Affected versions: 1.7, 1.8, 1.9
Not affected: latest (1.9.1) and older than 1.7 (I hope nobody’s still running them!).
The issue
In a nutshell: in a typical API request with data returned as “js”, the job publisher’s email address is revealed, as well as the secret “auth” hash used for editing/deleting jobs (no account is needed for those actions, so the hash is the only thing protecting them). A typical API request looks like this:
/api/api.php?action=getJobs&type=0&category=0&count=5&random=1&days_behind=100&response=js
e.g. http://www.jobberbase.com/api/api.php?action=getJobs&type=0&category=0&count=5&random=1&days_behind=100&response=js
Inside the jobs array/JSON, you’ll see that each job has 2 fields that shouldn’t be there: auth and poster_email.
*auth* is the auth string used in URLs for editing and deactivating job ads.
*poster_email* is the actual email address of the advertiser.
Bad.
The fix
In your _includes/class.Job.php:
a) Search for method ApiGetJobs. On line 501, there should be a while-loop after the big SELECT for jobs. Replace the contents in that while-loop with:
// Load the job by id and fetch its full record as an array
$current_job = new Job($row['id']);
$job = $current_job->GetInfo();
// Strip the two private fields before the record goes out through the API
unset($job['poster_email']);
unset($job['auth']);
$jobs[] = $job;
b) Do the same for method ApiGetJobsByCompany (its while-loop should be on line 541 after you made the change in step a).
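To verify an instance after patching (or to audit one you don’t administer the code of), the following added script checks an API response for the two leaked fields. It is not part of jobberBase; the sample responses are constructed, and because the exact shape of the “js” output isn’t documented above, the walker assumes any dict with an “id” key is a job record, wherever it sits in the payload.

```python
import json

# Fields that the vulnerable ApiGetJobs/ApiGetJobsByCompany responses leaked
SENSITIVE_FIELDS = ("auth", "poster_email")


def _iter_jobs(payload):
    """Yield every dict that looks like a job record, whatever the wrapper.

    Assumption: the API's "js" output is JSON and a job is any dict with an
    'id' key; lists and dicts are walked recursively so a wrapper object such
    as {"jobs": [...]} is handled too.
    """
    if isinstance(payload, dict):
        if "id" in payload:
            yield payload
        for value in payload.values():
            yield from _iter_jobs(value)
    elif isinstance(payload, list):
        for item in payload:
            yield from _iter_jobs(item)


def find_leaked_fields(body, sensitive=SENSITIVE_FIELDS):
    """Return {job_id: [leaked field names]} for jobs exposing sensitive keys.

    An empty dict means the response is clean, i.e. the unset() fix from the
    post is in place (or the instance never had the bug).
    """
    payload = json.loads(body)
    findings = {}
    for job in _iter_jobs(payload):
        leaked = [f for f in sensitive if f in job]
        if leaked:
            findings[str(job["id"])] = leaked
    return findings


# Constructed sample responses (not real API output): one from an unpatched
# 1.7-1.9 instance, one from a patched instance. The hash is a placeholder.
VULNERABLE_RESPONSE = json.dumps([
    {"id": 1, "title": "PHP developer", "auth": "PLACEHOLDER_HASH",
     "poster_email": "hr@example.com"},
    {"id": 2, "title": "Designer", "company": "Acme"},
])
PATCHED_RESPONSE = json.dumps([
    {"id": 1, "title": "PHP developer"},
    {"id": 2, "title": "Designer", "company": "Acme"},
])

if __name__ == "__main__":
    print(find_leaked_fields(VULNERABLE_RESPONSE))  # {'1': ['auth', 'poster_email']}
    print(find_leaked_fields(PATCHED_RESPONSE))     # {}
```

Point it at the body of a real getJobs request with response=js and a non-empty result means the instance is still exposing editing hashes and email addresses.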
====
We’re sorry for not picking this up earlier and we hope your site wasn’t affected in any way by this breach.
If you have any further questions about this issue or other security concerns, please don’t hesitate to write back!
We’ve got a new version fresh out of the oven and it’s truly the best jobberBase version, yet!
If you’re anxious to get it, go ahead and download it.
Here are some of the new features in 1.9:
- Proper support for Windows/IIS hosting. Read the install guide if you’re interested.
- Better multiple themes support, and a new theme in the default codebase — Hireme, from hireme.sg.
- Admin panel redesign, using the Cadify theme.
- Support for more language files — an important step towards full multi-language support.
- All email templates are defined in a single XML file, under the translations folder.
- Config system rewritten and improved.
- Performance updates and general cleanup.
See the full changelog on the wiki.
We’re very happy with how jobberBase is evolving and can’t wait to start working on version 2.0, which will be another big step forward. Can’t wait!
Kudos to the team and a big thanks to our community for the support and involvement!
It’s always my great joy to announce a new version of jobberBase but this one has to be the best moment of them all! And for 2 reasons:
- Our development team grew in the past 4 months and I’d like to thank Chronos, evertsemeijn, navjotjsingh, redjumpsuit for all their hard work!
- This version has the most new features and core updates since we launched, including themes support. We’re well on our way toward version 2.0, which will support plugins.
Here are some of the new features:
- Ability to change all settings from Admin Panel instead of config.php
- Improved and Paginated Search
- Editable Job-Url Structure
- Editable locations
- Recaptcha Support
- Database Prefix Support
- Dynamic Menus in Header and Footer
- Multiple Theme Support
- City Cloud Page
- SMTP Mail Support
Go on and download it directly from Google Code.
You might want to read the Installation Guide or, if you’re upgrading from 1.7, read the Upgrade Guide.
About a month ago, we launched jobberBase Pro, a compiled version of jobberBase + some extra features requested by a lot of customers.
It was a challenging month for our team, one in which we saw our focus diluted between fixing bugs, working on new features and offering support for Pro customers.
Why did we launch Pro in the first place?
For 2 reasons:
- We saw that customers tend to request the same extra features that aren’t currently implemented in jobberBase open-source and we wanted to give them easy access to them.
- We wanted to experiment with a dual-licensing revenue model, as we don’t have a revenue model and need to support further development.
What did we learn?
An open-source project and the community that forms around it is a living organism that reacts to change.
Our great community is alive & kicking and its feedback was mixed: some liked the Pro version and some didn’t. And it was perfectly understandable why they didn’t, which made us rethink our strategy.
Open-source is our way
We never forgot this, but we let it become second priority.
Well, this is ending *now* and we’re back 100% on the open-source version and have stopped distributing Pro.
We still offer support for Pro customers and want to help them achieve their goals with the purchase!
The next big thing
In the following months we’ll keep releasing small updates and bug fixes, but the main development focus will be on a new version, one that’s plugin-friendly.
Once this version is live, you (developers) will be able to build plugins and themes for jobberBase. We can’t wait to get there, guys!
So, in the meanwhile, keep an eye on this blog, follow us on Twitter and get involved in our growing community.
Kudos.
We’re extremely happy to announce version 1.0 of jobberBase Pro, aimed at customers who need a jobsite with employer accounts and payment integration, features not available in the open-source version of jobberBase.
It costs $199/license/domain and you get the complete source-code and free upgrades for 1 year.
Follow this blog and @jobberbase on twitter for further updates.
Indeed, a new version is out, thanks to all of those who made it happen!
In the name of the jobberBase dev team, I’d like to thank every person who got involved in our community and helped others get things done. We truly appreciate your effort.
You probably noticed the refreshed UI on jobberbase.com. We’ve begun to list some jobberBase-powered sites and hope to see that list grow. If you have a jobberBase site that isn’t listed there, send us an email at hello [at] jobberbase [dot] com.
One more thing… we’re preparing a Pro/Premium version of jobberBase, with employer admin, resume management and paypal payment integration and plan to sell it at an affordable price.
We’ll continue to develop both the open-source and pro versions, while trying to figure out how to bring the most value to the world.
It’s been a great ride until now, and it’s only getting better!
We’re really happy to announce this version, with lots of bug fixes and a few handy new features:
- fixed: ‘Invalid use of group function’ exception in class.Stats.php
- fixed: a database query exception was thrown if the search string contained a city that existed in the DB and ended in a space character (ie: “london “). This happened only for live-searches (via AJAX)
- fixed: made the select query compatible with mysql 4 in class.SpamReport.php
- fixed: a database query exception was thrown if the words in the search query were separated by many whitespace characters (ie: “one   two three”)
- fixed: allow to install jobberbase in a folder called “jobs” – thanks to links
- fixed: the total number of applications/searches was not computed correctly; return meaningful data even if there are no applications/searches in class.Stats.php
- fixed: the number of jobs per company was wrong – it also included jobs that are not active
- fixed: CheckPosterEmail was called needlessly when displaying jobs, thus degrading performance (see http://www.jobberbase.com/forum/post2994.html)
- fixed: although set, the job type (ie: full time, part time) was not remembered in the pagination process and thus the pagination was incorrect
- fixed: a database query exception was thrown if more than one city was found from the search keywords
- fixed: the URLs in the mail that is sent after a job is activated by the administrator were wrong
- fixed: multiple emails were sent to the job poster if the jobberbase-based site had Google ads – thanks to links
- fixed: moved stats in admin (/admin/stats/)
- fix/enh: tweaked the query that gets the job applications so that only applications which still point to a job are returned (in case you manually delete the jobs but don’t remove the job applications)
- enh: GetJobsCountForAllCategs makes a single query now instead of a query for *each* category
- enh: now, only one query is used to get the number of jobs per company, instead of one query for *each* company
- enh: if the search query is empty, do nothing – until now, all the jobs for the current category were displayed (which was pretty confusing from the end user’s point of view), and this could lead to huge results because if you’re on the index page you get *ALL* active jobs from the DB
- added: i18n for labels inside javascript files
- new: possibility to show cities in sidebar instead of categories (configurable from config.php)
- new: SEO for Job Categories – thanks to CtCoder
- new: spotlight jobs (sponsored jobs) – thanks to chronos
- new: ‘Edit post’ functionality in admin
This release would not be possible without the hours put in by putypuruty and links. Thank you, my friends!
Go ahead and download jobberBase.
I’ve just uploaded a bug-fix version, so check it out!
* Admin bug fix – activation/deactivation of ads now works;
* Search fix (a bit smarter now);
* SQL dump update: utf8_general_ci collation for the pages table (instead of latin1_swedish);
* Some other small bugs fixed.
We’re extremely happy to announce that Jacques Crocker — “jedi” Rails developer — has just released version 0.0.0.0.1 of jobberBase ported to Ruby on Rails: JobberRails.
It’s open-source, of course, and available for download at github.com/jcnetdev/jobberrails/.
There’s also a hosted demo of the app on jobberrails.morphexchange.com and… it looks just like jobberBase!
The app is still in its infancy and anyone is WELCOME to join the development.
This is really great news!
Having fixed a lot of bugs reported in 1.4 beta, I’m glad to announce the launch of a bug-fix (mainly) version of jobberBase!
If you’re running 1.4 beta and have made customizations, you can probably live without this update.
However, newcomers will skip a few bugs, happy them!
One more thing: I’ve added a “powered by” link in the footer, with a link to jobberbase.com. You’re not required to keep it, but I’ll sure appreciate it if you do!
Have fun!