Post #9, 27 Feb 2016, 04:02, by edgeless
Okay. So there are now 3 methods described in this thread for precluding the vB blog sendtofriend exploit. And that tends to raise some questions... at least for me.

Those questions (in no particular order):
1. Has the blog permissions solution been tested against this precise threat?
2. Why didn't vBulletin include an optional permission within the blog permissions section to simply render the "Email Blog Entry" mechanism inaccessible to everyone (effectively turning it off)?
3. Since I know that the blog.php edit solution works (because Dan Druff implemented it back in 2014 and in so doing he has entirely eliminated the exploit from his blog component), and because my method of simply rendering the blog_send_to_friend template inoperative has absolutely and immediately worked for me to stop this remote spamming process cold, I would like to know the following:
a) Is one of the above solutions better than the other, and if so, why?
b) Am I likely to encounter some negatives (i.e., functionality problems etc.) down the road stemming from my blog_send_to_friend template edit solution, which I would avoid by using the blog.php edit solution instead?
Here's why I'd like answers to the above questions. First, my template edit is currently in place and I've already proven that it's working perfectly to keep the spammers out. So is there a compelling reason for me to change solutions? And next, the remote spam sending campaigns that utilize this vulnerability can be quite few and far between, so it's not that easy to confirm that a replaced solution is actually working. Therefore, changing solutions may leave me wondering indefinitely, whereas right now I have peace of mind that I have precluded the problem. But again, if there's a negative side-effect from my method that I'm unaware of, that may be a game changer.

Any comments will be appreciated.