WIKI and FORUM BUG REPORTING

[nick65go]

Thank you for replicating the problem. It's a hard stop for any new users trying to register.

So we are the happy few / "the chosen ones" for this selected group /bubble, not bothered by intrusion /aliens to shared their undesirable ideas/ proposals. Any novice wanting to "participate" must learn /do it on git hub, under M$windows approval.

[wasifb]

It seems like the second Captcha accepts the same values as the first one. I was able to register by modifying the form data before it gets sent to the server. Here's the JavaScript code that intercepts the form submission by attaching a 'formdata' event handler to the form ($0 refers to the form).

Code: [Select]

$0.addEventListener("formdata", (e) => {
  const formData = e.formData;
 
  const one = formData.get("imgoneField");
  const two = formData.get("imgtwoField");
  const three = formData.get("imgthreeField");
 
  formData.set("imgoneField", one);
  formData.set("imgtwoField", two);
  formData.set("imgthreeField", three);
  formData.set("imgoneField", one);
  formData.set("imgtwoField", two);
  formData.set("imgthreeField", three);
});

This is a temporary workaround on the client side to successfully register on this forum. Just run this code in the developer console after selecting the form element.

[saper]

This second captcha is a bug. Its controls do not work... I managed to register just by deleting the second captcha with DOM inspector.

(Besides, it takes a while to get the registration email - maybe this should be mentioned somewhere - my message IDs were <4Pl9bF75nMz34W@carjack.dreamhost.com>
 and <4Pl9lF39fdz3N0@carjack.dreamhost.com>).

[nick65go]

This is a temporary workaround on the client side to successfully register on this forum. Just run this code in the developer console after selecting the form element.

Congratulations! I had a look into the original code also, but I did not manage to finish the analysis.
PS: for clarification I used Firefox browser menu MoreTools/WebDeveloperTools.

About your text "the developer console", maybe you could give more detailed instructions about finding the object ID, the place where to insert your code in the existing code, etc.

[aus9]

What is the current status of wiki logins please?

One member has raised an issue here
http://forum.tinycorelinux.net/index.php/topic,25957.msg168117.html#msg168117

and today I attempted to login to wiki and the message reads
"Sorry, username or password was wrong."

pretending I was already a member, I attempted reset password and msg reads
"Sorry, we can't find this user in our database."

FWIW I attempted on TC64 firefox with ublock origin turned off

[h2]

I've been experiencing these advanced search issues frequently, to the degree that advanced search simply is not usable day to day. It's not a matter of refreshing in most cases, once it starts, I can't get it to work anymore at all, until I think maybe some time passes since my last use of the advanced search feature.

This unfortunately makes the forums largely unusable because my main goal there is to find the latest posts that contain 'inxi' in them, but since the order presented by regular search is basically random as far as I can tell, or based on some factor other than date/time, it's not useful. I assume it's searching on the default parameter, most relevant, maybe.

I have done a lot of web development in my time, and this to me looks very much like a failed attempt to implement some type of spam bot protection, probably cookie based since when I tried switching to a new browser, for a while advanced search worked, but not for very many days, after a time, it stopped and wouldn't work again until today.

I tested this again just now, and it worked again, which suggests to me a timer on a cookie that is firing incorrectly, maybe with a counter.

Unrelated, but the login captcha thing, if I remember right, was nearly  impossible to read, I think it took me like 10 tries, with guessing at least on one of  the characters, to get it right. I would suggest switching to google's recaptcha 2 or 3, which are a pain, but aren't as impossible to decipher, and actually often/usually guess right, and just give you the checkbox for I am not a bot. I don't know if simple machines supports recaptcha 2,3, it should, it would be weird if it didn't, but it might not, but the current captcha is probably driving away quite a few users who just give up.

I sympathize with the issues caused by forum spammers, I've dealt with those for years, but I tend to think that if they make stuff actually start breaking on the software in the attempt to fight them, they really won, and that's about it.

as of 20221003-0728am-cdt-usa

still getting quite a few of these 403 errors when using various functions of the forum(especially the advanced search function)

Error 403

We're sorry, but we could not fulfill your request for /index.php?action=search2 on this server.

You do not have permission to access this server. Before trying again, close your browser, run anti-virus and anti-spyware software and remove any viruses and spyware from your computer.

Your technical support key is: xxxx-xxxx-xxxx-xxxx

You can use this key to fix this problem yourself.

If you are unable to fix the problem yourself, please contact the WEBMA5TER and be sure to provide the technical support key shown above.

sometimes just refreshing the page fixes the issue but other times it happens repeatedly and we just give up and try it again at a later time...

just an fyi...

[h2]

Just my feedback as a long time forum operator and user, I would have been on here years ago but the login/account creation was broken, and there's still quite significant issues (advanced search, captcha image too difficult). I suggested to one of the tinycore guys via email they just switch to linuxquestions.org and call it a day. Those forums are pretty well run, reliable, good reputation, and seem to largely work as expected.

To me, if there are this many hurdles to entry, only someone really determined is going to actually sign up, I know I did not get successfully signed up after my old account vanished until 2 emails were sent, and that's as me as a packager who knew who to email.

I'm not saying this to be critical, but to me, it looks like there are just too many issues with these technically, none of which should have existed.

I have't personnally used simple machines, though I think I've looked at its code a long time ago, so I can't say much about that, but as I noted in my other bug post just now, my guess is the stuff is broken because of spam bot handling, which is not working right. Just a guess, but that's what it looks like to me. I've seen other forums, mx/antix come to mind, that have significantly damaged their usability with their spam bot measures, but with them, it's' more around excessive spam post filters that make posts just vanish when you make them, then you have to try to go line by line to figure out which keyword tripped the spam filter.

I wish I didn't have as much experience as I have with this forum spam stuff, but sadly it's been a scourge for many years now, xrumer is just fairly well written software, the developers are very good. If you don't know what xrumer is, then good for you, you've never dealt with that part of the internet.

And after years of no luck contacting system admin, I had the idea this forum would be upgraded by CentralWare.
We have this posts on 5 and 6 october 2022, and the last one on 16 october 2022.

And then more than 3 months of NOTHING.....

Maybe it is time to hand over the keys to someone else for hosting en maintaining this forum. There must be more than one person taking this to a higher and more professional level.

Had some doubts posting this message, but hey, the Admin has left the house (again) per 1 nov 2022 .....

I hope CentralWare sees this move as something positive and his burden will be lifted by others. Thanks for everything.

[h2]

When I was looking at the issues, it suddenly struck me, I've seen this type of issue before, and it was caused by attempts to merge things like wiki and forum software. I was in a project a while back where one of the guys thought it would be a good idea to use one of these mixed attempts to combine 3 different projects, forum software, wiki, and one other one I forget now.

I watched that from the outside for a while, and it rapidly became evident to me that this is not possible in any real sense, though in that case, I did not get involved since I didn't want to deal with the guy who had made that decision, and I was doing web stuff for a living, and knew it wouldn't work.

Simplicity is your friend here, trying to combine logins to different platforms is a generally very bad idea. I'm not sure this is what is going on here, but given the error message, it looks like it may be.

Thisi is more of a cautionary warning, I've seen this attempted, and it will generally fail unless you have at  least one serious web developer at hand, which almost nobody does, and one willing to do basically the worst type of work in the world for free, which is trying to fix mashed together stuff when it breaks, which it always will. I won't ever accept that type of job for any amount of money. The best solution is to dump that idea, implement standalone quality tools, and go on, if that's what you want.

The ideal is the unix saying: one small tool for each job, and leave it at that.

I don't want this to be taken the wrong way, but when I click on a link and end up with unprotected unhandled full complete error message, which shouldn't even be visible to end users at all, that's not a little thing wrong, that's a massive set of red flags.

I like packaging inxi for tinycore, but would suggest maybe move away from trying to run all these solutions yourselves. Or disconnect them, so that each can be debugged on its own. This is just my experience on what to avoid, and what is a predictable failure. One of my clients runs a CMS, and we totally relied on what I considered to be a core module from them, that's how it was presented, then we did an upgrade one day which destroyed that module, which turned out to not be a core part of their project at all (think something like trying to merge logins between two different foss web tools), and in fact, has never been upgraded or fixed. We, or rather, I, had to literally write the entire logic ourselves to restore the feature, which cost around $10k to do. Now we don't depend on anything like that, just the raw barebones of the software, and I have told them we will never rely on any of their extensions or modules again, beyond what we know for certain actually truly are core modules, and even then, not very many of them.

This is just my experience.

Trying to resolve various codebases written by random people at random times, with random skill levels is not something you can really do in the real world, even when it's all by one person, it can be really hard, I'm reworking a very old website I run now, where I wrote all its logic, to expand and enhance that, and that's running on 2 weeks now off/on programming, but I like the project, and I like my code overall, and I like the logic, but if it weren't mine, I would never touch it. And that's a best case scenario.

Code: [Select]

CON: [mysql:host=mysql.itquit.com;dbname=tinycoreforum_smf]
QRY: [SELECT * FROM smf_members WHERE id_member = ]

Fatal error: Uncaught PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1 in /home/coreroot/wiki.tinycorelinux.net/forumz.php:18 Stack trace: #0 /home/coreroot/wiki.tinycorelinux.net/forumz.php(18): PDO->query('SELECT * FROM s...') #1 /home/coreroot/wiki.tinycorelinux.net/doku.php(21): require_once('/home/coreroot/...') #2 {main} thrown in /home/coreroot/wiki.tinycorelinux.net/forumz.php on line 18

[aus9]

hi

h2 wrote

just switch to linuxquestions.org and call it a day. Those forums are pretty well run, reliable, good reputation, and seem to largely work as expected.

If this was done, it would resolve 2 issues for me.
1) potential members could join and yes I am aware of anti-spam issues are taken at LQ too
2) private messages would work correctly at LQ while at this forum, not always.

I accept that I am noisy, grumpy etc but really LQ is the answer.

Loyalty by the owners to this forum engine (simple machines) does not seem to be answer why we still are using it.

In OH&S   the main rule is.....spot the hazard and prevent it. (The 2 main faults of current forum)
At the risk of repeating myself....LQ is one of the answers

LQ have a very good explanation that no money is required just active support as shown here
https://www.linuxquestions.org/questions/linux-distributions-5/why-is-there-no-forum-for-my-distro-513876/

distro maker will participate in it.

#############

The dev team could then adjust the info on support forum link showing up at distrowatch.com similar to Slackware
https://distrowatch.com/table.php?distribution=slackware

#########################

But wait there is more!

our current forum is not "secured" it runs http while LQ runs https
And a number of web browsers are planning on removing support for the older http
So by moving to LQ or similar forum that do not have our issues we are future proofing

Thanks for reading

[CNK]

our current forum is not "secured" it runs http while LQ runs https
And a number of web browsers are planning on removing support for the older http
So by moving to LQ or similar forum that do not have our issues we are future proofing

That's one thing that CentralWare did fix - it now works on HTTP and HTTPS so if browsers do drop HTTP support, the forum will still load over HTTPS in them.

I prefer that the forum still allows HTTP connections, which makes it easier for me.

If I had my way I'd have everyone switch to Usenet, rather than Linux Questions which I probably wouldn't use. Everyone has their own favourites.

[patrikg]

As what I can see, the version running in this forum is very old.
SMF 2.0.15

The SMF 2.1.4, may be the thing you question, solves the newer one.

[curaga]

I haven't been able to access linuxquestions in years because they use tight cloudflare settings and cloudflare blocks me.

[patrikg]

@curaga
Here you go if you can access wayback machine.

http://web.archive.org/web/20221113042400_id/https://www.linuxquestions.org/questions/linux-distributions-5/why-is-there-no-forum-for-my-distro-513876/

And what I can see the link (button) from the forum to the wiki is fault.
Should be changed in the forum file https://forum.tinycorelinux.net/wiki.php

FROM:
https://wiki.tinycorelinux.net/doku.php?uid=&ip=

It should refers to welcome, like this.

TO:
https://wiki.tinycorelinux.net/doku.php?id=welcome


And as your footer

- "The only barriers that can stop you are the ones you create yourself."

[h2]

A few things, showing the version number of simple machines, and showing it as out of date, is an open invitation to anyone who follows vulnerabilities to exploit them.

At the very least, pull that from the footer template chunk so that automated bots can't detect it.

I access linuxquestions.org almost daily, and have never seen anything problematic about it. Cloudflare issues might reflect locale of access, I in general almost never see cloudflare challenges.

Those are I believe javascript based, so you do have to allow javascript for LQ.

I am posting again because I again had server 500 failures, along with full post rejection without any alert, obviously caused by a misconfigured security rule, probably on the web server.

I posted this in another bug thread here, but the issues are not minor, but at least get rid of the open advertisement that the forum software is seriously out of date, just as a minimum. This takes about 2 minutes to get rid of since it will just be something in a template somewhere.

A few other things, https should not be optional, otherwise there is almost no point in using https, that might of course require ca-certificates be added to the tinycore base install, which pulls in openssl, so I can see the reluctance there.

You can make apache/web server rules that force use if the browser supports it, if I remember right, and falls back to http if the browser does not support it. Not positive, I know you can do it in code, but I think you can do it in configurations too, like .htaccess.

As someone above suggested, first of all, update simple machines to current, and if you can't update it due to some linking between the broken wiki software package and simple machines, that is why you don't do that, break that connection since the wiki doesn't work anyway.

Note that the open display of all the error data in the wiki link is STILL present, which means nobody is taking care of this stuff.

I repeat my suggestion: do yourself and your users, and your potential new users, a favor, and move the forums to lq and call it good and fixed. Then maybe install the wiki software package after removing the mods, if any, to attempt to connect the two user databases, and go on, hopefully you didn't lose all the data in the wiki, but if you did, ouch.

Running this stuff over time is a real pain, and a real commitment, but the ongoing presence of nothing but red flags indicates to me that in a sense, the facts have already made the decision, and it's just a matter of catching up to the facts.

In the old days I would have volunteered to help resolve this, as long as I was allowed to actually fix it, and not add more hacks and patches, but since I don't know either software package, experience guides me to not do that, or to even try.

But if I were to try, I'd figure out if there were any mods applied to link the databases, undo those mods, then do reinstalls of both forum and wiki software, current latest version, and pray it worked. If it did not work, I'd move the forums to lq.org and set up a new wiki package, and never try to repeat the errors that led to the failures.

I find, speaking for myself, the work required to maintain over many years this stuff requires always keeping up with fixes, updating, patching, etc, and it can't be done if you are not an active experienced web developer, except maybe for wordpress, which tends to upgrade fairly cleanly, but it's also annoying to run over time, and has a terrible forum feature, more of a hack than anything else, so not recommending that.

Again, re cloudflare, you want to leverage that existing protection, dealing with cloudflare is another pain for admins, but if it's all set up and working, you don't need to deal with it, beyond maybe a few users enabling javascript, or not being able to access site without a gui browser that runs javascript.

Actually, I take that back, I just tested our cloudflare protected site, and it loaded fine with lynx, so that's not an issue.  That's lynx hitting a forced https page, by the way, through cloudflare, and lynx is about as basic as cli browsers get.

The hacker in me itches to try to fix your codebase, but the experienced developer in me knows that would lead to nothing but pain, but in many cases, just stripping out any mods, totally removing them, then updating the software in question to current version, may work.

Given your wiki simply doesn't work at all, and is displaying private system errors to the world, I would suggest this is the perfecct time to dump what you were trying to do, and update the software, remove the hacks, and then see what you have running and what doesn't work.

[h2]

By the way, I was doing an edit, and added a paragraph of text, and triggered an internal server error. Removing this removed the internal server error, but oddly, adding it here does not then further trigger it. This points to real bugs, in this case, with failed attempts at spam protection, which should never trigger internal server errors.

I would further add, if this trivial thing is out of reach of current maintainers, then you need to move the forums to lq or comparable, though I know of nothing comparable for linux distributions. That fix is almost literally the easiest fix you can do with a codebase like simple machines, and if that can't be done, then it's certain nothing more substantial can be corrected, which means, it's time to wave the white flag and move on.

I'm not going to harp on this, you either get what I'm saying or you don't, and if you get it, protect yourselves and your users, upgrade the software, hope it now works, after removing mods which are failing, then if that doesn't work, give up, and move, since this site is almost certain to get hacked in the future, with all user data compromised. If it hasn't already happened of course.

A few other trivial fixes: update the contact email on the 500 error page so that users can actually report messages, easiest is to just add that email to the hosting account and have someone connect to it, or change it to something that works.

Anyway,  best of luck, but this site is unsafe to use in my opinion as currently configured.