  #61  
Old 06 Feb 2007, 10:11
wilburshere
Join Date: May 2005
disabled here now *bugger* I liked this mod
__________________
late nites and too much coffee :tired:
  #62  
Old 06 Feb 2007, 10:41
Artificial_Alex
Join Date: Nov 2006
Real name: '
Originally Posted by Greek Wizard View Post
If we disable just the donate function, will this allow the rest of the hack to be active and safe?
Yes. But I'd still advise you to wait for staff to fix the bug or something.
  #63  
Old 06 Feb 2007, 11:51
Deimos
Join Date: Oct 2002
Oh er....just noticed CMX's last activity time

"Last Activity: 14. Jul 2006 01:10"

Maybe time to move onto another store program, if there is one?
  #64  
Old 06 Feb 2007, 13:19
fly
Join Date: Oct 2003
Originally Posted by Deimos View Post
Oh er....just noticed CMX's last activity time

"Last Activity: 14. Jul 2006 01:10"

Maybe time to move onto another store program, if there is one?
nope
  #65  
Old 06 Feb 2007, 13:31
MThornback
Join Date: Apr 2005
Location: Canada
Nothing worth the effort...besides most hacks that tie into VBPlaza would also have a bunch of dead code in them.....*sigh*
  #66  
Old 06 Feb 2007, 14:31
BrandiDup
Join Date: Jun 2005
Real name: Brandi
Thanks to the vbulletin team for keeping us safe and up to date. It's very much appreciated.

This hack was a huge, huge part of our site so I sincerely hope it won't be abandoned. I'd be more than willing to donate some $$ to help get things patched up.
__________________
MilitarySOS.com - November 2007 Board of the Month
TheWomanHood.com - vote us for May's Board of the Month
  #67  
Old 06 Feb 2007, 14:53
Acers
Join Date: Feb 2005
Real name: Safin
Based on my understanding of the code (and please note I can be wrong), I reckon that anything that sends out PMs with user input data will create a problem. The issue is that a user can, for example, in donation enter a custom message that is sent in the PM after passing through the PHP strip_tags function. Now that function can be exploited. You can do your own research on Google.
Please note that I am venturing a guess here and not saying anything with surety. If this is indeed the reason, a replacement with htmlentities might do the trick (or with vB's own function).

EDIT: Ok i have reproduced the problem on my test site so please note that this is a sure bug.

Last edited by Acers; 06 Feb 2007 at 15:02.
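
The point made in post #67, that strip_tags() removes markup but does not encode what is left while htmlentities() does, shown as an added PHP example. It is not part of the thread and not vBPlaza code; the function names and the sample messages are hypothetical and constructed for illustration.

```php
<?php
// Added illustration, not vBPlaza code. build_pm_body_*() are hypothetical
// stand-ins for "user-supplied text copied into a private message".

// Pattern described in the post: strip_tags() as the only filter.
function build_pm_body_striptags(string $userMessage): string
{
    return 'Donation note: ' . strip_tags($userMessage);
}

// Replacement suggested in the post: encode the text instead of stripping it.
function build_pm_body_encoded(string $userMessage): string
{
    return 'Donation note: ' . htmlentities($userMessage, ENT_QUOTES, 'UTF-8');
}

// True if a character that can open a tag or close an attribute value
// is still present unencoded in the filtered text.
function has_raw_html_metachar(string $s): bool
{
    return strpbrk($s, '<>"\'') !== false;
}

// Constructed, benign sample messages.
$samples = [
    'plain text',
    'Tom & "Jerry"',
    "it's <b>bold</b>",
    'score: 3 < 5',
];

foreach ($samples as $msg) {
    $stripped = build_pm_body_striptags($msg);
    $encoded  = build_pm_body_encoded($msg);

    printf("input    : %s\n", $msg);
    printf("stripped : %s  [raw metachar left: %s]\n",
        $stripped, has_raw_html_metachar($stripped) ? 'yes' : 'no');
    printf("encoded  : %s  [raw metachar left: %s]\n\n",
        $encoded, has_raw_html_metachar($encoded) ? 'yes' : 'no');
}
```

Run it with the PHP CLI and compare the two columns: stripping leaves quote characters in place, while encoding turns every special character into an entity so the text is displayed rather than interpreted.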
  #68  
Old 06 Feb 2007, 15:25
thepub
Join Date: Aug 2006
As many awesome coders we have on this board and somebody can't replicate another store/points hack?
  #69  
Old 06 Feb 2007, 15:28
NFLfbJunkie
Join Date: Sep 2006
Acers, with your knowledge of the problem, is there a fix? If so, how does one get the fix approved and implemented into the already existing code, posted on the board for users to add to their code? Just hoping this fabulous MOD can be saved.
  #70  
Old 06 Feb 2007, 15:29
Acers
Join Date: Feb 2005
Real name: Safin
Here is a temporary fix. I have tested this locally only for the donate function and it's working as far as this exploit goes, and since the same logic can be taken for other places where it's used, we can replace there.

Go to your vbplaza folder, find occurrences of the following:
includes/function_vbplaza.php
find around line 152 (depending on the version you have)


Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

make that

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

go to
vbplaza/action.admindonate.php (line 133)

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

make that

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.


goto
vbplaza/action.changeotherusertitle.php (line 136)

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

make that

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.


goto
vbplaza/action.changeusertitle.php (line 87)

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

make that

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.


goto
vbplaza/action.donate.php (line 164)

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

make that

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.




goto
vbplaza/action.gift.php (line 209)

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

make that

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.


goto
vbplaza/action.ribbons.php (line 218)

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

make that

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.



The above fixes one part of the exploit. Of course there might be other issues involved also; I am still looking around and maybe others are also.

Please note that there might be other code areas that can be exploited also which I don't know yet. Don't think you are safe just by doing the above. The full exploit and what caused it has not been released, so all this is guesswork to find the vulnerable part. (BTW, if this was not one part of the exploit, even then it should be part of the fix, as the original code above can be exploited. I just looked at the code and saw this cos the original poster had mentioned something to do with PM text.) Wait for an official fix or at least don't blame me.

Last edited by Acers; 06 Feb 2007 at 15:42.
  #71  
Old 06 Feb 2007, 16:25
UncoderMom
Join Date: May 2006
Real name: Lisa
ACERS you rock!

Is vb.org attempting a patch?
  #72  
Old 06 Feb 2007, 16:59
CMX_CMGSCCC
Join Date: Sep 2003
Originally Posted by Artificial_Alex View Post
Yes, I reported it.


I would say how it's being exploited, but I don't think I can post it publicly.
Tell me how it's being exploited and then I can release a fix for it.

I mean, I'm the creator of the addon. (PM me the details.)

-CMX
__________________
http://www.cmgsccc.com/
  #73  
Old 06 Feb 2007, 17:04
BrandiDup
Join Date: Jun 2005
Real name: Brandi
Originally Posted by CMX_CMGSCCC View Post
Tell me how it's being exploited and then I can release a fix for it.

I mean, I'm the creator of the addon. (PM me the details.)

-CMX
Awesome!!
__________________
MilitarySOS.com - November 2007 Board of the Month
TheWomanHood.com - vote us for May's Board of the Month
  #74  
Old 06 Feb 2007, 17:18
Universal
Join Date: Sep 2006
Originally Posted by CMX_CMGSCCC View Post
Tell me how it's being exploited and then I can release a fix for it.

I mean, I'm the creator of the addon. (PM me the details.)

-CMX
You might want to PM the vbulletin.org admin if you have not been in contact already as I believe there are other exploits found other than this one or other coders may want to post about other exploits.

Sorry to hear about your board but nice find Artificial Alex, especially with other exploits found. Just deleting the code for or turning off Donation or even using a coding fix for this one main exploit might not be all that is needed. A great add on for a forum and exploits are fixable, patience is a virtue.

Last edited by Universal; 06 Feb 2007 at 17:22.
  #75  
Old 06 Feb 2007, 17:30
thepub
Join Date: Aug 2006
Originally Posted by CMX_CMGSCCC View Post
Tell me how it's being exploited and then I can release a fix for it.

I mean, I'm the creator of the addon. (PM me the details.)

-CMX
Oh man where have you been? We are dying for the new version of this and well, we missed you too.