Type: Posts; User: mydanilo
Thanks, just was not clear if they still "could" be a security problem. One could always upload them again before uninstall if need be. But if they cause no harm, I'll leave them alone.
Should these OLD.IH4 files be deleted after install or upgrade? Do they cause security problems?
Applied all the suggested fixes to the code and all seems to work fine. What's next? Can somebody confirm that this does plug the outlined security holes?
Awesome! @mc1234567 thank you for consolidating the current solution. I'll implement over the weekend.
Ok, I see all the excitement that it now works. I just don't follow what needs to be done to make it function properly? Can you recap on what you found and what "fix" we need to apply? Thanks.
@DivaVocals sorry I was not aware until now that you acknowledged that this is an issue on your/other sites too. I thought this was just me that has the problem at this point. So we had a general mod...
This code works. My additional images popup now shows up. Don't know about XSS issue tho.
I've uploaded now the IH4 version of the tpl_main_page.php again so you can see the behavior. Take spaces out of this link.
http://www. mydanilo.com ...
mc12345678, you are correct. It shows the error image instead of my additional image. I shall check if the new IH handles my file names differently. I don't think I have screwed up picture file...
Ok I searched for posts by torvista, and the only code change suggested is the one that I said I did. The pop up is showing the "no image" image but not my additional image as it should.
This one?
echo '<a href="javascript:window.close()">' . zen_image(DIR_WS_IMAGES . PRODUCTS_IMAGE_NO_IMAGE, TEXT_CLOSE_WINDOW) . '</a>'; /*v4.3.1c-lat9*/
Seems corrected in latest download...
working fine except the popup for additional images comes up with an empty window. Looked at the tpl_main_page.php and have the newest version. Rolled back to the tpl_main_page.php I used on 1.3.9a...