
mibew / mibew


Mibew Messenger - open-source live support application

Home Page: https://mibew.org

License: Other

PHP 50.43% JavaScript 23.79% CSS 4.78% HTML 0.11% Perl 0.33% Handlebars 20.55%
php mysql messenger support-system chat-application mibew mibew-messenger-application

mibew's Introduction

Mibew Messenger

Mibew Messenger is an open-source live support application written in PHP and MySQL. It enables one-on-one chat assistance in real-time directly from your website.

About this repository

This repository contains the core of the Mibew Messenger application.

Server requirements

  1. A webserver or web hosting account running on any major Operating System
  2. PHP (7.2.5 and above) with PDO, pdo_mysql, cURL, mbstring and gd extensions
  3. MySQL 5.0 and above

Build from sources

There are several steps to complete before using the latest version of Mibew from the repository:

  1. Obtain a copy of the repository using git clone, download button, or another way.
  2. Install node.js and npm.
  3. Install Gulp.
  4. Navigate to src/ directory of the local copy of the repository.
  5. Install npm dependencies using npm install.
  6. Run Gulp to build Mibew using gulp default.

Finally .tar.gz and .zip archives of the ready-to-use Mibew will be available in src/release directory.

Terms of Use

Mibew Messenger is licensed under the terms of the Apache License, Version 2.0.

Other repositories of the Mibew project

Actual

  1. Mibew Messenger i18n repository
  2. Mibew Messenger design repository
  3. Mibew documentation repository

Obsolete

  1. Mibew Java applications repository
  2. Mibew Tray repository

Plugins

  1. Mibew Boilerplate plugin - a template for a real plugin

Ready for production use

  1. Mibew Advanced Button plugin
  2. Mibew Auto Invite plugin
  3. Mibew Auto Reply plugin
  4. Mibew Broadcast plugin
  5. Mibew Bulk Logs Operations plugin
  6. Mibew Button Refresh plugin
  7. Mibew Emoji plugin
  8. Mibew Filter Visitors By Operator Code plugin
  9. Mibew First Message plugin
  10. Mibew Geo IP plugin
  11. Mibew Google Maps plugin
  12. Mibew Open Street Map plugin
  13. Mibew Operator Status plugin
  14. Mibew Purge History plugin
  15. Mibew Real Ban plugin
  16. Mibew Slack plugin
  17. Mibew Title Notification plugin

Not ready for production use (not stable, broken, obsolete, etc.)

  1. Mibew External API plugin

mibew's People

Contributors

aburakovskiy, bfallert, c4tom, faf, inspirer, jfricke-pks, jmechnich, justblackbird, mahmood-sajjadi, nav666, silron88, stweil, tzkoshi


mibew's Issues

URLs with trailing slash

URLs with trailing slash and without it must work the same.

For example, if one uses <path_to_mibew>/license URL he should see the same page if he uses <path_to_mibew>/license/ URL.

I think the problem can be solved using .htaccess file and Apache's mod_rewrite.

Canned Message does not work correctly

Hello Dmitry

I am using Mozilla - Firefox Browser

I tried to add a new canned message

The program opened Internet Explorer and requested that I login

But I am already logged in in Firefox

Can you please help

Thanks

Lloyd Sewell



Vulnerability: Error in SQL

Vulnerability: Error in SQL
Results:
URL
http://www.mysite.com/chat/client.php?locale=pt-br&style=silver&url=http%3A//www.mysite.com/&referrer=

MESSAGE

No response from server. Injectable request #: 1 Injected item: GET: locale Injection value: "OR

HOW IT WORKS

The SQL error message is a vulnerability that helps an attacker formulate more precise strings for an SQL injection. It can also be used as an attack 'finder' that precedes an actual SQL injection attack. When looking for an SQL injection vulnerability, the attacker first enters SQL characters such as ' - # to try to generate an error in the application. If the error is displayed on the resulting page, the attacker gains valuable information about the web application.

Exploit

Although this is mainly a secondary attack, given the importance of the exploit, an SQL Error Message vulnerability enables the attacker to gain valuable information such as the type of database used, the tables queried and the table structures. In this context, this can be considered an exploit. For example, consider an error message that begins with:

com.mysql.jdbc.PreparedStatement @ 2df1314: select user_id, the bdate birth_date, first_name, ssn from user _place_holder; _place_holder; _place_holder; _place_holder; sql error: java.sql.SQLException: Communication link failure: java.net.SocketException, underlying cause: Software Caused connection abort: recv failed _place_holder; _place_holder; BEGIN ** EXCEPTION **

This message tells the attacker which tables are being queried, the names of their columns, the underlying database (such as MySQL), and probably that JSP technology was used in developing the web application. An error message that contains only the text of the exception, such as:

SQLException: java.sql.SQLException: Invalid column type at oracle.jdbc.dbaccess.DBError.throwSqlException (SQLErr.java: 134)

also reveals that the database used is Oracle and that the application is written primarily in JSP.

IMPACT

An attacker can gain administrative control over your web application or database using SQL queries created especially for this purpose. It is also possible to obtain remote access to restricted information through queries to your database. An SQL Error Message vulnerability helps the attacker to formulate the correct query, depending on the information revealed in the error message. This kind of error message can also reveal information about the implementation of the database, such as the type of database server, the server-side technology, etc. Many web applications use SQL databases to store important information, which can be revealed through error messages deliberately provoked by an attacker. For example, an error generated by a web form that searches for information about employees of an organization can lead to exposure of the personal data stored with it. Likewise, errors generated by an inventory management web application can disclose important information about products yet to be launched.

Update README in master

The contents of README file should be aligned with the actual procedures of installation and upgrade.

Legacy-Patch: Add png support for own buttons

Hello,

since we have an own button for our website, we've updated the code in b.php to support PNG-Images. With the transparency/shadow etc they look much better. I replaced this

$image_postfix = has_online_operators($groupid) ? "on" : "off";
$filename = dirname(__FILE__) . "/locales/${lang}/button/${image}_${image_postfix}.png";
if (!file_exists($filename)) {
    die("no image");
}
$fp = fopen($filename, 'rb') or die("unable to get image");
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Pragma: no-cache");
header("Content-Type: image/gif");
header("Content-Length: ".filesize($filename));

with this:

$image_postfix = has_online_operators($groupid) ? "on" : "off";
$filename = dirname(__FILE__) . "/locales/${lang}/button/${image}_${image_postfix}.gif";
$filetype = "gif";
if (!file_exists($filename)) {
    $filename = preg_replace('"\.gif$"', '.png', $filename);
    $filetype = "png";
    if (!file_exists($filename)) {
        die("no image");
    }
}
$fp = fopen($filename, 'rb') or die("unable to get image");
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Pragma: no-cache");
header("Content-Type: image/" . $filetype);
header("Content-Length: ".filesize($filename));

What do you think? Do you implement it in legacy?

Do not track operators

There should be option to track operators or not. By default Mibew should not track operators.

Vulnerability: SQL Disclosure

Made by the shielded test site indicate vulnerability as well

http://www.mysite.com/chat/client.php?locale=pt-br&style=silver&url=http%3A//www.mysite.com/&referrer=
MESSAGE
No response from server. Injectable request #: 1 Injected item: GET: referrer Injection value: " or 1=1 -- -

HOW IT WORKS

SQL Disclosure is a special kind of a SQL Injection vulnerability. SQL Injection is a type of attack that allows a remote user to pass SQL
(Structured Query Language) commands and strings to a back-end database. By exploiting SQL injection vulnerabilities an attacker can
gain access to sensitive information and potentially gain full control over the system on which the database is installed. An attacker may
make use of a SQL Disclosure vulnerability to gain sensitive information without having the required privileges or to locate generic SQL
Injection vulnerabilities. He starts by trying to cause an error in the processing of a SQL query, thereby generating a SQL exception. If
such exceptions are suppressed by the application, he may use the Blind SQL technique to locate a SQL Injection vulnerability. This
enables him to guess the correct structure of the query. For example, if an injection with the construct " -- - causes an exception but with
';# does not, then he understands that the query ends in a ' . Next, he chooses an appropriate SQL statement, for example ' or 1=1;# ,
which will always result in a true state and uses this in the input. When this modified query gets executed, the attacker stands to gain
sensitive information not available to him otherwise.

Exploit

A SQL Disclosure vulnerability, by definition, involves disclosure of
information to users without sufficient privileges by way of a SQL Injection. Hence, the disclosure of this extra information may be
considered as an exploit of this vulnerability. In this sense, this attack is itself an exploit of a generic SQL Injection vulnerability.

IMPACT

A SQL Disclosure vulnerability enables an attacker to gain access to information that he does not have the privileges for. This includes
data stored in the tables and probably credentials for accessing sections of an application requiring higher privileges. Many Web
applications store important information in SQL databases, such as financial transactions of users, confidential company records and
credit card numbers. Querying such databases without proper access restrictions can cause leakage of this data to anyone who can send
queries to them through a Web application. For example, a well-crafted injection on a banking application may reveal transactions done
by all users to one malicious user. Similarly, an injection on an application used for taxation by companies may expose tax details of many
companies to an attacker.

SOLUTION

The following recommendations will help to mitigate the risk of SQL injection attacks:

  • Monitor your production applications for the latest security vulnerabilities and bugs.
  • Keep up to date on patches and security fixes as they are released by the vendor or maintainer.
  • Limit the types of characters and strings that can be passed as application parameters by configuring native application filters.
  • Avoid using external SQL interpreters.
  • Audit your applications frequently at points where HTML input can reach SQL interpreters.
  • Ensure proper input validation is performed wherever user supplied data is used, regardless of the application's relationship to a back-end database.
  • Avoid using dynamic SQL or PL/SQL and use bound variables whenever possible.
  • Enforce strict limitations on the rights to database access.
  • Remove any sample applications or demo scripts that allow remote database queries.

The following ASP.NET code shows a simple example of a SQL disclosure vulnerability. Assume the goal of the code is to query user account details, such as name, account id, and credit card, from a user's PIN number.

SqlDataAdapter myCommand = new SqlDataAdapter(
    "SELECT usr_name, usr_accntid, usr_cc FROM accounts WHERE usr_pin = '" + PIN.Text + "'",
    myConnection);

Assuming a PIN id of 10012301, the code above results in the following SQL query:

SELECT usr_name, usr_accntid, usr_cc FROM accounts WHERE usr_pin = '10012301'

The insertion of special characters allows a remote attacker to manipulate the SQL query and thus substitute or append additional queries in the place of the expected value. This allows a malicious user to craft arbitrary SQL expressions and have them executed against the database. For example, the query "1000' or 1=1--" would allow the attacker to enumerate the name, account id, and credit card number of every user in the accounts table, in virtue of the following SQL expression:

SELECT usr_name, usr_accntid, usr_cc FROM accounts WHERE usr_pin = '1000' or 1=1 --'

To prevent SQL Injection type attacks, you should consider adopting the following practices:

ASP.NET

  • Use the RegularExpressionValidator and RangeValidator to ensure that input data conforms to the expected type and format. If using HTML input controls, use the Regex class (in the System.Text.RegularExpressions namespace) in your server-side code to constrain user input to allowable types and expected format.
  • Establish and enforce rules for allowable input and reject data that does not conform to your defined safe input.
  • Consider executing all queries as parameters with stored procedures. The use of parameters helps to prevent insertion of apostrophes and hyphens. Note, merely using stored procedures does not prevent SQL injection-based attacks.
  • Enforce length limits on inputs, and reject input that is longer than the specified length. This practice can make SQL injection vulnerabilities more difficult to exploit.
  • Validate the number of rows that are expected to be returned by a particular query. Produce exceptions if more rows than the expected value are returned by the query type.
  • Perform input validation on both the client and server. Do not rely on client-side code to ensure safe inputs. Ensure your input validation routines include server-side code that also validates input against a set of safe or expected characters and formats.

PHP

  • Use addslashes() to escape SQL queries.
  • Employ input validation against a set of allowable characters and reject input which deviates from this pattern.
  • If you are using MySQL with PHP, use mysql_real_escape_string() to escape SQL queries. Be advised, this function does not escape MySQL wildcard characters, such as % or _, which will need to be sanitized separately by input validation routines.
  • Enforce length limitations on input so that inputs longer than the expected length are rejected.

Java

The risk associated with SQL injection can be mitigated to a large extent in Java by the use of prepared statements or a combination of stored procedures and callable statements. Input validation is still required apart from these techniques.

Vulnerable Code

Consider a typical implementation of a SQL query in Java:

String username = httpRequest.getParameter("username");
// Request input is concatenated straight into the SQL text.
String sqlQuery = "SELECT * FROM users WHERE userid = '" + username + "'";
Statement stmt = db_conn.createStatement();
ResultSet results = stmt.executeQuery(sqlQuery);

In this code, the input "username" from an HttpServletRequest object is directly used in a live SQL query. A user could give potentially harmful input in the field username in the web application to compromise it.

Secure Code

Input Validation

Any input such as that mentioned above should always be validated before being used in a SQL query. The validation code looks like this:

if ()
    String sqlQuery = "SELECT * FROM users WHERE userid = '" + username + "'";
else
    throw new IllegalArgumentException();

Here, if () could be a simple length check, such as:

if (username.length() < MAX_POSSIBLE_LENGTH)

or, it could amount to a more elaborate regular expression match, for example, for peoples' first names:

if ( username.matches("[0-9a-zA-Z']*") )

or, an even more elaborate regular expression, for peoples' e-mail addresses:

if ( username.matches("n[A-Z0-9._%-]+@[A-Z0-9.-]+.[A-Z]{2,4}n") )

This means that no input other than what is exactly expected is passed to the SQL query. This ensures that even if an attacker injects SQL into input fields, it never reaches the database server. When using regular expressions, they must be tweaked to represent the exact format of input expected.

Prepared Statements

Prepared statements are used to send pre-compiled SQL queries to a database server, in the absence of stored procedures. In Java, PreparedStatement objects can be used for this purpose with one or more parameters. This is implemented as follows:

String username = httpRequest.getParameter("username");
String query = "SELECT * FROM users WHERE userid = ?";
PreparedStatement stmt = db_conn.prepareStatement(query);
stmt.setString(1, username);
ResultSet results = stmt.executeQuery();

The "?" in the SQL query is a placeholder for parameters to go in. These parameters are set using set---() methods of the PreparedStatement object, e.g., setString(), as shown. When a prepared statement is used, the database server uses the value of the variable bound to the "?" provided "as is," i.e., without interpreting any SQL syntax in it. So, if an attacker provides username "name' or 1=1 -- -", the database looks for the user with "name' or 1=1 -- -" as a name, which does not return any results and the attack fails.

Stored Procedures and Callable Statements

A stored procedure is a group of SQL statements which performs a specific task. These groups are entities with the database server, which can be called like SQL queries. CallableStatement objects in Java are used to call such stored procedures in a safe way, like PreparedStatement objects for simple SQL queries. CallableStatement objects are used as follows:

String username = httpRequest.getParameter("username");
CallableStatement cstmt = db_conn.prepareCall("{call findLogin(?,?)}");
cstmt.setString(1, username);
cstmt.registerOutParameter(2, Types.TIMESTAMP);
cstmt.executeQuery();
String lastLogin = cstmt.getTimestamp(2).toString();

Similar to prepared statements, the database server uses the value bound to the "?" provided as is. So, the injection fails. The key to the prevention of SQL injection that leads to vulnerabilities such as SQL disclosure and blind SQL injection is a combination of all the methods described above. No one method by itself can provide fool-proof protection against SQL injection attacks.

ColdFusion

Generic

ColdFusion provides a number of ways to filter or validate user input. The security measures span both client-side and server-side filtering. Where possible, implement your security controls on the server-side to avoid tampering of your controls via a Man-In-The-Middle (MITM) proxy. An attacker can easily bypass client-side controls by using such a program to modify the underlying HTTP Request as it passes between the proxy and the web application. Additionally, we recommend that sites using ColdFusion should configure their application using the recommended security features of the Adobe ColdFusion 8 Developers Guide, or the guide relevant to your version of ColdFusion.

ColdFusion Data validation allows you to control the type of data that is allowed as well as to ensure that user-supplied data corresponds to the correct form. Attentive data validation procedures can have the following benefits:

  • Enhance the security of your application by ensuring that malicious users cannot input data that exploits a security vulnerability, such as SQL Injection, XSS, or buffer overflows.
  • Enhance application resilience by rejecting invalid data on the server-side prior to processing the input.
  • Enhance application usability by providing the user with feedback that allows them to correct their mistakes, while not generating verbose error messages.

The list below gives you an overview of the available data validation tags, as well as their validation type (server vs. client side) methods. For a more detailed explanation consult your ColdFusion Developers resources on the CFML language and its security features:

  • Mask, client: Applies to cfinput tags on the client-side. The use of Mask creates a JavaScript or ActionScript control that verifies that input corresponds to a specified pattern. For example: nnn-nnn-nnnn where "n" is an integer. Note, this is a client-side control that can be easily bypassed.
  • onBlur, client: Applies to cfinput and cftextarea tags. onBlur creates a JavaScript that runs in the browser and checks that user supplied data matches a corresponding pattern. This can be bypassed by a Man-In-The-Middle (MITM) proxy.
  • onSubmit, client: Applies to the Web browser when the user clicks submit and checks that the data passed from the browser corresponds to a specified pattern. This can be bypassed by MITM proxy.
  • onServer, server: Applies to server-side data after the form is submitted. ColdFusion checks the form data of cfinput and cftextarea tags and generates an error page if the data is not valid. Use this tag in conjunction with the cferror tag to specify the validation error page. Note: a failure to specify an error page will result in an information leak in your error handling routine, as ColdFusion errors are verbose.
  • IsValid, server: Tests an input variable to determine if the content of the variable meets internal validation rules. The IsValid function returns true or false for the variable.
  • Cfparam, server: Tests an input variable to determine if the variable meets validation criteria. If the variable does not meet the criteria an expression exception is generated.
  • Cfqueryparam, server: Evaluates the content of a HTTP query string to validate whether the string meets validation criteria. This tag is useful for scrubbing HTTP query strings prior to further processing.

SQL Security

When data from a user-supplied parameter is passed within a SQL query, if proper security mechanisms are not in place a malicious user can modify the underlying query and conduct SQL Injection attacks.

Vulnerable Code

Consider the code below, which is vulnerable to SQL Injection:

SELECT FirstName, LastName, From Members WHERE EmpID='#Form.EmpID#'

The sample code above could be called by a malicious URL in the following way:

Server/script.cfm?EmpID=0%20Malicious%20SQL%20Query

Which would result in following SQL Expression, as if the form consisted of:

SELECT FirstName, LastName, From Members WHERE EmpID= 0 MALICIOUS SQL QUERY

An attacker could abuse this vulnerability to delete all data from tables or read or modify the underlying database, or authenticate without a username or password.

Secure Code

The cfqueryparam tag can be used to evaluate the string parameters prior to processing by the database. You can specify the type of data for the corresponding database columns used in the select statement and reject input of invalid data types. Cfqueryparam, when used in conjunction with cfsqltype, can also use a wide range of input validation functions, as well as constrain the length of input on the server-side, preventing SQL Injection. For example:

SELECT * FROM Employees WHERE EmpID =

This code thus prevents SQL Injection of the EmpID parameter value by enforcing an integer data type. Note that you must enforce proper error handling or this security measure could introduce an information leak via verbose SQL Error Messages. When manipulating strings, you can use other security measures to enforce a string data type, limit maximum length of the string, and escape the string values within single quotations to ensure it is examined as a single value by the database. For additional information on the use of cfqueryparam and cfsqltype, consult your ColdFusion documentation. In addition to the use of these measures, you should also enforce input validation to reject queries that contain special characters. This prevents an attacker from manipulating SQL expressions via special characters used by delimiters in database queries.
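
The two scanner reports above concern string-built queries and SQL error text reaching the client. The following PHP/PDO sketch is an added example, not part of either report and not Mibew's own code: it puts a concatenated query beside a bound-parameter query with allow-list validation and server-side error logging. The `visits` table, the function names and the use of in-memory SQLite in place of MySQL are assumptions made so that it runs offline.

```php
<?php
declare(strict_types=1);

// Added example: constructed schema and rows, hypothetical function names.
// Requires the pdo_sqlite extension; a MySQL DSN would behave the same way.

function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    // Raise exceptions so failures are handled in code, not printed as warnings.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE visits (id INTEGER PRIMARY KEY, locale TEXT, referrer TEXT)');
    $db->exec("INSERT INTO visits (locale, referrer) VALUES
        ('pt-br', 'http://www.mysite.com/'),
        ('en',    'http://www.example.org/')");
    return $db;
}

// Allow-list for locale codes of the form "en" or "pt-br".
function valid_locale(string $locale): bool
{
    return preg_match('/\A[a-z]{2}(-[a-z]{2})?\z/', $locale) === 1;
}

// Weak form: the request value becomes part of the SQL text.
function count_visits_concat(PDO $db, string $referrer): int
{
    $sql = "SELECT COUNT(*) FROM visits WHERE referrer = '" . $referrer . "'";
    return (int) $db->query($sql)->fetchColumn();
}

// Corrected form: validate, bind, and keep driver errors on the server.
// Returns null when the input is rejected or the query fails.
function count_visits_bound(PDO $db, string $locale, string $referrer): ?int
{
    if (!valid_locale($locale) || strlen($referrer) > 2048) {
        return null;
    }
    try {
        $stmt = $db->prepare(
            'SELECT COUNT(*) FROM visits WHERE locale = ? AND referrer = ?'
        );
        $stmt->execute([$locale, $referrer]);
        return (int) $stmt->fetchColumn();
    } catch (PDOException $e) {
        // The message can name tables, columns and the driver: log it only.
        error_log('visit lookup failed: ' . $e->getMessage());
        return null;
    }
}

$db = open_demo_db();

// Value quoted in the report's prepared-statement explanation.
$probe = "name' or 1=1 -- -";

// Concatenated: the quote closes the literal and the OR clause runs as SQL,
// so the count covers the whole table instead of one referrer.
var_dump(count_visits_concat($db, $probe));

// Bound: the same value is compared as plain data and matches no row.
var_dump(count_visits_bound($db, 'pt-br', $probe));

// The locale value the first report injected fails the allow-list.
var_dump(count_visits_bound($db, '"OR', 'http://www.mysite.com/'));

// A lone quote breaks the concatenated query; the client gets a fixed
// message while the driver text goes to the server log.
try {
    count_visits_concat($db, "'");
} catch (PDOException $e) {
    error_log('visit lookup failed: ' . $e->getMessage());
    echo "An internal error occurred.\n";
}
```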

Set status as "Away" does not work

A feature Set status as "Away" on the visitors waiting screen does not work. It changes its caption to Set status as "Available" but an operator is still online.

Add translations export

Translations import already exists but the export does not.

This should be fixed to allow everyone to share updated translations.

Blocked IP

Even though the IP of a Spam bot is blocked they are still getting through and causing a new chat with the "Reason for block" listed in the Visitors Waiting area.

Apache's mod_rewrite

Mibew in master branch is dependent on apache's mod_rewrite.

The main reason of it is using MIBEW_WEB_ROOT constant for building URLs instead of Symfony routing component's means.

This should be fixed.

Remove compiled JS code

At the moment the repository contains compiled JavaScript code. This code can be easily got via build system and should be removed from the repository.

Add timezone option

At the moment there is no way to change timezone. The default value from php.ini will be used.

Timezone option should be added to the main config file.

Which branch is for version 2.0?

On mibew's website there are two versions: 1.x and 2.0.
Which branch is the version 2.0? How can I try it on the local server? Thanks

Unchangeable settings

In Mibew there are default values of settings and actual values stored in the database. And the values from the database override default ones.

If a setting can not be changed through the UI, after first save in the database it becomes unchangeable. For example: the setting of left_messages_locale.

This issue is related to both legacy and master branches.

version 2.0: Can't inherit abstract function Mibew\Style\StyleInterface::getFilesPath()

Hello,
Trying to upgrade 1.6.11 to 2.0 alpha1 by replacing the old 1.6.11 directory with 2.0 and leaving the database unaltered we get the following message in apache's error_log no matter where we go:

[Thu Jul 31 10:53:57 2014] [error] [client 10.3.2.118] PHP Fatal error: Can't inherit abstract function Mibew\Style\StyleInterface::getFilesPath() (previously declared abstract in Mibew\Style\AbstractStyle) in /var/www/chat.ats.coop/mibew/libs/classes/Mibew/Style/PageStyle.php on line 28

Canned Message Not working correctly

Hello Dmitry

I am using Mozilla - Firefox Browser

I tried to add a new canned message

The program opened Internet Explorer and requested that I login

But I am already logged in in Firefox

Can you please help

Thanks

Lloyd Sewell



Installation with multiple locales

An attempt to install Mibew with multiple locales (3 or more) results in incomplete import of localized constants.

At the same time initial import of 2 locales works fine.

Pseudo localization strings

There are several strings that are used as localization constants at client side, but they are not real constants. Such strings are generated at the server side within no_field, wrong_field and other functions. Here is a list of these strings:

  • chat.window.send_message_short_and_shortcut
  • leavemessage.error.email.required
  • leavemessage.error.name.required
  • leavemessage.error.message.required
  • leavemessage.error.wrong.email

These strings should be replaced with normal localization constants.

Block chat history

Currently every user can view the chat history of all operators independent of the group he belongs to.

We need to have such options:
Every operator can watch only his chat history;
Every operator can watch only his group chat history;

history.php should be fixed.

About mibew chat wordpress plugin

Salam all,
mibew chat plugin for wordpress is an awesome one, even the best free I found.
But I have found a bug that rises on my server which gives a negative "token" sometimes which makes the client and the admin unable to make the chat, with an idiot message about bad token (which means MY SITE IS USEFUL to the client) Any how I made a fast solution by just modifying the "next_token()" function which exists at "YOURmibewPATH/libs/chat.php" and made it as follows:

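function next_token()
{
    // Prefer OpenSSL random bytes; fall back to mt_rand() when unavailable.
    $toRetHamed = function_exists('openssl_random_pseudo_bytes')
        ? hexdec(bin2hex(openssl_random_pseudo_bytes(4)))
        : mt_rand(99999, 99999999);
    // Retry when the value converts to a negative integer (the bad-token case).
    if (intval($toRetHamed) < 0) {
        // Return the retried value; without "return" the caller would get null.
        return next_token();
    } else {
        return $toRetHamed;
    }
}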

hope this will help
Salamu Alaikum

Add 'about' page

Probably we need a special page in the interface containing information about license, credits, etc.

Chat window shows user status offline even after logging in

Hi Team,
I use the latest April release version of Mibew. Initially it worked well, but suddenly today I noticed that even after logging into the Mibew user panel and setting the status online it still shows that the user is offline in the webpage chat session window. Please rectify the problem.

Strict standards: Declaration of ClientSideProcessor::call()

Just now tried to install the newest version. After a successful update I tried to start a chat from the client side and got this error:

Strict standards: Declaration of ClientSideProcessor::call() should be compatible with RequestProcessor::call($functions, $async, $callback = NULL) in .../web/mibew/libs/classes/client_side_processor.php on line 97

Is this caused by an error on my side, or has somebody else also got this?

Reduce count of .htaccess files

There are too many .htaccess files in Mibew.

For example, types of files that cannot be accessed are defined several times in each style directory. Also there are duplicated .htaccess files in libs/ and libs/classes/ directories.

I believe we should reduce the number of these files and use, if possible, only one in the Mibew root.

locales issue

In version 1.6.6 mibew only shows translations (de German) to (ä ö ü) character after it's all gone. In the operators backend.
for example:

menu.profile.content=Sie können ihre persönlichen Daten auf dieser Seite ändern.

displays= Sie k

version 1.6.5 Ok

Chat no longer works after input of some UTF-8 characters

We experienced a "crash" of our local chat system (1.6.4). It was caused by a client who entered some strange UTF-8 characters in her chat text. A short test with your demo shows the same effect: List of visitors no longer worked but continuously tried to reconnect (we got a Loading ... in our older version). So this problem still exists. A test with demo 2.0 was not successful.

Refresh Button at the Chat Window is not working

When clicking on the Chat Window and clicking on the Refresh button, it is not able to refresh the chat window; moreover, it is displaying the same window. Please find the attached screenshot for your reference.

Can't take over chat

It's not possible to take over a chat from an operator. In the popup nothing happens after confirmation message, the message just reappears.
