test - Posting problem



TheHolo.Net
Feb 28th, 2002, 09:53:10 PM
like the title says...

It seems our host just updated their PHP version, which screws with our software; see the thread I linked in the next post for more details.

TheHolo.Net
Feb 28th, 2002, 09:54:53 PM
See this thread for a reference to our problem:

http://www.vbulletin.com/forum/showthread.php?s=&threadid=40721

As a temporary fix I need to edit three templates in all styles and this temporary fix also disables the uploading of any attachments.

TheHolo.Net
Feb 28th, 2002, 10:06:30 PM
Attachment check...

EDIT: Nope, attachments don't work at all now. =/

TheHolo.Net
Feb 28th, 2002, 10:15:42 PM
From looking over multiple threads at the vBulletin support forums this issue also makes it impossible for people to add or modify their avatars.

Apparently the host can recompile PHP with a security patch, but I don't really fully understand the issue at this point.

TheHolo.Net
Feb 28th, 2002, 10:23:25 PM
A quote from one of the support guys at the vBulletin support forums which is probably what needs to be done:

Chris Schreiber wrote on 02-28-2002
If you need to get uploads working again, then ask your host to upgrade to PHP 4.1.2 (or apply the patches for their version) ASAP.
There is another fix mentioned in the thread at the support forums but from what I gather it opens the server to hacker attacks, thus being the reason the host has disabled uploads.

(I misspoke saying earlier that they had upgraded PHP)

Shawn
Feb 28th, 2002, 11:39:40 PM
So, I should e-mail TB asking them to upgrade to 4.1.2? If so, I'll do it right away.

TheHolo.Net
Feb 28th, 2002, 11:45:02 PM
You might want to look over that thread I linked so that you can get a little clearer idea what is going on and maybe ask those who understand the issue better than I do what action to take.

The host has the option of installing a security patch to their current version of PHP as well from what I understand, but from what I gather their current fix for the security issue was to just disable uploads which will also need to be changed again if they upgrade or patch PHP, I think :huh

Shawn
Feb 28th, 2002, 11:49:18 PM
er... I already have a headache, and you ain't making it any better. :p

I think people can deal with the current situation until morning. Cus I'm trashed right now.

TheHolo.Net
Feb 28th, 2002, 11:51:15 PM
No problem by me, take it easy man. Hell maybe the host is trying to fix things even as we speak. Being a shared server like they are I suspect there are at least a few other vBulletin boards with similar problems being hosted by them. :)

TheHolo.Net
Mar 1st, 2002, 02:51:45 PM
Alright, from running this php action in the admin area:

http://www.swforums.net/forum/admin/index.php?s=&action=phpinfo

I see that register_globals is still turned on (in the Configuration - PHP Core section) but it appears that file_uploads has no value. I did a little experimentation and can temporarily give file upload ability back to us via use of a .htaccess file in our root web folders, but according to the topic at the vBulletin support site it opens us up for hacker attack if the host has not patched their PHP version.

So I gather we either need to find out if they will flag that value as "On" (the file_uploads one) or if they have applied the security patch, in which case adding the .htaccess file should be safe to do...I think.

Shawn
Mar 1st, 2002, 03:00:16 PM
I think I got you. I'm going to e-mail them in a few minutes, politely asking if it's possible for them to either patch it or upgrade it.

TheHolo.Net
Mar 1st, 2002, 03:05:31 PM
I'm pretty sure that the file_uploads variable is the key to this. From what I read at vBulletin.com, applying the patch or doing the upgrade does not automatically change that value, the host has to do it, or we can via the .htaccess file. But I would rather be safe and know if they have applied the security patch before doing such a thing.

Shawn
Mar 1st, 2002, 03:25:26 PM
hmm... I wanted to wait until I got a response from you, and I'm glad I did. I apparently need to look things over more thoroughly.

TheHolo.Net
Mar 1st, 2002, 03:37:19 PM
Yeah, the upgrade and the patch both address the security issue, but neither automatically fixes the issue we are having. It's most probable that the host either has applied the patch (since the version still reads as 4.0.6) and it disabled uploads, or they just disabled uploads (removed the "On" flag) to cover the vulnerability.

TheHolo.Net
Mar 1st, 2002, 04:04:16 PM
Here is a topic where someone uses the same host that we do, and he/she says they will be contacting Tera-Byte.

http://www.vbulletin.com/forum/showthread.php?s=&threadid=40833

TheHolo.Net
Mar 1st, 2002, 04:17:43 PM
Here is the official announcement from the big guy at vBulletin:


We have recently learnt of a security issue with file upload support in PHP. More details can be found in this advisory:

http://security.e-matters.de/advisories/012002.html

Until your host has patched your version of PHP, we would seriously recommend that you disable all file uploads in vBulletin, including avatars, attachments, and limit who has access to the file upload facilities in the control panel.

John

[edit: Please note, many hosts are upgrading to PHP 4.1.2 because of this issue. However, from PHP 4.1 and above, the "register_globals" PHP setting now defaults to "off". This setting needs to be set to "on" in order for vBulletin (and many other PHP applications) to function properly. If this setting is "off", you will receive "no forum specified error" when using vBulletin. Please read more about this here: http://www.vbulletin.com/forum/show...&threadid=40721]

http://www.vbulletin.com/forum/showthread.php?s=&threadid=40711

Champion of the Force
Mar 1st, 2002, 05:34:03 PM
Shawn: Blah blah blah php blah.
SWFans.Net: Blah blah patch blah blah.
Shawn: Blah blah blah blah vBulletin blah blah blah.
SWFans.Net: Blah blah php blah blah patch blah.
Shawn: Blah blah blah blah on blah blah php.
SWFans.Net: Blah off blah on blah php patch blah.
Just glad you guys know what you're talking about. :)

TheHolo.Net
Mar 1st, 2002, 06:45:32 PM
:lol I do my best to stay as informed as possible for the good of our forums. :)

TheHolo.Net
Mar 1st, 2002, 09:07:32 PM
Just so the staff knows and may understand, I started a topic in the OOC forum and linked to it in the Forum Announcement, in which I offered to do the adding of people’s avatars.

What I can do is when I get a few gathered together that need be done, is upload the .htaccess file I have that circumvents the security fix Tera-Byte put in place, add the avatars and then delete the file so as to close the security hole quickly. Just wanted to keep people following this issue abreast of what I am doing to help work through this problem.

Shawn
Mar 2nd, 2002, 01:20:34 AM
Sorry I haven't been exactly on the ball with this: Apparently, my Store Manager decided that I no longer require those nifty little things some people call 'Days Off'. :x I'm getting paid quite handsomely, but it's really wearing me out. If you really need something done, IM me on any of my names and I'll get it done right away.

TheHolo.Net
Mar 2nd, 2002, 01:48:52 AM
No worries. I have seen at least two other instances of people contacting Tera-Byte regarding this issue at the vBulletin support forums, so I suspect about all that can be done about it is already. :) No worries.

TheHolo.Net
Mar 6th, 2002, 08:50:31 PM
Patch or upgrade test...

TheHolo.Net
Mar 6th, 2002, 08:51:22 PM
Woohoo!!!! They fixed it!

is off to fix all the templates, so attachments will work again.

Champion of the Force
Mar 7th, 2002, 04:19:43 AM
Testing quick reply.

EDIT: yep, it works. :)

TheHolo.Net
Mar 7th, 2002, 04:21:03 AM
I'm pretty sure I got all the template modifications taken care of, so everything should be fully functional again. :)