Problem With The Latest Security Relase Relased By Wilt vs Admin Profiles addon

[CoolCarPartsOnline]

Hello Everyone
The latest security patch released by Wilt affect the Admin Profile Mod. After installing the patch I tried to edit the permissions for my profile, but with no luck. I spent 3 hours back ttracking what I did wrong with no luck. Then I remembered that I installed the patch so I removed and restored my original html_output and everything went back to normal.

Can you guys test that as well?

[dbltoe]

Perhaps you missed the statement in the readme.html that came with the patch. Not only does it warn that html_output.php might already have been changed, it went on to tell you how to manually update the file if it had been previously changed.

[CoolCarPartsOnline]

I did see that but I didn't think that I have ever edited the html_output in the admin area.

[CoolCarPartsOnline]

I just did the merge manually and still the same problem exists. So the problem is still there.

[kuroi]

Not sure why this is in the recovering from hacks section and not the Admin Profiles support thread. However, I've just posted a patch for Admin Profiles (in the support thread) to make it compatible with the Zen Cart security patch.

I remain however, puzzled by your description of how you fixed the problem. Admin Profiles doesn't touch the html_output file, so reverting to your original version must mean partially undoing the security patch. But this would not only not help with Admin Profiles, but would also break many other parts of your Admin.

[tony_sar]

well, since we are still on this topic , i have issue after installing the patch . here the error .

lues[$i]['id']) { $field .= ' SELECTED'; } $field .= '>' . zen_output_string($values[$i]['text'], array('"' => '"', '\'' => ''', '<' => '<', '>' => '>')) . ''; } $field .= ''; if ($required == true) $field .= TEXT_FIELD_REQUIRED; return $field; } //// // Hide form elements function zen_hide_session_id() { global $session_started; if ( ($session_started == true) && defined('SID') && zen_not_null(SID) ) { return zen_draw_hidden_field(zen_session_name(), zen_session_id()); } } ?>
Fatal error: Cannot redeclare zen_href_link() (previously declared in /hsphere/local/home/xxxxx/xxxxx/xxxxx/includes/functions/html_output.php:25) in /hsphere/local/home/xxxxx/xxxxx/xxxxx/includes/functions/html_output.php on line 406

in download read me file, stated that i have to add a code above return $form , how ever , that code already exists above $form .. any suggestion ??

version 1.38,
db patch level 1.38

[kuroi]

Tony

Is yours a problem with the combination of Admin Profiles and the security patch? or just the security patch?

What were you doing when that text spilled out onto your site?

Did you install by manually patching the html_output file or by using the one provided?

[tony_sar]

well, this site contains no admin profile simply 2 addon , blank sidebox and cross sell . i uploaded the html_output.php provided with this patch .. once uploaded , tried entering admin , this is the error i get.

im going to recheck everything again .

[kuroi]

Have you by any chance left a backup of the html_output file on your server?

[CoolCarPartsOnline]

Not sure why this is in the recovering from hacks section and not the Admin Profiles support thread. However, I've just posted a patch for Admin Profiles (in the support thread) to make it compatible with the Zen Cart security patch.

I remain however, puzzled by your description of how you fixed the problem. Admin Profiles doesn't touch the html_output file, so reverting to your original version must mean partially undoing the security patch. But this would not only not help with Admin Profiles, but would also break many other parts of your Admin.

I apologize if my description for the solution was unclear. I actually removed the security patch files altogether.

I just downloaded your new patch and both mods are working now.

I posted it in the hack section because I was unable to reply to the patch release since the thread is closed. Also I didn't think there was support for the admin profile or that it might not be updated since the last release of the admin profile was back in 2007.

But the good news is that they are both working now.