Books Module for PostNuke / News: Recent posts

Access denied problem with books .750 administration

After installing books .750, some of you can't get to the books administration panel; you get an "access denied" message.
This is a very common problem with "old style" modules and PostNuke .750. It is in fact not the module's fault but PostNuke's fault, and the problem is hopefully corrected with PostNuke .750 (the PostNuke team corrected it shortly after the .750 release).
For those technically inclined, I will provide the details of the problem before giving the solution(s).
The PROBLEM
(You can skip this section if you are only interested in the solution, but you will miss an occasion to learn something about your PostNuke website's security :)
All PostNuke files are protected against direct access (except of course those that must be accessed directly, like the root index.php, print.php, user.php, admin.php, modules.php, ... files). Files which contain only a list of functions (like pnuser.php, pnuserapi.php, ...) don't need to be protected, because if someone tries to access them directly no code gets executed on your server, so nothing bad can happen.
There are several methods used for this kind of protection.
Look for instance at the includes/blocks/poll.php file; it is protected with:
if (strpos($_SERVER['PHP_SELF'], 'poll.php')) {
die ("You can't access this file directly...");
}
This protects it from direct access, because if there is poll.php in the URL the "You can't access this file directly..." message is returned.
When the file has the same name as the root file it is meant to be accessed via, this method can't be used, so another one is used. Look for instance at modules/NS-Polls/index.php (which is accessed via the root index.php); it begins with:
if (!defined("LOADED_AS_MODULE")) {
die ("You can't access this file directly...");
}
For this to work, the LOADED_AS_MODULE constant must be defined in the root index.php which includes this file.
And this is where the problem arises: old modules have an admin.php which is accessed via the root admin.php file. Someone in the PostNuke team made the mistake of trying to protect them with:
if (!eregi("admin.php", $_SERVER['PHP_SELF'])) { die ("Access Denied"); }
which is obviously wrong because it will protect nothing (try for instance to directly access modules/NS-Polls/admin.php, which is protected with this method, and you will get
Fatal error: Call to undefined function: modules_get_language() in /path on the HD of your server/modules/NS-Polls/admin.php on line 32
proving that the protection doesn't work). A hacker doing that now knows where your PostNuke is installed on the hard disk of your server. In terms of security this is not very good; it is what is called a "path disclosure".
So the PostNuke team rapidly realized that they must revert to the old method to protect the admin.php files in old modules: put at the beginning:
if (!defined("LOADED_AS_MODULE")) {
die ("You can't access this file directly...");
}
But the problem is that the 'LOADED_AS_MODULE' constant is not defined in the root admin.php file. So they needed to release a modified root admin.php file....

Posted by Jean-michel Vedrine 2005-03-27
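
Added example, not part of the original post or of PostNuke's code: a PHP sketch that models the three guards described above as functions and evaluates them for a direct request to a module's admin.php and for requests routed through the root admin.php. The function names and request paths are constructed, stripos() stands in for eregi() (removed in PHP 7), and the last case assumes the modified root admin.php defines LOADED_AS_MODULE.

```php
<?php
// Added illustration; function names and request paths are constructed for this example.

// Guard style used in includes/blocks/poll.php: die if the file's own name
// appears in PHP_SELF (truthy strpos, as in the post).
function blockedByOwnName(string $phpSelf, string $file): bool
{
    return (bool) strpos($phpSelf, $file);
}

// Flawed guard: die only if "admin.php" is NOT in PHP_SELF.
// stripos() stands in for the case-insensitive eregi(), removed in PHP 7.
function blockedByEregiAdmin(string $phpSelf): bool
{
    return stripos($phpSelf, 'admin.php') === false;
}

// Constant guard: die unless the entry point defined LOADED_AS_MODULE.
function blockedByConstant(bool $entryDefinesConstant): bool
{
    return !$entryDefinesConstant;
}

// [description, PHP_SELF, does the entry point define LOADED_AS_MODULE?]
$cases = [
    ['direct request to module admin.php', '/modules/NS-Polls/admin.php', false],
    ['root admin.php without the constant', '/admin.php', false],
    // Assumption: the modified root admin.php defines the constant.
    ['root admin.php defining the constant', '/admin.php', true],
];

$label = function (bool $blocked): string {
    return $blocked ? 'blocked' : 'runs';
};

printf("%-38s %-9s %-9s %s\n", 'request', 'own-name', 'eregi', 'constant');
foreach ($cases as [$desc, $phpSelf, $defined]) {
    printf("%-38s %-9s %-9s %s\n", $desc,
        $label(blockedByOwnName($phpSelf, 'admin.php')),
        $label(blockedByEregiAdmin($phpSelf)),
        $label(blockedByConstant($defined)));
}
```

The own-name column is blocked in every row, which is why that style cannot protect a file named like its entry point, while the eregi column never blocks. The constant column blocks legitimate admin requests until the root admin.php defines LOADED_AS_MODULE.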

books .750 is in CVS

All the files in CVS have been updated to the current state of the books v.750 module. Some other features will be added before the official release but you can contribute to beta-test this new version by downloading all the files.
Be sure to read the included documentation because a lot of things have changed.
Let me take this opportunity as the new administrator of this project to thank the previous developers for giving us such a wonderful module and say that I will try to be up to the task to continue improving their creation and support the books module's users. Thanks to all.

Posted by Jean-michel Vedrine 2005-03-21

Even Newer German Translations

Joel Fisler (books@fisler.ch) has contributed an updated set of German language translations, including translations for the books blocks. They are in CVS.

Posted by Jason Levitt 2002-10-14

German language translation for books .721

Karl Heigl has contributed a German language translation for books .721. It's available for download (just one file, global.php) in CVS.

Posted by Jason Levitt 2002-10-10

Version .721 of books released

Version .721 of the books module was released on October 7th, 2002. It has many bug fixes as well as some new features. It also includes the security patch mentioned here: http://online.securityfocus.com/archive/1/294014

Posted by Jason Levitt 2002-10-08

Maintenance Release v0.62

The maintenance release v0.62 has been uploaded to SourceForge on 2002-04-23. It includes some minor bugfixes and security enhancements.

There is also a v061_to_v062 patch file available to minimize your effort to update your books module installation.

Michael Schatz

Posted by Michael Schatz 2002-04-23

Books Module v05 Service Pack Released

On 2002-02-25 the first maintenance pack for books module was released. The file is named books_v05_sp1. Detailed install instructions are included.

Every user of the books module v0.5 is recommended to apply this file.

Michael Schatz, 2002-02-25

Posted by Michael Schatz 2002-02-25

Books module v0.61 released !

The newest version of the books module for the PostNuke CMS has been released on 2002-02-22. You may find the download on http://sourceforge.net/projects/pn-mod-books/

What is new ?

o Works on any standard PostNuke 0.703 installation.
o The search engine works and the word searched is highlighted. You can search
  in subcategories, author and book description.
o The subcategories are working.
o The books table doesn't need to be added in the file pntables.php anymore.
o This module doesn't interact with other modules anymore. So it should work
  fine with the module messages and others.
o Missing translations have been added....

Posted by Michael Schatz 2002-02-22