****************************
Changelog for eXtplorer
Version $Id: CHANGELOG.txt 249 2016-12-11 16:11:03Z soeren $
****************************

--- version 2.1.13 ---
- fixed various security issues reported by Mario Korth:
  * potential XSS
  * Arbitrary file read
  * Path traversal in listing directory contents
  * Path traversal in archive feature
- added new Turkish translations

--- version 2.1.12 ---
- fixed wrong version display
- fixed empty language selector

--- version 2.1.11 ---
- fixed "text.js not found" message on server when editing text files
- fixed PHP 7.2 incompatibility in Tar.php
- PHP 5.3 compatibility fixes

--- version 2.1.10 ---
- fixed vulnerability discovered by ADLab of Venustech (command injection, but requires admin access)
- webdav display UPPER/CASE/FULL/PATH with some webdav client
- standalone extplorer webdav does not work with PHP7
- CVE-2016-4313: archive path traversal vulnerability in extplorer 2.1.9
- #202 Users with read only permissions should not be able to extract archives.
- added Indonesian language files

--- version 2.1.9 ---
- fixed PHP 7 compatibility issues
- raising PHP compatibility to PHP >= 5.4

--- version 2.1.8 ---
- added security functions for protection against CSRF attacks
- fixed "directories with the name '0' are not loading"

--- version 2.1.7 ---
- fixed SWFUpload against XSS vulnerabilities
- fixed XSS vulnerability in file list

--- version 2.1.6 ---
- fixed https usage for ports other than 443
- fixed XSS issue related to PHP_SELF
- added date range filtering to file search
- simplified search function
- fixed scrambled non-ASCII file names on UTF-8 systems

--- version 2.1.5 ---
- fixed doubled subdirectories in directory tree
- fixed wrong Joomla path detection (security issue on some systems)

--- version 2.1.4 ---
- fixed security issues found by Trustwave SpiderLabs, Vikas Singhal
- update to the latest version of Archive_Tar
- fixed version check link, now points to extplorer.net

--- version 2.1.3 ---
- fixed serious login vulnerability reported by Brendan Coles of itsecuritysolutions.org
  (the only changed file is /include/users.php)

--- version 2.1.2 ---
- hide the top and bottom bar in J! 3.0
- fixed installer for J! 2.5

--- version 2.1.1 ---
- Joomla! 3.0 compatibility

--- version 2.1.0 ---
- fixed an XSS-vulnerability (impact: medium, users need to be logged in)

--- version 2.1.0 RC5 released ---
- fixed password change functionality

--- version 2.1.0 RC4 released ---
- updated version check to work with J! 1.7
- implemented PHPass Library for more secure hashing of passwords: http://www.openwall.com/phpass/
  (backwards compatible with previous md5 hashing method)
- updated to ExtJS 3.4.0 (brings support for IE9)
- fixed file-disclosure issue reported by colonelxc@users.sourceforge.net
- support for files with non-ascii chars for editing (thanks gr8ron)
- fixed a fatal error in the webdav module
- added ability to load without fetchscript.php (when it's inaccessible due to server permission problems)

--- version 2.1.0 RC3 released ---
- fixed filesize for files > 2GB
- works and installs on Joomla! 1.6 now

--- version 2.1.0 RC2 released ---
- updated to ExtJS 3.3.1
- fixed Flash Upload
- updated to SWFUPload 2.5 beta
- fixed deprecated warnings because of ereg functions
- fixed some FTP file operations (upload, copy, move, delete)
- fixed visibility of user form fields (form appeared empty)
- fixed editable file types detection (+ added .ini)

--- version 2.1.0 RC1 released ---
- finally added the File Diff Feature
- added RAR extraction feature
- updated to ExtJS 3.2.1
- only editable files are shown in source view now, viewing all other files will lead to a redirect to "download"
- PDF files now open inline in an iframe

--- version 2.1.0 beta6 released ---
- updated to ExtJS 3.0.3

--- version 2.1.0 beta5 released ---
- added nice slide-in message box for success messages
- removed deprecated ZIP library

--- version 2.1.0 beta4 released ---
- changed Save/Reopen/Cancel buttons in Edit View to appear in the top toolbar
- changed directory drop-down lists to a vista-like location bar
- new: Flash Upload! Using SWFUploadPanel
- added pluggable authentication system

--- version 2.1.0 beta3 released ---
- changed default state of "Show Directories" to enabled
- changed Edit Window to appear in a new Tab per File
- assigned Keyboard Events to the Grid (Delete, Ctrl-A, Ctrl-C, Ctrl-X)
- updated to ExtJS3 RC2
- updated EditArea to version 0.8.1.1 (loads faster and is more stable)

--- version 2.1.0 beta released ---
- allowing Download by users with "view" permission
- updated Services-JSON class to version 0.9.0
- updated GeSHi to version 1.0.8.3
- moved from ExtJS 1.1 to ExtJS 2.2

-- version 2.0.1 released (2009-01-15) ----
- added script for WebDAV access (disabled by default, requires 2 database tables and DB login credentials)
- fixed a security issue within script initialization

-- version 2.0.0 stable released (2008-08-05) ----
- added .csv to the editable file types
- when copying/moving multiple directories, only the first directory was processed
- fixed failing extraction of larger archives ("Failed to connect to the server")
- updated Editarea to 0.7.1.3
- fixed browsing & working on external FTP servers
- fixed dirselectors not working in FTP mode
- fixed file-mode switch link

-- version 2.0.0 RC4 released (2008-05-31) ----
- fixed installation package for Joomla! 1.5
- added Danish Language Files (thanks to Ronny Buelund!)

-- version 2.0.0 RC3 released (2008-05-31) ----
- [ 1944163 ] An entry is missing in germanf.php
- fixed compatibility problem with JomComment+MyBlog (Services_JSON was redeclared)
- switched from "Codepress" to "EditArea" (http://www.cdolivet.net/index.php?page=editArea),
  which gives a lot of advantages:
  * faster loading of large files
  * built-in toggle feature
  * built-in Find, Search+Replace and Jump-To-Line Features

-- version 2.0.0 RC3 released (2008-05-26) ----
- fixed Cross-Site Scripting & File Disclosure Vulnerability
- fixed MimeType detection for search results

-- version 2.0.0 RC2 released (2008-02-10) ----
- fixed Standalone scripts.zip extraction error
- re-added System Info (moved to "About" Window)
- implemented basic UTF-8 support for file mode
- changed [ 1800028 ] Need to enlarge file edit box, or allow for full screen
- fixed [ 1791706 ] incorrect error reporting
- fixed [ 1790536 ] Browsing directory incorrect
- fixed [ 1782937 ] when unzipping a zip containing a zip: zip not present!

-- version 2.0.0 RC1 released ----
- fixed [ 1755938 ] status bar messages truncated when path is too long
- fixed [ 1759450 ] No textfield and browse button in upload file on IE7
- fixed [ 1762000 ] copy a file from a subfolder to "root" folder doesn't work
- fixed [ 1766233 ] Chmod error in FTP mode
- fixed [ 1761083 ] IE7 closing button & search action (file search - subdirectories weren't included)

--- version 2.0.0 beta5 released ----
- added Swedish and Slovenian Language Files
- set "zip" as default archive type
- added message box that prevents eXtplorer usage on Joomla! 1.0.x versions >= 1.0.13 and explains why.
- added Joomla! version check
- implemented some changes for compatibility on Windows Systems with IIS running

--- version 2.0.0 beta4 released ----
- fixed header-only problems on Mambo/Joomla! < 1.0.10
- added Server-to-Server transfer capabilities (using fopen, cURL or fsockopen)
- fixed [#6092] Some strings remained hardcoded
- fixed [ 1754755 ] Save button when uploading file not translated
- fixed the Frontend Browsing part (when being used as a Joomla! component)
- updated Finnish and French language file
- updated ExtJS to 1.1 RC1, included Konqueror Patch
- fixed [ 1752904 ] error on admin dialog opening
- fixed [ 1752901 ] Combo on Login page doesn't work in IE6 and 7
- fixed [ 1752534 ] Non-static method ext_Lang::msg()
- removed dialog_status from onHide function for the dialog
- fixed bugs in the language files with undefined properties of non-existent var $_VERSION
- fixed bug with undefined var $acl

--- version 2.0.0 beta4 released ----
- fixed a bug which caused a maximum of 50 directories on the same level to be listed in the tree, not all
- fixed a bug with CodePress - didn't allow to edit files (when used in Joomla!)
- added a check to the standalone version to extract the contents of the file "scripts.zip" online
  and throw a warning if it doesn't succeed.
- removed the status bar from the Dialogs, moved the status bar into the Paging Toolbar
- added CSS styles to make the dropdown lists smaller

--- version 2.0.0 beta3 released ----
- re-activated User Management for the stand-alone version
- fixed a critical error which caused deletion of directories although "Cancel" was clicked
- fixed an error which prevented correct listing of numeric directories/files

--- version 2.0.0 beta2 released ----
- added double-click action which opens the Context Menu in the grid
  (Opera and Konqueror don't allow custom right-click menus)
- applied patches to ExtJS to allow usage with Konqueror
- added new ext_Lang class to be able to escape quotes and line endings for using it in JavaScript Strings
- fixed node context menu displaying outside of view
- added the fetchscript.php file to bundle and compress javascript and stylesheet files
  (Sending compressed js and css files significantly reduces the download size for ExtJS)

--- version 2.0.0 beta1 released ----
- fixed the "symlink points to target which can't be accessed" problem
- fixed "out of memory" problems
- directory names changed (no directories starting with a '.' anymore now)
- completely changed layout: directory tree, file grid with renaming, context menu, drag&drop
- added the ExtJS 1.0.1a library

--- version 1.6.0 released ----
- archives do not contain the whole file path anymore now, but only the relative one
- added possibility to specify a directory where an archive file is saved to
  (allows to create archives even when the current directory is not writable)
- added the great CodePress Syntax Highlighting Editor (http://codepress.fermads.net/)
- removed the extra spaces in the directory path
- fixed the "Strict Standards" error (non-static method called statically)

--- version 1.5.1 released ----
- added ftp logout function to allow different ftp logins during one admin session
- added possibility to specify an FTP host name and port (other than localhost:21)
- bookmark functionality fixes (thanks to pokemon!)
- fixed a critical error where wrong permissions would be applied to an uploaded file in FTP mode
  (leading to a 403 error on some servers)

--- version 1.5.0 released ---
- changed the way errors are displayed (+nice styling).
- added support for *symbolic links*. You can create and delete links, but not change the target.
  You will have to create a new link to do so.
- eXtplorer is an FTP client now!
- added PEAR's Net_FTP package to allow local FTP access/transactions
- changed Archiving Section to ajax-based step-by-step system to prevent time-outs
- added PEAR Package File_Archive to allow better archive handling
- changed file links in the directory list to "Edit" or "Download"
- added a simple file-based bookmark system
- changed the download function to allow larger downloads (100MB+)
- replaced hardcoded English strings with new variables (thanks to Paulino Michelazzo!)

--- version 1.4.0 released ---
- added a new "View File" feature to display a file's source code with GeSHi syntax highlighting
- checking now, if a remembered directory exists (it might have been deleted meanwhile)
- added line number / column monitoring on the "Edit file" form;
  it also allows jumping to a certain line number
- added feature to allow overwriting existing files on upload
- fixed directory chmod issues
  Details: when running a *chmod* command on files and directories with permissions that do not include
  "execute", directories would become inaccessible (e.g. d--------- (root). Tip by John, thanks!)
- added basic frontend directory browsing and file download feature
  (not comparable to Docman or ReMOSitory, it's just a directory browser, no descriptions, no download counter!)
  !DISABLED BY DEFAULT! Enable by editing the file /components/com_extplorer/configuration.jx.php

--- version 1.3.3 released ---
- fixed a wrong image source (menu_divider.gif => png)
- fixed a fatal error when using eXtplorer on installations with the SafeMode hack
- added Bulgarian language (thanks to Ivo Apostolov)
- fixed download problems under Mambo 4.5.2.3 with gzip compression = On

--- version 1.3.2 released ---
- fixed various problems (create file/directory, archiving, download) with $mosConfig_absolute_path

--- version 1.3.1 released ---
- last visited directory is stored in the session for quick go-back
- updated Finnish language
- added Icelandic language
- fixed an error which caused icons not to display in directories outside of the Joomla/Mambo root directory

--- version 1.3.0 released ---
- the home directory is now ONE LEVEL ABOVE the joomla/mambo directory.
  If you have joomla inside /public_html/ you will be able to browse to the root directory / !
  Check if you want this behaviour. If not, see /config/conf.php line 41....
- created archives don't contain the full path anymore, but the relative path from the mosConfig_absolute_path
- converted transparent .png to .gif
- removed the IE transparency fix, which caused IE to slow down (really long load times!)
- updated the language files
- "Chmod", "Edit" and "Delete" links are not active now, when the file is not chmodable, writable or deletable
- delete alert box will display the name of the file that is to be deleted
- added a checkbox to chmod form, so the user can decide whether to chmod recursively or not
- added a rename feature
- current user ID and group ID (on a *nix OS) are displayed correctly now
- component name changed to "eXtplorer"

--- version 1.2.1 released ---
- bug fix: File Upload Icon is grey although file uploads are allowed
- bug fix: [#4944] mamboXplorer strips \r\n to just rn
- added Unzip / Unarchive Feature (Feature Request #6171) to unpack archive types:
  zip, gz, bz2 directly on your webspace.
- fix for the PNG Fix.

--- version 1.2a released ---
- new language variables + more languages
- nice X - Icon for components Menu. thanks to Michael!
- added PNG transparency fix for IE
- added Owner / Group information to File List
- bug fix: "$ok @cmod" changed to "$ok = @chmod"

--- version 1.2 released ---
- removed full path from Archive ( tar.gz /bzip2 Archive Creation)
- added ability to change permissions recursively through all subdirectories

--- version 1.1 released ---