
indexhibit's Introduction

Indexhibit

Indexhibit is an archetypal portfolio CMS for everybody.

https://www.indexhibit.org

Indexhibit is a registered trademark of Jeffery Vaska and Daniel Eatock.

indexhibit's People

Contributors

indexhibit, vaska


indexhibit's Issues

Subsection bug

There are a couple of bugs related to subsections in the plugin.index.php file.

In line 391, you should change:
$active_subsection = ($flag == true) ? " class='active_subsection'" : '';
to:
$active_subsection = ($flag == true) ? " active_subsection" : '';

In line 534, you should change:
$active_subsection = ($flag == true) ? " class='active_subsection'" : '';
to:
$active_subsection = ($flag == true) ? " active_subsection" : '';

Security contact

Hello maintainer(s),

I am a security researcher from the Institute of Application Security at TU Braunschweig, Germany. We discovered a (potential) security vulnerability in your project.

We would like to report this vulnerability to you in a responsible and ethical manner.
Therefore, we do not want to disclose any details of the vulnerability publicly until you have had a chance to review and fix it.

Could you please let us know your preferred way of receiving security reports?

You can contact us at [email protected] or by replying to this issue.

Thank you for your attention and cooperation.

Apparent error in 2.1.6 upgrade script

I finally got around to upgrading PHP on my server, and the Indexhibit site I host gave me a surprising amount of trouble. After some debugging, I determined that this line 132f45d#diff-4d18d0309652c2b2b099d0e65e1894d6f0d00869e599931b29c8261061100f90R16 was causing 500 errors. It produces the following SQL:

UPDATE ndxz_users SET ID = '1' WHERE user_admin = '1';

... which has the effect of setting to 1 the user ID of any user who has been granted admin privileges. This results in the following error:

ERROR 1062 (23000): Duplicate entry '1' for key 'ndxz_users.PRIMARY'

From the "Admin Status" field on the User page, it seems the intended design is to allow multiple users to be admins.

I'm not sure what the intent was in adding this upgrade step, but instances with multiple admins can simply comment out that line before running the upgrade to work around the problem.
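As an added illustration (not code from the issue or from Indexhibit), the failure described above reproduced on an in-memory SQLite database, next to a guarded version of the same step that refuses to run when it would collide. The issue quotes only the UPDATE statement, so the table schema below (a `user_name` column, the flag stored as the text '1') and the sample users are assumptions.

```python
import sqlite3

# Constructed schema for illustration: the issue quotes only the UPDATE statement,
# so the primary key (id) and the user_admin flag come from that statement and
# the user_name column is an assumption.
SCHEMA = """
CREATE TABLE ndxz_users (
    id         INTEGER PRIMARY KEY,
    user_name  TEXT NOT NULL,
    user_admin TEXT NOT NULL DEFAULT '0'
);
"""

# The 2.1.6 upgrade step exactly as quoted in the issue.
UPGRADE_STEP = "UPDATE ndxz_users SET ID = '1' WHERE user_admin = '1';"


def make_db(users):
    """Create an in-memory database from (id, name, is_admin) tuples (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO ndxz_users (id, user_name, user_admin) VALUES (?, ?, ?)",
        [(uid, name, "1" if is_admin else "0") for uid, name, is_admin in users],
    )
    conn.commit()
    return conn


def admin_ids(conn):
    """Return the ids of all users flagged as admin, in id order."""
    rows = conn.execute(
        "SELECT id FROM ndxz_users WHERE user_admin = '1' ORDER BY id"
    ).fetchall()
    return [r[0] for r in rows]


def run_step_unguarded(conn):
    """Run the step as shipped. Returns (ok, error_message).

    With two or more admins the second admin row is rewritten to id 1 as
    well, which collides with the primary key and raises the duplicate-key
    error the issue reports; the statement is rolled back as a whole.
    """
    try:
        conn.execute(UPGRADE_STEP)
        conn.commit()
        return True, None
    except sqlite3.IntegrityError as exc:
        conn.rollback()
        return False, str(exc)


def run_step_guarded(conn):
    """Pre-flight the step instead of letting the primary key catch it.

    The rewrite is only safe when exactly one admin exists and id 1 is
    either free or already belongs to that admin; otherwise the step is
    skipped and the reason is returned so the operator can decide.
    """
    admins = admin_ids(conn)
    if len(admins) != 1:
        return "skipped: %d admin accounts, step assumes exactly one" % len(admins)
    occupant = conn.execute("SELECT id FROM ndxz_users WHERE id = 1").fetchone()
    if occupant is not None and occupant[0] != admins[0]:
        return "skipped: id 1 is already used by a non-admin account"
    conn.execute(UPGRADE_STEP)
    conn.commit()
    return "updated: admin id %d is now 1" % admins[0]


if __name__ == "__main__":
    single = make_db([(5, "owner", True), (12, "test", False)])
    print(run_step_unguarded(single))   # (True, None): one admin, nothing to collide with
    multi = make_db([(1, "index1", True), (2, "second", True)])
    print(run_step_unguarded(multi))    # (False, <duplicate-key error text>)
    print(run_step_guarded(multi))      # skipped: 2 admin accounts, step assumes exactly one
    print(admin_ids(multi))             # [1, 2]: rows untouched after the skip
```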

Last version

Hello,
Could someone tell me how to download the latest version? I don't see a link. I currently have version V.2.1.5
Thanks

Deprecation notices when using Indexhibit with PHP 8

I've enabled error reporting with:

ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);

And I get the following notices with PHP 8:

Deprecated:  Required parameter $type follows optional parameter $instantiate in /homepages/23//htdocs/ndxzstudio/common.php on line 39
Deprecated:  Required parameter $server_uri follows optional parameter $uri in /homepages/23//htdocs/ndxzstudio/common.php on line 393
Deprecated:  Required parameter $filename follows optional parameter $from_folder in /homepages/23//htdocs/ndxzstudio/lib/hook.php on line 540

Reflected Cross-Site Scripting (XSS) - /ndxzsite/plugin/ajax.php

On the page localhost//ndxzsite/plugin/ajax.php, the POST function can change the function used in PHP; the user/attacker can modify the parameter and add a script which will be shown without filtering. They can use the script to steal the cookie or do something worse.
Payload used:
jxs=slideshow&i=0&z=<img src="a" onerror=alert(1)>&z=<img src="a" onerror=alert(2)>
Affected URL: http://localhost//ndxzsite/plugin/ajax.php
So, when we visit this URL, localhost//ndxzsite/plugin/ajax.php, and POST this data:
jxs=slideshow&i=0&z=<img src="a" onerror=alert(1)>&z=<img src="a" onerror=alert(2)>
The JS will execute.


There are multiple cross-site scripting (XSS) vulnerabilities in the management panel

There are two stored XSS vulnerabilities in the backstage.
We can make the stored XSS via editing the Projects or Main.
poc: [screenshots]

fix:
Strictly verify user input: you must perform strict checks and HTML escaping on all input (scripts, iframes, etc.). The input here is not only the input interface that the user can directly interact with, but also the variables in the HTTP request, the variables in the HTTP request header, and so on.

Front-end JavaScript libraries with known security vulnerabilities

Hi,

Is there a way to correct this?

TRUST AND SAFETY
Includes front-end JavaScript libraries with known security vulnerabilities: 6 vulnerabilities detected.
Some third-party scripts may contain known security vulnerabilities that are easily identified and exploited by attackers. Learn more: https://web.dev/no-vulnerable-libraries/?utm_source=lighthouse&utm_medium=lr

Library | Version | Vulnerability Count | Highest Severity
jquery  | 1.7.2   | 6                   | Medium
(https://snyk.io/vuln/npm:jquery?lh=1.7.2&utm_source=lighthouse&utm_medium=ref&utm_campaign=audit)

Redirects to HTTPS even though webhost doesn't support

Hi! Line 32 of ndxzstudio/defaults.php was giving me trouble in my installation and kept redirecting me to the HTTPS version of my site even though one hadn't been set up / my webhost did not support it. I am on webfaction and have resolved the issue manually by force-setting line 32 to 'http'.

\o/

v2.1.6 with PHP 8.0

Hello,
According to the author, version 2.1.6 should work fine, but when I switch my PHP version to 8.0, I get a blank front-end, while the back-end works fine.

missing dimgs

I just downloaded all the indexhibit files to start installation and noticed that the dimgs file is missing. Anyone know anything about this?

Upload Error Abort

Hi,

While using the latest indexhibit from GitHub, I can't upload files anymore. My setup is Apache with SSL & http2. Here's the log:


Subsections and the hide from menu setting

I've found that if you hide an exhibit inside a subsection from the menu, the exhibit is also hidden from the visual index view, which makes no sense. I've found that the culprit is the AND hidden != '1' from this query (line 162) that can be found in the /ndxzstudio/lib/filesourcesubsection.php file:

$imgs = $OBJ->db->fetchArray("SELECT *
    FROM ".PX."media, ".PX."objects_prefs, ".PX."objects
    WHERE media_ref_id = id
    AND section_id = '" . $OBJ->vars->exhibit['section_id'] . "'
    AND section_sub = '" . $OBJ->vars->exhibit['section_sub'] . "'
    AND subdir = '0'
    AND media_mime IN ('" . implode('\', \'', $this->medias) . "')
    AND media_order = (SELECT MIN(media_order) FROM ".PX."media WHERE media_ref_id = id)
    AND section_top != '1'
    AND status = '1'
    AND hidden != '1'
    GROUP BY id
    ORDER BY ord ASC");

If I remove this condition, the exhibit is not hidden from the visual index view.

There is a CSRF vulnerability that can reset the password of any account

There is a CSRF vulnerability to reset the password.

First, let's use this account:
username=test and id=12
(In fact, we all know that id=1 and username=index1 is the installer, but I have deleted it.)
[screenshot]
OK, poc:

[screenshot]

OK, we reset the password of test and log in:
[screenshot]

Note: with the exp we can get the password by grabbing the return packet.

Can't troubleshoot this lib/cache.php issue

Hello everyone,

I can't find any info on this issue either here or on the indexhibit forum; can you help? If you load my website forabetterignorance.com you'll see these error messages popping up, pointing to line 71 of the cache.php file. Apparently it is a line of code that should check if the user is viewing the site from a mobile device... any idea on what's going on? I'm no web engineer :~/

here's the messages I see:
Warning: Attempt to read property "vars" on null in /home/public/ndxzstudio/lib/cache.php on line 71
Warning: Attempt to read property "default" on null in /home/public/ndxzstudio/lib/cache.php on line 71
Warning: Trying to access array offset on value of type null in /home/public/ndxzstudio/lib/cache.php on line 71

best,
Nicolò

PHP 8 compatibility?

Vaska, I'm raising this here rather than the forum because the forum is not accepting new postings. This is a critical problem and not just a "How do I ..." question.

My hosting service has just upgraded to PHP8 and my indexhibit 2.1.6 site has immediately stopped working. Browser generates this error: [Domain] is currently unable to handle this request. HTTP ERROR 500

Does this require an update to indexhibit code, or is there a setting I can update myself? I'm no expert in php and am flying blind ... also slightly panicked.

PHP 8 compatibility

Are there any plans to update Indexhibit to be compatible with PHP 8?
Right now, we are presented with nothing but a white screen when running it under this PHP version.

Thanks

Check if variable tmp is defined

In the makeNodes() function in the /ndxzsite/js/jquery.ndxzbox.js file, you should check if the variable tmp is defined before using it. Without this check, it sometimes breaks other JS scripts:

function makeNodes() {
    var count = 0;
    $('.picture_holder a').each(function()
    {    
        var tmp = $(this).attr('id');
        if (tmp) {
            node[count] = tmp.replace('aaa', '');
            count++;
        }
    });
}

There is an improper configuration that leads to getshell

There is an improper configuration that leads to getshell.
PoC:
First, let's sign in to our indexhibit CMS; then we can see this choice, "Assets":

So we can modify the plugins, including PHP files. OK, let's modify:

We can use knife to connect:
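A server-side guard for an "Assets" style editor, as an added example by the editor rather than indexhibit's code: it confines edits to existing files under one directory and to an allow-list of non-executable extensions. The root `ndxzsite/assets` in the usage comments is hypothetical. It assumes the editor's job is site assets; where editing PHP plugins is a deliberate feature, the equivalent control is limiting that screen to trusted admin accounts and protecting it with the same CSRF token as every other state-changing form.

```php
<?php
// Added example, not indexhibit code. Confines an "edit asset" request to
// existing, non-executable files under one root. Paths are hypothetical.
declare(strict_types=1);

// Extensions the editor may write. Anything the server could execute is absent.
const EDITABLE_EXTENSIONS = ['css', 'js', 'txt', 'json'];

// Segments that turn a file into server-side code on common PHP setups,
// including when they appear before a harmless final extension (shell.php.css).
const EXECUTABLE_SEGMENTS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'phps', 'inc'];

// Returns the canonical path of an editable file, or null when the request
// must be refused. Refusals are deliberately indistinguishable to the caller.
function resolveEditableAsset(string $assetRoot, string $requested): ?string
{
    $root = realpath($assetRoot);
    if ($root === false || str_contains($requested, "\0")) {
        return null;
    }

    // Every path component must be a plain name: no '.', '..', empty parts or
    // dotfiles (which rules out .htaccess and .user.ini as well as traversal).
    foreach (explode('/', str_replace('\\', '/', $requested)) as $part) {
        if ($part === '' || $part[0] === '.') {
            return null;
        }
    }

    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!in_array($ext, EDITABLE_EXTENSIONS, true)) {
        return null;
    }
    foreach (explode('.', strtolower(basename($requested))) as $segment) {
        if (in_array($segment, EXECUTABLE_SEGMENTS, true)) {
            return null;
        }
    }

    // Resolve symlinks, then require the result to stay inside the root.
    $full = realpath($root . DIRECTORY_SEPARATOR . $requested);
    if ($full === false || !is_file($full)) {
        return null;
    }
    if (!str_starts_with($full, $root . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $full;
}

// Writes go only through the resolver; callers never handle a raw path.
function saveEditableAsset(string $assetRoot, string $requested, string $contents): bool
{
    $path = resolveEditableAsset($assetRoot, $requested);
    if ($path === null) {
        return false;
    }
    return file_put_contents($path, $contents, LOCK_EX) !== false;
}

// Usage with the hypothetical root: the first two requests are refused,
// the third is written if theme/style.css already exists under the root.
// saveEditableAsset('ndxzsite/assets', '../ndxzstudio/lib/cache.php', $body);
// saveEditableAsset('ndxzsite/assets', 'theme/shell.php.css', $body);
// saveEditableAsset('ndxzsite/assets', 'theme/style.css', $body);
```

As defense in depth, also disable PHP execution for the asset directory at the web server (with Apache and mod_php, `php_admin_flag engine off` in a `<Directory>` block for it), so that a future editor bug cannot turn a written file into code. The `str_contains` and `str_starts_with` calls need PHP 8, which matches the version the other issues on this page are moving to.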

Vimeo videos and SSL

I installed an SSL certificate on my site and mostly everything is working as expected, except Vimeo videos uploaded to exhibits because of mixed content issues.

You should change the following IFRAME code to use https instead of plain http on line 228 in the plugin.formats.php file:

return "<div class='vimeo' style='width: {$width}px; height: {$height}px;'><iframe src='http://player.vimeo.com/video/$file' width='{$width}' height='{$height}' frameborder='0' webkitallowfullscreen mozallowfullscreen allowfullscreen></iframe></div>\n";

to:

return "<div class='vimeo' style='width: {$width}px; height: {$height}px;'><iframe src='https://player.vimeo.com/video/$file' width='{$width}' height='{$height}' frameborder='0' webkitallowfullscreen mozallowfullscreen allowfullscreen></iframe></div>\n";

Is Indexhibit dead?

Hi,

I've been contacted by an artist friend about migrating his indexhibit portfolio to WordPress so as to get a responsive version of his website. My first reflex was to go check on indexhibit.org whether there were new updates and possibly someone might have worked on responsive templates for indexhibit, but the front page of indexhibit.org is empty or nearly empty, and the last updates were done last year...

Maybe it's time to announce that the project is not maintained anymore?

An official announcement would allow people to start planning for a migration.

It was a lovely project btw, I loved working with it a few years back!

Best to you and thanks for everything,

maathieu
