
Nutsmuggling

Events Manager 2.2, security hole closed

Hello folks,
I just released Events Manager 2.2. It's a minor upgrade; here is the changelog:

  • Added an option to pick events through a select
  • Closed many bugs causing notices/warnings visible only in debug mode
  • Closed a critical security hole discovered by Danilo Massa (details to be released on May 10th)

The first point is the only proper feature: it lets you pick the venue of an event from a select box. It comes in handy for people and organizations whose events always take place at the same venues.

The second point is something I should have done AGES ago. I put WordPress in debug mode (WP_DEBUG) and could thus see all the notices and warnings that are usually written straight to the error log. There were many small bugs, caused mainly by missing isset checks here and there. I believe a few minor notices/warnings remain, but I got rid of most of them.
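As an added illustration (this is not code from Events Manager or from Davide), here is the shape of the notices WP_DEBUG surfaces and of the isset fix. The function names, the request field names and the sample request below are hypothetical; sanitize_text_field() is a real WordPress helper and is only called when it exists, so the snippet also runs from the command line outside WordPress.

```php
<?php
// Added example, not Events Manager code. em_example_* functions and the
// dbem_event_name / dbem_venue_id field names are hypothetical.

// Before: reading a request field that may be absent raises
// "Notice: Undefined index: dbem_venue_id" under WP_DEBUG. With display_errors
// on, the notice (including the server file path) is printed into the page
// before any header is sent, which is where "headers already sent" comes from.
function em_example_read_event_unsafe(array $request) {
    return array(
        'name'  => $request['dbem_event_name'],
        'venue' => $request['dbem_venue_id'],
    );
}

// After: test each key with isset() and fall back to a safe default. While
// here, coerce the type and sanitize: a missing key and an unexpected type are
// the same class of bug (unvalidated input), so fix both at the same place.
function em_example_read_event(array $request) {
    $name  = isset($request['dbem_event_name']) ? (string) $request['dbem_event_name'] : '';
    $venue = isset($request['dbem_venue_id'])   ? (int) $request['dbem_venue_id']      : 0;
    if (function_exists('sanitize_text_field')) {   // WordPress helper, when loaded
        $name = sanitize_text_field($name);
    }
    return array('name' => trim($name), 'venue' => $venue);
}

// Reproduce what WP_DEBUG does: WordPress raises error_reporting to E_ALL and
// turns display_errors on, so notices become visible instead of silently
// going to the error log.
error_reporting(E_ALL);
ini_set('display_errors', '1');

// Constructed sample input: the venue field is missing, as happens when a
// form is submitted with the venue select left out.
$partial = array('dbem_event_name' => 'Launch night');

var_dump(em_example_read_event_unsafe($partial)); // emits "Undefined index: dbem_venue_id"
var_dump(em_example_read_event($partial));        // clean: name => "Launch night", venue => 0
```

The point of the "after" version is not only a quieter debug log: every place that needed an isset is a place that was reading input without checking it, so treating the notice hunt as an input-validation pass pays off twice.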

Point three is what urged me to release ASAP. Danilo Massa kindly notified me of a security hole in Events Manager and provided a simple one-line fix. Since the vulnerability is pretty serious, I hurried to apply Danilo's patch and release 2.2. The details of the hole are being withheld until May 10th (see the changelog), so upgrade now rather than wait for them.

This release is quite stable; it is already running in a client portal, so you should have no problems with the upgrade.

Enjoy,
Davide


31 responses to “Events Manager 2.2, security hole closed”

  1. Robbb says:

    Hi Davide, I tried to install Events Manager but got an error when activating the plugin, so I tried again on a fresh WP install, but what I get is Whereas with EM2.2 I get I checked the script it reports and noticed that the errors go away if I remove the part between lines 1382 and 1472. So I tried removing statements one at a time to pin down where the error occurs, but the problem seems to be that (probably only on certain PHP installations) tags opened one way at the start of a structure must be opened the same way at the end of the structure. So for example you must have various code and you cannot instead write But if I fix this "error", what I get is this

    At this point I suspect a compatibility problem with WP2.9.2-IT PHP Version 5.2.8 Apache 2.2.11 I hope this helps

  2. Gero Pflueger says:

    Hi,

    thanks for this great plugin. I'm missing just one feature: the ability to easily edit the number, or time span, of shown events, both in the widget and on the events page. I need more than just 10 events: I want to show all of my events in the coming six or twelve months, at least on the events page.

    If you would introduce this in the settings of the plugin I’d consider it the perfect plugin :)

    Best, Gero

  3. Ceri says:

    Hi there! Amazing plugin… one question/problem though:

    On first load the calendar widget doesn't target the "ajaxCalendar" (itself) for its prev/next links. It just targets the main frame... or something, I'm not very good at this. The ajaxCalendar does not define its target on FIRST load, but on subsequent clicks the prev/next month links work just fine, and "ajaxCalendar" is in the address they link to if you hover over the links, where it wasn't the first time you use them.

    This is a problem when you are using ajax/javascript for more than one content area, i.e. if you are using a content slider for your main content. The calendar widget ends up targeting my main slider, which shows the next available page in its lineup.

    Here’s a working example of my problem: http://iangreenlaw.cerenacat.com/wordpress/ When you click the next/prev links on the calendar, the main content gets changed as though you used my nav links. The calendar content DOES get changed to the next month, but so does my main content… this does not happen after the first time you use the calendar links, they behave properly after that.

    Please also note that on first load the prev/next links issue a "post" request rather than a "get" request; the get requests work just fine and target the ajaxCalendar. Not sure what that means, though... like I said, I'm a beginner of sorts.

    Is there anything that can be done to make the plugin more specific to target itself and not the main nav? Would be much more robust for use in slidingtabs type themes like this one (for ref I am using a modified “sleektabs” theme).

  4. Mike says:

    Will this work with WP3.0 beta soon?

  5. Niko says:

    Hi and thanks for this great plugin – basically just what I need!

    However, since the update I have one major problem: the "details" section of the event is entirely unavailable when I create or modify one (in HTML as in visual), so I can't type in any additional text or upload any image...

    Any thought ?

  6. Niko says:

    OK, never mind, I just found out it was a compatibility problem with qTranslate... upon deactivating it, the "details" are now available...

    Too bad, I really need qTranslate too :-(

  7. dennis says:

    Do you have the rsvp email corrected? I used to get all these errors printing on the screen above the site. Also, who is the “notification receiver”?

  8. fog says:

    Hi !

    Good work so far, but what really needs to be done is an administration section where you can customise, add and delete the fields needed for booking, as well as required fields and form validation. I will do some changes...?!$

    Best Greets Fog

  9. Jeremy Legasse says:

    How can I change the language on the datepicker? On an old install the datepicker is in English, but on a new WordPress installation with the plugin installed from 2.2 it's in a different language. Where do I change it back to English?

    Thanks! LOVE THE PLUGIN

  10. I房 says:

    Occasionally playing a joke on life feels great, but when life plays a joke on you, it's a disaster...

  11. Bitcause says:

    http://davidebenini.it/2010/04/10/events-manager-2-2-security-hole-closed/#comment-16025

    Niko,

    See dbemevents.php (2.2.2) row 1702 with qtranslatehooks.php (v2.5.7) row 314

    Solution:

    Install this plugin (CKEditor For WordPress 1.0 Beta2): http://wordpress.org/extend/plugins/ckeditor-for-wordpress/

    And enjoy! :)

  12. Bitcause says:

    Sorry, with CKEditor For WordPress 1.0 Beta2 the Post/Page language switch tab on top of the editor is out of action. Uninstall CKEditor For WordPress 1.0 Beta2, go to dbemevents.php (2.2.2) and delete rows 1693 to 1709, starting with this: <div id="" class="postarea">

    And paste this:

                <?php the_editor($event[$pref . 'notes']); ?>
                </textarea><br/>
                    <?php _e('Details about the event', 'dbem') ?>
                </div>
            </div> <div style="clear:both;">

    Next: go to wp-admin/wp-admin.css and wp-admin/wp-admin.dev.css and replace this: .js .theEditor{color:white;} with: .js .theEditor{color:black;}

    Enjoy :)

  13. Samy says:

    Hi, I just tested your great plugin, but I cannot install it: it says (on WP 2.9.2 with EM 2.2.2) that:

    Parse error: parse error in F:\sites\ocrav2\wp-content\plugins\events-manager\dbem_events.php on line 2288

    Can you help me ?

  14. Andy Blackwell says:

    Let us all know when this error is fixed, file is too long to easily find the problem spot.

    Parse error: syntax error, unexpected $end in /{path-to-wp}/wp-content/plugins/events-manager/dbem_events.php on line 2358

  15. Nathan says:

    Great plugin. Much more thought out than some of the competing events plugins.

    Just one small feature request – a closing date on RSVPs. Shutting off RSVPs once it’s hit a capacity limit is great, but it would also be nice to close RSVPs off at a certain date (say, a week before the event).

    Other than that, top stuff!

  16. Chris says:

    Hi,

    does it work on wp3?

    don't get it running on wp3.

    grts,

    Chris

  17. Radu says:

    Hi,

    I'd like to display 2 event widgets on the same page (one titled "Future Events" and one "Past Events"). But when I drag and drop it into the widgets bar, the widget disappears from the Available Widgets.

    The other widgets like Archive for example, can be used as many times as you like.

    Do you know how this problem could be solved?

    Cheers, Radu

  18. Sascha says:

    hi, I love your plugin! I would like to use it, but I need an important feature:

    every user is able to view and edit all events. That's bad. It's important that users only see and change their own entries.

    I have tried to manage it with the plugin adminize. The problem is: it is possible to disable the menu for editing, but if the user writes a new event and clicks "publish", he is shown the list of all events and can change them then.

    thank you
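An added example of the check Sascha is asking for; this is not Events Manager code and not how the plugin is written. It filters the listing by owner in the query itself and re-checks ownership in the save handler, because hiding a menu with another plugin does not stop the form POST from being accepted. The em_example_* names, the event_author column, the dbem_events table, the event_id/event_name fields and the nonce action are assumptions; current_user_can(), check_admin_referer(), wp_die(), sanitize_text_field() and the $wpdb methods are real WordPress APIs.

```php
<?php
// Added example, not Events Manager code. em_example_* functions, the
// event_author column, the dbem_events table and the nonce action are assumptions.

// Editors/administrators (edit_others_posts) keep full access; anyone else may
// only touch events whose event_author equals their own user id.
function em_example_can_edit_event($event, $user_id) {
    if (current_user_can('edit_others_posts')) {
        return true;
    }
    return isset($event->event_author) && (int) $event->event_author === (int) $user_id;
}

// Listing: filter by owner in the query, so other users' rows are never
// fetched and never reach the template. The list shown right after
// "Publish" should go through this same function.
function em_example_get_events_for_user($user_id) {
    global $wpdb;
    $table = $wpdb->prefix . 'dbem_events';
    if (current_user_can('edit_others_posts')) {
        return $wpdb->get_results("SELECT * FROM $table ORDER BY event_start_date");
    }
    return $wpdb->get_results($wpdb->prepare(
        "SELECT * FROM $table WHERE event_author = %d ORDER BY event_start_date",
        $user_id
    ));
}

// Saving: hiding the edit menu is not an authorization check; the POST is still
// accepted. Re-check on every write: the nonce first, then ownership of the
// record actually being modified, looked up from the database rather than
// trusted from a form field.
function em_example_handle_save(array $post, $user_id) {
    global $wpdb;
    check_admin_referer('em_example_save_event');   // dies on a missing/invalid nonce

    $table    = $wpdb->prefix . 'dbem_events';
    $event_id = isset($post['event_id']) ? (int) $post['event_id'] : 0;
    $event    = $wpdb->get_row($wpdb->prepare("SELECT * FROM $table WHERE event_id = %d", $event_id));

    if (!$event || !em_example_can_edit_event($event, $user_id)) {
        wp_die(__('You are not allowed to edit this event.', 'dbem'), '', array('response' => 403));
    }

    $name = isset($post['event_name']) ? sanitize_text_field($post['event_name']) : '';
    return $wpdb->update(
        $table,
        array('event_name' => $name),      // data
        array('event_id'  => $event_id),   // where
        array('%s'),                       // data format
        array('%d')                        // where format
    );
}

// Creating: stamp the owner server-side from the logged-in user, never from a
// hidden form field the client could rewrite.
function em_example_handle_create(array $post, $user_id) {
    global $wpdb;
    check_admin_referer('em_example_save_event');

    $name = isset($post['event_name']) ? sanitize_text_field($post['event_name']) : '';
    $wpdb->insert(
        $wpdb->prefix . 'dbem_events',
        array('event_name' => $name, 'event_author' => (int) $user_id),
        array('%s', '%d')
    );
    return (int) $wpdb->insert_id;
}
```

The two halves depend on each other: filtering the list without re-checking on save still lets a user edit any event whose id they guess in the POST, and checking on save without filtering the list still leaks every other user's events to the screen.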

  19. Maureen says:

    I'm using 2.2.2 with WordPress 3.0. The automatic update did not work; I had to do a manual FTP upload instead. The only problem I'm seeing so far is that in Internet Explorer, on the main Events page in the editor, the list of events shows up very briefly and then disappears. Looks like just an IE display problem because it works fine in Firefox. If anyone else sees this and finds a fix for it please respond! Thanks :)

  20. Maureen says:

    I have one recommendation for an improvement to the usability of this plugin.

    In the current month (June), if I click the right arrows to move to the next month (July) and then click on a date in the calendar, the calendar immediately jumps back to the current month. Could the calendar be configured to show the month of the date of the event?

    Thanks for a great plugin!

  21. Melvin says:

    Hi Davide,

    Just wanted to say thank you for a great plugin. Though it took some time to figure out how to modify it for our use, it still is a great help to us to have it.

    cheers.

  22. erkh says:

    Hi,

    Thank you for your great plugin.

    1- “Send book” button “Accept Text” is not readable because of text background colour.

    2- Name, Phone, E-Mail should be integrated with user database

    3- Booking List should be displayed with an attribute

  23. Bhavi says:

    Hi,

    I just made a fresh install of WordPress 3.0 and installed the Events Manager plugin. It throws the following warning message on activation.

    The plugin generated 233 characters of unexpected output during activation. If you notice “headers already sent” messages, problems with syndication feeds or other issues, try deactivating or removing this plugin.

    Please advise

  24. Raymond says:

    I just upgraded to the 2.2 release because of the mention of the security patch.

    However, my event manager is now not working. I’m very green in regards to your program and have no idea how to fix.

    This is what I get when I login to the admin.

    WordPress database error: [Unknown column 'eventcategoryid' in 'field list']

  25. Tom says:

    Hi Davide,

    Thanks a lot for this plugin, it rocks!

    Three issues I am encountering:

    • Version 2.2 doesn’t populate the default values, I had to manually fill everything in. Not a big deal though.

    • The fields “Small calendar title” and “Small calendar title separator” are not set up in the database and can’t be saved, effectively disabling the event preview on the widget calendar.

    • Recurring events do not show up in the current month in the calendar widget. For the next month they show again.

    Any idea when you can fix the last two at least? Or is there a workaround?

    Cheers, Tom

  26. Carey says:

    Hi Davide, I’m holding off upgrading to 3.01 until you upgrade to 2.2.3.

    My client wants to eliminate the end time for events. When I leave it blank a default time populates the field. Is there a way to have that field remain blank?

    Thanks and love the plugin just like the other comments.

  27. Davide says:

    To you all folks, EM 3.0 is about to be released, it should solve most of your problems. Davide

  28. acai berry cleanse says:

    Good day intelligent points.. now why did not i think of these? Off subject barely, is that this page pattern merely from an bizarre set up or else do you employ a personalized template. I exploit a webpage i’m in search of to improve and nicely the visuals is likely one of many key issues to complete on my list.

  29. Ladies Watches Gruen says:

    Admiring the commitment you put into your website and detailed information you offer. It’s great to come across a blog every once in a while that isn’t the same out of date rehashed material. Excellent read! I’ve bookmarked your site and I’m adding your RSS feeds to my Google account.

  30. Willodean Kilfoyle says:

    Excellent weblog right here! Additionally your web site a lot up fast! What host are you the usage of? Can I get your affiliate link to your host? I wish my site loaded up as fast as yours lol.

  31. hosting seo says:

    Recommeneded website…

    below you’ll find the link to some sites that we think you should visit…
