cpmFetch blocks in Efiction - Page 2 cpmFetch blocks in Efiction - Page 2
 

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Main Menu

cpmFetch blocks in Efiction

Started by lonebard, March 24, 2007, 03:19:52 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

vuud

Quote from: Calic0cat on March 25, 2007, 06:43:17 AM
I suggested the close in the faint  hope that eFiction would be smart enough to open a fresh connection. Unfortunately, it wasn't. :P

In order to see a working version of cpmfetch in eFiction blocks, you can check my own site at http://www.calic0cat.net - that one has efiction and Coppermine sharing a database, and cpmfetch and Coppermine are both in (separate) subdirectories of the eFiction directory. I also have it working on two test sites, one at http://test.calic0cat.net/efiction/ with a shared database but with eFiction and Coppermine in side-by-side directories, and one at http://test2.calic0cat.net/efiction/ with eFiction and Coppermine on separate databases and in side-by-side directories. It works just fine in all three cases. All working examples are eFiction 3.2 (both test sites) or 3.2.1 (live site only) with Coppermine Gallery 1.4.10 and cpmfetch 1.6.4. The MySQL version is 4.1.16 and PHP is 4.4.2 (with "extra web security"). All sites are (normally) bridged; however, I have disabled bridging on the test2 site in order to eliminate that as a source of the differing behaviour. Disabling the bridging made no difference; the cpmfetch blocks still work fine in eFiction.

*Edit* Important additional note: I've switched the http://test2.calic0cat.net/efiction site over to PHP 5.2.1 without encountering any errors, which shoots my PHP 5 theory all to heck.

It looks to me as if, in lonebard's case (and that of another eFiction user experiencing the same issue), eFiction is looking in the Coppermine database instead of in the eFiction database. Why this issue crops up for them when it works fine for me, I don't know and I've run out of ideas to try.


Hey, is your CPG and eFiction tables in the same database?

(See my post above for the problem)

Please post for help to the forum... PM me only if you are sending security related items (passwords, security problems, etc).

cpmFetch - Images, RSS feeds from CPG from outside CPG
New release notification signup also. 
See http://cpmfetch.fistfullofco

Calic0cat

Quote from: vuud on March 28, 2007, 04:24:50 PM

Hey, is your CPG and eFiction tables in the same database?

(See my post above for the problem)


Two of my three installs (the live site and one test site) have the CPG and eFiction tables in a shared database. The third install, test2, has the CPG and eFiction tables in separate databases. That one is at http://test2.calic0cat.net/efiction - you can see that the page title has the word "test" in it, indicating that it's coming from my "test" database, while the first image in the "Most Recent" block has the word "test2" in its title, indicating that it's coming from my "test2" database. Why does this work with my setup and not with other people's? Presumably, something to do with the server's setup is forcing either PHP or MySQL to behave differently. Maybe the "extra web security" (which is apparently the mod_security apache module) is somehow responsible for this?

vuud

Quote from: Calic0cat on March 28, 2007, 07:01:07 PM
Two of my three installs (the live site and one test site) have the CPG and eFiction tables in a shared database. The third install, test2, has the CPG and eFiction tables in separate databases. That one is at http://test2.calic0cat.net/efiction - you can see that the page title has the word "test" in it, indicating that it's coming from my "test" database, while the first image in the "Most Recent" block has the word "test2" in its title, indicating that it's coming from my "test2" database. Why does this work with my setup and not with other people's? Presumably, something to do with the server's setup is forcing either PHP or MySQL to behave differently. Maybe the "extra web security" (which is apparently the mod_security apache module) is somehow responsible for this?

I don't really know why - I personally am satisfied with the identification of the symptom to the cause... I really had no idea eFiction even existed until I downloaded the code to look at this problem.

Here is the thing:

EFiction creates a connection to its table
CpmFetch creates a connection to its table
CpmFetch specifically calls mysql through its specific connection
Efiction creates its queries through the last created connection

So thats the problem.  If you can create your CpmFetch object and get it to connect to the database before eFiction creates its own, they will work fine.

You can see this in the includes/dbfunctions.php file...

The dbconnect line returns the specific connection, but non of the queries are told about it! 

Can I say for sure this is why they are having the problem and not others - well, no.  But this is definatly why it is happening.   The eFiction code does not take into account another db connection existing.     

As I mentioned before the bad fix is to put it all into one db, the good is to teach efiction to handle co-existing with another program.  This will fix the problem.

Now, mod_security could be exposing it or something more - by delaying the connection or something...  I don't know much about that except that it does do some support for mysql injection attacks, so who knows.  Maybe it is delaying the connection till it needs it...

I don't know, but the eFiction code should be fixed... thats my 0.02

Someone could probably hack a fix in, I would be tempted to do it myself, but I am really short on time :(











Please post for help to the forum... PM me only if you are sending security related items (passwords, security problems, etc).

cpmFetch - Images, RSS feeds from CPG from outside CPG
New release notification signup also. 
See http://cpmfetch.fistfullofco

vuud

Quote from: Calic0cat on March 28, 2007, 07:01:07 PM
Two of my three installs (the live site and one test site) have the CPG and eFiction tables in a shared database. The third install, test2, has the CPG and eFiction tables in separate databases. That one is at http://test2.calic0cat.net/efiction - you can see that the page title has the word "test" in it, indicating that it's coming from my "test" database, while the first image in the "Most Recent" block has the word "test2" in its title, indicating that it's coming from my "test2" database. Why does this work with my setup and not with other people's? Presumably, something to do with the server's setup is forcing either PHP or MySQL to behave differently. Maybe the "extra web security" (which is apparently the mod_security apache module) is somehow responsible for this?


My theory could also be tested by editing index.php in the efiction stuff.

Before the include "header.php" line, add in the cpmfetch creation stuff - Specifically the:

(Change to reflect your directory structure)

  include "./cpmfetch.php";
  $objCpm = new cpm("./cpmfetch_config.php");
  $objCpm->cpm_getMediaCount();


the do the rest elsewhere in the eFiction site.  Ommit the close statement.

The last line there forces CpmFetch to establish the dbconnection - by design it waits until it actually needs one - so eFiction can create its own after.

Mind you this is just to prove it out... 




Please post for help to the forum... PM me only if you are sending security related items (passwords, security problems, etc).

cpmFetch - Images, RSS feeds from CPG from outside CPG
New release notification signup also. 
See http://cpmfetch.fistfullofco

lonebard

Thanks Vudd I created a thread over at the eFiction forums. Hopefully their developers can look into fixing this problem. ( http://efiction.org/forums/index.php?topic=4960.0 )

As for making the changes you suggested to test it I'm not sure what you mean.

index.php is a blank file, you mean index.tpl file?

if I add that code to the index.tpl file it seems to just output it as plain text?

lonebard

Apparently the admins at the eFiction forums consider it a security risk to tell anyone about this problem. So rather than fixing it ASAP they limit the knowledge about it to hidden forums. So my thread no long exists.

vuud

Quote from: lonebard on March 28, 2007, 10:28:16 PM
Apparently the admins at the eFiction forums consider it a security risk to tell anyone about this problem. So rather than fixing it ASAP they limit the knowledge about it to hidden forums. So my thread no long exists.

Seriously... they just deleted your post?

Amazing stuff...  I will add it into my documentation...
Please post for help to the forum... PM me only if you are sending security related items (passwords, security problems, etc).

cpmFetch - Images, RSS feeds from CPG from outside CPG
New release notification signup also. 
See http://cpmfetch.fistfullofco

vuud

Quote from: lonebard on March 28, 2007, 09:47:03 PM
Thanks Vudd I created a thread over at the eFiction forums. Hopefully their developers can look into fixing this problem. ( http://efiction.org/forums/index.php?topic=4960.0 )

As for making the changes you suggested to test it I'm not sure what you mean.

index.php is a blank file, you mean index.tpl file?

if I add that code to the index.tpl file it seems to just output it as plain text?



If I look at the code in the index.php file, I see stuff.  It should not be blank...

Not the .tpl, it has to be executed in a php file...



Please post for help to the forum... PM me only if you are sending security related items (passwords, security problems, etc).

cpmFetch - Images, RSS feeds from CPG from outside CPG
New release notification signup also. 
See http://cpmfetch.fistfullofco

lonebard

They contacted me privately and pretty much said I should delete it or they would. So I removed it myself.

Ah sorry I'll try you suggestion again. I was opening the index.php from the SKIN of the site, not the main efiction one.

lonebard

ok so my retarded self remembered got the right file, added the code...

include "../cpmfetch/cpmfetch.php";
$objCpm = new cpm("../cpmfetch/cpmfetch_config.php");
$objCpm->cpm_getMediaCount();


above the "include ("header.php");" line like you said.

Now maybe you can explain "do the rest elsewhere in the eFiction site.  Ommit the close statement."?

Adding the code doesn't produce any errors :) ( which is good ) but I assume the above line is you trying to tell me to use some sort of code to display the images. ( Thank you sir )

vuud

Quote from: lonebard on March 28, 2007, 11:01:39 PM
ok so my retarded self remembered got the right file, added the code...

include "../cpmfetch/cpmfetch.php";
$objCpm = new cpm("../cpmfetch/cpmfetch_config.php");
$objCpm->cpm_getMediaCount();


above the "include ("header.php");" line like you said.

Now maybe you can explain "do the rest elsewhere in the eFiction site.  Ommit the close statement."?

Adding the code doesn't produce any errors :) ( which is good ) but I assume the above line is you trying to tell me to use some sort of code to display the images. ( Thank you sir )

The rest being the call to display the photos...

Amazing stuff.

If it works, I will find a better opening line for you... one that does not waste a SQL call.



Please post for help to the forum... PM me only if you are sending security related items (passwords, security problems, etc).

cpmFetch - Images, RSS feeds from CPG from outside CPG
New release notification signup also. 
See http://cpmfetch.fistfullofco

lonebard

Ok, I reenabled the block to display the pictures and get this error...

QuoteFatal error: Cannot redeclare class cpm in /home/bgmasque/public_html/cpmfetch/cpmfetch.php on line 1437


Line 1437 is "} // end class"

vuud

Quote from: lonebard on March 28, 2007, 11:15:35 PM
Ok, I reenabled the block to display the pictures and get this error...


Line 1437 is "} // end class"


Oh your using someones plug in or something?

You need to remove those lines you added to the index.php from their plug in...

Otherwise, well, you are redeclaring the class :)

Please post for help to the forum... PM me only if you are sending security related items (passwords, security problems, etc).

cpmFetch - Images, RSS feeds from CPG from outside CPG
New release notification signup also. 
See http://cpmfetch.fistfullofco

lonebard

Hmm, maybe I need to read more of the cpmFetch Documentation.

If I edit the block to only have the line that wasnt in the index.php ( which is "  $objCpm->cpm_viewLastAddedMedia(1,4);" ) I get this long winded error...

QuoteTable 'bgmasque_efic.cpg1410_pictures' doesn't exist
SELECT p.filepath AS pFilepath, p.filename AS pFilename, p.aid AS pAid, p.filesize AS pFilesize, p.title AS pTitle, p.caption AS pCaption, p.owner_name AS pOwner_name, p.owner_id as pOwnerId, p.ctime AS pCtime, p.hits AS pHits, p.pid AS pPid, p.pic_rating AS pPic_Rating, p.votes AS pVotes, p.pwidth AS pWidth, p.pheight AS pHeight, p.user1 as pUser1, p.user2 as pUser2, p.user3 as pUser3, p.user4 as pUser4, c.cid as cCid, c.name as cName, c.description as cDescription, c.pos as cPos, c.parent as cParent, c.thumb as cThumb, u.user_lastvisit AS uUser_lastvisit,u.user_regdate AS uUser_regdate,u.user_email AS uUser_email,u.user_profile1 AS uUser_profile1,u.user_profile2 AS uUser_profile2,u.user_profile3 AS uUser_profile3,u.user_profile4 AS uUser_profile4,u.user_profile5 AS uUser_profile5,u.user_profile6 AS uUser_profile6, a.aid AS aAid, a.title AS aTitle, a.description AS aDescription, a.visibility as aVisibility, a.pos as aPos, a.category as aCategory, a.thumb as aThumb, a.keyword as aKeyword FROM cpg1410_pictures AS p LEFT JOIN cpg1410_users AS u ON p.owner_id = u.user_id LEFT JOIN cpg1410_albums AS a ON p.aid = a.aid LEFT JOIN cpg1410_categories AS c ON a.category = c.cid WHERE 1 AND p.approved='YES' AND ((a.visibility = 0 OR a.visibility IS NULL) AND (a.alb_password IS NULL OR a.alb_password = "")) ORDER BY p.ctime DESC LIMIT 0,4


Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in /home/bgmasque/public_html/cpmfetch/cpmfetch_dao.php on line 1114

Warning: mysql_free_result(): supplied argument is not a valid MySQL result resource in /home/bgmasque/public_html/cpmfetch/cpmfetch_dao.php on line 1118

Calic0cat

Quote from: lonebard on March 28, 2007, 10:28:16 PM
Apparently the admins at the eFiction forums consider it a security risk to tell anyone about this problem. So rather than fixing it ASAP they limit the knowledge about it to hidden forums. So my thread no long exists.

I believe that particular philosophy is to keep any potential security risk under wraps while it is being fixed (since volunteer dev teams in general do tend to have actual paying day jobs that prevent instant release of fixes - plus it tends to take a while for users to update even after fixes are released). It is, generally speaking, considered good form to privately report potential security issues and give the developers a reasonable chance to deal with them before releasing information to the general public. And that applies whether in reference to free, open source software or to expensive commercial software.

lonebard


vuud

Quote from: Calic0cat on March 29, 2007, 02:10:43 AM
I believe that particular philosophy is to keep any potential security risk under wraps while it is being fixed (since volunteer dev teams in general do tend to have actual paying day jobs that prevent instant release of fixes - plus it tends to take a while for users to update even after fixes are released). It is, generally speaking, considered good form to privately report potential security issues and give the developers a reasonable chance to deal with them before releasing information to the general public. And that applies whether in reference to free, open source software or to expensive commercial software.

Hmmm, from a programming standpoint I don't think its a security issue.  I can't think of anyway to compromise a PHP script this way.  To do so you would have to actually edit the pages or put more pages on the server, in which case you can do more damage by directly editing pages. Or reading the config files.

But anyway, it would be cool for them to fix it.


Please post for help to the forum... PM me only if you are sending security related items (passwords, security problems, etc).

cpmFetch - Images, RSS feeds from CPG from outside CPG
New release notification signup also. 
See http://cpmfetch.fistfullofco

vuud

Quote from: lonebard on March 29, 2007, 02:00:42 AM
Hmm, maybe I need to read more of the cpmFetch Documentation.

If I edit the block to only have the line that wasnt in the index.php ( which is "  $objCpm->cpm_viewLastAddedMedia(1,4);" ) I get this long winded error...


Oh that is #*)@ed up

It looks like its using the efiction mysql now...  Is there any chance you would give me direct access to poke at it a bit?  I am really a bit confused as to this behavior.   If not, I dont blame you.
Please post for help to the forum... PM me only if you are sending security related items (passwords, security problems, etc).

cpmFetch - Images, RSS feeds from CPG from outside CPG
New release notification signup also. 
See http://cpmfetch.fistfullofco

lonebard

It's not my server but I'll get in contact with the person and ask their permission. Might be a couple days before I can contact them though.

vuud

Quote from: lonebard on March 29, 2007, 03:43:46 AM
It's not my server but I'll get in contact with the person and ask their permission. Might be a couple days before I can contact them though.

Well, I will mull it over some more... can you tell me what your cfUseExistingDBConnection thing (I forget the exact name) is set to right now?

Please post for help to the forum... PM me only if you are sending security related items (passwords, security problems, etc).

cpmFetch - Images, RSS feeds from CPG from outside CPG
New release notification signup also. 
See http://cpmfetch.fistfullofco