Sandbox 2.0.7

I should have made a proper release thread at 2.0, but failed to do so. Sandbox 2.0 represents a major update to the original Sandbox package. A ton of new features, rebuilds of existing ones, and a entirely new skin cap off what has been approximately 18 months of work. Yes, there were some lapses in development during the time between 1.7 and 2.0, but the end result is a much more streamlined package that's more user friendly and has more features than any other blogware package out of the box. That may not be what some people want, and that's fine, the development of this project has largely mirrored what I wanted in this kind of software ever since I took over at version 1.2.

Major Highlights

* Skinning is now handled via the XTemplate PHP class. This means easier access to the HTML data for anyone interested in creating skins, plus separates it all from the database where it was stored previously. At the same time, all HTML data has been separated from the code logic. It's not quite MVC, but it's close enough for me.
* Akismet spam filter protection has been built in to the package and now covers user registrations and the email form in addition to comments.
* Comments are now possible in the image gallery and downloads area.
* Blog posting and comments now have emoticons available.
* User passwords are now hashed using SHA256 instead of MD5.

Changes for Sandbox 2.0.2

* SECURITY: Fixed a number of cross-site request forgery vulnerabilities.
* Typed in email address was not parsed correctly.
* There was no method for users to select an alternate skin.
* Made it possible to style the post titles where icons show.

The cross-site request forgery vulnerabilities are the major thrust for the 2.0.2 update, and it is extremely important that anyone using a previous version of Sandbox update to 2.0.2 in order to be protected from this problem.
"It is pointless to resist, my son." -- Darth Vader
"Resistance is futile." -- The Borg
"Mother's coming for me in the dragon ships. I don't like these itchy clothes, but I have to wear them or it frightens the fish." -- Thurindil

Well. I guess that's that then.

« ACORN Bankrupt
Kerchner v Obama »

Posted on Mar 23, 2010 7:16 pm by Samson in: | 43 comment(s) [Closed]
I'll go download a fresh copy and see what it looks like. Is the new installer you've included able to handle upgrades from previous versions too? Just out of curiosity, what's MVC? (acronyms are far too prevalent in our society...)

Query: What's up with Conner having comments at 6:32 and 6:34 listed in the Recent Comments sidebar, but only the 6:32 one showing?

Well you'll want to grab it again then, sorry, but I had a flash on how to fix the icon styling so it wasn't locked into the template with a single color. Good thing only 2 people had touched it so far :P

No, the installer doesn't do upgrades yet, because there's no need. No new SQL data has been done, and all you need to do is drop the updated PHP, .xtpl, and .css files over what you already have. Just don't wipe out your settings.php file :)

MVC = Model View Controller. It's a design method for building web apps. I'm not 100% solid on how it works, but it's supposed to be a full separation between the logic code, the database code, and the rendering code.

@Dwip: Probably because he commented on the actual download for it, and the download has the same name as the blog posting.

Edited by Samson on Mar 23, 2010 9:29 pm
Tricksy hobbitses...

The second person grabbed it at roughly the same time that I did, unless somehow Sandbox counted my download of it twice. Either way, I'll go grab a new copy, again. ;)

Ah, nice, so the installer really only has work to do if you're doing a clean install to begin with. Slick. :)

Oh man, I'd have never guessed that's what it meant. :lol:

Yes, Dwip, because I commented in both places and they both showed up on the recent comments list and it only looked like the same thread because they both had the same name but if you'd followed the respective links in the recent comments box they'd have taken you to different places. ;)

Updated version has been posted.

Version 2.0.3

* SECURITY: Potential remote file inclusion vulnerability has been addressed.
* Color BBCode tag should not have been greedy.
* Unable to create or edit Gallery folders due to tokens not being generated.
* Spam control page had a bogus link.

The security bug was good for a few laughs, because although it should have worked, it failed miserably to do anything other than generate a gang of fatal errors this morning.

Well, that certainly sounds like fun, at least you were able to resolve it. :)

Well that was sure quick. At least the folks who published the vulnerabilities contacted me this time.

The math based captcha hasn't even had a full day to be 100% sure but it passed initial self testing so what the hell. It's probably not all that great, but we'll see if the sea of spambots goes down now.

Version 2.0.4


* SECURITY: Multiple remote vulnerabilities still existing in 2.0.3 have been corrected.

New Stuff:

* Implemented a simple math based captcha to help screen out bots.

That was quick indeed! Ok, I'll go grab the new one too. :lol:

So... here we are 8 days later and not a single one of the bots trying to register has gotten through. Who knew such a simple captcha would work so well. I should implement the same in QSFP since the image based one is obsolete now.

I hadn't found time to check out this newest version of Sandbox yet unfortunately (things here have been crazy lately), so, we're not using a straightforward image for captcha anymore? And the spammer central testbed has had complete success for over a week with the new system? Sounds impressive enough. :)

Yep, so far it's kept them out. They're still trying, because one triggered a bug in the last release if the math value isn't submitted with the form. A bot with an out of date cache of the form. We'll see though. As many bots as I get hammering the place it should be a fairly solid result after an entire month.

Samson said:

As many bots as I get hammering the place it should be a fairly solid result after an entire month.

I would think so too.

Well, since I goofed and had the bad copy of 2.0.3 still being served, I corrected that and we're at 2.0.5 now with the included fix for the profile page not working.

Also, for those keeping score, since the math captcha was implemented on July 6, not a single bot registration has managed to get through. The error on the profile page was irrelevant to that since they can't get there without having first registered. So far, so good, but only time can tell if this is truly effective or just a temporary roadblock.

I thought that might be the case when I downloaded the last update, but figured it was just a name conflict at the time rather than the obvious. Some days I'm slower than other days I guess. :sigh: Anyway, all fixed now so I'll go grab the new one, again.

Woohoo! Hey, even the old captcha method eventually proved only a temporary roadblock for spammers but it was still truly effective while it lasted (and it's still widely in use in most places, even google), I think you're just advancing the effort ahead of most places. Until we get to the point that every computer uses some form of biometric identification that spammers can't find a way around, we'll always only have temporary roadblocks so all we can do is to try to stay ahead of the spammers as best we can and you seem to be staying at the forefront of that effort.

Since this has just come up for me:

Dear O Wise and Fearless Leader of the Alsheroki: some kind of optional comments or post+comments search would be handy.

Meanwhile, it appears I have just decided to search through 1300 comments or so looking for wherever it is I said that one thing.

I've sort of avoided the issue of adding a comment search to the mix because it could strain the database to have to look through that much more information. But I guess it's going to be necessary at some point. I'll have to put in some kind of restriction on doing searches over and over though so bots don't come along and ruin it for everyone.

That's dedication of the highest order to manually hunt 1300+ comments looking for something :)

Well, thankfully it was in one of three threads, and IE does have its own search, so a little less dedicated than all that, but.

Perhaps just only offer the search to folks who are already logged in? Thus no bots to spoil the intent.

He never did say he'd manually searched through 1300+ comments, but I'll bet I know which three threads he was searching to rack that level of count. It wasn't a comment to do with Oblivion, was it? :lol:



Our buddies over at Secunia have done it again:

No attempt was made to contact at all, as per their policies. Fortunately the vulnerabilities listed in that posting are FIXED as of 2.0.4 so their advisory is wrong about it being unpatched.

:sigh: At least they're only citing bugs in the older versions, and it sounds like even if you're running version 2.0.3 it's only a problem if you've got "magic_quotes_gpc" set to off anyway. On the flip side, I really should get around to upgrading my sandbox install. It rarely gets hit anymore anyway, and I don't really use it except to check out new version features and such when I remember to do so, but... if I'm going to continue maintaining a copy of Sandbox at all on my server that's open to the public, I suppose I really do need to maintain the current version of it. After all, it's not like I hadn't already downloaded every version that's ever been available to date anyway... :facepalm:

Two week mark, still no bots getting through to register users. Sometimes the simple things are the best?

Woohoo! Congratulations. :biggrin:
Indeed. :)

<< prev 1, 2 next >>
Comments Closed
Comments for this entry have been closed.

Forgot Password?

 1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29 30 31