bug in admin/user.php

  • bug in admin/user.php

    Very strange, when I'm in the admin area:
    - select a user
    - click on "change Avatar"
    - choose an Avatar.
    - click "Submit modifications"
    I'm logged out.
    Looking into the code, it's instantly clear it won't work:

    echo "<FORM ENCTYPE=\"multipart/form-data\" ACTION=\"user.php\" METHOD=\"POST\"><input type=\"hidden\" name=\"sessionhash\" value=\"$session[sessio ...

    should be

    echo "<FORM ENCTYPE=\"multipart/form-data\" ACTION=\"user.php\" METHOD=\"POST\"><input type=\"hidden\" name=\"s\" value=\"$session[sessio ...

    but why didn't anyone notice? I'm puzzled...

    cheers,
    dietrich.

  • #2
    What version are you running? I just did this with my unhacked 2.2.7 test forum and had no problems.
    Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
    Change CKEditor Colors to Match Style (for 4.1.4 and above)

    Steve Machol Photography


    Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.




    • #3
      reply

      i'm running 2.2.6, highly modified, but not this part :-)

      you probably have cookies turned on, then the "s"-variable isn't needed. the code i quoted posts an input field with name="sessionhash", which is obviously wrong. there is no $sessionhash used. this should be "s"

      just have a look into the code and you'll see.

      cheers
      dietrich



      • #4
        Ok, I changed my user settings to browse with cookies off and repeated the test. Still no problem. Whatever happened to you, it would not appear that this code is the problem.
        Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)


        • #5
          reply

          i don't think you're right. if you look at the code,
          you'll see that the session-id is not posted with the form.
          (admin/user.php, ~line 429)

          sorry, but i bet you didn't look, it's obvious.

          i don't know where your information about the session-id
          comes from but it's NOT passed to the form.

          anyway, i changed it in my code.

          cheers,
          dietrich



          • #6
            Yes, I looked at the code and both 2.2.6 and 2.2.7 contain the same code in this regard. I am not disputing this, nor did I say anything at all about the sessionid. (Look at my posts again.)

            What I did say was that I repeated the steps you outlined twice - both with and without cookies on - and both times I completed the change avatar process without a problem.

            Sorry you don't believe me but I went out of my way to try to duplicate the problem you had and I couldn't.
            Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)