Theme Uploader - Upload Themes Directly From Admin CP
#1
This plugin allows you to upload and use themes directly from the admin CP without Backend access.

Instructions:


1. Upload and unzip the attached file to your THT includes directory.
2. ChMod your "themes" Directory to 0777 (or 777)
3. Edit your settings.php file in "yourthtadmindirectory/pages" with the following:

Find:
PHP Code:
    echo $style->replaceVar("tpl/themesettings.tpl", $array);

And After it add:
PHP Code:
include LINK."upload.php";

enjoy!
Changelog for v1.2.2:
  • Fixed Minor Security Issue That let others upload stuff when admin is logged in.



Changelog for v1.2:
  • Fixed Fatal Security Error
  • Removed iframe for a better method (now includes on page)

Special Thanks to Jonny for bearing with me through the long and difficult process of getting this plugin to work with THT's security system. (as denoted by the posts below and all the pm's in my inbox, as well as the shoutbox conversations.) This plugin wouldn't be here without him.

If you need support, have suggestions or feedback, please reply to this thread.


Attached Files
.zip   theme_upload-v1.2.2.zip (Size: 32.9 KB / Downloads: 725)
Nick - TheHostingTool Staff Coordinator

#2
Download Unapproved
Reason: Major security flaw, basically anyone could upload a zip with any contents in and put it on the server. The upload.php needs to check if the staff member is logged in.
Jonny H - THT Main Developer & Founder


#3
Thanks, I should remember that in the future. Will fix and release v1.2
Fixed. I added the following at the top of upgrade.php to check if the script was called by THT. I will wait for confirmation of the script's security before re-uploading.

PHP Code:
if(THT != 1){die();} 

1.2 Release Delayed due to a slight error that causes inoperability of themes.
Nick - TheHostingTool Staff Coordinator

#4
Still won't work, I don't think. You need to check that $_SESSION['logged'] exists.
Jonny H - THT Main Developer & Founder


#5
Okay, I came up with this:

PHP Code:
if(!$_SESSION['logged']) {die();}; 
Nick - TheHostingTool Staff Coordinator

#6
That should work, yeah. Raptor, instead of using an iframe do this:
PHP Code:
include LINK."../upload.php";
Jonny H - THT Main Developer & Founder


#7
the if(!$_SESSION['logged']) is not working correctly. The script dies every time. I have tried if(!isset($SESSION['logged']) too with same results.
Nick - TheHostingTool Staff Coordinator

#8
(01-07-2009, 07:19 PM)TheRaptor Wrote: the if(!$_SESSION['logged']) is not working correctly. The script dies every time. I have tried if(!isset($SESSION['logged']) too with same results.
Use the include as I quote, don't use an iframe.
Jonny H - THT Main Developer & Founder


#9
(01-08-2009, 09:11 AM)Jonny Wrote:
(01-07-2009, 07:19 PM)TheRaptor Wrote: the if(!$_SESSION['logged']) is not working correctly. The script dies every time. I have tried if(!isset($SESSION['logged']) too with same results.
Use the include as I quote, don't use an iframe.

Okay, here is what I get with that:

I put upload.php and pclzip.lib.php in the includes folder. I include the file like you mentioned. But for some reason, the form keeps trying to post to admin/upload.php. (action=upload.php)... hmmm. Maybe if I replace "action=upload.php" with "action=.../includes/upload.php" it might work. Will try that next chance I get.
Okay... Changing the form "action" to "../upload.php" works. But the security thing is still dying. The script works fine without the !_$SESSION['logged'], so I know that that is the problem.
Nick - TheHostingTool Staff Coordinator

#10
Just leave the action as ""
Jonny H - THT Main Developer & Founder
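
The two checks discussed in this thread, combined into one guard and run against three constructed requests. This is an added example, not the plugin's code or THT's own: the names THT and $_SESSION['logged'] come from the posts above, while upload_guard(), the way THT defines or sets those values, and the 403 response are assumptions.

```php
<?php
/**
 * Decide whether the upload handler may run (hypothetical helper).
 *
 * @param bool  $bootstrapped true when the application's entry-point constant is defined
 * @param array $session      the session array (normally $_SESSION)
 * @return string 'ok', or the reason the request must be refused
 */
function upload_guard(bool $bootstrapped, array $session): string
{
    if (!$bootstrapped) {
        // The file was requested by URL instead of being included by the admin page.
        return 'direct-access';
    }
    if (empty($session['logged'])) {
        // Key missing, or present but falsy. empty() raises no notice on a missing key.
        return 'not-logged-in';
    }
    return 'ok';
}

// Constructed scenarios: [constant defined?, session contents].
$cases = [
    'direct POST to upload.php, no session started' => [false, []],
    'included by admin page, visitor not logged in' => [true,  []],
    'included by admin page, staff logged in'       => [true,  ['logged' => 1]],
];
foreach ($cases as $label => [$boot, $sess]) {
    printf("%-48s => %s\n", $label, upload_guard($boot, $sess));
}

// In the handler the guard sits first, before any uploaded file is touched:
//
//   $verdict = upload_guard(defined('THT'), $_SESSION ?? []);
//   if ($verdict !== 'ok') { http_response_code(403); exit; }
//
// defined('THT') is used rather than THT != 1 because reading an undefined
// constant only raises a notice on older PHP and throws an Error on PHP 8.
```

Only the third case returns ok. A request that reaches the file without the admin page having run first has neither the constant nor a populated session, so the guard refuses it.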

