Disallow HTML code in Thread Titles
Mod Version: 1.01, by steadicamop (Member)

This modification is in the archives.
vB Version: 3.6.0 Rating: (0 vote - 0 average) Installs: 18
Released: 03 Sep 2006 Last Update: 03 Sep 2006 Downloads: 73
Not Supported Code Changes  

Disallow HTML code in Thread Titles v1.01

Originally Posted by Staff Note
Staff Note:
Unmodified vBulletin will not evaluate HTML in thread titles. Using this modification without a hack installed that has security vulnerabilities is useless.

Also installing this modification, even with a modification installed that would make your board vulnerable to this type of HTML posting in thread titles, only will give you a false sense of security since there are many other options to exploit this, even without the use of the ">" character.

Everyone is encouraged to remove or update the vulnerable modification instead of using this hack.

Marco van Herwaarden.
By Jason Williams/Andrew Calderbank
03/09/2006

Recently there has been a spate of members posting html redirection code in thread titles, which when parsed on the forum homepage runs and redirects to whatever site they insert into the title.

This code simply disallows the characters < and > from being used in the thread titles; this is also checked when editing the post.

It's fairly simple but puts an end to members signing up and posting redirect links. I don't know whether you'd class this as a hack or bug fix, but I hope this helps other members who are frustrated with this issue.

2 file edits
1 new phrase

Should be fairly straightforward to install.

**ALWAYS BACK UP FILES BEFORE YOU EDIT THEM!!**

v1.00

Original release

v1.01

Slight code update

  • This modification may not be copied, reproduced or published elsewhere without author's permission.
  #16  
Old 04 Sep 2006, 16:11
apdcanari apdcanari is offline
 
Join Date: May 2005
Location: Belgique
Real name: Cédric
Vb 3.5.4 ? Please
Reply With Quote
  #17  
Old 04 Sep 2006, 17:37
redlabour redlabour is offline
 
Join Date: Mar 2004
Real name: André
Thx ... these Guys tried it at my Project !
Reply With Quote
  #18  
Old 04 Sep 2006, 19:46
steadicamop steadicamop is offline
 
Join Date: Jul 2004
Real name: Jason Williams
Originally Posted by apdcanari
Vb 3.5.4 ? Please
Have you tried searching for the code in the 3.5.4 files (I'm not totally sure whether postings.php exists in that version), it's something I could look into for that version too.
Reply With Quote
  #19  
Old 04 Sep 2006, 19:52
steadicamop steadicamop is offline
 
Join Date: Jul 2004
Real name: Jason Williams
Originally Posted by chimaira
replace what code with that exactly ?


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

^^ that?
Only replace the code with that if you installed v1.00 - which I think didn't last too long before the update, the new file has the correct code in.
Reply With Quote
  #20  
Old 05 Sep 2006, 05:14
smoothfuego smoothfuego is offline
 
Join Date: Apr 2006
Originally Posted by steadicamop
Have you tried searching for the code in the 3.5.4 files (I'm not totally sure whether postings.php exists in that version), it's something I could look into for that version too.
It does exist but the coding for the includes/functions_newpost.php (or something like that) is different so it can't work with 3.5.4 :cry: If you could do one for 3.5.4 it would be greatly appreciated as someone is constantly doing it to my forum.
Reply With Quote
  #21  
Old 05 Sep 2006, 05:24
Nuguru Nuguru is offline
 
Join Date: Jun 2006
Question Does this fix work for vb 3.5.4?

Originally Posted by Nuguru
Hello,

I was wondering if this security issue applies to 3.5.4 and will this fix work with 3.5.4? Or how do I get the same result making code changes with 3.5.4? Advice would be appreciated.



Thank You,

Nuguru
Hello,

I was wondering if this fix works for vb 3.5.4? If not, is there a way it could?


Thank You,

Nuguru
Reply With Quote
  #22  
Old 05 Sep 2006, 13:06
xman_79 xman_79 is offline
 
Join Date: Jun 2006
Real name: Suleiman
I did what you said, but nothing changed.
Reply With Quote
  #23  
Old 05 Sep 2006, 17:26
filmking filmking is offline
 
Join Date: Apr 2006
Not working at all for me
Reply With Quote
  #24  
Old 05 Sep 2006, 17:29
captainslater captainslater is offline
 
Join Date: Dec 2005
Real name: Dominic
You can add this HTML-stuff to your bad word list, this works fine at my board.
__________________
If you need a translation to german - I'm your man!
Reply With Quote
  #25  
Old 05 Sep 2006, 17:52
karlm karlm is offline
 
Join Date: Jul 2006
Real name: Karl
For those working in vb3.5.4, try this quick fix I found here.

Go into your AdminCP and under vB Options choose Censorship Options.

In the Censored Words window add this.


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

That will put an end to this nonsense.
Reply With Quote
  #26  
Old 05 Sep 2006, 18:03
bashy bashy is offline
 
Join Date: Nov 2005
Great idea lol

Originally Posted by captainslater
You can add this HTML-stuff to your bad word list, this works fine at my board.
__________________
Bashy

Bashys Place ~ Bashys Hosting
Reply With Quote
  #27  
Old 05 Sep 2006, 19:26
TAL_NEW TAL_NEW is offline
 
Join Date: Aug 2006
Good work
Reply With Quote
  #28  
Old 06 Sep 2006, 13:06
tuanvic tuanvic is offline
 
Join Date: Jun 2006
Hi, I can't find this Phrase Type in my Admin CP: Front-End Error Messages. Can anyone help me? I'm using vbb 3.6.

Last edited by tuanvic; 06 Sep 2006 at 13:48.
Reply With Quote
  #29  
Old 06 Sep 2006, 13:11
Scott MacVicar Scott MacVicar is offline
 
Join Date: Oct 2001
vBulletin does not allow HTML code in thread titles, the problem is the TopXStats modification which does absolutely no checking before storing / displaying data.

I'm thinking this thread should be closed since it's going to cause a misconception that it's a vBulletin problem, the much easier solution is to fix your TopXStats modification.

It also doesn't fix the cases where you can use things other than >, what about injecting a new parameter?

" onmouseover="window.location='www.hax0r.com'"

That should work as a title as well.
__________________
Scott MacVicar
vBulletin Developer

Last edited by Scott MacVicar; 06 Sep 2006 at 13:25.
Reply With Quote
  #30  
Old 06 Sep 2006, 13:32
Marco van Herwaarden Marco van Herwaarden is offline
 
Join Date: Jul 2004
Staff Note:
Unmodified vBulletin will not evaluate HTML in thread titles. Using this modification without a hack installed that has security vulnerabilities is useless.

Also installing this modification, even with a modification installed that would make your board vulnerable to this type of HTML posting in thread titles, only will give you a false sense of security since there are many other options to exploit this, even without the use of the ">" character.

Everyone is encouraged to remove or update the vulnerable modification instead of using this hack.
Reply With Quote
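
The point made in posts #29 and #30, as an added example that is not part of the thread and is not vBulletin or TopXStats code: a filter on < and > (the approach the first post describes) compared with HTML-encoding the title where it is printed. The function names and the link template are hypothetical; the second sample title is the string quoted in post #29, the other two are constructed.

```php
<?php
// Added example; not vBulletin or TopXStats code. All function names are hypothetical.

// The check the first post describes: refuse titles containing < or >.
function title_passes_char_filter(string $title): bool
{
    return strpbrk($title, '<>') === false;
}

// Hypothetical add-on template that echoes the stored title without encoding.
function render_unescaped(string $title): string
{
    return '<a href="showthread.php?t=1" title="' . $title . '">' . $title . '</a>';
}

// The same template with the title HTML-encoded at output time.
function render_escaped(string $title): string
{
    $safe = htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
    return '<a href="showthread.php?t=1" title="' . $safe . '">' . $safe . '</a>';
}

// The template alone contains four double quotes and two each of < and >.
// Any extra one came from the title and changes how the markup is parsed.
function markup_intact(string $html): bool
{
    return substr_count($html, '"') === 4
        && substr_count($html, '<') === 2
        && substr_count($html, '>') === 2;
}

// Sample titles: the second is the string quoted in post #29, the others are constructed.
$titles = [
    'Weekly meetup thread',
    '" onmouseover="window.location=\'www.hax0r.com\'"',
    '<b>bold title</b>',
];

foreach ($titles as $title) {
    printf(
        "%-52s filter=%-8s unescaped_intact=%-3s escaped_intact=%s\n",
        $title,
        title_passes_char_filter($title) ? 'allowed' : 'rejected',
        markup_intact(render_unescaped($title)) ? 'yes' : 'no',
        markup_intact(render_escaped($title)) ? 'yes' : 'no'
    );
}
```

The title from post #29 contains neither < nor >, so the character filter lets it through, while the encoded template stays intact for all three titles. The encoding belongs in the modification that prints the title.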