Dan Admin / Developer
Joined: 19 Feb 2001 Posts: 2057
Posted: Tue Jul 17, 2001 3:17 pm
I have updated the distribution copies of MyCalendar v2.01 and D-Man v1.12 to fix some rather large security holes where someone could spoof a valid session and gain access to admin functionality (not all of it, but enough to be dangerous).
The fixes are relatively simple. You may either download a new copy or make the changes yourself.
MyCalendar:
In index.php, add the following two lines after line 3 (include("./session.".$phpEX);):
Code:
unset($user_id);
unset($sess_username);

D-Man:
In index.php, add the following two lines after line 3 (include("./session.".$phpEX);):
Code:
unset($user_id);
unset($sess_username);

In download.php, add the following two lines after line 4 (include("./session.".$phpEX);):
Code:
unset($user_id);
unset($sess_username);
That is all that needs to be changed to patch up this immediate area of concern. Of course, I will need to place extra emphasis on testing to make sure there are not similar risks still out there.
The re-release of D-Man v1.12 includes some improvements that were being saved for the next release.
Cheers,
Dan
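The post above gives the two-line fix without saying what it defends against. The script below is an added example, not code from MyCalendar or D-Man, and it rests on two assumptions the thread does not state: that the hole came from PHP 4's register_globals (every GET/POST/cookie parameter became a PHP global before the script ran, so a request such as index.php?user_id=1&sess_username=admin set those variables itself), and that $user_id and $sess_username were only assigned later in the script when session.php had found a valid session. The functions register_globals() and admin_allowed(), the session row layout and the constructed requests are all hypothetical; the script simulates one request through an admin gate with and without the posted unset() lines.

```php
<?php
// Added example, not MyCalendar or D-Man code. Assumes (a) PHP 4 register_globals
// turned request parameters into globals before the script ran, and (b) the
// real user variables were assigned later only when a valid session existed.

// Simulates what register_globals did implicitly for GET/POST/cookie data.
function register_globals(array $request)
{
    foreach ($request as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// One request through the admin check. $session_row is the row session.php would
// have looked up for the request's session cookie (null = no session at all).
// $patched adds the two unset() lines from the posted fix right after the include.
function admin_allowed(array $request, $session_row, $patched)
{
    unset($GLOBALS['user_id'], $GLOBALS['sess_username']); // fresh request
    register_globals($request);

    // include("./session." . $phpEX); would run here. Then the posted fix:
    if ($patched) {
        unset($GLOBALS['user_id']);
        unset($GLOBALS['sess_username']);
    }

    // Assumed shape of the later code: the globals are assigned only for a
    // session that was actually found. With no session they are left alone,
    // which is exactly what lets a request-supplied value survive unpatched.
    if ($session_row !== null) {
        $GLOBALS['user_id'] = $session_row['user_id'];
        $GLOBALS['sess_username'] = $session_row['username'];
    }

    // The admin gate, trusting the globals (hypothetical: admin is user_id 1).
    return isset($GLOBALS['user_id']) && $GLOBALS['user_id'] == 1;
}

// Constructed inputs: a forged request carrying no session cookie at all,
// and a genuine admin session row.
$forged     = array('user_id' => '1', 'sess_username' => 'admin');
$real_admin = array('user_id' => 1, 'username' => 'dan');

assert(admin_allowed($forged, null, false) === true,  'unpatched: spoofed admin gets in');
assert(admin_allowed($forged, null, true)  === false, 'patched: forged globals discarded');
assert(admin_allowed(array(), $real_admin, true) === true, 'patched: real session still works');
echo "all checks passed\n";
```

Run it with any PHP CLI that still honours $GLOBALS element writes (PHP 5 through 8 do). The unset() placement matters: it must sit after the include but before anything that reads the variables, and every entry script that trusts them needs it, which is why the post patches index.php and download.php separately. The durable fix is to turn register_globals off (or run a PHP that no longer has it) and read identity only from $_SESSION, so that no request parameter can ever alias an application variable.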
Dan Admin / Developer
Posted: Wed Jul 25, 2001 10:38 am
Regarding the MyCalendar v2.01.1 security update:
The distribution is missing three files (calendar.php, calendar_mini.php, and view_full_year.php) that were included in v2.01 but removed (renamed) in preparation for v2.1 and inadvertently omitted in the security update.
As such, v2.01.2 has been released with these three files included. Those of you who downloaded v2.01.1 have been notified directly.
My apologies for any confusion this may have caused.
Cheers,
Dan
Dan Admin / Developer
Posted: Wed Jul 25, 2001 12:40 pm
Also, if MyCalendar v2.01.1 was your initial installation, you will need to add the Category field to the Calendar table like in the corrected mysql_table_structure.sql file. Alternatively, if you have not added any events/users/categories to the table, you can simply drop the calendar tables and re-create them according to mysql_table_structure.sql.
Cheers,
Dan
Dan Admin / Developer
Posted: Wed Aug 29, 2001 10:50 am
Another update has been made to MyCalendar v2.01 and D-Man v1.12 to fix a bug that could allow users to log in who have not yet confirmed their account by clicking on the link in the confirmation email. The distribution files have been updated accordingly.
The affected files are index.php in D-Man and do_login.php in MyCalendar. If you would rather make the changes yourself, here is what you need to do:
D-Man (index.php):
Lines 103-105 should be changed to:
Code:
if ($myrow["is_confirmed"] == 2) {
    $txt = "Your account is pending admin approval. You will be notified when it is ready for use.";
} elseif ($myrow["is_confirmed"] == 0) {
    $txt = "You have not yet confirmed your email address by clicking on the link in your confirmation email.";
} else {
MyCalendar (do_login.php):
Lines 15-17 should be changed to:
Code:
if ($myrow["is_confirmed"] == 2) {
    $txt = $L_account_pending;
} elseif ($myrow["is_confirmed"] == 0) {
    $txt = "You have not yet confirmed your email address by clicking on the link in your confirmation email.";
} else {
Cheers,
Dan
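The posted fix adds the missing check for an unconfirmed e-mail address, but its final else branch still logs in any is_confirmed value that is neither 0 nor 2. The script below is an added example, not MyCalendar or D-Man code: it wraps the posted logic in a function and sets a fail-closed variant beside it that only accepts the exact confirmed value and denies everything else (NULL, an unexpected number, a corrupted column). That 1 means "confirmed" is an assumption, as are the function names, the state labels and the constructed rows.

```php
<?php
// Added example, not MyCalendar or D-Man code. Assumes is_confirmed uses
// 0 = e-mail unconfirmed, 2 = pending admin approval (both from the post) and
// 1 = confirmed (assumed; the post only shows "else").

// The gate exactly as posted: anything other than 0 or 2 logs in.
function login_state_as_posted(array $myrow)
{
    if ($myrow['is_confirmed'] == 2) {
        return 'pending_admin_approval';
    } elseif ($myrow['is_confirmed'] == 0) {
        return 'email_unconfirmed';
    } else {
        return 'logged_in';
    }
}

// Fail-closed variant: only the one confirmed value logs in; a missing column,
// NULL, a non-numeric string or any unlisted number is denied outright.
function login_state_fail_closed(array $myrow)
{
    if (!isset($myrow['is_confirmed']) || !is_numeric($myrow['is_confirmed'])) {
        return 'denied_unknown_state';
    }
    switch ((int) $myrow['is_confirmed']) {
        case 1:  return 'logged_in';
        case 2:  return 'pending_admin_approval';
        case 0:  return 'email_unconfirmed';
        default: return 'denied_unknown_state';
    }
}

// Constructed rows standing in for $myrow from the users table.
$confirmed   = array('is_confirmed' => 1);
$unconfirmed = array('is_confirmed' => 0);
$pending     = array('is_confirmed' => 2);
$garbage     = array('is_confirmed' => 7);     // value the schema never assigns
$missing     = array('is_confirmed' => null);  // e.g. column added after the row

// Both agree on the three documented states.
assert(login_state_as_posted($confirmed)   === 'logged_in');
assert(login_state_as_posted($unconfirmed) === 'email_unconfirmed');
assert(login_state_as_posted($pending)     === 'pending_admin_approval');
assert(login_state_fail_closed($confirmed)   === 'logged_in');
assert(login_state_fail_closed($unconfirmed) === 'email_unconfirmed');
assert(login_state_fail_closed($pending)     === 'pending_admin_approval');

// They differ on anything unexpected: the posted else branch lets it through.
assert(login_state_as_posted($garbage)     === 'logged_in');
assert(login_state_fail_closed($garbage)   === 'denied_unknown_state');
assert(login_state_fail_closed($missing)   === 'denied_unknown_state');
echo "all checks passed\n";
```

The general rule the second function applies is to enumerate the states that grant access and deny by default, rather than enumerating the states that deny and granting by default; the latter has to be re-audited every time a new state value is introduced, which is exactly how the unconfirmed-account bug in this thread arose.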
Dan Admin / Developer
Posted: Sun Sep 02, 2001 3:26 pm
MyCalendar v2.01.4 has been released to correct an error in the v2.01.3 release... The language files were accidentally updated to a version in progress which handles the confirmation email section differently, making the confirmation for account creations break down.
The latest version history can be found here:
http://AccountBiller.com/scripts/vhistory_MyCalendar.php
Cheers,
Dan