-
Using PostNuke and MySQL in Unicode (UTF-8)
(News)
-
MySql and UTF-8
by: Bernd Plagge
www.choicenet.ne.jp
MySql introduced support for different character sets and collating rules in version 4.1. While this has many advantages, databases sometimes need to be migrated, and then we have to ensure that the correct character code is set for the new database. We mainly use UTF-8, so you may have to adapt this information to your situation!
What is the problem?
By default MySql uses Latin1 with the Swedish collation.
How do we check this?
run mysql.
mysql> show variables;
How to check the character set for a particular database?
run mysql.
mysql> show create table <table_name>;
The character code can be set in various places - so where is the best place for this?
We always use UTF-8
------------------------
In this case it makes sense to set the character code for the whole server to UTF-8. MySql actually sets the character code at different levels:
server
client
database connection
database
The character encodings for server, client and connection work hand in hand to ensure that the data is interpreted correctly. It seems that MySql makes no effort to determine the correct character set but will convert data in accordance with its configuration. This leads to problems for old databases if the database character code differs from the one configured.
The easiest way to configure MySql for UTF-8 is to put the configuration into the main configuration file (/etc/mysql/my.cnf).
In my.cnf there are different file sections. So you can't put it just anywhere.
[mysqld]
character-set-server=utf8
[client]
default-character-set=utf8
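Because an option that lands in the wrong my.cnf section is not picked up by the program it was meant for, it is worth checking the file rather than trusting it. The following Python check is an added example (not part of the article): it parses a my.cnf text and reports whether the two entries above sit in the sections the article assigns them. The two sample files are constructed for the example.

```python
import configparser

# Constructed sample: the client setting was put into [mysqld] by mistake
# and there is no [client] section at all.
WRONG_MY_CNF = """
[mysqld]
character-set-server=utf8
default-character-set=utf8

[mysqldump]
quick
"""

# Constructed sample laid out the way the article recommends.
RIGHT_MY_CNF = """
[mysqld]
character-set-server=utf8

[client]
default-character-set=utf8
"""

# Which option belongs in which section for a server-wide UTF-8 setup,
# following the article's two entries.
EXPECTED = {
    "mysqld": ("character-set-server", "utf8"),
    "client": ("default-character-set", "utf8"),
}


def parse_my_cnf(text):
    """Parse my.cnf text with configparser.

    my.cnf allows bare options such as 'quick' without a value, hence
    allow_no_value; '!include' directives are skipped because configparser
    would reject them.
    """
    lines = [l for l in text.splitlines() if not l.lstrip().startswith("!")]
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string("\n".join(lines))
    return cp


def check_utf8_config(text):
    """Return a list of problems; an empty list means the file is laid out
    as the article recommends."""
    cp = parse_my_cnf(text)
    problems = []
    for section, (option, value) in EXPECTED.items():
        if not cp.has_section(section):
            problems.append(f"missing [{section}] section")
        elif cp.get(section, option, fallback=None) != value:
            problems.append(f"[{section}] should contain {option}={value}")
    # Flag settings that live in a section other than the one assigned
    # to them above; such an entry gives a false sense of being configured.
    for section in cp.sections():
        for option, _ in cp.items(section):
            owner = [s for s, (o, _) in EXPECTED.items() if o == option]
            if owner and section not in owner:
                problems.append(
                    f"{option} is in [{section}] but belongs in [{owner[0]}]"
                )
    return problems


if __name__ == "__main__":
    for label, cnf in (("wrong", WRONG_MY_CNF), ("right", RIGHT_MY_CNF)):
        print(label, check_utf8_config(cnf) or "ok")
```

Run it against a real file with `check_utf8_config(open("/etc/mysql/my.cnf").read())`; the check only knows the two options above, so extend EXPECTED if you also set collation-server.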
Setting UTF-8 for one Database
--------------------------------------
You can change the default character code for a database either by dumping the data and then editing the schema file, or you can do this online.
From within mysql you use the 'alter database' statement to change the database.
run mysql
alter database <db_name>
default character set utf8
default collate utf8_general_ci;
note: you may omit the word 'default'.
It is also worth noting that e.g. mysqldump silently adds the default character code when exporting data!
This can cause problems if the character code defined and the database content are different. In such cases mysqldump will try to convert the data to its default character code!
However, you can disable that by adding the character code option when using mysqldump.
e.g. mysqldump --set-charset
In the same way you may explicitly set the character set:
mysqlimport --default-character-set=utf8
mysqladmin --default-character-set=utf8 create
Setting the character code at server start
-----------------------------------------------------
You can start the server with the options:
--character-set-server=<charset>
--collation-server=<collation>
The current values can be determined with the command
run MySql:
mysql> show variables;
Values may be changed with commands like:
set character_set_server = utf8;
set collation_server = utf8_unicode_ci;
Setting the character code within Applications
----------------------------------------------------------
You want to ensure that the correct character code is set when connecting to a particular database.
Connect to the database and issue the following SQL command:
mysql> SET NAMES utf8;
SET NAMES is equivalent to setting these three variables:
character_set_client
character_set_connection
character_set_results
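To see which of the variables above actually need fixing on a given server, it helps to parse the output of `show variables` instead of reading it by eye. The following Python is an added example (not from the article): it parses a constructed sample of what the mysql client prints for `show variables like 'character_set%'`, reports every variable that is not utf8, and simulates the effect of SET NAMES, which rewrites exactly the three session variables listed above and leaves character_set_server and character_set_database alone.

```python
import re

EXPECTED_CHARSET = "utf8"

# Constructed sample output of
#   mysql> show variables like 'character_set%';
# on a server whose data is utf8 but whose client side was never switched.
SAMPLE_SHOW_VARIABLES = """\
+--------------------------+----------------------------+
| Variable_name            | Value                      |
+--------------------------+----------------------------+
| character_set_client     | latin1                     |
| character_set_connection | latin1                     |
| character_set_database   | utf8                       |
| character_set_filesystem | binary                     |
| character_set_results    | latin1                     |
| character_set_server     | utf8                       |
| character_set_system     | utf8                       |
| character_sets_dir       | /usr/share/mysql/charsets/ |
+--------------------------+----------------------------+
"""

# One table row of the mysql client's output: "| name | value |"
ROW = re.compile(r"^\|\s*(\w+)\s*\|\s*(.*?)\s*\|$")

# The three variables SET NAMES changes ...
SESSION_VARS = ("character_set_client", "character_set_connection",
                "character_set_results")
# ... and the two server-side ones that must agree with the stored data.
STORAGE_VARS = ("character_set_server", "character_set_database")


def parse_show_variables(output):
    """Turn the client's table output into a {variable: value} dict."""
    values = {}
    for line in output.splitlines():
        m = ROW.match(line.rstrip())
        if m and m.group(1) != "Variable_name":
            values[m.group(1)] = m.group(2)
    return values


def charset_mismatches(variables, expected=EXPECTED_CHARSET):
    """Return {variable: actual} for every checked variable that is not the
    expected charset. character_set_system and character_set_filesystem are
    left out: the first is always utf8, the second is binary by default."""
    return {name: variables.get(name, "<unset>")
            for name in SESSION_VARS + STORAGE_VARS
            if variables.get(name) != expected}


def set_names_needed(variables, expected=EXPECTED_CHARSET):
    """True when SET NAMES on the connection would fix the session side."""
    return any(variables.get(n) != expected for n in SESSION_VARS)


def apply_set_names(variables, charset):
    """Simulate SET NAMES: assign the same charset to the three session
    variables and leave the server/database values untouched."""
    updated = dict(variables)
    for name in SESSION_VARS:
        updated[name] = charset
    return updated


if __name__ == "__main__":
    current = parse_show_variables(SAMPLE_SHOW_VARIABLES)
    print("mismatches:", charset_mismatches(current))
    print("after SET NAMES utf8:", charset_mismatches(apply_set_names(current, "utf8")))
```

If character_set_database still shows up after the simulated SET NAMES, the database itself is on the wrong charset and needs the 'alter database' statement from the previous section; SET NAMES alone cannot repair that.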
How to run PostNuke in UTF-8
-----------------------------------
Several things have to fall into place for this to work correctly.
1) the database encoding needs to be set to UTF-8
2) the application language needs to be encoded in UTF-8
3) PostNuke needs to be told to use UTF-8
ad 1)
see above for details!
ad 2)
The character code for a given language is set in language/<lang>/global.php (PN 0.76x) or in language/<lang>/core.php (PN 0.8), where <lang> is the language directory. Search for and adjust the following 3 define strings:
define('_CHARSET','UTF-8');
define('_LOCALE','en_US');
define('_LOCALEWIN','eng');
Of course it is not sufficient just to change the _CHARSET to UTF-8. The text strings themselves need to be encoded in UTF-8. This can be done in a number of ways:
a) use 'recode' or 'iconv' on every language file
b) use the pnlwb (PN Language Workbench) to extract and convert all language files
ad 3)
Following the database initialization you need to issue a "SET NAMES" command. As this is done in includes/pnAPI.php, we need to patch that file.
PN 0.76x
----------
// load security functions.
include 'includes/pnSecurity.php';
// Load our language files
include 'includes/pnLang.php';
pnLangLoad();
//bplagge 2006-01-31 - charset fix for new MySql version
$dbconn =& pnDBGetConn(true);
$info = $dbconn->ServerInfo();
if ($dbconn->ErrorNo() != 0) {
    echo "Error: "; echo $dbconn->ErrorNo();
}
// print_r($info);
$c = _CHARSET;
// Mysql uses a non-standard name for UTF-8!
if ($c == 'UTF-8') {
    $c = 'UTF8';
}
$query = sprintf('SET NAMES \'%s\'', $c);
$dbconn->Execute($query);
if ($dbconn->ErrorNo() != 0) {
    echo "Error: "; echo $dbconn->ErrorMsg();
    echo "check pnAPI.php";
}
// end bplagge - mysql charset adjustment
PN 0.8
-------
if ($stages & PN_CORE_LANGS) {
    // Load our language files
    pnLangLoad();
}
# bp 2007-06-01
# need to "set names '' " to ensure correct data handling
$query = sprintf('SET NAMES \'%s\'', 'UTF8');
$result = DBUtil::executeSQL($query, -1, -1, true, true);
Please note that the MySQL character code names are NON STANDARD!
How to check?
----------------
I always found that phpMyAdmin is an excellent tool for MySQL databases. If the data entered in PostNuke is also correctly displayed in phpMyAdmin table browse mode I'm quite confident that everything is fine.
Generated on June 6, 2007.
-
PNSA 2006-3 - PostNuke Input Validation Vulnerability
(News)
-
Severity
Critical
Impact
Directory Traversal
Vulnerabilities
Directory traversal vulnerability in error.php in PostNuke 0.763 and earlier allows remote attackers to include and execute arbitrary local files under certain circumstances via the PNSVlang session variable which is included by error.php.
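As an added defensive illustration (not PostNuke's own code or its fix for this advisory), the following Python shows how a language selector taken from an untrusted session or cookie value can be validated before it is ever turned into an include path. The language directory, the three-letter code format and the set of installed packs are assumptions made for the example.

```python
import os
import re

# Assumed language directory and installed packs (constructed for the example).
LANG_DIR = "/var/www/postnuke/language"
INSTALLED_LANGS = {"eng", "deu", "fra"}

# Assumed format of a language code: exactly three lowercase letters.
LANG_TOKEN = re.compile(r"^[a-z]{3}$")


def resolve_lang_file(lang, filename="global.php", base=LANG_DIR,
                      installed=INSTALLED_LANGS):
    """Return the file to include for a language code, or None if the value
    is not acceptable.

    The value may come from a session variable the user controls, so it is
    treated as a selector into an allowlist, never as a path fragment.
    """
    # 1. Shape check: anything but a bare code is rejected outright.
    if not isinstance(lang, str) or not LANG_TOKEN.match(lang):
        return None
    # 2. Allowlist check: only packs that are actually installed.
    if lang not in installed:
        return None
    # 3. Defense in depth: confirm the normalised path is still inside the
    #    language directory even though steps 1-2 already guarantee it.
    path = os.path.normpath(os.path.join(base, lang, filename))
    if os.path.commonpath([base, path]) != base:
        return None
    return path


if __name__ == "__main__":
    for candidate in ("eng", "../admin", "xyz", "ENG", ""):
        print(repr(candidate), "->", resolve_lang_file(candidate))
```

Logging the rejected values (step 1 and 2 failures) gives a cheap detection signal for attempts against this kind of include, since a legitimate client never sends anything but one of the installed codes.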
Credits
Kacper
Solution
Users should immediately update to 0.764. PostNuke versions 0.764 and later are unaffected.
PostNuke 0.764 Downloads
see Release Announcement.
Andreas Krapohl [larsneo]
PostNuke CMS Development
Generated on November 21, 2006.
-
Downloads on PostNuke.com Target of Hacker: Immediate Action Required if You've Downloaded PostNuke in the Past Three Days
(News)
-
credentials, the admin name and password) is sent to a different server. Second, in one file there was code allowing a malicious user to execute any shell command on the web server.
As noted before, immediate action is required from everyone who downloaded the .zip package between Sunday (24.Oct) at 23:50 GMT and Tuesday (26.Oct) at 8:30 GMT.
Required Actions
1. Immediately remove the affected file /includes/pnAPI.php and replace it on your server with the original one (either from a fresh download or from http://cvs.postnuke.com/viewcvs.cgi/Historic_PostNuke_Library/postnuke-devel/html/includes/pnAPI.php?rev=1.86&content-type=text/vnd.viewcvs-markup)
2. Check the access-logs for any entry containing 'oops='. If you find any call please contact the PostNuke Security Team via http://forums.postnuke.com/index.php?module=vpContact providing the access log for further investigation.
3. Change your database details, username, password and if possible, database name.
Future Safety Precautions
In the future, to avoid downloading tampered files, please compare the MD5 checksums with an independent source to ensure legitimacy, such as http://www.post-nuke.net. For those unfamiliar with MD5, it is a check you can use to make sure the download has not been tampered with and can be trusted. In order to compute a checksum you need an MD5 utility; you can find a variety of tools (for Windows) here: http://lists.gpick.com/pages/Checksum_Tools.htm, and another favorite is the free and platform-independent open source project jacksum (http://www.jonelo.de/java/jacksum/). You can also find more information about this topic on Wikipedia at http://en.wikipedia.org/wiki/Md5
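Two of the steps above, checking the access logs for 'oops=' and comparing a download against a published checksum, are easy to get slightly wrong by hand (a URL-encoded query string, a checksum printed in upper case). The Python below is an added example, not the PostNuke team's own tooling: it scans constructed Apache-style access log lines for any request carrying an 'oops' query parameter and compares a download's digest with a published value. The log lines and the download bytes are constructed for the example. MD5 is no longer collision-resistant, so the checksum helper takes the algorithm name as a parameter and works the same way with sha256 where a publisher offers one.

```python
import hashlib
import hmac
import re
import urllib.parse

# Constructed Apache combined-format access log: two ordinary requests and
# one request that carries the 'oops' parameter used by the tampered file.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [26/Oct/2004:09:12:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [26/Oct/2004:09:13:44 +0000] "GET /index.php?module=News&oops=test HTTP/1.1" 200 812 "-" "curl/7.12"
198.51.100.2 - - [26/Oct/2004:09:15:10 +0000] "POST /user.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Leading fields of a combined-format line: client IP, identity, user,
# timestamp, then the request line "METHOD target".
REQUEST = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)'
)


def find_oops_requests(log_text, parameter="oops"):
    """Return (ip, time, target) for every request whose query string
    contains the given parameter name. Matching on the parsed parameter
    name rather than the raw substring catches URL-encoded variants and
    an empty value such as 'oops='."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        target = m.group("target")
        query = urllib.parse.urlsplit(target).query
        params = urllib.parse.parse_qs(query, keep_blank_values=True)
        if parameter in params:
            hits.append((m.group("ip"), m.group("time"), target))
    return hits


def compute_checksum(data, algorithm="md5"):
    """Hex digest of the download bytes with the chosen hashlib algorithm."""
    return hashlib.new(algorithm, data).hexdigest()


def checksum_matches(data, published_hex, algorithm="md5"):
    """Compare a download against a published checksum, ignoring case and
    surrounding whitespace. compare_digest is used out of habit so the
    comparison does not leak where the digests diverge."""
    digest = compute_checksum(data, algorithm)
    return hmac.compare_digest(digest, published_hex.strip().lower())


if __name__ == "__main__":
    for ip, when, target in find_oops_requests(SAMPLE_ACCESS_LOG):
        print(f"suspicious request from {ip} at {when}: {target}")
    download = b"constructed download bytes"  # stands in for the .zip
    published = compute_checksum(download)      # stands in for the posted MD5
    print("checksum ok:", checksum_matches(download, published.upper()))
```

Feed the real log with `find_oops_requests(open("access.log").read())`; hits are what the team above asks you to send them, so keep the raw lines rather than only the summary.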
Finally, be assured we are working to find the hacker and will take any and all legal action when they are found.
About PostNuke
PostNuke is a community, content, collaborative management system, a C3MS providing webmasters with a set of tools to build a dynamically generated web site within minutes of downloading the software. It's backed by a team of dedicated, talented developers, designers, and volunteers with years of experience.
General Info About PostNuke:
Modular Structure, Customized Functionality through Third-Party Modules, Advanced User Group Permissions System, Multi-language Support (Approximately 36 Language Packs Available), Embedded WYSIWYG HTML Editor Activated on Most Text Entry Areas, Site Search, Advanced API (Application Programming Interface), Focused on High Level of Security, Easy-to-Use Guided Browser Based Installation, Easily Change/Customize Your Site's Look/Feel Through Plug-in Themes, Provides advanced content management features while promoting collaboration, communication and community around the content.
A Short List of Available Modules
News Publishing, Content Management, RSS Feeds, Voting Booth/Polls, Banners Module, Comments Module- allows other modules, including
Generated on October 26, 2004.
-
An Expert's Opinion: Furthering Our Understanding
(News)
-
Dear Vanessa and All Other Members of The Fabulous PostNuke Community:
I am an attorney-at-law, licensed by the State of Florida, and the United States District Court for the Southern District of Florida to engage in a multi-jurisdictional copyright and trademark practice. My practice focuses on cyberlaw (see http://cyberlaw.info). Nothing contained herein is legal advice, nor should it be relied upon without independent research and consultation with a licensed attorney. The following discussion is limited to the laws of the U.S.
I have been asked to comment upon the following hypothetical. If a person or entity (jointly and severally referred to hereafter as "Party A") creates a theme utilizing, or adds an original image or code to a GNU GPL program that was copyrighted subject to the GNU GPL ( see http://www.gnu.org/licenses/gpl.txt ), may another person or entity (Party "B") distribute Party A's distribution containing the new material without the permission of Party A because the entire work (including the new material added by Party A) has now become subject to the GNU GPL?
Also, you have asked me to assume the following notice appears on Party A's work:
// ----------------------------------------------------------------------
// Copyright (c) 2002-2003 Party A
// http://partya.com
// ----------------------------------------------------------------------
// LICENSE
//
// This program is free software; you can redistribute it and/or
// modify it under the terms of the GNU General Public License (GPL)
// as published by the Free Software Foundation; either version 2
// of the License, or (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
// See the GNU General Public License for more details.
// To read the license please visit http://www.gnu.org/copyleft/gpl.html
// ----------------------------------------------------------------------
The pertinent portions of the GNU GPL are as follows:
"0. ... the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does."
"2. ... mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License."
Pertinent Sections of United States Copyright Law:
Copyright protection extends to an "original work of authorship fixed in any tangible medium of expression." 17 U.S.C. 102 (a) at ( http://www4.law.cornell.edu/uscode/17/102.html ).
Copyrights are divisible (i.e. you can retain certain exclusive rights, but transfer others). See Section 17 U.S.C. 106 ( http://www4.law.cornell.edu/uscode/17/106.html).
Discussion:
The above license purports to convey via the GNU GPL rights to the "program."
Since copyright is divisible, we must first determine the meaning of the word "computer program." A definition for the term "computer program" is actually a question of fact that would need to be determined by a Court or jury. Dictionary.com defines computer program as follows: "computer program n : (computer science) a sequence of instructions that a computer can interpret and execute; "the program required several hundred lines of code" [syn: program, programme, computer programme]".
It can be argued that an image (which has been stored on digital media) is not a "program." It is data which is called by a program. It would be an anomalous argument to propose that a copyrighted picture taken by the owner of the program and included in his distribution of his GNU GPL program could be used unless the owner consented.
Similarly, it follows that a presentation, template or display, which is created utilizing copyrighted programs, may not in and of itself be a "program."
Very generally, there is no impediment to obtaining independent copyrights for original works of authorship created by utilizing programs. If there were, Microsoft would be able to prosecute every author who submitted an original manuscript to a publisher in Word format and digital artists would be unable to copyright their works because they used a paint program.
Similarly, if someone creates a theme or skin that artistically rises to the level of an original work of authorship utilizing a program, the resulting theme or skin should be copyrightable separately from the program that created it. It could be argued that the skin, theme, or result is a new, original work of authorship fixed in a tangible medium of expression, and not a derivative or compilation of the original program (i.e. Word, Paint Shop Pro, or, for that matter, Autotheme).
Turning to paragraph 0. of the GNU GPL, licensing a program or work under its terms does not make all files included with the distribution subject thereto. See paragraph 0., supra. In our hypothetical, the notice only refers to the "program", and not any particular resulting theme or image therein.
Turning to paragraph 2. of the GNU GPL, "the mere aggregation" of an original work of authorship which is not a derivative or compilation of the program with the program (or with a work based on the Program) on a ... distribution medium "does not bring the other work under the scope of the License." In plain English, this means that just because a distribution contains some files which are subject to the GNU GPL, NOT ALL files contained in the distribution may be so subject. This argument should also apply to data entered into the program to make it display an original work of authorship.
With respect to the language contained in the notice contained in Party A's distribution, a reasonable interpretation of same should lead a Court and/or jury to determine that a program is not the resulting theme, skin, etc., but a set of instructions that the "artist" utilizes to create same. Just because core code is distributed with additional files, or data is entered into existing code to make, draw or display the new skin on screen, should not, in and of itself, make the new files or data subject to the license. See GNU GPL paragraphs 0 and 2 above.
Pursuant to 17 U.S.C. 106, copyrights are divisible (i.e. you can retain certain exclusive rights, but transfer others). Accordingly, it could be argued that Party A's copyright in and to the theme or skin or image remains the sole and exclusive property of Party A. If the argument succeeds, those who violated Party A's exclusive rights (17 U.S.C. 106) in the resulting theme, display, image, skin, etc., face exposure to federal suit for copyright infringement.
Notwithstanding, the program code and modifications made thereto which are considered to be derivatives or compilations ARE subject to GNU GPL, unless the additional code merely "plugs-in" to the preexisting code, is "not based on preexisting code," and is capable of "standing alone." Note, early cases did not hold telephone manufacturers liable for patent/copyright infringement because their pin out to wall jacks was identical to that of the other's pin out, allowing access to the other's network.
It would logically follow that a third party can utilize GNU GPL code to create an original work of authorship (i.e. a new theme) and obtain a copyright in the new material. However, if the resulting theme, display, image, and/or template is similar to that which the artist has not released under the GNU GPL, the third party could be prosecuted for copyright infringement if that third party did not get consent (provided other procedural requirements are fulfilled).
It is worth mentioning that the creator of a program who initially released it under certain conditions, may be able to revoke same at any time (but this would require further research and is a topic for another discussion).
Elliot Zimmerman, Esq.
The Law Offices of Elliot Zimmerman, P.A.
5353 North Federal Highway, PH 405
Fort Lauderdale, FL 33308
http://cyberlaw.info
legal@cyberlaw.info
Generated on April 30, 2004.
-
PostNuke Project Summary Issue #3
(News)
-
Xanthia Templating Environment
The Xanthia Templating Environment for PostNuke .726 is nearing an RC3 release. Since RC2 a number of enhancements and changes have been made, including some large performance gains. This has been achieved through reducing the number of SQL queries used to generate themes and, recently, the caching of palettes, zone and theme settings in a new pnTemp/Xanthia_Config directory. In addition, the Short URLs output filter now only operates on the master, not the sub-templates.
Theme designs should now form a full page (minus module and block zones). The header and footer areas are all contained within the themes, so as a user you can change header settings simply by modifying the theme.
Full page caching means that pages can be served without the need to execute module code. Although this feature is of less use on heavily dynamic sites, sites that have large amounts of static content can make good use of it.
Support for module specific style sheets is also included in Xanthia RC3 – in /pnstyle/style.css.
The pnRender module has itself undergone changes. Additional template paths are available, allowing hook functions and blocks to have different templates per top-level module (pnModGetName()). As a separate improvement, plugin results can now be assigned to a template variable.
.8 Development Progress
As development of .8 continues, more progress towards a Milestone release is being made. This release will primarily be aimed at 3rd party developers to allow them to test their modules with the new core. Due to the substantial amount of change in the core, it is anticipated that modules may need to make some minor changes – the milestone release should allow this to happen. As an initial target, 6-8 weeks has been estimated. This does however represent a substantial step towards Release Candidates and the future full release. The recent .8 developments are listed below:
New installer – The new installer is completed (exempting graphics work). The module is now based on the module’s separate initialization script, and links through each /pninit.php script to complete the install. This simplifies the installer, and ensures that it remains current through module changes.
Core pnHTML usage – The PostNuke_Core (system) tree is now free of pnHTML. Although PostNuke will continue to support pnHTML based modules until 1.0, all .8 core modules use pnRender.
Core optimization – Changes have been made throughout the core (/includes) to reduce the number of queries made during a page load by creating in memory caches of common data.
New database connection – This reduces memory overhead and global database connection. Credits for this enhancement go to Eric Barr from Envolution. This new method is backwards compatible to existing modules.
.7x Gold Release
It is planned to release a .7x Gold Release which will include the enhancements back-ported from the .8 core and the removal of font tags, allowing for more control using CSS. The new database connection method is back-ported, XTE will be included and, although yet to be confirmed, so is the Mailer module from .8, allowing configuration of mail settings such as external SMTP servers.
Documentation Website
For a while now, the documentation site has been online, at http://docs.postnuke.com. The first project of the pnCorps at this website has been to improve and expand the FAQ. It now contains an increased amount of useful information and answers to common questions.
As the documentation site expands, the pnCorps would like contributions and suggestions for new documentation, As well as assi
Generated on March 13, 2004.
-
Custom User Fields Storing Problem
(News)
-
function pnUserSetVar($name, $value, $uid = 0)
{
    list($dbconn) = pnDBGetConn();
    $pntable = pnDBGetTables();
    if (empty($name)) return false;
    if (empty($uid)) {
        $uid = pnSessionGetVar('uid');
        if (empty($uid)) return false;
    }
    ...
#2 Making use of the previous change to the API code, the problem could be solved by altering the newuser_user_finishnewuser function (modules/NS-NewUser/user.php). Right after the lines that update the user table, insert the following:
...
$result = $dbconn->Execute("sql statement to insert new user...");
$uid = $dbconn->PO_Insert_ID($pntable['users'], $column['uid']);
if (!empty($dynadata) && is_array($dynadata)) {
    while (list($key, $val) = each($dynadata)) {
        pnUserSetVar($key, $val, $uid);
    }
}
...
I found that this change completely solved the problem with custom user data fields storing.
Miklos Kovac
Generated on February 24, 2004.
-
Phoenix Template Rendering Engine Overview
(News)
-
What is a template rendering engine?
A template rendering engine is the total separation (abstraction) of an application's business logic and rules from the content layer (output HTML, XHTML, XML, PDF, etc.). It includes dynamic variable substitution (replacing keywords or placeholders with content), dynamic block substitution (for example the result of a record set from a query, for instance the number of available news topics on the news index), the capability to process unlimited nested loops, among many others, and optional conditional statements ([if/elsif/else]) which allow you to make decisions based on user interaction in an easy-to-understand way.
The problem is that many template solutions for PHP are based on regular-expression replacements, which highly complicate the code and add an immense overhead to the application. This regular-expression metaphor is hard to extend (and to adjust to taste), and does not quite provide the complete separation of presentation and logic (for example, to make the rows of a table alternate colours, PHP code had to be adjusted).
Instead of following this route and living with this and many other drawbacks, Phoenix takes advantage of a revolutionary concept in template rendering engines, provided by the underlying architecture of Smarty: the compilation of templates, which combines the speed of execution of pure PHP code with the ease and simplicity of template syntax.
With this approach template files are first converted into PHP scripts before they are executed. This may sound costly in terms of performance until you consider that it need only be done when the template file is changed! Once a template file is compiled, it is stored for later use (and re-use) using a caching mechanism, the end result being a reduced overall server load, which can be further enhanced (up to 500%) by the use of PHP optimizing technologies like php-accelerator or the Zend Optimizer.
The second biggest advantage is extensibility; this is what really makes it invaluable for programmers and designers alike.
How does it work?
Basically templates work quite like any ordinary HTML page: they use template "tags" to distinguish dynamic content (data provided from the DB, for example) from the rest of the template, which is pure HTML. These tags are then automatically replaced with the result of the requested data set. All template functions are loaded on demand; this means that even though the rendering engine is extensive in its core, it will only load the required code to perform each task.
While working with templates you have access to a wealth of resources, among them:
Variable modifiers (allow you to transform the properties of your content on the fly, i.e. caps, indentation, upper, lower, etc.)
Configuration files, which allow you to define settings for colors, width and practically every aspect of the HTML properties.
A wealth of built-in functions which you can extend, like free block/module positioning, forms, automatic cloaking and encoding of email addresses, and many more.
You can easily add to and extend the engine with your own functions by taking advantage of the plugin architecture.
Many new possibilities arise with the capability of automatic inclusion of static content, either local or remote, on the fly.
Caching mechanisms designed with great granularity allow you to specify how, when and how often cached content is to be updated (making your site as fast as static HTML) and under which conditions.
Advanced Features:
Prefilters
A set of functions that are run on the templates prior to their being compiled by the engine (i.e. removing unwanted comments from them).
Postfilters
Functions that are executed after the templates have been compiled, and could help add valuable data to the whole of your templates on the fly if needed.
Output Filters
This feature allows you to apply settings to content while it is being executed, as opposed to the postfilters, which are applied just before saving the compiled template.
Multiple Template Sources
Templates may come from a variety of sources, like the file system or the database.
Debugging Tools
An intelligent debugging console which allows one to trace all items related to any and all templates used during the course of a page rendering.
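The compile-once-and-cache idea from "How does it work?" and the three filter stages above are easier to grasp in a few dozen lines than in prose. The Python below is an added example and not Phoenix or Smarty code: a toy engine that compiles a template into a generated function, caches it under a hash of its source so it is only recompiled when the template changes, and runs prefilters on the template source, postfilters on the generated code, and output filters on the rendered result. It goes one step past the article by HTML-escaping every substituted variable, so a value such as user-supplied bio text cannot inject markup; the template syntax, template and context values are all constructed for the example.

```python
import hashlib
import html
import re

# Placeholder syntax of the toy engine: {$name} is a variable substitution.
TOKEN = re.compile(r"\{\$(\w+)\}")


class MiniEngine:
    def __init__(self):
        self.cache = {}          # source hash -> compiled render function
        self.prefilters = []     # run on template source before compiling
        self.postfilters = []    # run on the generated code
        self.outputfilters = []  # run on rendered output
        self.compile_count = 0   # how often compilation actually happened

    def _compile(self, source):
        """Translate the template into a Python function once.

        Template authors are trusted (they write code-equivalent content
        anyway); variable names are restricted to \\w+ and passed through
        repr(), and every value is HTML-escaped, so user data in ctx can
        never alter the generated code or the markup.
        """
        parts, pos = [], 0
        for m in TOKEN.finditer(source):
            parts.append(repr(source[pos:m.start()]))
            parts.append(f"html.escape(str(ctx.get({m.group(1)!r}, '')))")
            pos = m.end()
        parts.append(repr(source[pos:]))
        code = "def render(ctx):\n    return " + " + ".join(parts) + "\n"
        for f in self.postfilters:      # postfilters see the generated code
            code = f(code)
        namespace = {"html": html}
        exec(code, namespace)
        self.compile_count += 1
        return namespace["render"]

    def fetch(self, source, ctx):
        for f in self.prefilters:       # prefilters see the template source
            source = f(source)
        key = hashlib.sha1(source.encode()).hexdigest()
        if key not in self.cache:       # compile only when the source changed
            self.cache[key] = self._compile(source)
        out = self.cache[key](ctx)
        for f in self.outputfilters:    # output filters see the rendered page
            out = f(out)
        return out


def strip_comments(src):
    """Prefilter: remove {* ... *} comments before compilation."""
    return re.sub(r"\{\*.*?\*\}", "", src, flags=re.S)


def add_generated_header(code):
    """Postfilter: annotate the generated code."""
    return "# generated by MiniEngine\n" + code


def collapse_whitespace(out):
    """Output filter: squeeze whitespace in the rendered page."""
    return re.sub(r"\s+", " ", out).strip()


def demo():
    """Render the same constructed template twice, then a changed one."""
    engine = MiniEngine()
    engine.prefilters.append(strip_comments)
    engine.postfilters.append(add_generated_header)
    engine.outputfilters.append(collapse_whitespace)
    tpl = "{* header *}<h1>Hello {$user}</h1>\n  <p>{$bio}</p>"
    first = engine.fetch(tpl, {"user": "Bernd", "bio": "<script>alert(1)</script>"})
    second = engine.fetch(tpl, {"user": "Ana", "bio": "plain"})
    compiles_after_two = engine.compile_count
    engine.fetch(tpl + "!", {"user": "Ana", "bio": "plain"})
    return first, second, compiles_after_two, engine.compile_count


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The cache key is the prefiltered source, which is why the prefilter must run before the lookup: a comment-only change still maps to the same compiled function, while any real change forces a recompile.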
The pnTemplate API
This (Template Application Programming Interface) provides a set of tools that allow programmers to harness the full set of combined resources that PostNuke and Smarty provide. It follows the pnAPI naming conventions and style and will be easy to understand and apply for module/block programming, taking current modules and blocks to the next level of usability, flexibility and power.
The Phoenix Administration (system) Module
It is the front end for all this power and flexibility. It manages Themes, which are composed of templates, which in turn have interesting properties like content type (html, xhtml, csv, rss, pdf). They also belong to a layout; each template in a theme can belong to a different layout. Let's say you create a "dual column" layout and an "art deco" layout for theme "Postnuke"; then you can switch among these with the click of a mouse and apply this system wide. Templates also belong to specific zones (header, footer, module content, block etc.).
Templates install themselves similar to how modules do now: you just drop in the theme, initialize and activate it, and you are done. The same goes for upgrades or removal.
In the Phoenix administration module you can manage all aspects of the rendering engine, including but not limited to all properties that control the behavior of Smarty, as well as create, edit and delete templates and their related items online. Since you can choose to use file system templates or DB templates or a combination of both, you can directly upload new sets of templates from your computer.
You have access to CSS and many more properties and features. The best part of it all is that you can have the old themes right along with the next generation and also switch back and forth among them with ease.
Templates Programming Language and Active Zones
While working with templates, as mentioned before, you can either use the basic template "tags" and normal HTML or go beyond; the choice is yours. The rendering engine provides enough resources to make your templates intuitive and intelligent, accomplishing quite complex tasks with great ease. This is done by the use of what we call "active zones". Active zones are special placeholder areas in your templates that allow execution of commands from the template rendering language or invocation of plugins, filters, variable substitution, etc.
These active zones are easy to use and apply and will make your life very simple and productive while customizing and designing the site of your dreams.
In conclusion, the Phoenix Template Rendering Engine can answer the needs and requirements of both novices and seasoned developers or graphic designers. And it supports popular HTML editors like DreamWeaver, among others, allowing you to use visual tools to enhance your experience and overall productivity, harnessing all this power in one simple place.
For reference if you happen to read this before the principal article of this series please read the first part which you will find here:
http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=2357
Note: [ For clarification 1st quarter refers to the 1st four (4) months [Jan-Apr] of 2003, thus the goal is to have the 0.8
Generated on February 11, 2003.
-
Successful PostNuke Phoenix Installation on Windows 2000 Server -- HOW TO
(News)
-
few hours trying to solve a problem that was just waiting for a reboot. Take my word for it, especially with the MySQL install.
The Config:
Hardware: PIII slot 1, 384 Megs RAM, 1 FAT32 drive(2 partitions), 1 NTFS drive (single partition)
Windows 2000 Server Sp3
IIS 5.0 included with windows 2000
PHP 4.2.3 (via installer)
MyODBC 2.50.39
mySQL 3.23.52
The Details
Windows Server
This is a multi-role machine running DNS, Active Directory (AD) and other network services, and IIS. It's basically my intranet, Domain Controller (AD), File Server and development web server. It's locked down behind a router with its own security protocols, so if you hack the router, you still have to hack AD, which grants access through IP first, Domain second and user third. It's pretty tightly locked up, and it's a good way to have a fairly secure development platform.
IIS
IIS is configured to run a default site, which is locked down using AD. If the machine dns name is theMachine, I can easily access the default web site using my browser and going to http://theMachine. The default site is basically a default installation with nothing on it and I use virtual directories to point to development file structures - this is documented in IIS documentation. Basically I took a default PostNuke installation file structure and copied it to a directory on one of my development partitions (I used a FAT32 partition -- no reason for it, just thought this may be a useful fact), and made that a virtual directory of the main site. If I name the virtual directory PNdev, I can now access that directory via http://theMachine/PNdev.
PHP
Download the installer version of PHP for Windows (link in heading title). Stop the IIS server, execute the PHP installer and follow the instructions (pay attention to the checkboxes for what kind of web server you wish to install it on; there should be one for IIS 4.0 and up), then reboot. After the reboot run a search for php.ini (because I'm too lazy to look for it in the C:/Winnt folder), and change register_globals to 'On'. NOTE: DOING THIS POSES A SECURITY ISSUE FOR THE WEBSERVER. Read about it in the PHP documentation. Now you're ready to install mySQL.
MyODBC
I downloaded and installed this driver for MySQL because I'm developing some desktop packages that may be using MySQL in the future -- but it's part of the environment and thought I should mention it. Just do it if you're not sure.
mySQL
Download (link in title) and unzip this file to its own directory.
Go to IIS and stop the server!
Install using the setup program and use all the default values (if you install it other than to the default directories, don't come crying to me).
Reboot.
After rebooting, run a search for the my.ini file and delete it. If you don't find one, good: it means you need to create one.
Creating a my.ini file with winmysqladmin.exe
You will find a file called winmysqladmin.exe in c:\mysql\bin\; if you don't find it there, you screwed up somewhere or installed mysql in another directory - run a search to find it. Once you have located winmysqladmin.exe, I would advise putting a shortcut to it on your desktop.
Open winmysqladmin.exe; a window should pop up asking for a user name and password. Enter the username and password that you wish to use: this will be the MASTER USERNAME AND PASSWORD for your mysql installation. You will need this password very shortly, so write it down! (winmysqladmin also writes this username and password into my.ini in clear text, so keep that file readable by administrators only.) Once you submit the info, look in the sys tray for an icon that looks like a traffic light. If the 'light' is red, mySQL needs to be started. Do this by right-clicking the icon, choosing 'win NT' and then clicking 'start this service'. (If you wish to set up more usernames and passwords for other users on their own dbs, read about it in the mySQL documentation.)
Creating a Database with winmysqladmin.exe
If the traffic light icon is in the tray, open the GUI by right-clicking the icon and choosing 'show me'. If it is not in the tray, open winmysqladmin.exe from the shortcut you placed on your desktop earlier, or find it again and open it. When it opens, the window will appear and then disappear; look in the tray and you will see the traffic light. Right-click the icon and choose 'show me'.
The GUI will appear, click on the 'Databases' Tab. Right click on the server name in the upper left frame and click 'create database'. Input a database name and click ok. This will create a new blank database. Now you are ready to install Postnuke.
PostNuke Install Notes
At this point, I am assuming that you have the files in place on the server and will refer to the directory that holds those files as 'POSTNUKEweb'. Some preliminary steps:
Make sure that config.php and config-old.php are both world-writable. Note that once the install/upgrade has been completed these files can be re-set to read-only. On an NTFS volume you can additionally restrict them with file ACLs; a FAT32 partition like the one used above has no ACLs, so the read-only attribute is the only protection available there.
Your config file should be modified to reflect the username and password that you set up during the installation of mySQL. Remember? I told you to write them down!!! It should also reflect the name of the database that you created with winmysqladmin.exe.
Additionally, your config.php file should be set to Windows. Do this by changing $pnconfig['system'] = '0'; to $pnconfig['system'] = '1'; on line 48.
KICK IT
Go to your PostNuke installation (i.e. http://POSTNUKEweb/install.php).
Choose the language and click 'Set Language'. If this page just refreshes and you can't get beyond it, you need to change your php.ini file as described above under the PHP heading.
When you get to the DB info page, DO NOT check the box for use with intranets. I checked this on my first run through and could not log in after installation; by not checking it, I could log in fine. I have a feeling that it's because of the server setup, but it works for me. You can play with this setting after install: make a backup copy of the pnSession.php file (located in the includes directory). Then, open the file in your favorite editor, and find the line (somewhere around line #88) that looks like this:
Code:
if (pnConfigGetVar('intranet') == false) {
You can toggle the intranet functionality by changing the boolean false to true and vice versa on this line to see how your system/server/nuke responds.
By following these guidelines you can implement PostNuke pretty seamlessly on your Windows 2000 server. I haven't experimented with XP, win2k (non-server), or 98, but I'll be sure to post my findings if I do.
Also, thanks to the entire dev team on PostNuke for creating a kickass solution platform --- you guys ROCK (and so does the community).
Generated on October 8, 2002.
-
Addon for Mail Notification on home Page.
(News)
-
Code:
// Goes directly above "include 'footer.php';". KGLX_ is this site's table prefix;
// use the prefix configured in your own config.php.
$uid = (int) pnUserGetVar('uid');
$result2 = $dbconn->Execute("SELECT count(*) FROM KGLX_priv_msgs WHERE pn_to_userid=" . $uid);
list($numrow) = $result2->fields;
if ($numrow > 0) {
    // The user name ends up inside a JavaScript string literal, so escape
    // quotes and backslashes before echoing it, and wrap the call in a
    // script block so the browser executes it instead of displaying it.
    $uname = addslashes(pnUserGetVar('uname'));
    echo "<script type=\"text/javascript\">window.alert('You have $numrow New Private Message(s) $uname!');</script>";
}
The block needs to go directly above "include 'footer.php';" as previously stated.
Have a good day.
Peter Schmalfeldt
____________________________________________________________________________
Freeloader Studios - All our hard work for you to take credit for.
http://www.FreeloaderStudios.com
Webmaster@FreeloaderStudios.com
Generated on August 9, 2002.
-
CERT Advisory CA-2002-09 Multiple Vulnerabilities in Microsoft IIS
(News)
-
Original release date: April 11, 2002
Last revised: --
Source: CERT/CC
A complete revision history can be found at the end of this file.
Systems Affected
* Microsoft IIS 4.0, 5.0, and 5.1
Overview
A variety of vulnerabilities exist in various versions of Microsoft
IIS. Some of these vulnerabilities may allow an intruder to execute
arbitrary code on vulnerable systems.
I. Description
There are a variety of vulnerabilities in Microsoft IIS. Many of these
vulnerabilities are buffer overflows that could permit an intruder to
execute arbitrary code on vulnerable systems.
We strongly encourage all sites running IIS to read Microsoft's
advisory on these and other vulnerabilities and take appropriate
action as soon as practical. Microsoft's bulletin is available at
http://www.microsoft.com/technet/security/bulletin/MS02-018.asp
Additional information about these vulnerabilities is available at
http://www.kb.cert.org/vuls
VU#363715 CAN-2002-0071 Microsoft Internet Information Server (IIS)
vulnerable to heap overflow during processing of crafted
".htr" request by "ISM.DLL" ISAPI filter
VU#883091 CAN-2002-0074 Microsoft Internet Information Server (IIS)
contains cross-site scripting vulnerability in IIS Help
Files search facility
VU#886699 CAN-2002-0148 Microsoft Internet Information Server (IIS)
contains cross-site scripting vulnerability in HTTP error
page results
VU#520707 CAN-2002-0075 Microsoft Internet Information Server (IIS)
contains cross-site scripting vulnerability in redirect
response messages
VU#412203 CAN-2002-0073 Microsoft Internet Information Server (IIS)
vulnerable to DoS via malformed FTP connection status
request
VU#454091 CAN-2002-0150 Microsoft Internet Information Server (IIS)
vulnerable to buffer overflow via inaccurate checking of
delimiters in HTTP header fields
VU#721963 CAN-2002-0149 Microsoft Internet Information Server (IIS)
buffer overflow in server-side includes (SSI) containing
long invalid file name
VU#521059 CAN-2002-0072 Microsoft Internet Information Server (IIS)
vulnerable to DoS when URL request exceeds maximum
allowed length
VU#610291 CAN-2002-0079 Microsoft Internet Information Server (IIS)
buffer overflow in chunked encoding transfer mechanism
VU#669779 CAN-2002-0147 Microsoft Internet Information Server (IIS)
buffer overflow in chunked encoding transfer mechanism
II. Impact
For many of the vulnerabilities, an intruder could execute arbitrary
code with privileges that vary according to which version of IIS is
running. In general, IIS 4.0 permits an intruder to execute code with
complete administrative privileges, while IIS 5.0 and 5.1 permit an
intruder to execute code with the privileges of the IWAM_computername
account.
III. Solution
Microsoft Corporation has released Microsoft Security Bulletin
MS02-018, which announces the availability of a cumulative patch to
address a variety of problems. We strongly encourage you to read this
bulletin and take the appropriate corrective measures. MS02-018 is
available at
http://www.microsoft.com/technet/security/bulletin/MS02-018.asp
In addition to applying the patch, or until it can be applied, we
recommend the following actions:
* Use the IIS Lockdown tool and URLScan to eliminate or reduce the
impact of some of these vulnerabilities; they may also eliminate or
reduce other vulnerabilities that have not yet been discovered.
The IIS Lockdown tool can also be used to disable ASP if it's not
needed. More information about the IIS Lockdown tool and URLScan
can be found at
http://www.microsoft.com/technet/security/tools/locktool.asp
http://www.microsoft.com/technet/security/URLScan.asp
* As Microsoft has recommended for quite some time, disable the HTR
ISAPI extension unless it is absolutely required.
* Disable anonymous FTP unless it is required.
* Don't give login credentials on IIS servers to untrusted users.
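A urlscan.ini fragment that applies the mitigations above, added here as an example rather than taken from the advisory or from Microsoft's templates: it disables .htr and the server-side-include extensions, refuses chunked requests, and caps URL length. Section and option names are those of URLScan 2.x; the [RequestLimits] section is assumed to require URLScan 2.5 or later, and every numeric value is an assumption to tune for your site.

```ini
; Illustrative urlscan.ini fragment (added example; not from the CERT advisory
; or from Microsoft). Assumed: URLScan 2.5 or later for [RequestLimits].

[options]
; Only the verbs listed in [AllowVerbs] are accepted.
UseAllowVerbs=1
; Deny-list mode: everything is served except the [DenyExtensions] below.
UseAllowExtensions=0
; Decode the URL once before matching rules, and reject any URL that
; changes again when decoded a second time (double-encoding tricks).
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowHighBitCharacters=0
; Blocks "dir.ext/file" paths used to reach ISAPI script mappings.
AllowDotInPath=0
RemoveServerHeader=1
EnableLogging=1
PerDayLogging=1

[AllowVerbs]
GET
HEAD
POST

[DenyHeaders]
; Rejects chunked transfer requests (VU#610291, VU#669779).
Transfer-Encoding:
Translate:
If:
Lock-Token:

[DenyExtensions]
; .htr is handled by ISM.DLL (VU#363715); the advisory says to disable it.
.htr
; Server-side include handlers (VU#721963).
.stm
.shtm
.shtml
; Other ISAPI mappings and file types a web site should never serve.
.ida
.idq
.idc
.htw
.printer
.exe
.bat
.cmd
.com
.ini
.log

[DenyUrlSequences]
; Directory traversal and alternate-stream attempts.
..
./
\
:

[RequestLimits]
; Over-long URLs are rejected up front (VU#521059); the numbers are
; assumptions, tune them to the longest legitimate request your site gets.
MaxUrl=260
MaxQueryString=2048
MaxAllowedContentLength=30000000
```

URLScan reads this file from its install directory and applies the rules before IIS dispatches the request, so a request for /anything.htr is rejected before ISM.DLL ever sees it. UseAllowExtensions=0 keeps the file in deny-list mode; if you switch to UseAllowExtensions=1, every extension your site serves, including .php for a PostNuke install on IIS, must be listed under [AllowExtensions] or it will be blocked. Check the rejected requests in the URLScan log after deployment, since an overly short MaxUrl or a denied header will show up there as legitimate traffic being dropped.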
_________________________________________________________________
Our thanks to Microsoft Corporation for the information contained in
their advisory. Additionally, our thanks go to the various individuals
and organizations whom Microsoft identified as discovering the
vulnerabilities, including eEye Digital Security
(http://www.eeye.com), Serge Mister of Entrust, Inc.
(http://www.entrust.com), Dave Aitel of @Stake
(http://www.atstake.com), Peter Grundl of KPMG, Joe Smith
(jsm1th@hotmail.com) and zenomorph (admin@cgisecurity.com) of
http://www.cgisecurity.com, Keigo Yamazaki of the LAC SNS Team
(http://www.lac.co.jp/security/), and Thor Larholm of Jubii A/S.
_________________________________________________________________
Author: Shawn V. Hernan
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-2002-09.html
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
http://www.cert.org/
To subscribe to the CERT mailing list for advisories and bulletins,
send email to majordomo@cert.org. Please include in the body of your
message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
_________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright 2002 Carnegie Mellon University.
Revision History
April 11, 2002: Initial release
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQCVAwUBPLXddqCVPMXQI2HJAQG0+AP8CqkIjWiFgHY0WdWHeuDDoTt/ME76Qyxc
hIqu0JY4NYwPgHa3t28g5kT216wgIBpI3A/B4iS/d0GXACsN/NFzMbHK7oyvSauS
/ljHAfOFWsP8Uho6LQX/A9i4BV1gXDc5ThmCXormjgjcskyrQrRNRE8bSi6yY/kQ
paZ74Dil6co=
=qG95
-----END PGP SIGNATURE-----
Generated on April 11, 2002.