgrade supposed to fix this problem? I noticed the change to the sendmail function in Subs.pl. Is there anything else that I can try?

Yvette
Title: Re:YaBB SE 1.5.5 Released!
Post by: Peter Duggan on January 31, 2004, 11:39:21 AM
Quote
Was this upgrade supposed to fix this problem?

Basically no, because it's not a known problem. In fact, I've just tested the 'forgot password?' function with a live 1.5.4 board (with SSI.php deleted) that hasn't been upgraded yet, and found no problem with the emails.

Quote
I noticed the change to the sendmail function in Subs.pl.

You mean Subs.php, as detailed in the changelog at http://sourceforge.net/project/shownotes.php?release_id=210608?

Quote
Is there anything else that I can try?

Are you absolutely certain that there's no problem with your server or nobody is spoofing your email address? A standard YaBB SE doesn't send out emails with the subject 'Account Information', you see...
Title: Re:YaBB SE 1.5.5 Released!
Post by: daddywolfe on January 31, 2004, 01:25:32 PM
He's right about the board not sending out anything like that.  Even the supermod doesn't do that.  We host several se 1.5.4 boards configured with sm 187, and we have never had anything like this.  Also, we run two se 1.5.5 boards, never seen it with those either, as well as one se 1.5.5 board with sm 204 (for testing) and haven't seen it with those.  The odds are somebody is spamming using your board's email address.
You can check with wiziwig at supermod, but my check of the original code doesn't indicate anything to cause this.
Is your board running on an IIS server?  I find it extremely hard to believe the idea that a unix server could be infected with a virus that would show up on a Windows system.  Also, what mods are you running in your board and where did you get them?
And did you modify the message the board sends the password in?  I know that some word patterns will trigger my spam blocker, even though it is legitimate email.
Just some things I would take a look at.
Title: Re:YaBB SE 1.5.5 Released!
Post by: [Unknown] on January 31, 2004, 07:42:58 PM
It's not a virus, it's an exploit.  Outlook is detecting an exploit in the email....

YaBB SE doesn't even send HTML emails.  Supermod, however, does... but, still, that shouldn't contain any exploits...

-[Unknown]
Title: Re:YaBB SE 1.5.5 Released!
Post by: Yvette on February 02, 2004, 07:53:29 AM
Quote
It's not a virus, it's an exploit.  Outlook is detecting an exploit in the email....

YaBB SE doesn't even send HTML emails.  Supermod, however, does... but, still, that shouldn't contain any exploits...

-[Unknown]

Is there any way that I can reformat the mail headers in Subs.pl so that this exploit isn't there?

Reply to daddywolfe & Peter:

Yes, I meant Subs.php, as detailed in the changelog at http://sourceforge.net/project/shownotes.php?release_id=210608?

Also, I have changed the subject line for forgotten passwords to be Account Information. Is that considered a security risk for anyone trying to monitor email packets or whatever on the Internet.. ?

I have other programs that send email out, such as the latest version of formmail.php. I've never received bounce backs from email sent via these programs. I also used to run Majordomo on my server, and again, I never received bouncebacks. If I knew enough about mail headers, I would use the way formmail.php generates headers to modify Subs.php, but I don't have a way to test it, to verify that I fixed the problem.

I have 26,000+ members who signed up over the last couple of years, and this problem occurs with only some of them. If I had to guess, I'd say 2-3%.

This latest guy who had the problem wrote me to say that he was trying to get a new password, but his virus protection software kept reporting that I (YaBB Se) was sending him a virus. I received the bouncebacks from his attempts. I then tried to modify a couple of headers, resent his password, and received the bounceback an instant later.

Rather than sending further "virus" emails, I manually changed his password in his profile and sent it to him via my regular email account, asking if I could use his account to test to see if I could come up with a fix.. but I haven't heard back. Who in their right mind would let a stranger send email to them when their email program says the email contains a virus?

I'm not using Supermod, and no mods that modify the sendmail function in Subs.pl. Yes, I modified the actual message in the password reminder slightly, but I think this problem occurs with a small percentage of all email sent out via YaBB SE.. such as notifications.

I'd appreciate any further suggestions.. here's some info I found about the vulnerability:

"Outlook 'CR' Vulnerability: This vulnerability occurs when an E-mail contains a single 'CR' character within the E-mail headers (as opposed to a 'CR' followed by an 'LF', which is used to end a line in SMTP). Outlook can treat this as the end of the headers, which would allow Outlook to see a virus that was embedded in the headers. There is no legitimate reason for an E-mail to contain a lone 'CR' in the headers." http://www.thecoaproject.com/bugreport.php

See also: http://www.securitytracker.com/alerts/2002/Feb/1003546.html

Sorry if this message should have been posted somewhere else. I was hoping the latest upgrade would include a fix for this.

Am I really the only one who has had this problem? I thought that maybe it was a matter of removing one of the instances of \r\n. What is LF?

Yvette
Title: Re:YaBB SE 1.5.5 Released!
Post by: [Unknown] on February 02, 2004, 09:56:54 AM
Could be just that - I know I would delete any email I receive with "Account Information" as the subject right off.

Again, it's not Subs.pl.  You're gonna start confusing people if you keep saying that :P.  It's Subs.php...

As far as the vulnerability you're talking about... sounds like your mail server sucks.  You're supposed to send \r\n to the server, and YaBB SE does - so your mail server is stripping it or something.  If that's the vulnerability... well, that shouldn't be YaBB SE either.

CR = \r, LF = \n.  They should always be in pairs. (CRLF aka \r\n)

-[Unknown]
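
The CR/LF pairing discussed in the last two posts, as an added example (not part of the original posts and not code from Subs.php): given the raw bytes of a message as it was received, it reports every lone CR or lone LF in the header block, and shows headers being joined with CRLF only. The function names and the sample message are constructed for illustration.

```python
import re

LONE_CR = re.compile(rb"\r(?!\n)")    # CR not followed by LF
LONE_LF = re.compile(rb"(?<!\r)\n")   # LF not preceded by CR
ANY_EOL = re.compile(rb"\r\n|\r|\n")
EOL_RUN = re.compile(r"[\r\n]+")

# Constructed sample: the Subject line ends in a lone CR.
SAMPLE_BAD = (b"From: forum@example.org\r\nTo: user@example.net\r\n"
              b"Subject: Account Information\rX-Mailer: constructed\r\n"
              b"\r\nYour new password is ...\n")
SAMPLE_GOOD = SAMPLE_BAD.replace(b"Information\r", b"Information\r\n")


def header_block(raw):
    """Return the headers, up to and including the blank separator line."""
    m = re.search(rb"\r?\n\r?\n", raw)
    return raw if m is None else raw[: m.end()]


def find_lone_line_endings(raw):
    """Return [(kind, offset, header_line)] for each lone CR or LF in the headers."""
    headers = header_block(raw)
    hits = []
    for kind, pattern in (("CR", LONE_CR), ("LF", LONE_LF)):
        for m in pattern.finditer(headers):
            line = len(ANY_EOL.findall(headers, 0, m.start())) + 1
            hits.append((kind, m.start(), line))
    return sorted(hits, key=lambda hit: hit[1])


def build_headers(pairs):
    """Join (name, value) pairs with CRLF; CR/LF inside a value becomes a space.

    Values are assumed to be ASCII in this sketch.
    """
    lines = [f"{name}: {EOL_RUN.sub(' ', value).strip()}" for name, value in pairs]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


if __name__ == "__main__":
    print("bad :", find_lone_line_endings(SAMPLE_BAD))
    print("good:", find_lone_line_endings(SAMPLE_GOOD))
```

Running the check on a copy saved at the sending server and on a copy saved at the recipient's side shows whether the lone CR was there when the forum handed the message over or appeared in transit.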
Title: Re:YaBB SE 1.5.5 Released!
Post by: QM on February 05, 2004, 04:32:13 PM
Being a complete numpty, why do I receive an unable to access index.php when performing the 1.5.4 to 1.5.5 package update ::)
Title: Re:YaBB SE 1.5.5 Released!
Post by: [Unknown] on February 05, 2004, 08:26:43 PM
As said above, you need to chmod a few things to 777 for it to work.

-[Unknown]