vBulletin Mods

The Official vBulletin Modifications Site
https://www.vbulletin.org/forum/showthread.php?t=177013

RedFoxy 25 Apr 2008 09:43

Quote:

Originally Posted by valdet (Post 1498687)
Does this MySQL query mean that it will insert the
Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

after each instances of the following code

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

This will affect only templates that need the security token embedded right?

yep

shahryar_neo 25 Apr 2008 13:24

Quote:

Originally Posted by RedFoxy (Post 1498864)
yep

Is use your code but my ajax problem not solved !

2- Thanks Plugin Doesn't work again and it doesn't work on this mod .

:(

i have a question to vBulletin Core Dev Team : Sorry , Did you thinking before release a version perfectly ? :confused: because about the 98% percent of the forums i think use the many mods and with your advices no thing gonna change! because no body can modify the all form !

Dismounted 25 Apr 2008 13:46

Have you even read the first reply to the thread regarding AJAX requests?

Opserty 25 Apr 2008 13:49

Quote:

Is use your code but my ajax problem not solved !

2- Thanks Plugin Doesn't work again and it doesn't work on this mod .
If you are experiencing problems with a modification post in the thread from which you downloaded it, this thread is intended to give advice to those with a small amount of knowledge of vBulletin, PHP and HTML. If you don't have this knowledge you must wait till the author releases a working version of the respective modification.

Quote:

Originally Posted by shahryar_neo (Post 1498970)
i have a question to vBulletin Core Dev Team : Sorry , Did you thinking before release a version perfectly ? :confused: because about the 98% percent of the forums i think use the many mods and with your advices no thing gonna change! because no body can modify the all form !

Either you have a partially working forum or one that is vulnerable to attacks, I know which one I'd choose.

baghdad4ever 25 Apr 2008 13:53

thanks

Wayne Luke 25 Apr 2008 15:51

Quote:

Originally Posted by shahryar_neo (Post 1498970)
i have a question to vBulletin Core Dev Team : Sorry , Did you thinking before release a version perfectly ? :confused: because about the 98% percent of the forums i think use the many mods and with your advices no thing gonna change! because no body can modify the all form !

I have 17 products installed comprised of 88 plugins and quite a few new templates. I had a problem with one product after upgrading to vBulletin 3.7.0 RC4 on my site. That was Princeton's Quick Reply in PMs. Adding the security token to the form took about 20 seconds and the site was fully operational again.

midwestce 25 Apr 2008 16:38

I did the find/replace fix and now on several pages I have an extra /> hanging around. Various mods are still not working. Any help is appreciated.

Golzarion 25 Apr 2008 18:47

Quote:

Originally Posted by Wayne Luke (Post 1498706)

In your Admin CP under Styles & Template select Search In Templates...

Search for: value="$session[sessionhash]"


In every template this occurs in add this line directly after it, if it doesn't exist already:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Save the template.

Thank you !:up: I do all the changes and now have no problem ..

lt was not too hard:) ... infact it is easy .. the other way is :

Quote:

Originally Posted by RedFoxy (Post 1498253)
If you wanna search all template that you need to edit to add "<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />" you can use that query in your MySQL database:

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

after each instances of the following code

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.



I used it to fix all mod that i've installed in my vBulletin board

--------------- Added 24 Apr 2008 at 17:00 ---------------

calendarjump, FAQ, forumjump, WHOSONLINE don't need to be edited if you haven't modded it


shahryar_neo 26 Apr 2008 11:36

Quote:

Originally Posted by Dismounted (Post 1497947)
Also, you need to add the security token to AJAX requests using POST. This can be simply added using the variable "SECURITYTOKEN". An example is below.

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

sorry for my low information . can yoy simplified this instruction for using ajax requests using POST ?

sv1cec 26 Apr 2008 12:57

Could some one PLEASE tell me how to close this vulnerability in vB 3.0.xx?

I would certainly appreciate it.

Kaycee123 26 Apr 2008 16:15

Quote:

Originally Posted by RedFoxy (Post 1498253)
If you wanna search all template that you need to edit to add "<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />" you can use that query in your MySQL database:



I used it to fix all mod that i've installed in my vBulletin board

--------------- Added 24 Apr 2008 at 17:00 ---------------

calendarjump, FAQ, forumjump, WHOSONLINE don't need to be edited if you haven't modded it

I have tried this query under Maintenance - Run SQL query, and also on my PHPMyAdmin database query

Both come back with the same error:

An error occurred while attempting to execute your query. The following information was returned.
error number: 1146
error desc: Table 'iwfu2_main.template' doesn't exist

Dilmah 26 Apr 2008 17:09

Quote:

Originally Posted by sv1cec (Post 1499719)
Could some one PLEASE tell me how to close this vulnerability in vB 3.0.xx?

I would certainly appreciate it.

Upgrade.

powerful_rogue 26 Apr 2008 18:25

Quote:

Originally Posted by Dismounted (Post 1497947)
Also, you need to add the security token to AJAX requests using POST. This can be simply added using the variable "SECURITYTOKEN". An example is below.

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

Hi,

Im trying to get one of my important mods to work, but not having much luck. Ive tried all the other advice, and the only thing I can think it could be is the Ajax.

This is the part of the mod:

Quote:

<script type="text/javascript">
var qstring = '';

function check_pager(qstring)
{
vbPage = new vB_AJAX_Handler(true);
vbPage.onreadystatechange(ShowPager);

if (qstring=='' || qstring==null)
{
vbPage.send('$vboptions[vbpager_forum_dir_name]pager.php?action=pager&do=readpager&', 'nocache=' + (5 * Math.random() * 1.33) );
}
else
{
vbPage.send('$vboptions[vbpager_forum_dir_name]pager.php', qstring);
}
}

function Close_Pager(qstring)
{
check_pager(qstring);
}

function ShowPager()
{
var refreshtime = {$vboptions['vbpager_ajax_refresh']};
if (refreshtime > 0)
refreshtime = refreshtime * 1000;

if (vbPage.handler.readyState == 4 && vbPage.handler.status == 200)
{

// Ignore result if its "Fatal Error"
resultText = vbPage.handler.responseText;
isError = resultText.indexOf("Fatal error");
if (isError >= 0 && isError < 25)
vbPage.handler.responseText = '';

if (vbPage.handler.responseText)
{
document.body.style.cursor = 'default';
pagerbox = fetch_object('PLAYER');
pagerbox.innerHTML = vbPage.handler.responseText;
displayPager();
if (vbPage.handler.responseText == '' || vbPage.handler.responseText == null)
{
pagerbox.innerHTML = '';
setTimeout('check_pager()', refreshtime);
}
}
else
{ if (refreshtime > 0)
setTimeout('check_pager()', refreshtime);
}
}
}
check_pager();
</script>
Quote:

<script type="text/javascript">
var qstring = '';

function new_pager(qstring)
{
vbPage = new vB_AJAX_Handler(true);
vbPage.onreadystatechange(ShowPager);

if (qstring=='' || qstring==null)
{
return false;
}
else
{
vbPage.send('$vboptions[vbpager_forum_dir_name]pager.php', qstring);
}
}

function Pager(tform)
{
var users = new Array();
var arrCount = 0;
for (i = 0; i < tform.elements.length; i++)
{
var element = tform.elements[i];
if ((element.name != "allbox") && (element.type == "checkbox") && (element.checked == true))
{
users[arrCount] = element.value;
arrCount++;
}
}
if (arrCount == 0)
{
alert("$vbphrase[pager_no_user_selected]");
return false;
}
else
{
var querystring = "";
for (i = 0; i < users.length; i++)
{
querystring += "&userid[]=" + users[i];
}
}
querystring = "action=pager&do=newpagertouser&" + querystring;
new_pager(querystring);
}

function PagertoUser(userid)
{
if (userid != null || userid != '')
{
querystring = "action=pager&do=newpagertouser&userid[]=" + userid;
exec_refresh(1);
new_pager(querystring);
}
}

function ShowPager()
{
if (vbPage.handler.readyState == 4 && vbPage.handler.status == 200)
{
if (vbPage.handler.responseText)
{
var refreshtime = 5000;
document.body.style.cursor = 'default';
pagerbox = fetch_object('PLAYER');
pagerbox.innerHTML = vbPage.handler.responseText;
displayPager();
if (vbPage.handler.responseText == '' || vbPage.handler.responseText == null)
{
pagerbox.innerHTML = '';
}
}
else
{
toggle_disabled(1, 'buddylist_option');
}
}
}
</script>
Theres a few other mention, but from looking at those, where abouts would you suggest puttign the security token?

I would ask in the mod thread, however this has been unsupported a long time ago!

King Kovifor 26 Apr 2008 18:26

Quote:

Originally Posted by Kaycee123 (Post 1499846)
I have tried this query under Maintenance - Run SQL query, and also on my PHPMyAdmin database query

Both come back with the same error:

An error occurred while attempting to execute your query. The following information was returned.
error number: 1146
error desc: Table 'iwfu2_main.template' doesn't exist

That is because you most likely have a table prefix inside of it. Try following this post instead:

Quote:

Originally Posted by Wayne Luke (Post 1498706)
Forms are not equal to templates but some templates have forms in them.

A form is anywhere your users can submit data. If you have modifications that submit data and cannot update their templates then you need to post for support in the modification thread.

It isn't hard to find out where this needs to go.

In your Admin CP under Styles & Template select Search In Templates...

Search for: value="$session[sessionhash]"


In every template this occurs in add this line directly after the line containing the above, if it doesn't exist already:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

Save the template.


Boofo 26 Apr 2008 18:30

The bad part is that not all forms have value="$session[sessionhash]" in them in some of the hacks out there. I basically look for <form and then add the line anywhere underneath that where there is a <input type="hidden" line.


All times are GMT. The time now is 02:53.

Powered by vBulletin® Version 3.8.14
Copyright © 2021, MH Sub I, LLC dba vBulletin. All Rights Reserved. vBulletin® is a registered trademark of MH Sub I, LLC
Copyright ©2001 - , vbulletin.org. All rights reserved.