Hi All,<br><br>Please refer to the following link for the diff, instead of the one I had sent earlier :<br><a href="http://trac.vtiger.com/cgi-bin/trac.cgi/changeset?old_path=vtigercrm%2Fbranches%2F5.0.4&old=12052&new_path=vtigercrm%2Fbranches%2F5.0.4&new=12177">http://trac.vtiger.com/cgi-bin/trac.cgi/changeset?old_path=vtigercrm%2Fbranches%2F5.0.4&old=12052&new_path=vtigercrm%2Fbranches%2F5.0.4&new=12177</a><br>
<br>Previous one was w.r.t 5.1.0, so you may have some issues while applying the patch or the diff. So please refer to the new link which is w.r.t 5.0.4<br><br><div><span class="gmail_quote">On 11/14/08, <b class="gmail_sendername">Asha</b> <<a href="mailto:asha@vtiger.com">asha@vtiger.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi All,<br><br>Those who are doing code modifications or applying other patches on 5.0.4, may face problem when they directly unzip the patch.<br><br>Please refer to the following link, which will give you the diff of the changes required for security patch:<br>
<a href="http://trac.vtiger.com/cgi-bin/trac.cgi/changeset?old_path=vtigercrm%2Fbranches%2F5.1&old=12169&new_path=vtigercrm%2Fbranches%2F5.1&new=12170" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">http://trac.vtiger.com/cgi-bin/trac.cgi/changeset?old_path=vtigercrm%2Fbranches%2F5.1&old=12169&new_path=vtigercrm%2Fbranches%2F5.1&new=12170</a><br>
<br>You can download the diff from there and apply the diff on your source.<div><span class="e" id="q_11d99e6a9b3a6eed_1"><br><br><div><span class="gmail_quote">On 11/14/08, <b class="gmail_sendername">Torsten Zenk</b> <<a href="mailto:tzenk@gmx.net" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">tzenk@gmx.net</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000">
Hi everybody,<br>
be aware that with this security patch you override some modifications
made to root files. I just experienced an error after applying the sec
patch with the only plugin that i have installed, the vical1.1 plugin. <br>
So i donīt know if this is an issue with other plugins.<br>
The export .ics file gets printed out within the browser instead of
being putted out as a downloadable vtiger-calendar.zip<br>
Doing a diff between the involved files showed me that these changes
have to be made if you already have the vical plugin installed andf
then apply the sceurity patch.<br>
The changes have to be made to 1 file out of those who come with
vical1.1.zip:<br>
<br>
-----------------------------------------<br>
in index.php (vTiger 5.04 + vical, no sec patch) these lines are not
there anymore in the new index.php after applying the security patch so
these code changes have to be made manually:<br>
<br>
304 + ereg("^iCalExport",$action) ||<br>
331 + ereg("^iCalExport",$action) ||<br>
338 - if(ereg("^downloadfile", $action) ||
ereg("^fieldtypes",$action) || ereg("^mailmergedownloadfile",$action)||
ereg("^get_img",$action))<br>
338 + if(ereg("^iCalExport", $action) || ereg("^downloadfile",
$action) || ereg("^fieldtypes",$action) ||
ereg("^mailmergedownloadfile",$action)|| ereg("^get_img",$action))<br>
<br>
----------------------------------------<br>
<br>
I guess this procedure has to be done with every single plugin that was
added BEFORE the security patch?<br>
<br>
Is there something like a "general" way to apply vTiger ROOT patches
(like this one) without destroying the plugin modifications or is the
only way to apply the patch to do the manual changes on every single
file that was realesed with the sec patch?<br>
<br>
Best Regards<br>
Torsten Zenk<br>
<br>
<br>
<br>
Prasad schrieb:
<blockquote type="cite">
<pre>Dear vtigers,<br><br>We have released a security patch for 5.0.4 that fixes the following<br>security issues along with some critical bugs reported by the community.<br><br>More details can be found in the release notes [VtigerCRM 5.0.4<br>
<br>SecurityPatch_ReleaseNotes<a href="http://www.vtiger.com/products/crm/vtigercrm-504-Security-Patch-Release-Notes.pdf" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"><http://www.vtiger.com/products/crm/vtigercrm-504-Security-Patch-Release-Notes.pdf></a><br>
<br>].<br><br>Security Issues:-<br>1. Local File Disclosure<br>2. Cross-Site Scripting<br>3. SQL injection Vulnerability<br>4. Arbitrary File Upload<br><br>Trac Tickets:-<br>#5235 <a href="http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5235" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"><http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5235></a>: Patch Apply:<br>
<br>Timeout settings need change<br>#5255 <a href="http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5255" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"><http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5255></a>: Cannot import<br>
<br>more than 500 records<br>#5307: <a href="http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5307" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"><http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5307></a> Campaign<br>
<br>Related info getting lost<br>#5298 <a href="http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5298" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"><http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5298></a>: File attachment<br>
<br>download gets corrupted<br>#5294 <a href="http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5294" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"><http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5294></a>: Organization<br>
<br>image upload issue<br># <a href="http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5231" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"><http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5231></a>5231<a href="http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5231" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"><http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5231></a>:<br>
<br>Webmail qualify issue<br># <a href="http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5268" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"><http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5268></a>5268<a href="http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5268" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"><http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5268></a>:<br>
<br>Homepage dashboard link showing incorrect data in list view<br>#4847 <a href="http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/4847" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"><http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/4847></a>: Problem in<br>
<br>selecting users/groups/profiles from the roles and groups edit view<br>#5393 <a href="http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5393" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"><http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/5393></a>: Not able to<br>
<br>delete default profiles/roles/users<br><br>We thank vtiger community for their support to detect the issues and help us<br>resolve it. Special thanks to Mark Piper, Fabian Fingerele, and Different<br>Solutions.<br><br>
*Patch Download:*<br><br>The 5.0.4 Security patch download is available here: [<br>VtigerCRM5.0.4_SecurityPatch<a href="http://downloads.sourceforge.net/vtigercrm/VtigerCRM504_Security_Patch.zip" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)"><http://downloads.sourceforge.net/vtigercrm/VtigerCRM504_Security_Patch.zip></a><br>
<br>]<br><br>*NOTE:* You will need to unpack the zip into your vtiger CRM folder. We<br>recommend you to take a backup of your directory first before you unpack the<br>patch.<br>Regards,<br>Prasad<br>vtiger Team<br><br> </pre>
<pre><hr size="4" width="90%"><br>_______________________________________________<br>Reach hundreds of potential candidates - <a href="http://jobs.vtiger.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">http://jobs.vtiger.com</a> </pre>
</blockquote>
</div>
<br>_______________________________________________<br>
Reach hundreds of potential candidates - <a href="http://jobs.vtiger.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">http://jobs.vtiger.com</a> <br></blockquote></div><br><br clear="all"><br></span></div>
<span class="sg">-- <br>
Regards,<br>Asha<br>vtiger Team
</span></blockquote></div><br><br clear="all"><br>-- <br>Regards,<br>Asha<br>vtiger Team