This code part does not work for IPv6 addresses: COALESCE(INET_ATON(

An IPv6 address does not have a . in its format

At least loginip and createip are affected by this.

These changes implement out-of-the-box integration with Joomla!, in a similar vein to the existing Wordpress integration.

In addition to these changes, the Joomla! integration also requires a plugin to be installed into Joomla! (see https://github.com/SFWLtd/plg_q2a_integration). This plugin allows the Joomla! administrator to configure the Joomla! permissions that will grant different levels of access to Q2A.

Note that the installation instructions on the Joomla! plugin currently describe how to install it with a version of Q2A that does not contain the changes in this pull request. The changes here will allow those installation instructions to be dramatically simplified.

With the new Snow theme 1.4 when the admin switches to RTL mode the menus no longer stay in the same line, they items gets distorted and stack on top of each other

After clicking "needs to be upgraded" the server did not respond anymore.

Error log says:

[21-Jun-2015 13:14:59] PHP Question2Answer MySQL query error 1054: Unknown column 'qa_posts.name' in 'field list' - Query: (SELECT '0' AS selectkey, qa_posts.postid, qa_posts.categoryid, qa_posts.type, LEFT(qa_posts.type, 1) AS basetype, INSTR(qa_posts.type, '_HIDDEN')>0 AS hidden, qa_posts.acount, qa_posts.selchildid, qa_posts.closedbyid, qa_posts.upvotes, qa_posts.downvotes, qa_posts.netvotes, qa_posts.views, qa_posts.hotness, qa_posts.flagcount, qa_posts.title, qa_posts.tags, UNIX_TIMESTAMP(qa_posts.created) AS created, qa_posts.name, qa_categories.title AS categoryname, qa_categories.backpath AS categorybackpath, CONCAT_WS(',', qa_posts.catidpath1, qa_posts.catidpath2, qa_posts.catidpath3, qa_posts.categoryid) AS categoryids, qa_posts.userid, qa_posts.cookieid, INET_NTOA(qa_posts.createip) AS createip, qa_userpoints.points, qa_users.flags, qa_users.level, qa_users.email AS email, qa_users.handle AS handle, BINARY qa_users.avatarblobid AS avatarblobid, qa_users.avatarwidth, qa_users.avatarheight, NULL AS obasetype, NULL AS ohidden, NULL AS opostid, NULL AS ouserid, NULL AS ocookieid, NULL AS oname, NULL AS oip, NULL AS otime, NULL AS oflagcount, NULL AS oflags, NULL AS olevel, NULL AS oemail, NULL AS ohandle, NULL AS oavatarblobid, NULL AS oavatarwidth, NULL AS oavatarheight, NULL AS opoints, NULL AS parentid, NULL AS qcount, NULL AS position, NULL AS childcount, NULL AS content, NULL AS backpath, NULL AS action, NULL AS period, NULL AS count, NULL AS pageid, NULL AS permit, NULL AS nav, NULL AS heading, NULL AS widgetid, NULL AS place FROM qa_posts LEFT JOIN qa_categories ON qa_categories.categoryid=qa_posts.categoryid LEFT JOIN qa_users ON qa_posts.userid=qa_users.userid LEFT JOIN qa_userpoints ON qa_posts.userid=qa_userpoints.userid JOIN (SELECT postid FROM qa_posts WHERE type='Q' ORDER BY qa_posts.created DESC LIMIT 0,30) y ON qa_posts.postid=y.postid) UNION ALL (SELECT '1', qa_posts.postid, qa_posts.categoryid, qa_posts.type, LEFT(qa_posts.type, 1), INSTR(qa_posts.type, '_HIDDEN')>0, qa_posts.acount, qa_posts.selchildid, qa_posts.closedbyid, qa_posts.upvotes, qa_posts.downvotes, qa_posts.netvotes, qa_posts.views, qa_posts.hotness, qa_posts.flagcount, qa_posts.title, qa_posts.tags, UNIX_TIMESTAMP(qa_posts.created), qa_posts.name, qa_categories.title, qa_categories.backpath, CONCAT_WS(',', qa_posts.catidpath1, qa_posts.catidpath2, qa_posts.catidpath3, qa_posts.categoryid), qa_posts.userid, qa_posts.cookieid, INET_NTOA(qa_posts.createip), qa_userpoints.points, qa_users.flags, qa_users.level, qa_users.email, qa_users.handle, BINARY qa_users.avatarblobid, qa_users.avatarwidth, qa_users.avatarheight, LEFT(aposts.type, 1), INSTR(aposts.type, '_HIDDEN')>0, aposts.postid, aposts.userid, aposts.cookieid, aposts.name, INET_NTOA(aposts.createip), UNIX_TIMESTAMP(aposts.created), aposts.flagcount, ausers.flags, ausers.level, ausers.email, ausers.handle, BINARY ausers.avatarblobid, ausers.avatarwidth, ausers.avatarheight, auserpoints.points, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM qa_posts LEFT JOIN qa_categories ON qa_categories.categoryid=qa_posts.categoryid LEFT JOIN qa_users ON qa_posts.userid=qa_users.userid LEFT JOIN qa_userpoints ON qa_posts.userid=qa_userpoints.userid JOIN qa_posts AS aposts ON qa_posts.postid=aposts.parentid LEFT JOIN qa_users AS ausers ON aposts.userid=ausers.userid LEFT JOIN qa_userpoints AS auserpoints ON aposts.userid=auserpoints.userid JOIN (SELECT postid FROM qa_posts WHERE type='A' ORDER BY qa_posts.created DESC LIMIT 0,50) y ON aposts.postid=y.postid WHERE qa_posts.type='Q') UNION ALL (SELECT '2', qa_posts.postid, qa_posts.categoryid, qa_posts.type, LEFT(qa_posts.type, 1), INSTR(qa_posts.type, '_HIDDEN')>0, qa_posts.acount, qa_posts.selchildid, qa_posts.closedbyid, qa_posts.upvotes, qa_posts.downvotes, qa_posts.netvotes, qa_posts.views, qa_posts.hotness, qa_posts.flagcount, qa_posts.title, qa_posts.tags, UNIX_TIMESTAMP(qa_posts.created), qa_posts.name, qa_categories.title, qa_categories.backpath, CONCAT_WS(',', qa_posts.catidpath1, qa_posts.catidpath2, qa_posts.catidpath3, qa_posts.categoryid), qa_posts.userid, qa_posts.cookieid, INET_NTOA(qa_posts.createip), qa_userpoints.points, qa_users.flags, qa_users.level, qa_users.email, qa_users.handle, BINARY qa_users.avatarblobid, qa_users.avatarwidth, qa_users.avatarheight, LEFT(cposts.type, 1), INSTR(cposts.type, '_HIDDEN')>0, cposts.postid, cposts.userid, cposts.cookieid, cposts.name, INET_NTOA(cposts.createip), UNIX_TIMESTAMP(cposts.created), cposts.flagcount, cusers.flags, cusers.level, cusers.email, cusers.handle, BINARY cusers.avatarblobid, cusers.avatarwidth, cusers.avatarheight, cuserpoints.points, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM qa_posts LEFT JOIN qa_categories ON qa_categories.categoryid=qa_posts.categoryid LEFT JOIN qa_users ON qa_posts.userid=qa_users.userid LEFT JOIN qa_userpoints ON qa_posts.userid=qa_userpoints.userid JOIN qa_posts AS parentposts ON qa_posts.postid=(CASE LEFT(parentposts.type, 1) WHEN 'A' THEN parentposts.parentid ELSE parentposts.postid END) JOIN qa_posts AS cposts ON parentposts.postid=cposts.parentid LEFT JOIN qa_users AS cusers ON cposts.userid=cusers.userid LEFT JOIN qa_userpoints AS cuserpoints ON cposts.userid=cuserpoints.userid JOIN (SELECT postid FROM qa_posts WHERE type='C' ORDER BY qa_posts.created DESC LIMIT 0,50) y ON cposts.postid=y.postid WHERE qa_posts.type='Q' AND ((parentposts.type='Q') OR (parentposts.type='A'))) UNION ALL (SELECT '3', NULL, qa_categories.categoryid, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, qa_categories.title, qa_categories.tags, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, qa_categories.parentid, qa_categories.qcount, qa_categories.position, COUNT(child.categoryid), qa_categories.content, qa_categories.backpath, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL FROM qa_categories JOIN (SELECT NULL AS parentkey UNION SELECT grandparent.parentid FROM qa_categories JOIN qa_categories AS parent ON qa_categories.parentid=parent.categoryid JOIN qa_categories AS grandparent ON parent.parentid=grandparent.categoryid WHERE qa_categories.backpath='' UNION SELECT parent.parentid FROM qa_categories JOIN qa_categories AS parent ON qa_categories.parentid=parent.categoryid WHERE qa_categories.backpath='' UNION SELECT parentid FROM qa_categories WHERE backpath='' UNION SELECT categoryid FROM qa_categories WHERE backpath='') y ON qa_categories.parentid<=>parentkey LEFT JOIN qa_categories AS child ON child.parentid=qa_categories.categoryid GROUP BY qa_categories.categoryid ORDER BY qa_categories.position) UNION ALL (SELECT 'pending_iplimits', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, action, period, count, NULL, NULL, NULL, NULL, NULL, NULL FROM qa_iplimits WHERE ip=COALESCE(INET_ATON('78.57.238.26'), 0)) UNION ALL (SELECT 'pending_navpages', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, title, tags, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, flags, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, position, NULL, NULL, NULL, NULL, NULL, NULL, pageid, permit+0, nav, heading, NULL, NULL FROM qa_pages WHERE nav IN ('B','M','O','F') ORDER BY position) UNION ALL (SELECT 'pending_widgets', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, title, tags, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, position, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, widgetid, place FROM qa_widgets ORDER BY position)

Admin panel said before the upgrade: Q2A database version: 47

While developping another plugin that deals with tags I stumbled over the following bug:

When a user favorites the tag "teisė" or the tag "teisę" both are favorited as entity "teisę".

Already in the frontend favorite form you can see that both tags have the same T id which is for the example favorite_T_1900_0. However, teisė should have 11294 according to the database.

For seeing the bug: http://www.klaustukai.lt/tag/teis%C4%97 http://www.klaustukai.lt/tag/teis%C4%99

The problem lies in qa-db-selects.php with the mysql query:

case QA_ENTITY_TAG:
            $selectspec['source'].=' AND entityid=(SELECT wordid FROM ^words WHERE word=$ LIMIT 1)';
            break;

Querying my database with SELECT wordid FROM qa_words WHERE word="teisė" LIMIT 1 incorrectly returns wordid=1900 instead of wordid=11294. Obviously the special character ė is interpreted as ę.

Any way to fix this? Kai

What do you think about setting the headers for X-Frame-Options, X-XSS-Protection and X-Content-Type-Options?

https://securityheaders.io https://scotthelme.co.uk/hardening-your-http-response-headers/#x-frame-options

This would harden the website a bit more against possible attacks and should not cause any problems (unlike CSP, which has to be used with caution).

CSP may be more difficult to integrate, as this is not supported in every browser and has to be used with caution (adding allow origins for example) but may be a look worth.

I was checking this feature and it was working fine till I was adding points to user profile...but as I reduced the points then points started to show very unusual results. Then I created a fake account and tested it more rigorously, first I added 100 points to a user (the user was already having 100 points and all point settings are as q2a offers). Now users score is 200 then I reduced 100 points (by typing -100) and the score turned to zero. The added 100 points, with zero and hundred the final score was hundred. Now added 10 points (final score 110). This time tried to reduce 10 points which should have resulted in 100 but the score with was there is 90.

This was getting even confusing so I thought to report it here instead to getting mad.

Noticed here: https://www.question2answer.org/qa/72828/stop-spam-and-editor-plugin-not-working-and-down-whole-website

And can confirm that I run into the same problem, once in a while.

Opening admin/plugins then "options" (especially with SCeditor).

Empty error logs :(

Please test it.

This pull request converts user hashes after a successful login, and uses bcrypt for all new passwords by default.

You need to add password_compat functions to question2answer to make it compatible with PHP 5.3+ (I work with PHP 5.6 and 7.0 on my local machine).

Worked here without any issues.

This pull request solves #340

Keep in mind that we do not need any salt as password_hash creates a safe hash by default.

Hello all. In order to make updates to question2answer.org easier for more people to get involved, and to reduce the maintenance effort from current management, I propose to move this website to GitHub pages using their web server and Jekyll for page processing.

This may be considered a best practice for open source projects and I have started most of the effort already.

For a live preview of this website, please see https://fulldecent.github.io/question2answer.org/

If you would like to get involved, please see https://github.com/fulldecent/question2answer.org

This issue was created in an effort to find more contributors interested in helping. Please join if you have HTML or Jekyll experience or if you otherwise support the cause.

When the result is good enough, we will create a pull request from that project into this project in a new gh-pages branch move this project to the q2a user. The end result will be a website which is automatically generated from source code here in the question2answer repository and supported by the Q2A contributors like you and me. Further discussion on the project plan and migration plan are at https://github.com/fulldecent/question2answer.org/blob/gh-pages/README.md

Just bringing this into attention from http://www.question2answer.org/qa/52743/security-wise-how-secure-is-q%26a resp. http://iedb.ir/exploits-2900.html

###########################

# Question2Answer 1.7 - Stored XSS Vulnerability

###########################

######################################################################
[+] Title: Script Question2Answer 1.7 - Stored XSS Vulnerability
[+] Author: s0w
[+] Tested On Windows & Linux
[+] Date: 21/03/2015
[+] Type: Web Application
[+] Script Download: https://github.com/q2a/question2answer
[+] Vendor Homepage: http://www.question2answer.org
[+] Vulnerability in:\qa-include\pages\question.php
[+] Google Dork : intext:"Powered by Question2Answer"
#######################################################################

[+] As shown in the code, the value of 'title' and 'textbody' not filtered
by 'htmlspecialcharts'
which cause stored xss and same in data-store in webserver SQL commands
.

[+] Exploit :
1. Browse application in browser ..
2. Add new question with xss code like alert method ;)
3. submit the new question to viewers ..
4. complete next steps as xss in tag,body,title,.. etc ..
5. Finally submit your Qes ..
6. Test your target in main page ./index.php ..
7. Use this in Cookies,alerts, Or TrafficBots :D Have Fun !!

[+] XSS Pattern can be used: '"<script>alert(/s0w/)</script>
[+] Demo Video : http://youtu.be/6qy9DXifNiw
[+] Demo Target :
http://soualwjoab.com/

# Discovered By: s0w
# Contact: fb.me/s0w.egy
# Mail: [email protected]

To Egyptian Shell team | Sec4ever

###########################

# Iranian Exploit DataBase = http://IeDb.Ir [2015-03-25]

###########################

Has this been fixed?

Hi, in default login page and signup page is separate . It is better both in same page. for example :

if you have an account please log in : 
username:
password:

if you dont have an account , please sign up : 
username : 
email : 
password

I'm having trouble modifying sections of the code controlled by SnowFlat theme from my plugin. The theme just calls $this->method, instead of delegating to the layer stack which would cause my layer to run. It isn't documented that theme defined methods will have precedence over whatever is written in a layer class

Anyway, I want to convert my layer into a theme, but without overriding all the styling of SnowFlat. Unfortunately, it just enables my new theme but doesn't seem to execute its qa-theme class. At the top of it, I have

require_once QA_INCLUDE_DIR . "../qa-theme/SnowFlat/qa-theme.php";

use qa_html_theme as SnowFlat;

class qa_html_theme extends SnowFlat {
    // my methods
}

The above neither works nor throws any error. I can't var_dump but I know the class doesn't run since it throws no error when I put a deliberately wrong path

How do I fix this?

After entering a notes link like in a text field (question/answer/comment) and after saving and closing the dialog the link is prepended by the word "denied:" which renders the link unusable. A notes link is something like "notes:///xxxxxxxxxxx". See https://www.hcltechsw.com/notes. This is NOT an issue of ckeditor. The culprit is q2a/qa-inlude/vendor/htmLawed.php line 340.

What's wrong?

Using the default theme (SnowFlat), the top right menu has a corrupted background, as shown in the image below.

What does this PR do?

This PR simply adds extra space for the menu container by extending its height. It will look like this:

I recently walked through the basic install https://docs.question2answer.org/install/ And it says you can find the latest version of the code on github. However, the default branch is dev, not master.

It would probably be good to mention the person installing needs to switch to the master branch because there are bugs in the dev branch. Or just make master the default branch? Either way...