highly critical security-fix announced on http://www.darksecurity.de/advisories/2012/SSCHADV2012-003.txt
fix form language vars for better understanding (Tks to Maverik)
change request if HTTP_REFERER is not empty in logout.php
remove session_start() in /account/logout.php
possible errors on 'save password' fixed. Minimum length of password set to 6 chars
fix class.login, when name and pass are both empty, no longer call increase_attemps
some redirect updates in frontend account files
+ add languages vars in languages files
+ add upload error messages moduleinstall
+ add index.php if not exists in function createFolderProtectFile
! corrected changed coding between login_form and forgot_form
! recoded /account/forgot_form.php
! update quickSkin
! update languages files
+ add /temp/quickSkin/ folder
! begin fixing sec_anchor in urls
add new backend theme handling (Tks to Stefek)
fix redirect login
account/signup.php, check if user is already logged in
fix non object message in framework/functions.php
continue fixing frontend account
fixed print_error exit in frontend account
found more backlinks to fix
remove not working ftan in frontend
fixed redirect in login procedure (Tks to mr-fan)
update droplet LoginBox, additional parameter $redirect
remove double config call in media (Tks to Testör)
fixed validation of loginname (admin/users and signup)
fix entities converting in select languages (Tks to the community)
see http://www.websitebaker2.org/forum/index.php/topic,20547.msg140512.html#msg140512
redefined wrong admin backlinks
YGN Ethical Hacker Group (2.8.2 / 2.9.0)
update headerinfos
fixed headerinfos
add ini_set('display_errors', 1) (Tks to Thorn)
update headerinfos
Ticket #985 With #1318 no login in backend possible
Ticket #986 Typo inside the German language file
Ticket #982 Unnecessary heredoc causes errors during installation!
Ticket #926/Ticket #928 Mail Notification on new user registration
Ticket #971 Using $_POST in Admin - account - login.php (tks to Aldus)
update class.wb.php added tokens function
continue update headertext
Ticket #930 disabled SyntaxHighlighter from default WB Installation
change help url to www.websitebaker2.org
update headertext
update header info
Beginning header information update
fix login_form.php sometimes produce javascript errors in IE
Clean check in of minor bugfixes: Add some localizations, correct html/php syntax
Ticket #832: Fix wrong configuration of timezone-handling when saving preferences-form on backend and frontend
validate some output files
fix some PHP 5.3 deprecated functions
Created 2.8.x branch
Fixed E_ALL&E_STRICT warning on PHP5 servers (Thanks to Aldus)
replaced all remaining mktime() with time(), except from third party scripts
Fixed not defined language variable in account/email.php (Thanks to Forum-User BlackTiger)
removed unneeded icons from wb_theme
removed unneeded stylesheet.css from account dir
renamed warning.htt to warning.html to fix display of sourcecode after invalid login attempts
added fixed error.htt also to classic theme
added skinable Admin Interface
Mail text for register, signup and forgot mail now taken from WB language file (ticket #684)
Copyright notices now include 2009
applied additional mail check to forgot login form
some small fixes: group_id/groups_id-handling, safe_mode-query in install, better work-around for issue with phplib and code-module (removed {})
fixed bug with registration: users were not added to signup group
removed include/captcha/asp.php. CSS has to be added to module's css-files.
reintroduced include/captcha/asp.php
removed include/captcha/asp.php
fixed bug in user signup
Fixed possible XSS in account/login.php and forgot-form.php
fixed fixed typo :-(
fixed typo
Added some missing add_slashes(), get_post_escaped(), and strip_tags() for $_POST, $_GET and $_REQUEST-data. Also for $_SERVER['PHP_SELF'].
added new CAPTCHA and ASP (Advanced Spam Protection)
removed the PAGE_EXTENSION added with changeset 549
fixed bug in frontend login and multiple groups (in conjunction with error_reporting = E_ALL)
added the "users in multiple groups" feature (closes parts of ticket #546)
Replaced the variable PAGE_EXTENSION with hardcoded .php in all places where the paths point to WB Corefiles with the page extension .php
Replaced hardcoded text in login.php with language variables (fixes #386)
Changed all copyright notices to include now 2008
Security enhancement (reduced number of login trials from 50 to 3).
Added 2007 to all copyright notices
Added missing ID Keywords
Removed non-Unix-conform line endings
Fixed spelling errors in the signup2.php (#330)
Fixed more security issues related to ticket #237
Fixed tickets 190 and 207
Fixes security issue #237.
Removed "From:" from calls to internal mail function. Ticket 189
Applied fix regarding ticket #138
Ticket #137 - Last Reset timer not reset in frontend forgotten password process
Updated all copyright notices to include 2006
Ticket #126. Cookie REMEMBER_KEY wasn't cleared in account/logout and expiration date is now set to time in the past. Thanks to alex!
Changed mail calls to $wb->mail (thanks to John!).
John: changed captcha.php call to include timestamp
Forgotten password: if sending of e-mail fails, restore old password. Ticket #110
Added an exit call after every header("Location:...") redirector to prevent unwanted execution of code.
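The reason that exit call matters, shown as an added illustration that is not WebsiteBaker's own code: header() only queues a response header, so without exit PHP keeps running the rest of the script, and a client that ignores the Location header still gets whatever the remaining code does or outputs (the "execution after redirect" class of bug). The functions and the $_SESSION['USER_ID'] check below are constructed stand-ins, not the project's API.

```php
<?php
// Added example (not WebsiteBaker code): why a redirect must be followed by exit.
// Assumes session_start() has already run and that a constructed
// $_SESSION['USER_ID'] is set only after a successful login.

function is_logged_in(): bool
{
    return isset($_SESSION['USER_ID']);
}

function render_private_content(): string
{
    // constructed placeholder for data only a logged-in user may see
    return 'private profile data';
}

// BEFORE: header() without exit. A browser follows the 302, but a client
// that does not (curl without -L, a script) still receives the private
// content in the response body, because execution simply continues.
function protected_page_vulnerable(): string
{
    if (!is_logged_in()) {
        header('Location: /account/login.php');
        // missing exit: the lines below still run for an anonymous client
    }
    return render_private_content();
}

// AFTER: the pattern the changeset above applies. exit stops the script
// immediately after the header is queued, so nothing sensitive is reached.
function protected_page_fixed(): string
{
    if (!is_logged_in()) {
        header('Location: /account/login.php');
        exit; // stop here; no code after the redirect executes
    }
    return render_private_content();
}

// Minimal page body so the file can be served as-is (e.g. under php -S)
// and the two variants compared: switch the call to see the difference.
echo protected_page_fixed();
```

To check your own pages for this defect, request a protected URL while not logged in with a client that does not follow redirects and confirm the 302 response body is empty.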
Fixed bug #99 and two additional instances of catpcha instead of captcha.
Fixed some notices and warnings.
Replace 'admin' by 'wb' in all account pages. Moved print_success and print_error code to class.wb.php. Added correct parameters to these functions in account pages.
Fixed captcha bug for signup when disabled
Added captcha verification to sign-up form
Applied aportale's patch to use label instead of javascript toggle code
Fixed more inconsistencies regarding line endings and end-of-file newlines
Fixed inconsistent line ending styles
Fixed bug #65 (last_reset check in account/forgot_form.php)
Fixed spelling mistakes
Renamed compatibility.php to frontend.functions.php. Moved frontend functions from class frontend to frontend.functions.php. Removed instances of strip_slashes_dummy. Replaced $this by $wb in a couple of places. Created file initialize.php, where all initializations now take place (moved from class wb constructor).
Added automatic frontend redirection on login.
Change addslashes,stripslashes to (wb class) method calls add_slashes,strip_slashes
Fixed bug concerning direct access of preferences page.
Reworked visibility and menu code (frontend login problem)
Added direct access redirection in account files.
Reduced redundant initialization code, removed further 'CVS' occurrences. Made $admin accessible in page_content function.
Added the Id keyword for all files
Initial import from CVS to Subversion of Website Baker 2.5.2