reddragonwebdesign / bluethrust5 Goto Github PK

For example, the user can try to load _setup.php, and it will execute its code, even though it's only supposed to be included.

About 30 includes have this already. if(!defined("MAIN_ROOT")) { exit(); }

members/index.php - the "My Account" / console / control panel page

Need to install an SQL query profiler and find the query. There's a query in a loop somewhere that should be rewritten.

In v4, it says "thank you for voting", no error

Current version only comes with 1 theme: Ribbon WoW

To quiet down the PHP warnings when $_POST is not set yet.

if(!$_POST['submit']) {
replace with
if ( empty($_POST['submit']) ) {
	
if($_POST['submit']) {
replace with
if ( ! empty($_POST['submit']) ) {

Important defense against crackers

Use this code

Using require_once is best. Using the others, especially include and require, can lead to hard to diagnose double include bugs.

Check wiki for latest info:
https://github.com/RedDragonWebDesign/BlueThrust5/wiki/Dependencies

May need to untie JQuery from each theme. Looks like it may be hard coded in each theme.

edit: Attempt to upgrade JQuery did not go well. The modal background colors went from black to white.

Currently using a custom function in functions.php -> function encryptPassword()

Detailed analysis in the wiki: https://github.com/RedDragonWebDesign/BlueThrust5/wiki/Cookies-&-Sessions

Is this the fix? Test it.

8e1edc1#diff-6b9e7981e321d53866d4fc23480ce98eb9102648fa9da83da545ee68b346a394R352

https://github.com/bluethrust/clanscripts

From this private repo, I assume: https://github.com/RedDragonWebDesign/ClanWD

At the end of install, the user currently gets a message saying that the installer directory will be auto deleted. But the code for the auto delete is in the index.php file and is never called.

Fix, or delete.

Is
members/include/emailnotifications.php gone for a specific reason? Was it just extra broken? Or is the functionality somewhere else now? Would really like functioning notifications.

http://localhost/BlueThrust5%20R17/src/diplomacy/request.php

http://localhost/BlueThrust5%20R17/src/signup.php

v4 bug if server's default error_reporting() isn't E_NONE. That page doesn't load _setup.php so warnings aren't silenced.

• go to login.php
• check "remember me" so that cookies get set
• log in as normal
• go into DevTools, edit your cookie btUsername to a non-existent username
• go try to log in, no matter what you type, you can't log in

https://github.com/bluethrust/clanscripts/pulls

https://www.google.com/search?q=%22bluethrust%22+security

https://www.exploit-db.com/exploits/39534
https://www.mehmetince.net/bluethrustclanscript-remote-code-execution-exploit/

Not necessarily because these warnings create errors/problems.

Mainly because the large number of trivial warnings fill the page in debug mode, burying warnings for new changes I make that might need attention.

Also, the more of these we fix now, the less things will break when things are hard deprecated in future versions of PHP.

Things To Test

• add news
• add forum topic
• add forum post
• add forum attachment
• use as many forms as possible
• installer: manually turn on debugging using debug()
• add squads
• add tournaments
• go to pages without using a cID (console), sID (squad), bID (board), tID (topic), pID (page), etc.
• go to pages using an invalid ID (see above)
• log out, click everything
• log in, click everything
• view topic while logged out - http://localhost/BlueThrust5%20R17/src/forum/viewtopic.php?tID=5#10
• view the cID of a separator - http://localhost/BlueThrust5%20R17/src/members/console.php?cID=90

Example: move news/index.php to news.php

Currently displays an ambiguous "access denied"

v4 is present in a lot of images. Edit those out of the images completely, so that we don't have to edit images every time we change the version

• Installer - installer/images/installer.png
• Forum Profile Pic - themes/ribbonwow/images/defaultavatar.png
• topbanners of skins?
• default user portrait of skins?
• setup.php - "You must be using at least PHP version 7.0 in order to run Bluethrust Clan Scripts v4. Your current PHP Version"

Then figure out where the main version variable is, and update that as needed

• config file somewhere... loaded by the footer I think

The GitHub repository I forked from hadn't been updated since 2014. The version on the bluethrust.com website was last updated in 2016, and has a change log.

Bug Fixes:

1/1/2015

1) Fixed bugs with regard to the donations plugin.  

2) View Donation Log Page: If you have already installed a prior version of R17, you can delete this page from the database,
   it is not used.  Alternativly, you can go to My Account > Administrator Options > Manage Console Options.  Then click on 
   "View Donation Log", and choose to hide it.


1/18/2015

1) Added in a php version checker.


1/25/2015

1) Fixed a bug with being able to post extremely long words in a forum post. Limits the width to whatever you set 
   as the max image width.

2) Fixed the clock.  After a new hour it wasn't updating.  Thanks to Timberwolf from the forums for the fix!


3/29/2015

1) Fixed issue with downloads not uploading correctly when not using split file downloads.


2/7/2016

1) Fixed issue with editing theme.  Was allowing the file to save without the correct admin key.

2) Prevented CSRF attacks on Set Rank page.

r/starcraft

Somebody posted about BlueThrust one time. Reach out to that gentleman. Sounds like he is tech savvy and created his own clan scripts.

u/kappa09

https://www.reddit.com/r/starcraft/comments/njatl/anyone_remember_clan_scripts_from_bw_dastek_and/

possible regression

Confirmed still present on 11/03/20. Better test all the member management pages.