This thread is for all your simple questions about installing and running Wakaba or Kareha, that just require quick answers. Please don't create new threads for issues like that, post them in here instead.
Before posting, check that the question has not already been answered in this thread, or in the previous thread: http://wakaba.c3.cx/sup/kareha.pl/1141929669/
Questions about "500 Internal Server Errors" go in this thread: http://wakaba.c3.cx/sup/kareha.pl/1109033191/
This is a suggestion regarding security. I assume this is the correct place to post it; otherwise, I can start a new topic.
Please implement proper file content filtering in Wakaba/Kareha. As of right now, Wakaba filters out forbidden file types through an array of forbidden extensions, but this is not necessarily sufficient. For example, a PHP file may be uploaded with extension ".php.7z." If a board allows the 7z extension and if the file is not renamed (as is default in the case of Wakaba), an Apache server may in fact still execute it, resulting in the execution of malicious code. This has actually caused a significant disturbance in a site with which I help out. A simple two-line patch that relies on the UNIX file() utility has been written to address this for the moment.
>>472
the default is to not allow any files except jpg, png, or gif images (and rename them). it's possible to make it insecure by configuring it improperly, but it's certainly not the default.
Like >>473 says.
Also, I'm really tempted to say that that is in fact a PHP bug, and until they fix it you're better off disabling PHP on your server.
>>475
Even if it isn't a bug, it's probably caused by shitty/careless PHP coding.
>>472 also, remove the +x from your uploads folder.
When I say default, I mean Wakaba's behavior when enabling non-prohibited filetypes in config.pl, such as MP3s. I'm pretty sure Wakaba is set up not to rename those after uncommenting the respective lines.
I am told by the server admin that it is actually a bug with the latest Apache (or perhaps mod_php), possibly affecting only Gentoo. I could not find a citation (beyond this anecdote) to support the claim, but this seems to be a known issue. It does turn out that if ".php" is found anywhere in the filename, it is still executed by Apache. A PHP file can then be disguised as a 7zip file or MP3 file (e.g., nasty_hax.php.mp3), and be uploaded. If the extension is uncommented in config.pl, it gets uploaded. If the server (or PHP interpreter) suffers from the issue, the attacker executes the malicious code and has fun. I have neither tested nor asked about this for other script types. Indeed, renaming files would technically render this exploit moot, but by default Wakaba does not do this with non-pictures. There are Wakaba boards out there that support non-picture uploading, and I have seen only one (Pooshlmer) that renames files.
Indeed, that is a wise suggestion. In fact, I've just chmod-ed the src/ directories myself.
...and then the pictures could not be accessed by anyone. I set permissions to 644, but no one could see the pictures unless the execute bits were set. I'll have to ask the admin about it myself, unless someone here has an idea.
At any rate, I just thought I'd share the (admittedly nontrivial) suggestion and post about this potential exploit for other people. It completely blindsided us. Having a layer of security at the board software level in case of a future server exploit sounds like the best solution, though I understand leaving it in the hands of the administration rather than adding feature bloat.
Kudos for the script.
it is a mod_mime "feature"
Well, the core issue is that PHP is broken and will execute files without the +x bit set. This is horribly insecure, and should never have been implemented, but apparently now we're stuck with it.
The best solution is to completely disable PHP. If you have to use it, enable it only for folders known to be safe from uploads and disable it everywhere else.
To add extra protection in Wakaba for it, though, rather than mess with file, it'd be far easier to just dump all files whose filename matches /\.php/. This issue shouldn't affect any CGI languages, since those won't run without +x.
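Added example, not part of the thread and not Wakaba's own code: a filename check for the multi-extension case discussed above, which inspects every dot-separated segment rather than only the last one and stores the file under a generated name. The two extension lists, the function names and the "uploadN" stem are assumptions made for this sketch; the sample names are constructed.

```perl
use strict;
use warnings;

# Assumed lists for this sketch: adjust to what the board allows and to
# whatever extensions the web server maps to a handler.
my %ALLOWED_FINAL = map { $_ => 1 } qw(jpg png gif mp3 7z);
my %HANDLER_EXT   = map { $_ => 1 } qw(php php3 php4 php5 phtml pl cgi py sh shtml);

# Returns (1, "ok") or (0, reason). Every segment after the base name is
# checked, because mod_mime considers each extension of a file name.
sub check_upload_name {
    my ($name) = @_;
    return (0, "empty name") unless defined $name && length $name;
    $name =~ s!^.*[\\/]!!;                       # drop any client-supplied path
    return (0, "control character") if $name =~ /[\x00-\x1f]/;
    my @parts = split /\./, lc $name, -1;        # -1 keeps trailing empty fields
    shift @parts;                                # first piece is the base name
    return (0, "no extension") unless @parts;
    return (0, "empty extension segment") if grep { $_ eq '' } @parts;
    for my $seg (@parts) {
        return (0, "handler extension .$seg") if $HANDLER_EXT{$seg};
    }
    return (0, "final extension .$parts[-1] not allowed")
        unless $ALLOWED_FINAL{ $parts[-1] };
    return (1, "ok");
}

# Stored name keeps only the final extension; call it after the check passes.
sub stored_name {
    my ($name, $stem) = @_;
    my ($ext) = lc($name) =~ /\.([a-z0-9]+)\z/;
    return "$stem.$ext";
}

# Constructed sample names, including the two patterns mentioned in the thread.
my $serial = 0;
for my $name ("cat.jpg", "song.mp3", "nasty_hax.php.mp3", "archive.php.7z.",
              "a.PHP5.gif", ".htaccess") {
    my ($ok, $why) = check_upload_name($name);
    my $verdict = $ok
        ? "accept as " . stored_name($name, "upload" . ++$serial)
        : "reject: $why";
    printf "%-20s %s\n", $name, $verdict;
}
```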
I've got a problem somehow related to encoding.
I successfully installed Kareha, but every time I try to make a post I get a white screen with text saying "Software error: Unknown encoding 'utf-8' at wakautils.pl line 613". It doesn't abort the posting though (my messages still appear despite the error), but the flashing is no good.
I didn't do any changes to wakautils.pl since the very install. What could be that?
>>485
Nevermind, it's alright now... I really forgot to update my perl.
http://wakaba.c3.cx/sup/kareha.pl/1130723862/318
I noticed this issue was never addressed. The CSS typo is still included in the current version of Kareha. I don't know if you forgot about it or if it's intentional...
Hello, is there any built-in way or any code snippets you guys have that would allow me to set an image limit on a thread (like a single one)? I could probably manage this myself eventually, but I was wondering if it was done already.
I have a problem with kareha, I cannot set a maximum image limit per thread.
I thought IMAGE_REPLIES_PER_THREAD actually meant IMAGE REPLIES PER THREAD! Apparently it doesn't do anything. I am still able to post image replies way beyond the limit. Is there any way to control this problem?
I think it makes the thread stop bumping when you pass the limit.
Why on earth would you want to limit the number of image replies anyway? That's just annoying, and adds no value to anyone.
>>491
It allows me to control the amount of images uploaded so that I don't go over a certain limit. I'm running a small board with limited bandwidth and space.
I want to be able to control the space in terms of number of threads. There's no shame in that. Why are you trying to control my methods so much by just waving it off as "I don't like it, therefore, it is bad." ?
>>492
There is a configuration option for limiting the threads by filesize, you know.
Like the guy says, there's an option already for setting the maximum disk space usage across the entire board. That's what you want to use, not some weird and ineffective limiting of posts per thread.
>>479
Wakaba starts off by renaming files uploaded with those filetypes, but restores the name afterward. If you want to use the generated names on files, search wakaba.pl for "externally defined filetype - restore the name" and comment out that entire if block. I'd give the line numbers, but I've done a bunch of other custom stuff in mine, so they won't be accurate.
OK, so I just closed a thread in Kareha, and I ended up getting this error when I tried to reopen it. Is this normal? By the way, I'm using image mode, on a Linux server.
>>497 did the thread reopen? That's sometimes an artifact of a page that didn't load completely.
>>498
No, the page didn't reopen. Not even when I refreshed it.
Hey I've got a bit of a problem. I've got Kareha pretty much set up but I'd like my .htaccess to default to a different page.
Googling gets me the syntax for that (DirectoryIndex etc.) but I don't understand the included example.htaccess file and the directions to change the RewriteRule stuff. Maybe this is more of a general IT question but what am i missing?
http://httpd.apache.org/docs/2.2/mod/mod_dir.html
> A file written by the user, typically called index.html. The DirectoryIndex directive sets the name of this file. This is controlled by mod_dir.
(In case you simply stopped reading the example.htaccess after the very first line, the mod_rewrite directives at the bottom are purely optional, and have nothing to do with the index page. They only are there to provide better hints to web browsers about the document character set.)
Don't touch config_defaults.pl, ever. That's just where the error was triggered. Your problem is still in config.pl, and you've either removed, commented, or renamed ADMIN_PASS or NUKE_PASS.
Not sure about your verification code error, but to change the title (or anything else), just edit config.pl and let wakaba.pl regenerate your html.
And, yes, wakaba.pl has a purpose; it's what your site runs on...
Can you use the same mysql database for multiple boards? If not, how do you use the same admin table for every board to make global ip bans?
Another question:
When you run wakaba.pl, wakaba.html is created. But I'm wondering if there's a way to edit something so when the html file is created, it's named something like board.html, or imageboard.html.
>>513
Doesn't work, I changed that and it had no effect. Edited the field in config.pl, deleted wakaba.html and re-ran wakaba.pl but it still creates wakaba.html.
is there any way i can disable the ability to post images?
>>516
Yes, it's very plainly in the configuration. Look for the word "image".
ok i thought so i just haven't gotten the script yet and it didn't say anything about like if you put it to 1 or 0 so i was just making sure. thanks though
is there any way to have multiple boards?
im talking about kareha and i mean have things like /board 1/ /board 2/ like different sections where multiple threads and posts can be made sorta like kasuba
i asked people on 4chan and they said i could make a portalish type thing and run multiple karehas off the main page, this is i guess what i want to do, any advice on how to go about doing this?
>>523
Multiple kareha installations.
This really isn't that hard.
I've been running my Kareha imageboard for about a month now, and I've been looking to add new CSS. However, I tried just making a new .css file and putting it in the /css folder, and it doesn't work... How do I add new CSS styles to Kareha in image mode?
Did you rebuild caches?
>>527
Ah, forgot to do that. Thanks for your help!
http://rokuchan.org/wakaba/wakaba.pl does any one know what the problem is and how to fix it
Software error:
Bad name after comments' at config_defaults.pl line 15.
Compilation failed in require at /home98c/sub009/sc61836-VWOA/rokuchan.org/wakaba/wakaba.pl line 17.
BEGIN failed--compilation aborted at /home98c/sub009/sc61836-VWOA/rokuchan.org/wakaba/wakaba.pl line 17.
We aren't psychic, we can't tell what you put in that file that broke it.
Can anyone help me, please? I usually got "Error: No verification code on record - it probably timed out." when trying to post in my oekaki board. I fixed it for posts on main page as this guy said http://wakaba.c3.cx/sup/kareha.pl/1168935423/7 but I still can not fix it for replies.
is there some who can help me please I'm using Futallaby right now and I hate it
I'm >529
>>531
well here is the file I put * over the some stuff like the pw user name and other stuff
here is the txt file
http://rapidshare.com/files/209442147/wkbrokuchan.txt.html
>>534
If you'd just uploaded that file to this board, or used a pastebin, I might have had a shred of care to look at it.
there
>>537-538
I daresay you're editing the wrong file. Start over, and pay closer attention, you should not be touching config_defaults.pl at all.
Whew. This thread is quite the read.
I'm having an issue where I delete wakaba.html and run (access via browser) wakaba.pl. I am then redirected to wakaba.html, which does not exist. It is not built/rebuild when I access wakaba.pl. Clearing cache results in the same 404. Suggestions?
What if you go to admin.pl?task=admin and rebuild it?
>>541 admin.pl isn't in the zip file I downloaded. I can still rebuild from wakaba.pl using wakaba.pl?task=admin (or something close), but the problem persists.
Something interesting I noticed. If I use permissions 755 for folders (res, in particular), line 378 (inside print_page) goes crazy and throws errors saying a temp file can't be created. It works only if I chmod res to 777.
So with chmod 777 to res, I get wakaba.html not found.
With chmod 755 to res, I get Error: Can not write to directory.
>>541 Issue resolved:
Had to mod /var/www to 777. Icky solution, but maybe my live environment will be better configured than my development environment. Thank you for your help.
I'm wondering why Wakaba doesn't automatically truncate threads beyond a certain point. If it does, where do I find this option?
thanks
I have a quick question, does posting (running kareha.pl) cause that script to rebuild all the pages?
Hi, I love your scripts ;)
truncate as in, now I have 31 pages of threads after I was testing it..
and I want it to only show say 150 threads at any one time ;)
using Wakaba
Anyway, just wondering if you're going to release your notes.pl script, thanks!
oops, I found the notes.pl script :)
I thought it was just in indefinite testing, sorry
thanks
How do you get rid of the bee? I cant seem to find it in any of the .pl files. Is there something i comment out to stop embedding of files?
> How do you get rid of the bee? I cant seem to find it in any of the .pl files.
remove it from include/rules.html. it's not part of kareha.
people who have the admin password for your board keep adding it through the admin interface.
> Is there something i comment out to stop embedding of files?
yes. fix your php script so people can't inject perl code (so they can't just get the password again), and then change the admin password for your board.
>>550
Hm... helpful advice. I would have just recommended getting off of the internet altogether.
The thing is that it just shows the code on the browser, i think i have properly configured the httpd.config file, and yes i do have perl and i have a correct hashbang. Im using xampp on windows and i dont know what to do, any ideas ?
>>552
Oops i forgot the beginning:
Apache wont execute wakaba.pl
>>553
does this perl test script work?
http://wakaba.c3.cx/sup/kareha.pl/1109033191/4
Read through config.pl to find the various options for how threads are deleted. By default it happens by number of posts, not threads.
If code does not run, you have not properly configured the httpd.config file. Beyond that, it's not like we know how your server is set up. You really need to figure out that part yourself. Also, xampp is known to cause all kinds of problems.
>>554
It works with mod-perl activated, but with that i get this error with wakaba.pl:
[Wed Mar 25 14:06:30 2009] [error] Can't locate config.pl in @INC (@INC contains: . C:/xampp/perl/site/lib/ C:/xampp/perl/lib C:/xampp/perl/site/lib C:/xampp/apache) at C:/xampp/htdocs/wakaba/wakaba.pl line 16.\nBEGIN failed--compilation aborted at C:/xampp/htdocs/wakaba/wakaba.pl line 16.\n
Internal Server error 500
>>555
I did it using this guide:
http://www.thesitewizard.com/archive/addcgitoapache.shtml
Hi, I've got a problem with Oekaki.
I'm using Shi Painter, and everything is OK except one thing: after clicking upload in painting window it shows me a preview in a reply form, and in this preview picture has some constant name. So, my browser saves this picture to cache and next time, when I draw other picture, it shows me the previous one.
Thank you, and sorry for my english.
Configure Apache to send no-cache headers for all files in tmp/.
>>560
Hm... I tried:
header("Cache-Control: no-cache, must-revalidate");
header("Expires: Sat, 26 Jul 1997 05:00:00 GMT");
It didn't work.
What am I doing wrong?
>>562
In my .htaccess:
<IfModule mod_headers.c>
<Files *.html>
Header add Expires "Mon, 26 Jul 1997 05:00:00 GMT"
Header add Pragma "no-cache"
Header add Cache-Control "max-age=0; must-revalidate; no-cache"
Header unset Vary
</Files>
</IfModule>
Still doesn't work.
>>563
Check your page with wget -S http://blahblah/ or something such as Firebug to see if the headers are really being sent. Probably you don't have mod_headers enabled.
Well, all of a sudden my wakaba install is giving me this error:
Software error:
Malformed UTF-8 character (fatal) at wakautils.pl line 447, <FILE> line 3.
Line 447 is:
$str=~s!([^\w/._\-])!"%".sprintf("%02x",ord $1)!sge;
which is part of:
sub clean_path($)
{
my ($str)=@_;
$str=~s!([^\w/._\-])!"%".sprintf("%02x",ord $1)!sge;
return $str;
}
We've edited parts of our script and it's been working just fine for us for quite some time... this is a quite strange error and I'm hoping someone has a clue about what could be causing it. It happens when anyone tries to post or even when I try to rebuild caches. I'm assuming it will happen with anything that calls wakautils.pl.
Probably some kind of malformed UTF-8 in a filename or something similar.
You are sending those headers only for html files. Note the <Files *.html>.
Is there any option that allows Kareha threads to be numbered like that of Wakaba?
No.
Hi. when i'm trying to run wakaba.pl i get a 403 error.
permissions are set to 775.