All posts by berndB (14)

topic: XSS vulnerability in dir plugin - how severe?  in the forum: General Help and Support Plugins
berndB #1
Member since Apr 2008 · 14 posts · Location: Berlin, Germany
Group memberships: Members
Subject: XSS vulnerability in dir plugin - how severe?
Hello, on the page of the dir plugin:
http://www.dokuwiki.org/plugin:dir

.. it is stated:
"XSS vulnerability allows arbitrary JavaScript insertion. Author informed on 2009-06-16."

Now this is a good half year ago.
How severe is this vulnerability?
Are there so few people who use it?
Is it so difficult to fix?

My application is a simple table-of-contents for a kind of blog, i.e. a list of all pages in a namespace; I first believed the 'blog' plugin provided this list, but it includes the complete content of any page in the namespace.

Update: I tried the nspages plugin, this does the job but it does not show tags nor Author or date.
So my request would be a pagelist-plugin (Page, Date, Author) that displays the namespace's pages.
Any Hints?
This post was edited on 2010-01-24, 16:23 by berndB.
topic: Variable image size with "em" instead of "px"  in the forum: General Help and Support Features and Functionality
berndB #2
In reply to post ID 16790
So, what I propose is a second optional parameter to the image rendering, like:
{{apollo2.jpg?180&15|}}

.. where the '&15' renders like this:
<img style="width: 15em;" .. >

If the '&xx' parameter is omitted, it would output:
<img style="width: 180px;" .. >
topic: Imagebox plugin broken  in the forum: General Help and Support Plugins
berndB #3
In reply to post ID 16770
The updated version (Jan 21, 2010) works fine now - thanks!
topic: Variable image size with "em" instead of "px"  in the forum: General Help and Support Features and Functionality
berndB #4
In reply to post ID 16782
It is not necessary here to have the server send a higher resolution picture - the "em" parameter (like: <img style="width: 15em;") just tells the browser (IE6) that it may scale the picture - whereas this is kept in the same size with <img style="width: 200px;" or <img style="width: 200;".
Okay?
This post was edited on 2010-01-21, 18:15 by berndB.
topic: Imagebox plugin broken  in the forum: General Help and Support Plugins
berndB #5
Subject: Imagebox plugin broken
The imagebox plugin adds a useful feature to images, a box with a caption:
http://www.dokuwiki.org/plugin:imagebox

But with the current Dokuwiki version (2009-12-25c "Lemming") this plugin is broken: It renders the box around the picture but not the caption text.

This is already mentioned on the plugin page but I just wanted to report it here as well where the attention of developers might be higher.
topic: Variable image size with "em" instead of "px"  in the forum: General Help and Support Features and Functionality
berndB #6
Subject: Variable image size with "em" instead of "px"
While Firefox scales images together with fonts (with ctrl+) older browsers like IE6 stick to the fixed image size and only change the font size (as long as it is not defined with px but em or %).

Scaling an image is possible by setting its size with "em" instead of "px", as explained for example here:
http://www.webmasterworld.com/css/3744644.htm

Now while it is the user's choice to define font sizes with "em" he has no influence on the image rendering - the "?xx" parameter always renders as "px", and "?20em" does not work.
Where would be the place to change this?
Can it be done with a plugin or has the core code to be changed?
topic: [SOLVED] User could not be created  in the forum: Non-English Discussion German discussion
berndB #7
In reply to post ID 5910
Had the same problem - and of course I am also glad about the explanation of the error.

It would be better, though, if Dokuwiki generated a more meaningful error message, "Email must be filled in" or similar.
topic: Security Issue  in the forum: General Help and Support Installation and Configuration
berndB #8
In reply to post ID 9080
It's not really a dokuwiki problem, but a wrong apache configuration.
So the same problem would appear with other web apps on this (OS/X) machine.

But you're right - why not explain it on dokuwiki's security page?
So, as a thankful Dokuwiki user, I just added:
http://www.dokuwiki.org/security#confirming_apache_htacces…
topic: https (on server without admin rights)  in the forum: General Help and Support Installation and Configuration
berndB #9
In reply to post ID 9072
Interesting syntax for rewrite - have you tried reading the manual?
http://httpd.apache.org/docs/2.2/rewrite/

Ok, here's a short answer:
http://www.besthostratings.com/articles/force-ssl-htaccess…

There is no login script in dokuwiki, it uses a page controller.
So, just publish the https://yoursite.com/wikidirectory  URL and it works fine.
topic: https (on server without admin rights)  in the forum: General Help and Support Installation and Configuration
berndB #10
In reply to post ID 9032
On my site, if I start with https://mysite.de/wiki, see the start page, click [Login] -> the login continues to be processed via https.
So just use or publish the https-URL wherever you published the http-URL before and it works naturally.

Special coding is only necessary if you want the site to switch from http to https and back, like e.g. Ebay does it, for performance reasons.
topic: Login button doesn't log in  in the forum: General Help and Support Installation and Configuration
berndB #11
In reply to post ID 9002
Try deleting all cookies related to this site in the browser first.
topic: Pluginmanager can't write -after Upgrade- but permissions are fine  in the forum: General Help and Support Installation and Configuration
berndB #12
Subject: Pluginmanager can't write -after Upgrade- but permissions are fine
Hello,
I upgraded my dokuwiki from Version 2007-06-26 to 2008-05-05. Works fine, only the pluginmanager can not update nor install plugins any more, specifying (at installs) that the permissions are insufficient. I triple-checked them, even tried with 777:
mydokuwiki/lib> chmod -R 777 plugins/
.. but the error remains.
Thanks for hints!

Update:
Installing new Plugins works now, only Updates yield the error message.
Then I deleted the respective plugins (dir, pagelist), re-installed them - and it works.
Question remains what causes this behaviour.
This post was edited on 2008-10-23, 20:27 by berndB.
topic: https (on server without admin rights)  in the forum: General Help and Support Installation and Configuration
berndB #13
In reply to post ID 8999
What happens if you just change the login URL manually to https://... ?
topic: Solved - (Invalid CSS __elements__)  in the forum: General Help and Support Installation and Configuration
berndB #14
Subject: Solved - (Invalid CSS __elements__)
I just installed the (beautiful, feature-rich) "Web-Developer" extension in my Firefox and checked my dokuWiki site with it.
The site looks fine but Web-Developer's CSS module reports numerous errors of this kind:
"Warning: Expected color but found '__text_alt__'.  Error in parsing value for property 'color'.  Declaration dropped.
Source File: http://mysite.de/lib/exe/css.php"

The css is actually filled with these __parameters__, also after switching from my own to the 'default' template.

The output of css.php on splitbrain.org does not contain these elements and produces no errors, so it seems not to be a bug but some misconfiguration or wrong code on my installation (Release 2007-06-26b).
I assume these parameters are parsed and replaced by constants somewhere - but in which script?
Thanks for hints.
// Bernd

Update:
Found that the __constants__ are defined in mytemplate/style.ini and parsed in lib/exe/css.php
Code seemed to work fine - and I found that the reported errors came from an older parsing - failed to clear the list.
- Sorry -
This post was edited on 2008-04-17, 14:46 by berndB.
Current time: 2020-02-17, 08:46:12 (UTC +01:00)