no probs :).. it will not be even a week, probably could be tomorrow or saturday at latest.
if you want to do the edit manually.. in register.php
search for
@include_once ICMS_ROOT_PATH."/libraries/captcha/captcha.php")
around line 194
and replace with
@include_once ICMS_ROOT_PATH."/class/captcha/captcha.php")
Vaughn
Thanks. If the 1.1.2 release is going to happen in a week or so I do not want to waste your time. I can definitely wait for the release.
Thanks.
the patch in the thread mentioned, will not fix the captcha issue, because the captcha issue was unknown at the time i made that patch.
however it has been fixed in the 1.1.2 branch which will be released very soon.
in the meantime if you have updated your production site, i can zip up the 1.1.2 RC branch for you, and you can test & report back..
Thanks!!!
I'll pull down the patch and see if it fixes the problem. If it does I'll post back here for the benefit of the community in case anyone else is searching for an answer for this problem.
Yes, this can be a bug. See for more information here.
Hello,
I have a production site I just took up to 1.1.1. I have also repeated this on a clean install in my dev environment. I can go through the registration and not enter any text for the captcha and the site still registers the account.
Is this a known bug? Anyone else having this problem?
To just check I did a clean icms install again. And I'm still getting the same problem.
Hi Wilson.
Quote:
Yep, you're right! The issue occurred with different versions of xoops (including 2018) and with Impress 1 in different servers/countries.
Sorry if I did it in a wrong place.
PS. in order to not scare me to death, please next time send me a PM
Thank you Tom
Hi Wilson, eu não tenho acesso em sua mensagem original, enviar no meu e-mail ou do Rodrigo, please.
Translated for the benefit of English readers:
I do not have access to your original message, please send it to my e-mail or Rodrigo's.
Hi Wilson, I do not have access to your original message, please send it to my e-mail or Rodrigo's.
Hi Tom
Thanks for your reply.
No problem at all. I just came here in order to get some "words of wisdom" from our experts and trying to find out if the same happens to someone else.
Quote:
However I see you mention a world wide exploit so I assume it might not actually be ImpressCMS specific? if this is the case then I'm not sure why.
Hi Wilson.
It does appear your post was moved, the issue will be investigated to ensure there is no risk and if there is then a fix will be made promptly.
Thank you for bringing this to our attention!
I'm not yet sure who moved it, but please again accept my apologies.
Hi Wilson.
I'm not aware of any post being moved yet, however if it was then I would assume it was because we'd prefer not to have security risks publicly posted until we have a fix available for people to use, thus trying to minimise the risk to users' websites.
Basically the fewer people who know, the fewer people who might try to use the exploit.
However I see you mention a world wide exploit so I assume it might not actually be ImpressCMS specific? if this is the case then I'm not sure why.
I'm sure if it was moved the person who moved it will read this and reply or send you a message.
I'll also look into this for you, to get you an answer.
Please accept my apologies for the inconvenience.
Hi all
I've posted today something here on this forum regarding a possible world wide exploit and when I come back to read it I can't find my original post.
Did I do anything wrong or bad?
Thank you all
Very nice, objective, straight and with good guidance
Thanks for sharing.
Hi guys,
I stumbled on this yesterday: http://php.robm.me.uk/
It's a nice little PHP security guide which can help beginners get good information on how to protect your PHP code.
Cheers!
Quote:
Zaphod wrote:
Good stuff
Good stuff
Thanks for the excellent explanation Vaughan.
As one of the very cool features we have introduced in ImpressCMS 1.1, the password encryption is definitely something I feel we should be using on all our sites.
If there had been a way to use this awesome feature without having to ask everyone to reset their password, we would have done it. But there is unfortunately not a secure way to do this.
So, at the end of the day, we will all have to take 2 minutes of our time to reset our password once on this site to benefit from much more security. It goes without saying that we recommend every site that will be using ImpressCMS 1.1 to do so.
Although there is no way of protecting a site from 100% of hacking attempts, we feel that ImpressCMS 1.1 is the most secure version yet and we will keep improving it on a daily basis !
As usual, all comments are welcomed!
With regards to THIS news article relating to the upgrade of the ImpressCMS Support Websites.
With the upgrade to our latest Version 1.1 on the ImpressCMS network sites, this upgrade offers us an opportunity to use some specific features of 1.1 which will improve security of the site and also protect password hashes of users stored in the Database.
However, in order for us to be able to achieve this goal, after the upgrade we will need to change the password encryption method that the ImpressCMS network of sites will use.
At the moment users' passwords are stored in the Database using an md5 hash. Whilst the password is not plaintext, we know from past experience that md5 is no longer a secure method, and if the site is compromised, we can't guarantee that your encrypted password will be safe from decryption.
I am proposing that we change the encryption on the sites to use a more secure method which is now available in version 1.1.
The new encryption to use I would say would either be sha256 or sha512 encryption and will use 2 separate Salt keys of 64 characters each giving added protection, 1 of those being that users with the same password (it does happen) will not in future have the same password hash, hence further security in that regard.
In order to achieve this, once the encryption is changed on the site, every user account on the site will have their current password expired, which means autologin and password managers will fail (until they reset their password).
ImpressCMS 1.1 makes allowances for this, and upon 1st logging in after upgrade you will be presented with a password expired/reset password screen.
the screen is self explanatory, but in order for your password to be reset and hence allowing you to login you must fill out the form correctly. (see attached screenshot below)
You must enter the following information in order to reset your password.
1. Username.
2. Email address (the email address that is registered to that username).
3. Current password (this is your current password)
4. new password (this will be your new password which you will use to login again - it can be the same password as your previous password, but is required in order to create a new salted password hash)
once complete, an email will be sent to the registered email address confirming that your password has been reset.
you can then login with your new password.
please discuss if you think we should go ahead with this move, and feel free to ask any questions regarding this move.
thanks
The ImpressCMS Team.
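The reset flow described in this announcement, as an added example that is not ImpressCMS code and not part of the original post: it checks the current password against the expired md5 hash, then stores a salted SHA-256 hash. It assumes one of the two 64-character salts is per-user and the other is a site-wide key; all function names, array fields and sample accounts are hypothetical.

```php
<?php
// Added illustration, not ImpressCMS code. Assumed: one 64-character salt is
// per-user, the other is a site-wide key. All names here are hypothetical.
define('SITE_KEY', str_repeat('0123456789abcdef', 4)); // constructed 64-char key

function legacy_hash(string $password): string {
    return md5($password); // old scheme from the post: unsalted md5
}

function salted_hash(string $password, string $userSalt, string $algo = 'sha256'): string {
    // Single pass of SHA-2 over site key + user salt + password, as the post proposes.
    return hash($algo, SITE_KEY . $userSalt . $password);
}

// Reset form: username is the lookup key; email and current password must match
// the stored record before a fresh salt and new hash replace the expired md5 one.
function reset_password(array $user, string $email, string $current, string $new): ?array {
    if (!hash_equals($user['email'], $email)) {
        return null;
    }
    if (!hash_equals($user['pass'], legacy_hash($current))) {
        return null;
    }
    $salt = bin2hex(random_bytes(32)); // 64 hex characters, unique per user
    return ['email' => $email, 'salt' => $salt,
            'pass' => salted_hash($new, $salt), 'expired' => false];
}

function verify_login(array $user, string $password): bool {
    if ($user['expired']) {
        return false; // expired accounts must go through the reset form first
    }
    return hash_equals($user['pass'], salted_hash($password, $user['salt']));
}

// Constructed sample accounts: two users who chose the same password.
$alice = ['email' => 'alice@example.test', 'pass' => md5('tr0ub4dor'), 'expired' => true];
$bob   = ['email' => 'bob@example.test',   'pass' => md5('tr0ub4dor'), 'expired' => true];
var_dump($alice['pass'] === $bob['pass']);      // compare the legacy md5 hashes

$alice2 = reset_password($alice, 'alice@example.test', 'tr0ub4dor', 'tr0ub4dor');
$bob2   = reset_password($bob, 'bob@example.test', 'tr0ub4dor', 'tr0ub4dor');
var_dump($alice2['pass'] === $bob2['pass']);    // compare the salted hashes
var_dump(verify_login($alice2, 'tr0ub4dor'));   // login with the re-entered password
var_dump(reset_password($bob, 'bob@example.test', 'wrong-guess', 'x')); // bad current password
```

Because the stored md5 value cannot be turned back into the password, the new hash can only be computed at the moment the user types the password in, which is why the post requires every account to pass through the reset form once.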