Worked for me, but I *did* have to CHMOD the file back to whatever it was before I changed it. Besides, that only stopped me activating and deactivating extensions
@PassingShot: Are you sure you did it correctly? My extensions.php file looks like this:
<?php
// Make sure this file was not accessed directly and prevent register_globals configuration array attack
if (!defined('IN_VANILLA')) exit();
// Enabled Extensions
Just one thing, Mark, isn't that entire file rewritten each time extensions are enabled/disabled? Or does vanilla just cut out lines and add lines as necessary?
I don't believe it is, mini. You'll notice that in /library/Framework/Framework.Control.ExtensionForm.php, the extension file is read into an array, and inclusion lines are added/deleted from the array to enable/disable extensions.
Can I get Vanilla 1.0.1 still? I would like to use some of the extensions that are only compatible with 1.0.1 or am I missing something and 1.3 does actually run backward extensions????
HELP!
@finferflu: When you look in appg/settings.php, do you see a line which looks like the following?
define('IN_VANILLA', 1);
If not, then that's your problem.
Nope, I haven't got that line! I've added it at the end, obviously before ?>, then tried again with if (!defined('IN_VANILLA')) exit(); in /conf/extensions.php, but I still get the blank page... Maybe there's something else to do, which I completely ignore...
1 is there any .htaccess solution for this?
2 when we download extension from Vanilla addons ... is there this line added already ?
3 what versions are vulnerable? and can we download old versions of the script?
4 what hacker can do using this line injection (not how)
thanks
If you read the blog post it gives you a better insight into the problem. Using htaccess is no help in this case, extensions contain the line if their authors have added it (all authors were emailed saying to update their extensions if necessary - I guess if they haven't all been updated as appropriate in a week or so I'll go through and do any that need it), versions below 1.0.3 are vulnerable, and hackers can do pretty much whatever they want (it allows them to execute their own php script on your server) assuming register_globals is enabled (if it's not you don't *need* to worry about it).
@Finferflu - make sure that your appg/settings.php file contains:
define('IN_VANILLA', '1');
If it doesn't, then you didn't upload the new appg files properly, and that would cause the change to your conf/settings.php file to cause the entire forum to load blank.
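An added example, not part of the thread and not Vanilla's own code: a Python audit of the two conditions discussed above, that appg/settings.php defines IN_VANILLA and that each PHP file under conf/ and extensions/ has the guard as its first statement. The extensions/ directory name, the sample file contents and the function names are assumptions made for the example.

```python
import re
import tempfile
from pathlib import Path

# The guard and the constant definition quoted in the thread.
GUARD = re.compile(r"if\s*\(\s*!\s*defined\(\s*['\"]IN_VANILLA['\"]\s*\)\s*\)\s*(exit|die)\b")
DEFINE = re.compile(r"define\(\s*['\"]IN_VANILLA['\"]\s*,")

def first_statement_is_guard(php_source):
    """True only if the guard runs before any other statement in the file."""
    body = re.sub(r"/\*.*?\*/", "", php_source, flags=re.S)   # block comments
    body = re.sub(r"(//|#)[^\n]*", "", body)                  # line comments
    body = re.sub(r"^\s*<\?php", "", body, count=1).lstrip()
    return GUARD.match(body) is not None

def audit(root):
    """Return findings for an install rooted at `root`."""
    root = Path(root)
    findings = []
    settings = root / "appg" / "settings.php"
    if not (settings.is_file() and DEFINE.search(settings.read_text(errors="replace"))):
        findings.append("appg/settings.php: IN_VANILLA not defined, guarded files will exit (blank page)")
    for sub in ("conf", "extensions"):   # "extensions" directory name is an assumption
        if not (root / sub).is_dir():
            continue
        for path in sorted((root / sub).rglob("*.php")):
            if not first_statement_is_guard(path.read_text(errors="replace")):
                findings.append(f"{path.relative_to(root).as_posix()}: guard is not the first statement")
    return findings

def demo(define_constant=True):
    """Audit a constructed sample tree (file contents are made up for the example)."""
    guard = "<?php\n// Make sure this file was not accessed directly\nif (!defined('IN_VANILLA')) exit();\n"
    files = {
        "appg/settings.php": "<?php\ndefine('IN_VANILLA', '1');\n" if define_constant else "<?php\n",
        "conf/extensions.php": guard + "// Enabled Extensions\n",
        "extensions/Guarded/default.php": guard + "$Example = 1;\n",
        "extensions/LateGuard/default.php": "<?php\n$Example = 1;\nif (!defined('IN_VANILLA')) exit();\n",
        "extensions/NoGuard/default.php": "<?php\n$Example = 1;\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in files.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text)
        return audit(tmp)

if __name__ == "__main__":
    print("\n".join(demo()))
```

A file flagged here is one to open and review by hand; the comment stripping is a simplification that only needs to be right for the top of the file.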
I have a little problem in that the extensions page does not show the extensions that I have activated. And also, the Pimped extension doesn't work, but maybe I have to download a new version.
<?php
// Make sure this file was not accessed directly and prevent register_globals configuration array attack
if (!defined('IN_VANILLA')) exit();
// Enabled Extensions
... followed by my enabled extensions...
Yes, I've tried to CHMOD to 666, 665 and 777, but no result.
@ SirNot:
That's what it says with your code: Thank you guys so far.