Delete this post. I wrote some code but your f****ng parser killed it.
Private Messaging (0.80)
Version: 0.80
Last Updated: 2009-9-1
Requires bbPress Version: .80 or higher
Compatible up to: .80
Author: Joshua Hutchins
Posted: 3 years ago #
For everyone interested... I was looking to add a "PM THIS USER" link to my profile pages. I followed the steps outlined by wittmania in the first post on page one, but the fact that I'm using pretty permalinks was causing some conflict.
The only fix I had to make was to the pm_profile_link function he has you insert. I swapped it out with this:
function pm_profile_link() {
    global $user; // the profile being viewed; bbPress profile templates set this global
    echo '<a href="';
    bb_option('uri'); // bb_option() echoes the site URI, which already ends in a slash
    echo 'pm.php?new=1&receiver=' . get_user_name( $user->ID ) . '">Send a private message to ' . get_user_name( $user->ID ) . '</a>';
}
Worked for me like a champ.
Posted: 3 years ago #
If you installed Detective's fixed plugin and see that all your messages are gone, simply execute this php code somewhere ONCE:
<?php
global $bbdb;
// adds the two "deleted" flag columns Detective's version expects
mysql_query("ALTER TABLE " . $bbdb->prefix . "privatemessages ADD del_receiver TINYINT(4) NOT NULL default '0'");
mysql_query("ALTER TABLE " . $bbdb->prefix . "privatemessages ADD del_sender TINYINT(4) NOT NULL default '0'");
?>
It should fix the problem.
Posted: 3 years ago #
Does anyone know how to get gravatars showing? I tried both of these:
<?php post_author_avatar($pmmessage->id_sender); ?>
and
<?php post_author_avatar(); ?>
but they don't work.
Posted: 2 years ago #
Yeah, I just took the gravatar out on private messaging so it only shows the person's name, no image. I couldn't figure it out either. Now I use the Avatar Upload plug-in... does anyone know the code you use if you're using the Avatar Upload plug in and you want the user's avatar to show next to the private messages?
Posted: 2 years ago #
Never mind, found the solution a few posts back.
Posted: 2 years ago #
Hi, I am getting an error: Fatal error: Call to undefined function pm_fp_link() in /www/1stfreehosting.com/g/r/i/grievous666/htdocs/forum/bb-templates/kakumei/front-page.php on line 73
Can you guys help me? Thanks.
Posted: 2 years ago #
I use free webhosting and I have made a database, if you need to know that.
Site URL: http://grievous666.1stfreehosting.com/forum/
Posted: 2 years ago #
Has anyone fixed line breaks in this plugin?
I don't really care about bold, URLs, underlining etc., but I think it should keep the original line breaks...
Posted: 2 years ago #
Unfortunately I found a serious XSS vulnerability in the PM message plugin that could lead to stealing of admin cookies. Please email me as I do not wish to post details here: overide (at) securityoveride.com.
Thanks, Overide
Posted: 2 years ago #
I'm curious to find out what it is.
There's sloppy code all over this plugin, where it fetches the entire row for users when only the ID or login name is needed and unsanitized use of $_GET and $_POST that's fed directly into queries.
My bet would be on message.php.
In theory someone could also retrieve email from/to anyone via some of the code in this based on a quick glance, no security checks?
PS: I am looking at the original and not Detective's mod, but still.
Posted: 2 years ago #
Just to clarify, the XSS vulnerability is in the original; I have not checked Detective's modded version.
I have been playing around with it all day and it is completely possible to steal administrator password cookies without the admin's knowledge and log in as an administrator with this plug-in.
Personally I would uninstall this plug-in and change your admin account passwords immediately until it's fixed, and if you don't want to uninstall it, at the very least change your admin password and do not open any PM messages sent to an admin account.
I hate being the bearer of bad news and please don't shoot the messenger; I really liked this plug-in till I found this vulnerability :(
Posted: 2 years ago #
This whole plugin is a security nightmare.
If what I am seeing is correct, you can delete any message, by any user, by just changing the URL.
$_GET data is injected into MySQL queries without checks or escaping.
There are no sanity checks. That's insane and very dangerous.
People need to stop using this plugin asap.
Posted: 2 years ago #
Yeah, it's a shame. I really wanted PM capability on my forum, but as it is now this one is too risky. WordPress and bbPress do a great job of keeping up to date and making secure software, but if you install a plug-in with a security risk you're compromising your whole web server. I haven't seen the original poster of this plug-in make any changes in a while, but if someone wants to take a look at the code and see what they can fix, email me and I would be glad to go over the security issues I found with you.
This plug-in is a great idea and obviously someone put a lot of time and effort into it. It just needs some security fixes, that's all.
Posted: 2 years ago #
I believe the bulk of the insecurity can be fixed in one area.
I am testing a quick fix now with a client. Detective's mod fixes a few general issues but not the critical ones.
Posted: 2 years ago #
Good deal.
If you could post what you fixed that would be great. Like I said, I really did want PM capabilities for my forum.
Posted: 2 years ago #
Trying to install Detective's modded version on my beta site and I get the following database errors:
DB Error in get_pms: Unknown column 'del_receiver' in 'where clause'
SELECT * FROM bb_privatemessages WHERE id_receiver = '3' AND del_receiver= '0' ORDER BY created_on DESC
DB Error in get_sent_pms: Unknown column 'del_sender' in 'where clause'
SELECT * FROM bb_privatemessages WHERE id_sender = '3' AND del_sender = '0' ORDER BY created_on DESC
Using bbPress alpha. Anyone have a fix for this?
EDIT: never mind, fixed the database error.
Posted: 2 years ago #
merlin, if you want to try my quick security fix for the original plugin, try replacing (around line 100) the entire function
function pm_new_message( $id_receiver, $id_sender, $pmtitle, $message ){ ... }
with this:
function pm_new_message( $id_receiver, $id_sender, $pmtitle, $message ) {
    global $bbdb, $bb_table_prefix;
    $created_on = bb_current_time('mysql');
    // the two ids must be integers
    $id_receiver = intval($id_receiver);
    $id_sender   = intval($id_sender);
    // title: markup stripped, capped at 64 characters
    $pmtitle = substr(strip_tags($pmtitle), 0, 64);
    // body: capped at 2048 characters, then run through the same filter chain as forum posts
    remove_filter('pre_post', 'post_regulation');
    $message = substr($message, 0, 2048);
    $message = force_balance_tags($message);
    $message = apply_filters('pre_post', $message, 0, 0);
    $message = apply_filters('post_text', $message, 0);
    // note: the strings are interpolated into the query as-is, so this relies on the
    // request data already carrying the slashes bbPress adds to $_POST/$_GET
    $bbdb->query("INSERT INTO " . $bb_table_prefix . "privatemessages (id_sender, id_receiver, pmtitle, message, created_on) VALUES ('$id_sender', '$id_receiver', '$pmtitle', '$message', '$created_on')");
}
This patch should in theory make it virtually completely sanitized (but still not completely validated, unfortunately) and has the added bonus that most other plugins that affect posts, like bb-smilies etc., should work inside PMs.
Posted: 2 years ago #
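An added example for the two problems raised a few posts up (the delete that any user can trigger by changing the URL, and request values pasted straight into queries) and for the insert that _CK_'s patch hardens. This is not the plugin's code or _CK_'s patch: it uses PDO bound parameters against an in-memory SQLite table instead of bbPress's $bbdb and its slash-escaped request data, so the function names (pm_new_message_safe, pm_delete_owned, pm_render_message), the table layout and the sample messages are all assumptions constructed for the demo.

```php
<?php
// Added example, not the plugin's code: the defect shapes the thread describes
// next to hardened versions, plus output escaping for the XSS side. Runs
// stand-alone against an in-memory SQLite database through PDO. Table and column
// names mirror the thread (privatemessages, id_sender, id_receiver, pmtitle,
// message); all data below is constructed for the demo.

function pm_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE privatemessages (
        id          INTEGER PRIMARY KEY AUTOINCREMENT,
        id_sender   INTEGER NOT NULL,
        id_receiver INTEGER NOT NULL,
        pmtitle     TEXT    NOT NULL,
        message     TEXT    NOT NULL)');
    return $db;
}

// Hardened insert: ids coerced to int, title stripped of tags and capped at 64
// characters, body capped at 2048, and every value bound as a parameter so a
// quote in the title cannot alter the statement.
function pm_new_message_safe(PDO $db, $id_receiver, $id_sender, $pmtitle, $message): int {
    $stmt = $db->prepare('INSERT INTO privatemessages (id_sender, id_receiver, pmtitle, message)
                          VALUES (:s, :r, :t, :m)');
    $stmt->execute([
        ':s' => (int) $id_sender,
        ':r' => (int) $id_receiver,
        ':t' => substr(strip_tags($pmtitle), 0, 64),
        ':m' => substr($message, 0, 2048),
    ]);
    return (int) $db->lastInsertId();
}

// The delete shape the thread complains about: the id from the URL is the only
// condition, so the caller's identity never enters the query.
function pm_delete_unchecked(PDO $db, $get_id): int {
    return $db->exec("DELETE FROM privatemessages WHERE id = $get_id");
}

// Hardened delete: ownership is part of the WHERE clause, so the row goes away
// only when the acting user is its sender or receiver. Returns rows deleted.
function pm_delete_owned(PDO $db, $get_id, int $current_user): int {
    $stmt = $db->prepare('DELETE FROM privatemessages
                          WHERE id = :id AND (id_sender = :u1 OR id_receiver = :u2)');
    $stmt->execute([':id' => (int) $get_id, ':u1' => $current_user, ':u2' => $current_user]);
    return $stmt->rowCount();
}

// Output side of the XSS: escape when rendering, so markup stored in a message
// is shown as text in the reader's browser instead of being interpreted.
function pm_render_message(array $row): string {
    return '<h3>' . htmlspecialchars($row['pmtitle'], ENT_QUOTES, 'UTF-8') . '</h3>'
         . '<p>'  . htmlspecialchars($row['message'], ENT_QUOTES, 'UTF-8') . '</p>';
}

$db = pm_db();
// Constructed message from user 1 to user 2: a quote in the title, a script tag in the body.
$id = pm_new_message_safe($db, 2, 1, "O'Brien's <b>reply</b>", '<script>alert(1)</script> hello');

$stmt = $db->prepare('SELECT * FROM privatemessages WHERE id = :id');
$stmt->execute([':id' => $id]);
echo pm_render_message($stmt->fetch(PDO::FETCH_ASSOC)), "\n";

echo "user 3 deleting (not a party): ", pm_delete_owned($db, $id, 3), " row(s)\n";
echo "user 2 deleting (receiver):    ", pm_delete_owned($db, $id, 2), " row(s)\n";

// Same message again; the unchecked form removes it no matter who asks.
$id2 = pm_new_message_safe($db, 2, 1, 'second', 'body');
echo "unchecked delete by anyone:    ", pm_delete_unchecked($db, $id2), " row(s)\n";
```

The point of the two delete functions side by side is that the authorization check belongs in the query itself (or in a lookup immediately before it), not in whether the caller happened to know the id; and the render function shows that escaping at output time is what stops a stored script tag from running, independently of whatever filtering happened on the way in.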
Great, I'll give it a try, thanks.
Posted: 2 years ago #
_CK_, amazing job; that took care of all the XSS I found. To anyone else reading this, please update to _CK_'s fix immediately; if not, people can run scripts and hidden iframes and all other kinds of nasty stuff on your server.
Thanks again CK, great work.
Overide
Posted: 2 years ago #