Re: Register Captcha on 1.1.1 not working

no probs :).. it will not be even a week, probably could be tomorrow or saturday at latest.

if you want to do the edit manually.. in register.php

search for

@include_once ICMS_ROOT_PATH."/libraries/captcha/captcha.php")

around line 194

and replace with

@include_once ICMS_ROOT_PATH."/class/captcha/captcha.php")

Live as if you were to die tomorrow, Learn as if you were to live forever

The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!


Re: Register Captcha on 1.1.1 not working

Vaughn

Thanks. If the 1.1.2 release is going to happen in a week or so I do not want to waste your time. I can definitely wait for the release.

Thanks.



Re: Register Captcha on 1.1.1 not working

the patch in the thread mentioned, will not fix the captcha issue, because the captcha issue was unknown at the time i made that patch.

however it has been fixed in the 1.1.2 branch which will be released very soon.

in the meantime if you have updated your production site, i can zip up the 1.1.2 RC branch for you, and you can test & report back..



Re: Register Captcha on 1.1.1 not working

Thanks!!!

I'll pull down the patch and see if it fixes the problem. If it does I'll post back here for the benefit of the community in case anyone else is searching for an answer for this problem.



Re: Register Captcha on 1.1.1 not working

Yes, this can be a bug. See for more information here.



Register Captcha on 1.1.1 not working

Hello,

I have a production site I just took up to 1.1.1. I have also repeated this on a clean install in my dev environment. I can go through the registration and not enter any text for the captcha and the site still registers the account.

Is this a known bug? Anyone else having this problem?

To just check I did a clean icms install again. And I'm still getting the same problem.



Re: To the moderators

  • 2008/12/10 2:37:58
  • Tom

Hi Wilson.

Quote:

Yep, you're right! The issue occurred with different versions of xoops (including 2018) and with Impress 1 in different servers/countries.

Sorry if I did it in a wrong place.



You did the right thing, I think perhaps it's not clear enough on the ImpressCMS websites how people should report security related issues.

I've just proposed we create a security related link in the sub headers of these sites which would direct to a form where users can make their reports or at minimum a page which would give clear information and advice on how to report security issues.

Quote:

PS. in order to not scare me to death, please next time send me a PM



I'm still not entirely sure who removed your post, but I'm looking into it, I've sent a mail to users with moderator access and requested that as a courtesy all users should be informed when their post is edited or removed.

Quote:

Thank you Tom



No problems

From Giba

Quote:

Hi Wilson, eu não tenho acesso em sua mensagem original, enviar no meu e-mail ou do Rodrigo, please.

Translated for the benefit of English readers:

I do not have access to your original message, send it to my e-mail or Rodrigo's.



Re: To the moderators

Hi Wilson, I do not have access to your original message; please send it to my e-mail or Rodrigo's.

Giba


Re: To the moderators

Hi Tom

Thanks for your reply.

No problem at all. I just came here in order to get some "words of wisdom" from our experts and trying to find out if the same happens to someone else.

Quote:

However I see you mention a world wide exploit so I assume it might not actually be ImpressCMS specific? if this is the case then I'm not sure why.



Yep, you're right! The issue occurred with different versions of xoops (including 2018) and with Impress 1 in different servers/countries.

Sorry if I did it in a wrong place.

PS. in order to not scare me to death, please next time send me a PM

Thank you Tom



Re: To the moderators

  • 2008/12/9 20:27:59
  • Tom

Hi Wilson.

It does appear your post was moved, the issue will be investigated to ensure there is no risk and if there is then a fix will be made promptly.

Thank you for bringing this to our attention!

I'm not yet sure who moved it, but please again accept my apologies.



Re: To the moderators

  • 2008/12/9 20:18:30
  • Tom

Hi Wilson.

I'm not aware of any post being moved yet, however if it was then I would assume it was because we'd prefer not to have security risks publicly posted until we have a fix available for people to use, thus trying to minimise the risk to users' websites.

Basically the fewer people who know, the fewer people who might try to use the exploit.

However I see you mention a world wide exploit so I assume it might not actually be ImpressCMS specific? if this is the case then I'm not sure why.

I'm sure if it was moved the person who moved it will read this and reply or send you a message.

I'll also look into this for you, to get you an answer.

Please accept my apologies for the inconvenience.



To the moderators

Hi all

I've posted today something here on this forum regarding a possible world wide exploit and when I come back to read I can't find my original post.

Did I do anything wrong or bad?

Thank you all



Re: PHP Security guide

Very nice, objective, straight and with good guidance

Thanks for sharing.

Giba


PHP Security guide

Hi guys,

I stumbled on this yesterday: http://php.robm.me.uk/

It's a nice little PHP security guide which can help beginners get good information on how to protect your PHP code.

Cheers!

Marc-André Lanciault
Founder and CEO INBOX International inc.
Co-Founder ImpressCMS






Re: [Important] ImpressCMS Website & User Accounts

Quote:


Zaphod wrote:
Good stuff



Equal

Giba


Re: [Important] ImpressCMS Website & User Accounts

Good stuff

If you want to know the truth do not listen to what people say. Look at what they *do* and you will know their heart.


Re: [Important] ImpressCMS Website & User Accounts

Thanks for the excellent explanation Vaughan.

As one of the very cool features we have introduced in ImpressCMS 1.1, the password encryption is definitely something I feel we should be using on all our sites.

if there would have been a way to use this awesome feature without having to ask everyone to reset their password, we would have done it. But there is unfortunately not a secure way to do this.

So, at the end of the day, we will all have to take 2 minutes of our time to reset our password once on this site to benefit from much more security. It goes without saying that we recommend every site that will be using ImpressCMS 1.1 to do so.

Although there is no way of protecting a site from 100% of hacking attempts, we feel that ImpressCMS 1.1 is the most secure version yet and we will keep improving it on a daily basis !

As usual, all comments are welcomed!

Marc-André Lanciault
Founder and CEO INBOX International inc.
Co-Founder ImpressCMS


[Important] ImpressCMS Website & User Accounts

With regards to THIS news article relating to the upgrade of the ImpressCMS Support Websites.

With the upgrade to our latest Version 1.1 on the ImpressCMS network sites, this upgrade offers us an opportunity to use some specific features of 1.1 which will improve security of the site and also protect password hashes of users stored in the Database.

However, in order for us to be able to achieve this goal, after the upgrade we will need to change the password encryption method that the ImpressCMS network of sites will use.

at the moment users' passwords are stored in the Database using an md5 hash, whilst the password is not plaintext, we know from past experience that md5 is no longer a secure method, and if the site is compromised, we can't guarantee that your encrypted password will be safe from decryption.

I am proposing that we change the encryption on the sites to use a more secure method which is now available in version 1.1.

the new encryption to use I would say would either be sha256 or sha512 encryption and will use 2 separate Salt keys of 64 characters each giving added protection, 1 of those being that users with the same password (it does happen) will not in future have the same password hash, hence further security in that regard.

In order to achieve this, once the encryption is changed on the site, every user account on the site will have their current password expired, which means autologin and password managers will fail (until they reset their password).
ImpressCMS 1.1 makes allowances for this, and upon 1st logging in after upgrade you will be presented with a password expired/reset password screen.

the screen is self explanatory, but in order for your password to be reset and hence allowing you to login you must fill out the form correctly. (see attached screenshot below)

You must enter the following information in order to reset your password.

1. Username.
2. Email address (the email address that is registered to that username).
3. Current password (this is your current password)
4. new password (this will be your new password which you will use to login again - it can be the same password as your previous password, but is required in order to create a new salted password hash)

once complete, an email will be sent to the registered email address confirming that your password has been reset.

you can then login with your new password.

please discuss if you think we should go ahead with this move, and feel free to ask any questions regarding this move.

thanks

The ImpressCMS Team.


Attached file: Screenshot-User Login : ImpressCMS - Mozilla Firefox.png (0.00 KB)

Live as if you were to die tomorrow, Learn as if you were to live forever

The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!
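
The migration described in the post above, as an added PHP example that is not part of the original post and is not ImpressCMS code: it shows why the current password is needed at reset time and how salting makes two equal passwords hash differently. Assumptions: the two 64-character salts are one site-wide value and one random per-user value, and the function names and sample rows are hypothetical.

```php
<?php
// Added example, not ImpressCMS code. Assumed layout: one site-wide salt
// (constructed value below) plus one random per-user salt, 64 chars each.
define('SITE_SALT', str_repeat('5a', 32)); // constructed 64-character value

// Legacy check: unsalted md5, so equal passwords give equal stored hashes.
function legacy_verify(string $password, string $md5Hash): bool
{
    return hash_equals($md5Hash, md5($password));
}

// New scheme: sha256 (or sha512) over site salt + per-user salt + password.
function salted_hash(string $password, string $userSalt, string $algo = 'sha256'): string
{
    return hash($algo, SITE_SALT . $userSalt . $password);
}

// Reset step from the post: the current password must be typed in, because
// the stored md5 value cannot be turned back into the password to re-hash it.
function reset_password(array $user, string $current, string $new): array
{
    if (!legacy_verify($current, $user['pass'])) {
        throw new RuntimeException('current password does not match');
    }
    $user['salt'] = bin2hex(random_bytes(32)); // 64 hex characters per user
    $user['pass'] = salted_hash($new, $user['salt']);
    $user['pass_expired'] = false;
    return $user;
}

// Login check against the new salted hash, compared in constant time.
function verify(array $user, string $password): bool
{
    return hash_equals($user['pass'], salted_hash($password, $user['salt']));
}

// Constructed sample rows: two users who picked the same password.
$alice = ['uname' => 'alice', 'pass' => md5('Tr0ub4dor'), 'salt' => '', 'pass_expired' => true];
$bob   = ['uname' => 'bob',   'pass' => md5('Tr0ub4dor'), 'salt' => '', 'pass_expired' => true];

var_dump($alice['pass'] === $bob['pass']);  // compares the two legacy md5 hashes
$alice = reset_password($alice, 'Tr0ub4dor', 'Tr0ub4dor');
$bob   = reset_password($bob, 'Tr0ub4dor', 'Tr0ub4dor');
var_dump($alice['pass'] === $bob['pass']);  // compares the two salted hashes
var_dump(verify($alice, 'Tr0ub4dor'));      // login with the re-hashed password
```

A single round of sha256 or sha512 is still fast to guess against offline; PHP's built-in password_hash() and password_verify() add a per-password salt and an adjustable work factor.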


