vbBux / vbPlaza v1.5.8 has been released!

CMX_CMGSCCC
07-13-2006, 10:57 PM
A quick release to address a critical bug.

Get it at --> https://vborg.vbsupport.ru/showthread.php?t=106953

A NOTE: This will be one of the last releases of vbBux / vbPlaza in its V1.x format.

But do not fear, vbBux / vbPlaza V2.0 is in the pipeline and will be bigger and better than before :)

You ask how it can be bigger and better? Stay tuned!!!

-CMX

Skyline_GT
07-13-2006, 11:00 PM
thanks a lot:D

sinn3d
07-14-2006, 10:21 AM
Thanks so much! ;)

Snake
07-14-2006, 11:03 AM
Thank you very much! Been waiting for this. :)

stonner
07-19-2006, 08:45 PM
When is vbBux / vbPlaza V2.0 coming?

Shall I wait or install the older version now? Is it easy to update then?

TTG
07-19-2006, 11:29 PM
thanks for the update .. if there was a way around having to do all the template edits I'd install it now on 3.6.0 RC2, but I think I'll wait till the final release.

TamCaVBoy3
07-30-2006, 01:37 AM
Should have the option to use points to buy hidden posts (using hide bbcode). It is probably the greatest feature to me.

org knopper
08-04-2006, 08:11 AM
Your usergroup does not have permission to purchase vbPlaza Options.

How to edit usergroup permission? Even admin can't see options :( Sorry for the stupid question, I am a noob.

vitnuce
08-04-2006, 01:42 PM
How to edit usergroup permission? Even admin can't see options :( Sorry for the stupid question, I am a noob.
Admin CP - Usergroups - Usergroup Manager - ( Select Group) -> Edit Group

Zia
08-07-2006, 08:18 AM
CMX..

I guess we have to wait till we die to get the integration with ecdownload
:S

phpdevrus
08-08-2006, 07:08 PM
thanks.. waiting on 2.0 ;-)

snake-boy
08-11-2006, 09:31 AM
Bug: If you give a gift to someone and make it PRIVATE, anyone can read the message you supplied with the gift by going to the vbplaza, select item history for gifts.

Totally defeats the point of making it private.

Is there a workaround or a fix for this? I've searched the options as well as this thread and found nothing.

ANY help would be appreciated as I really don't want to have to turn off the item history completely to get around this.

-snake

Don.Hanks
08-25-2006, 10:55 AM
great stuff, works well but found a problem.

when I am trying to view 'most sold', it says 'You are not allowed to view Item History.', why?

sorry, have to ask again.

Insert Username
09-20-2006, 03:07 PM
This was asked in another thread, but I'll ask here.

Sigs, user titles, invisibility mode, and possibly others, aren't working properly. Users purchase them from the store but are then told they don't have permission to have it. Basically, the admin settings in vB are overriding vbPlaza. Is there a fix for this?

nir
09-27-2006, 06:35 PM
uShop uCash 3.6.0 Released?

phpdevrus
10-04-2006, 09:09 PM
Any update on v2.0?

looking forward to it ;-)

smsmasters
10-06-2006, 09:47 PM
I hope it will be compatible with 3.6.2

Shazz
10-07-2006, 12:46 AM
I hope it will be compatible with 3.6.2
Made on
13. Jul 2006, 17:57
Current Version at time : 3.5.4

Many bugs on 3.6

JamieLee2k
10-07-2006, 07:38 AM
So I am confused here, v1.5.7 was released after 1.5.8 and 1.5.7 is for 3.6.0 BETA 3 (which is a newer version of VB) and 1.5.8 was released 6 months before 1.5.7 and is for 3.5.4 now correct me if I am wrong, shouldn't the versions go up and not down? and the only difference I see in the title is 1.5.8 has Points + Store System in it. So this tells me it is a different release.

Anyways I have tested this out and I love it, Not sure if I should wait for 2.0

smsmasters
10-07-2006, 12:23 PM
^Jamie what vb version are you running?

JamieLee2k
10-07-2006, 09:03 PM
3.6.2

radarhunter
10-09-2006, 04:43 PM
hi there is a site named : www.funenclave.com

now this site has nickels system which is based on vbplaza

Can we separate vbux and vbplaza?

If yes, how, and how can I change my system to have one point type like on this site? Not like having points and bank separately.

Just what the total is, only that I should know and nothing else.


Is this possible to have exactly the same thing

Please don`t ask me to ask the admin of the site. He is not telling.

Can anyone help me ???????

sylem
10-25-2006, 11:21 PM
ye 3.6.2 has mass issues. I can't figure out how to implement the template changes into my Skynet skin, many templates don't line up with what they ask. Also when I CAN get the link to it, I keep getting access denied, saying my usergroup doesn't have permission, even though I have all the settings right, and I'm the main admin lol. Hope they update soon.

Shazz
10-26-2006, 12:30 AM
ye 3.6.2 has mass issues. I can't figure out how to implement the template changes into my Skynet skin, many templates don't line up with what they ask. Also when I CAN get the link to it, I keep getting access denied, saying my usergroup doesn't have permission, even though I have all the settings right, and I'm the main admin lol. Hope they update soon.
This has been pendable for many ages

sylem
10-26-2006, 08:57 PM
any word when they will?

Shazz
10-26-2006, 11:30 PM
any word when they will?
Mostly up to CSG, but err. Maybe when 3.7 comes out :)

goga123
10-28-2006, 11:41 PM
Hey Man
Where Will Me Forum Root Directory
Plz Someone Help Me To Install Vb Plaza

The Chief
11-02-2006, 02:45 PM
This is an essential part of my community which I will miss.

Looking forward for this to work for vBulletin 3.6...

radarhunter
11-02-2006, 02:51 PM
Hey Man
Where Will Me Forum Root Directory
Plz Someone Help Me To Install Vb Plaza

i can help you if you want ???

Lachrymose
11-12-2006, 06:49 AM
I just upgraded to vb 3.6.3. I also upgraded my vbplaza and v3arcade.

However, now the arcade access feature through the vbplaza does not seem to be letting anyone play the arcade.

Any ideas here? It worked fine on vb 3.6.0 .

Romanthic
11-22-2006, 05:15 PM
How do I change it to other languages?

thepub
12-01-2006, 03:45 PM
I installed the arcade and it doesn't work at all. :( How much longer til the new version of vbplaza comes out? I'd really like to see a pm system implemented letting the person being robbed know they were just robbed, it could be funner like that.

Shazz
12-01-2006, 09:23 PM
He hasn't been on since July =\

Artificial_Alex
01-12-2007, 12:36 AM
Ever since I installed this, rep is being dropped to 0 for all the users...and no one is "buying" thief rep..Why is it deleting all the members rep?

Pure Dope
01-16-2007, 09:34 AM
how does this work with 3.6.4?

Shazz
01-16-2007, 10:51 AM
how does this work with 3.6.4?

Read the thread posts

bolly.beats
01-22-2007, 12:39 AM
I am trying to put this in BlueLife Skin on this website http://bestindiantv.com ... only one template change is not working :(

B) Inside template 'navbar':

Find:

<td class="vbmenu_control"><a href="calendar.php$session[sessionurl_q]">$vbphrase[calendar]</a></td>
<if condition="$show['popups']">


Add Below:

<!-- vbPlaza start -->
<if condition="$show['member']">
<if condition="$vboptions['vbplaza_enabled']"><td id="vbplazamenu" class="vbmenu_control"><a href="$show[nojs_link]#vbplazamenu">$vbphrase[vbplaza_name] $vbphrase[vbplaza_menu]</a> <script type="text/javascript"> vbmenu_register("vbplazamenu"); </script></td></if>
</if>
<!-- vbPlaza end -->


I did the second navbar template change, but can't find or put this one. I try to find what it says there, that calendar.php, but it's not finding it. I don't know where to put that code to fix it into Navbar... please help... Thank youuu :D

(2)

Also whenever any group other than ADMIN tries to send a Gift or anything I get this message:

"You are not allowed to purchase this item."

So only Admin can send but other GROUPS' people can't. I did set permission from Usergroup Permissions but still, why is it not working :(? Where do I do permission for that? I can't find it, please help, thank youuu...

stangger5
01-22-2007, 01:13 AM
I am trying to put this in BlueLife Skin on this website http://bestindiantv.com ... only one template change is not working :(

I did the second navbar template change, but can't find or put this one. I try to find what it says there, that calendar.php, but it's not finding it. I don't know where to put that code to fix it into Navbar... please help... Thank youuu :D

(2)

Also whenever any group other than ADMIN tries to send a Gift or anything I get this message:

"You are not allowed to purchase this item."

So only Admin can send but other GROUPS' people can't. I did set permission from Usergroup Permissions but still, why is it not working :(? Where do I do permission for that? I can't find it, please help, thank youuu...

On that skin, your navbar is in the header template.
Look for:

<td class="lhbar">
<a href="calendar.php?">Calendar</a></td>

Now for the Gift permissions..
Go to the vbPlaza in admincp >> Manage Categories >> Misc. Options..
Put a check mark beside the Usergroups you want to have permission, then Save Settings..

bolly.beats
01-22-2007, 02:55 AM
thanx buddy...really helped ;)thanx a lottt :p :D >:D<

NameClan.com
01-23-2007, 02:02 AM
this is nice

sim tech
02-05-2007, 09:16 PM
I just received these emails, but the links are not present (at least for my account):



vbBux / vbPlaza v1.5.8 (Points + Store System)
https://vborg.vbsupport.ru/showthread.php?threadid=106953


Official Security Exploit Warning:

The staff has been notified of a potential XSS vulnerability in the vbBux / vbPlaza modification. We have confirmed the exploit along with additional exploits in varying degrees. This notification is to serve as an official warning - it is HIGHLY recommended that you disable/uninstall the modification until a fix is provided.

Greek76
02-05-2007, 09:20 PM
Same here no permission to view thread.

Artificial_Alex
02-05-2007, 09:21 PM
Yes, I reported it.


I would say how it's being exploited, but I don't think I can post it publicly. :p

Deimos
02-05-2007, 09:24 PM
I assume the links were to the old threads with the attachments in them
So they've probably been moved to a hidden area till the scripts get fixed.

Artificial_Alex
02-05-2007, 09:25 PM
It was being exploited to get users/staff's passwords.

My WHOLE staff got their passwords obtained by this person exploiting it.

Deimos
02-05-2007, 09:25 PM
Really? good lord..

Artificial_Alex
02-05-2007, 09:28 PM
Yeah....x___x


At least Princeston[sp=?] reacted quickly to my PM.

I didn't think he'd believe me, the way the exploit worked, but they did, and I was right. :p

zappsan
02-05-2007, 10:26 PM
It was being exploited to get users/staff's passwords.


My WHOLE staff got their passwords obtained by this person exploiting it.
Wow, thank you very much for reporting it.
I disabled the hack for now, hope I'm safe.

I really hope CMX won't abandon this completely and fix the problem.

tpearl5
02-05-2007, 11:05 PM
ugg.. really hope this exploit gets fixed soon!

Shazz
02-05-2007, 11:11 PM
Errm, maybe it could be explained how they got in?
:|

Artificial_Alex
02-05-2007, 11:22 PM
All I will say is it's to do with the donate feature and a script.

Pete C
02-06-2007, 12:55 AM
I got the same Email, so I checked back here to be sure it was for real . . this has been a very popular hack, and I wanted to be sure before taking it off.

Despite the annoyance of having to do that, I'd like to say a BIG thank you for the heads-up, and my appreciation to vB for acting on the info so fast.

I can't see the thread either, so it's obviously been removed for good reason - but I would have clicked it uninstalled ;) . . at least till something can (hopefully) be done to address the exploits.

Good info, sad loss.

Shazz
02-06-2007, 01:36 AM
All I will say is it's to do with the donate feature and a script.

Your post was strong enough to scare away over 50 users of vbplaza now :o

Artificial_Alex
02-06-2007, 01:38 AM
Meh, you asked. ;D

MThornback
02-06-2007, 01:58 AM
Thanks for the save :) we all appreciate it!

NFLfbJunkie
02-06-2007, 02:07 AM
What can happen if someone decides to keep this MOD active on their boards?

Shazz
02-06-2007, 02:48 AM
What can happen if someone decides to keep this MOD active on their boards?

Well it's not like every board with vBplaza will just die
Unless the exploit was posted on some site which gave more people that opportunity to do it on more sites -.-

Pete C
02-06-2007, 02:52 AM
Your post was strong enough to scare away over 50 users of vbplaza now :o
I only got 50 members, and now there's nothing to bribe 'em in with - gonna have to seriously update my content now . . . lmao!

Seriously though, if there was no risk, I'm sure that would be clarified - instead the entire hack has been removed and vB have taken the trouble to mail-out to all the installers . . no smoke without fire imo - it ain't fear it's logic.

I'd sure like to see it fixed though - good luck to the guys working on it.

What can happen if someone decides to keep this MOD active on their boards?

Well, you could end up with a whole bunch of Admins . . or worse ;)

It was being exploited to get users/staff's passwords.

My WHOLE staff got their passwords obtained by this person exploiting it.

NFLfbJunkie
02-06-2007, 02:56 AM
I'd sure like to see it fixed though - good luck to the guys working on it.

Is there someone in fact working on a fix?

Greek Wizard
02-06-2007, 08:05 AM
All I will say is it's to do with the donate feature and a script.

If we disable just the donate function, will this allow the rest of the hack to be active and safe?

wilburshere
02-06-2007, 08:11 AM
disabled here now *bugger* I liked this mod

Artificial_Alex
02-06-2007, 08:41 AM
If we disable just the donate function, will this allow the rest of the hack to be active and safe?

Yes. But I'd still advise you to wait for staff to fix the bug or something.

Deimos
02-06-2007, 09:51 AM
Oh er....just noticed CMX's last activity time

"Last Activity: 14. Jul 2006 01:10"

Maybe time to move onto another store program, if there is one?

fly
02-06-2007, 11:19 AM
Oh er....just noticed CMX's last activity time

"Last Activity: 14. Jul 2006 01:10"

Maybe time to move onto another store program, if there is one?

nope

MThornback
02-06-2007, 11:31 AM
Nothing worth the effort...besides most hacks that tie into VBPlaza would also have a bunch of dead code in them.....*sigh*

BrandiDup
02-06-2007, 12:31 PM
Thanks to the vbulletin team for keeping us safe and up to date. It's very much appreciated.

This hack was a huge, huge part of our site so I sincerely hope it won't be abandoned :( I'd be more than willing to donate some $$ to help get things patched up.

Acers
02-06-2007, 12:53 PM
Based on my understanding of the code (and please note I can be wrong), I reckon that anything that sends out PMs with user input data will create a problem. The issue is that a user can, for example, in a donation enter a custom message that is sent in the PM after passing through the PHP strip_tags function. Now that function can be exploited (http://www.securityspace.com/smysecure/catid.html?id=52371). You can do your own research on Google.
Please note that I am venturing a guess here and not saying anything with surety. If this is indeed the reason, a replacement with htmlentities might do the trick (or with vB's own function).

EDIT: OK, I have reproduced the problem on my test site, so please note that this is a sure bug.

thepub
02-06-2007, 01:25 PM
As many awesome coders we have on this board and somebody can't replicate another store/points hack? :confused:

NFLfbJunkie
02-06-2007, 01:28 PM
Acers, with your knowledge of the problem, is there a fix? If so, how does one get the fix approved and implemented into the already existing code, posted on the board for users to add to their code? Just hoping this fabulous MOD can be saved.

Acers
02-06-2007, 01:29 PM
Here is a temporary fix. I have tested this locally only for the donate function and it's working as far as this exploit goes, and since the same logic can be taken for other places where it's used, we can replace there.

Go to your vbplaza folder and find occurrences of the following:
includes/function_vbplaza.php
find around line 152 (depending on the version you have)

$message = strip_tags($message);
make that
$message = htmlspecialchars($message);

go to
vbplaza/action.admindonate.php (line 133)
$action['reason'] = strip_tags($action['reason']);
make that
$action['reason'] = htmlspecialchars($action['reason']);


goto
vbplaza/action.changeotherusertitle.php (line 136)
$newusertitle_stripped = strip_tags($newusertitle);
make that
$newusertitle_stripped = htmlspecialchars($newusertitle);


goto
vbplaza/action.changeusertitle.php (line 87)
$newusertitle_stripped = strip_tags($newusertitle);
make that
$newusertitle_stripped = htmlspecialchars($newusertitle);


goto
vbplaza/action.donate.php (line 164)
$action['reason'] = strip_tags($action['reason']);
make that
$action['reason'] = htmlspecialchars($action['reason']);




goto
vbplaza/action.gift.php (line 209)
$action['giftmessage'] = strip_tags($action['giftmessage']);
make that
$action['giftmessage'] = htmlspecialchars($action['giftmessage']);


goto
vbplaza/action.ribbons.php (line 218)
$action['ribbonmessage'] = strip_tags($action['ribbonmessage']);
make that
$action['ribbonmessage'] = htmlspecialchars($action['ribbonmessage']);



The above fixes one part of the exploit. Of course there might be other issues involved also; I am still looking around and maybe others are also.

Please note that there might be other code areas that can be exploited also which I don't know yet. Don't think you are safe just by doing the above. The full exploit and what caused it has not been released, so all this is guesswork to find the vulnerable part. (BTW, if this was not one part of the exploit, even then it should be part of the fix, as the original code above can be exploited. I just looked at the code and saw this cos the original poster had mentioned something to do with PM text.) Wait for an official fix or at least don't blame me :D
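
Why the strip_tags() to htmlspecialchars() replacement in the post above matters, as an added example (not vbPlaza code and not written by anyone in this thread): it passes constructed, benign messages through both filters, places the result in a quoted HTML attribute, and reads back what an HTML parser sees. The helper names and the `<input value="...">` template are assumptions chosen for illustration, since the thread does not say where vbPlaza prints these values; PHP's DOM extension is required.

```php
<?php
// Added example: not vbPlaza code. Compares strip_tags() with
// htmlspecialchars() by parsing the HTML each one produces.

// Filter used by the original vbPlaza lines quoted in the thread.
function filter_strip(string $s): string
{
    return strip_tags($s);
}

// Filter proposed in the thread. ENT_QUOTES is passed explicitly because
// PHP versions before 8.1 leave single quotes unencoded by default.
function filter_encode(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Hypothetical template: the filtered value is dropped into value="...".
function render(string $filtered): string
{
    return '<input name="reason" value="' . $filtered . '">';
}

// Parse the rendered HTML and report the attributes the parser found.
function parse_back(string $html): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // malformed markup is expected here
    $doc->loadHTML($html);
    libxml_clear_errors();

    $input = $doc->getElementsByTagName('input')->item(0);
    if ($input === null) {
        return ['value' => null, 'attributes' => []];
    }
    $names = [];
    foreach ($input->attributes as $attr) {
        $names[] = $attr->nodeName;
    }
    sort($names);
    return ['value' => $input->getAttribute('value'), 'attributes' => $names];
}

// Classify what happened to the text the user typed.
function classify(string $original, string $filtered): string
{
    $seen = parse_back(render($filtered));
    if ($seen['attributes'] !== ['name', 'value']) {
        return 'attribute boundary broken';   // text escaped the value="..."
    }
    if ($seen['value'] !== $original) {
        return 'text changed';                // filter deleted or cut content
    }
    return 'intact';
}

// Constructed sample messages (ASCII only, all benign).
$samples = [
    'Thanks for the help!',
    'For the 5" drive & cables',
    "It's a gift",
    'Thanks <b>a lot</b>',
];

foreach ($samples as $s) {
    printf(
        "%-28s strip_tags: %-26s htmlspecialchars: %s\n",
        $s,
        classify($s, filter_strip($s)),
        classify($s, filter_encode($s))
    );
}
```

strip_tags() removes markup but does not encode quotes or ampersands, so its output is only as safe as the context it is printed into; htmlspecialchars() encodes the characters that delimit HTML, which is the property the replacement relies on.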

UncoderMom
02-06-2007, 02:25 PM
ACERS you rock!

Is vb.org attempting a patch?

CMX_CMGSCCC
02-06-2007, 02:59 PM
Yes, I reported it.


I would say how it's being exploited, but I don't think I can post it publicly. :p

Tell me how it's being exploited and then I can release a fix for it.

I mean, I'm the creator of the addon. (PM me the details.)

-CMX

BrandiDup
02-06-2007, 03:04 PM
Tell me how it's being exploited and then I can release a fix for it.

I mean, I'm the creator of the addon. (PM me the details.)

-CMX

Awesome!! :up: :D

Universal
02-06-2007, 03:18 PM
Tell me how it's being exploited and then I can release a fix for it.

I mean, I'm the creator of the addon. (PM me the details.)

-CMX

You might want to PM the vbulletin.org admin if you have not been in contact already as I believe there are other exploits found other than this one or other coders may want to post about other exploits.

Sorry to hear about your board but nice find Artificial Alex, especially with other exploits found. Just deleting the code for or turning off Donation or even using a coding fix for this one main exploit might not be all that is needed. A great add on for a forum and exploits are fixable, patience is a virtue. :D

thepub
02-06-2007, 03:30 PM
Tell me how it's being exploited and then I can release a fix for it.

I mean, I'm the creator of the addon. (PM me the details.)

-CMX
Oh man where have you been? We are dying for the new version of this and well, we missed you too. :o

Sooner95
02-06-2007, 05:00 PM
Ah cool, the Author returns!

CMX_CMGSCCC
02-06-2007, 05:03 PM
Oh man where have you been? We are dying for the new version of this and well, we missed you too. :o

Unfortunately my real job has had me in shambles as of late, too many games to make cheat codes for, and other projects at work. So I haven't had much time for vbBux / vbPlaza.

I am, however, working on a v2 version with a much more cleaned up coding engine, as well as a crapload of new features, items for purchase in the vbPlaza.

But as far as a release goes, I'm not sure, I've started it a little at the www.vbplaza.com URL, but I'm not sure the URL is public as of yet either, due to it still having a bit that needs completing. (I'd say it's about 75% finished currently.)

I hope to try and finish it up soon, but I honestly can't give an accurate ETA as of yet. I apologize for the inconvenience, but I can also assure you, it will be worth the wait.

ALSO: I've been away for a while and noticed a ton of posts about the v1.5.8. I do not have time to reply to every single post, and with the amount of rewrite that has occurred in the v2 version I am currently working on, it would be even more time involving to check on every problem as the problem may not exist anymore in the v2 version I'm writing. I apologize for any inconvenience this may cause.

-CMX

Artificial_Alex
02-06-2007, 05:09 PM
WOW!

Long time no see. :O

amagazi
02-06-2007, 08:35 PM
Glad to see the author has returned to work on a fix. :)

Shazz
02-06-2007, 08:45 PM
Unfortunately my real job has had me in shambles as of late, too many games to make cheat codes for, and other projects at work. So I haven't had much time for vbBux / vbPlaza.

I am, however, working on a v2 version with a much more cleaned up coding engine, as well as a crapload of new features, items for purchase in the vbPlaza.

But as far as a release goes, I'm not sure, I've started it a little at the www.vbplaza.com URL, but I'm not sure the URL is public as of yet either, due to it still having a bit that needs completing. (I'd say it's about 75% finished currently.)

I hope to try and finish it up soon, but I honestly can't give an accurate ETA as of yet. I apologize for the inconvenience, but I can also assure you, it will be worth the wait.

ALSO: I've been away for a while and noticed a ton of posts about the v1.5.8. I do not have time to reply to every single post, and with the amount of rewrite that has occurred in the v2 version I am currently working on, it would be even more time involving to check on every problem as the problem may not exist anymore in the v2 version I'm writing. I apologize for any inconvenience this may cause.

-CMX

Glad to see you back CMX_CMGSCCC !
Thought you were gone for good :)

Detomah
02-06-2007, 08:52 PM
Unfortunately my real job has had me in shambles as of late, too many games to make cheat codes for, and other projects at work. So I haven't had much time for vbBux / vbPlaza.

I am, however, working on a v2 version with a much more cleaned up coding engine, as well as a crapload of new features, items for purchase in the vbPlaza.

But as far as a release goes, I'm not sure, I've started it a little at the www.vbplaza.com URL, but I'm not sure the URL is public as of yet either, due to it still having a bit that needs completing. (I'd say it's about 75% finished currently.)

I hope to try and finish it up soon, but I honestly can't give an accurate ETA as of yet. I apologize for the inconvenience, but I can also assure you, it will be worth the wait.

ALSO: I've been away for a while and noticed a ton of posts about the v1.5.8. I do not have time to reply to every single post, and with the amount of rewrite that has occurred in the v2 version I am currently working on, it would be even more time involving to check on every problem as the problem may not exist anymore in the v2 version I'm writing. I apologize for any inconvenience this may cause.

-CMX

I for one fully appreciate the pressure and stresses of real life outside of this stuff that you and probably many others, including myself, go through all too often, and I appreciate the time you've given up to create vbplaza and everything you have done to date, and know you will continue to improve it again once time becomes available to you.

However, in the meantime, myself and probably every single other person who has the vbplaza hack installed would seriously appreciate you even more if you would be willing to sacrifice a little time to find out exactly what the current exploits with vbplaza are and release a fix for them as quickly as you possibly can, so that we may continue to use this superb hack without fear of our sites being exploitable. I would personally even go so far as to make a generous donation to you via paypal for such a service, as vbplaza has become an essential part of my website.

WhyDoesItMatter
02-06-2007, 09:29 PM
Tell me how it's being exploited and then I can release a fix for it.

I mean, I'm the creator of the addon. (PM me the details.)

-CMX

Omg you're back! Welcome back! Wow so shocked to see you, yet so happy.. woohoo

Deimos
02-06-2007, 09:37 PM
Good to see ya back CMX

Acers
02-07-2007, 02:31 AM
Here is a temporary fix. I have tested this locally only for the donate function and it's working as far as this exploit goes, and since the same logic can be taken for other places where it's used, we can replace there.

Go to your vbplaza folder and find occurrences of the following:
includes/function_vbplaza.php
find around line 152 (depending on the version you have)

$message = strip_tags($message);
make that
$message = htmlspecialchars($message);

go to
vbplaza/action.admindonate.php (line 133)
$action['reason'] = strip_tags($action['reason']);
make that
$action['reason'] = htmlspecialchars($action['reason']);


goto
vbplaza/action.changeotherusertitle.php (line 136)
$newusertitle_stripped = strip_tags($newusertitle);
make that
$newusertitle_stripped = htmlspecialchars($newusertitle);


goto
vbplaza/action.changeusertitle.php (line 87)
$newusertitle_stripped = strip_tags($newusertitle);
make that
$newusertitle_stripped = htmlspecialchars($newusertitle);


goto
vbplaza/action.donate.php (line 164)
$action['reason'] = strip_tags($action['reason']);
make that
$action['reason'] = htmlspecialchars($action['reason']);




goto
vbplaza/action.gift.php (line 209)
$action['giftmessage'] = strip_tags($action['giftmessage']);
make that
$action['giftmessage'] = htmlspecialchars($action['giftmessage']);


goto
vbplaza/action.ribbons.php (line 218)
$action['ribbonmessage'] = strip_tags($action['ribbonmessage']);
make that
$action['ribbonmessage'] = htmlspecialchars($action['ribbonmessage']);




Just changes the PHP function with vB's own cleaning class.

includes/function_vbplaza.php(line 152)

$message = strip_tags($message);
make that

$message = $vbulletin->input->clean($message, TYPE_NOHTML);


go to
vbplaza/action.admindonate.php (line 133)
$action['reason'] = strip_tags($action['reason']);
make that

$action['reason'] = $vbulletin->input->clean($action['reason'], TYPE_NOHTML);



goto
vbplaza/action.changeotherusertitle.php (line 136)
$newusertitle_stripped = strip_tags($newusertitle);
make that

$newusertitle_stripped = $vbulletin->input->clean($newusertitle, TYPE_NOHTML);



goto
vbplaza/action.changeusertitle.php (line 87)
$newusertitle_stripped = strip_tags($newusertitle);
make that

$newusertitle_stripped = $vbulletin->input->clean($newusertitle, TYPE_NOHTML);



goto
vbplaza/action.donate.php (line 164)
$action['reason'] = strip_tags($action['reason']);
make that

$action['reason'] = $vbulletin->input->clean($action['reason'], TYPE_NOHTML);





goto
vbplaza/action.gift.php (line 209)
$action['giftmessage'] = strip_tags($action['giftmessage']);
make that
$action['giftmessage'] = $vbulletin->input->clean($action['giftmessage'], TYPE_NOHTML);



goto
vbplaza/action.ribbons.php (line 218)
$action['ribbonmessage'] = strip_tags($action['ribbonmessage']);
make that
$action['ribbonmessage'] = $vbulletin->input->clean($action['ribbonmessage'], TYPE_NOHTML);
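
To confirm that no call was missed after applying either version of the edits listed above, an added example (not part of vbPlaza and not code from this thread): a tokenizer-based scan that lists every remaining `strip_tags()` call with its line number, skipping mentions inside comments and string literals. The function names and the constructed sample source are assumptions; pass a directory path as the first argument to scan real files instead of the sample.

```php
<?php
// Added example: not vbPlaza code. Lists strip_tags() calls in PHP source.
// It reports where the function is called, not whether each use is unsafe.

// Return the line numbers of every call to the global function strip_tags().
// Namespaced spellings such as \strip_tags() are not handled.
function find_strip_tags_calls(string $source): array
{
    $tokens = token_get_all($source);
    $count  = count($tokens);
    $lines  = [];
    $prev   = null;   // last token that was not whitespace or a comment

    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];
        if (is_array($tok)
            && in_array($tok[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            continue;
        }
        if (is_array($tok) && $tok[0] === T_STRING
            && strtolower($tok[1]) === 'strip_tags') {
            // Ignore $obj->strip_tags(), Foo::strip_tags() and declarations.
            $notGlobal = is_array($prev) && in_array(
                $prev[0],
                [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION],
                true
            );
            // A call needs "(" as the next non-whitespace token.
            $j = $i + 1;
            while ($j < $count && is_array($tokens[$j])
                && $tokens[$j][0] === T_WHITESPACE) {
                $j++;
            }
            if (!$notGlobal && $j < $count && $tokens[$j] === '(') {
                $lines[] = $tok[2];
            }
        }
        $prev = $tok;
    }
    return $lines;
}

// Scan every .php file under $dir; returns [path => [line, ...]].
function scan_directory(string $dir): array
{
    $report = [];
    $files  = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (!$file->isFile() || strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $source = (string) file_get_contents($file->getPathname());
        $lines  = find_strip_tags_calls($source);
        if ($lines) {
            $report[$file->getPathname()] = $lines;
        }
    }
    ksort($report);
    return $report;
}

if (isset($argv[1]) && is_dir($argv[1])) {
    foreach (scan_directory($argv[1]) as $path => $lines) {
        echo $path, ': line ', implode(', ', $lines), PHP_EOL;
    }
} else {
    // Constructed sample: one patched line, one comment, one string literal
    // and two calls that are still unpatched.
    $sample = <<<'SRC'
<?php
// strip_tags() was replaced below (a comment, must not be reported)
$action['reason'] = htmlspecialchars($action['reason']);
$note = 'strip_tags($x) inside a string literal';
$action['giftmessage'] = strip_tags($action['giftmessage']);
$newusertitle_stripped = strip_tags ($newusertitle);
SRC;
    echo 'sample: line ', implode(', ', find_strip_tags_calls($sample)), PHP_EOL;
}
```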

rjmjr69
02-07-2007, 04:59 AM
Well its great the author is back. I look forward to seeing version 2.0 real soon I hope. I too am willing to make a nice donation if it gets things done a bit faster....

sim tech
02-07-2007, 05:19 AM
This is one of the most popular mods on my board as well.

wilburshere
02-07-2007, 05:41 AM
excellent, I'll keep it disabled until v2 comes out

this mod was a huge feature on my sites as well

BTW welcome back we did miss you

Zia
02-07-2007, 08:30 AM
https://vborg.vbsupport.ru/external/2007/02/25.jpg

Where have you been for a long time?

We are waiting for the fix...

thnx

Shazz
02-07-2007, 12:45 PM
You all welcome back CMX_CMGSCCC for a FIX and not actually just giving him time to do so.

xchewbaka
02-07-2007, 06:03 PM
Thank you Acers for your work :-)

really good job, works fine

da420
02-07-2007, 06:40 PM
We are waiting for the fix...
Addiction is a terrible thing.

X-Files
02-08-2007, 06:32 PM
Is this what we need to patch this? Can someone provide a definitive answer? I think this version at least needs a fix applied since we have no idea when v2 will be out.

Just changes the PHP function with vB's own cleaning class.

includes/function_vbplaza.php(line 152)

$message = strip_tags($message);
make that

$message = $vbulletin->input->clean($message, TYPE_NOHTML);


go to
vbplaza/action.admindonate.php (line 133)
$action['reason'] = strip_tags($action['reason']);
make that

$action['reason'] = $vbulletin->input->clean($action['reason'], TYPE_NOHTML);



goto
vbplaza/action.changeotherusertitle.php (line 136)
$newusertitle_stripped = strip_tags($newusertitle);
make that

$newusertitle_stripped = $vbulletin->input->clean($newusertitle, TYPE_NOHTML);



goto
vbplaza/action.changeusertitle.php (line 87)
$newusertitle_stripped = strip_tags($newusertitle);
make that

$newusertitle_stripped = $vbulletin->input->clean($newusertitle, TYPE_NOHTML);



goto
vbplaza/action.donate.php (line 164)
$action['reason'] = strip_tags($action['reason']);
make that

$action['reason'] = $vbulletin->input->clean($action['reason'], TYPE_NOHTML);





goto
vbplaza/action.gift.php (line 209)
$action['giftmessage'] = strip_tags($action['giftmessage']);
make that
$action['giftmessage'] = $vbulletin->input->clean($action['giftmessage'], TYPE_NOHTML);



goto
vbplaza/action.ribbons.php (line 218)
$action['ribbonmessage'] = strip_tags($action['ribbonmessage']);
make that
$action['ribbonmessage'] = $vbulletin->input->clean($action['ribbonmessage'], TYPE_NOHTML);

fly
02-08-2007, 06:52 PM
CMX, WHERE CAN I SEND DONATIONS TO? THANKS FOR COMING BACK!

silvermerc
02-08-2007, 07:16 PM
Erm.... I can't download it for some reason. The link to the thread is broken

zappsan
02-08-2007, 07:26 PM
Welcome back, CMX :)

Erm.... I can't download it for some reason. The link to the thread is broken
Yes, there was a security problem so the hack has been removed.

Shazz
02-08-2007, 08:30 PM
Could have just closed the thread.
Now many people are going to be confused where to get the store

kjhkjh
02-09-2007, 03:47 AM
Err... I want this hack, never installed it before, have seen the security threat mentioned, seems to be a fix a few posts above me... but does anyone know if a new version is coming out or if there is somewhere that I can download the current version from and fix it?

Thx

sinpeople
02-09-2007, 01:39 PM
Never experienced this before. Anyone can tell typically how long such issue can be closed?

If it takes more than one month, maybe consider other point system is a not bad choice.
Thanks.

hitboy
02-09-2007, 02:47 PM
Never experienced this before. Anyone can tell typically how long such issue can be closed?

If it takes more than one month, maybe consider other point system is a not bad choice.
Thanks.

Another point system? lol uh there are a lot of people on here that have been using the hack for months, that would screw everything up, and as far as I can see for 3.6.4 there is only icash and it's a very simple mod, it's good but not the best alternative compared to vbbux

Aclikyano
02-09-2007, 06:04 PM
This hack has an EXPLOIT IN IT!
A few sites, as I recall somewhere on this board, were HACKED through the donation feature!
It has been removed until the ex is fixed.

HPIA
02-09-2007, 06:55 PM
/me lubs CMX

Shazz
02-09-2007, 07:26 PM
This hack has an EXPLOIT IN IT!
A few sites, as I recall somewhere on this board, were HACKED through the donation feature!
It has been removed until the ex is fixed.

Yes, there should be a announment in the vBplaza forum about it..

Brandon Sheley
02-09-2007, 08:28 PM
Could have just closed the thread.
Now many people are going to be confused where to get the store

actually, close the thread and we have no clue, but remove the file and no one else will be infected and we know what's going on.


just my 2 cents on that

i hope a fix is found soon, altho I don't use this hack, I know many ppl that do.

Shazz
02-09-2007, 09:29 PM
actually, close the thread and we have no clue, but remove the file and no one else will be infected and we know what's going on.


just my 2 cents on that

i hope a fix is found soon, altho I don't use this hack, I know many ppl that do.

Closing thread removing file, posting one final post on the exploit would answer many questions and wouldn't confuse anyone who is looking for it..

my 2 cents :D

fly
02-09-2007, 09:35 PM
Closing thread, posting code to exploit hack, eating cookies, kick a dead horse..

I think that should be the order

my 2 cents

Ski-Whiz
02-10-2007, 09:02 PM
I think they (staff here), should at least provide some feedback to the members which have it installed..

We don't have any clue whether it was only the donation part in which it was exploited. We are guessing at the fix. Now I know CMX knows, but to just uninstall the mod/hack is not an option for most.

Now I have disabled it, but how long do we have to wait before they release the exploit? I mean if CMX is busy, then at least let some coders know, so they can give temp advice etc..

Just my $.02.....

Universal
02-11-2007, 04:12 AM
I think they (staff here), should at least provide some feedback to the members which have it installed..

We don't have any clue whether it was only the donation part in which it was exploited.


Below was said in another thread. Even though they do not mention how the exploits work, it does mention other exploits involved. I agree in part with them not sharing the in-depth information as then coders might even take advantage of the exploit themselves, although some people have mentioned what the main exploit is.

Artificial_Alex reported an exploit which we investigated and confirmed - not only that but the investigations revealed other exploits in the code as well. As per our policy on such matters, the modification has been removed until such time as the holes are fixed.

The staff are not here to fix broken/exploited modifications, occasionally one may do so if they have the time (or use the mod themselves) but that's all. Fixing is the responsibility of the author.


This is part of the email people got who clicked install for this hack.


Official Security Exploit Warning:

The staff has been notified of a potential XSS vulnerability in the vbBux / vbPlaza modification. We have confirmed the exploit along with additional exploits in varying degrees. This notification is to serve as an official warning - it is HIGHLY recommended that you disable/uninstall the modification until a fix is provided.



Hope that helps a bit.

fly
02-11-2007, 05:24 AM
I think they (staff here), should at least provide some feedback to the members which have it installed..

We don't have any clue whether it was only the donation part in which it was exploited. We are guessing at the fix. Now I know CMX knows, but to just uninstall the mod/hack is not an option for most.

Now I have disabled it, but how long do we have to wait before they release the exploit? I mean if CMX is busy, then at least let some coders know, so they can give temp advice etc..

Just my $.02.....

You sure are asking a lot for the price. Maybe you should pay with your hard earned time to fix it for us

hitboy
02-11-2007, 12:21 PM
I don't think the staff should fix it nor say anything but they should at least tell the original coder of these new exploits so it can be fixed lol just my 2 cents

Zia
02-11-2007, 04:46 PM
I don't think the staff should fix it nor say anything but they should at least tell the original coder of these new exploits so it can be fixed

i gez staff inform the author.
So far i can remember ecDownlods by R0n1n also had exploit problem. By this time R0n1n got inactive. The co-author Westpointer (don't know he changed his nick to something) pick that up and release a new ver. with new name.

with that ref. i think CMX got information. only staff can confirm whether they inform or not.


but qus is that how long it will take to get the fix....
See here..
https://vborg.vbsupport.ru/showpost.php?p=1179908&postcount=37

MThornback
02-12-2007, 04:28 AM
How bout we all cool it and give the author time to work this out...I'm sure we all got what we paid for....so "are we there yet" isn't spurring faster work so much as annoyance....

msorin
02-12-2007, 02:41 PM
Can anyone tell me why I can't access https://vborg.vbsupport.ru/showthread.php?threadid=106953 ??? I get a message that says that I do not have permission to access this page.

Thank you

Shazz
02-12-2007, 02:42 PM
Because they have removed the vBPlaza to a closed part of the site

ehsanix
02-12-2007, 03:47 PM
so what this means?

fly
02-12-2007, 04:04 PM
so what this means?

It means don't use it.

rjp0615
02-12-2007, 05:04 PM
perhaps for the simple ppl, maybe someone can reup vbplaza with the code modification?

fly
02-12-2007, 05:52 PM
perhaps for the simple ppl, maybe someone can reup vbplaza with the code modification?

No one is even 100% sure what the exploit is, so that's not possible.

Shazz
02-12-2007, 07:42 PM
No one is even 100% sure what the exploit is, so that's not possible.

Actually a couple people do or more, They don't want to speak out of it though due to security purposes

fly
02-12-2007, 08:10 PM
Actually a couple people do or more, They don't want to speak out of it though due to security purposes

Well then it stands to reason they don't want us to know how to fix it then either, correct?

Shazz
02-12-2007, 08:14 PM
Well then it stands to reason they don't want us to know how to fix it then either, correct?

CMX or someone else in future time will have the fix or the whole vBplaza up-reloaded don't know the exact details

cOuNtErFiET
02-12-2007, 08:42 PM
how come it says I don't have access to the fix? get that all the time and pissin me off anyone help me says I don't have permission or some shit and just renewed my license?

Guest190829
02-12-2007, 08:54 PM
how come it says I don't have access to the fix? get that all the time and pissin me off anyone help me says I don't have permission or some shit and just renewed my license?

No fix has been uploaded, so I am not sure what you are talking about?

Shazz
02-12-2007, 08:58 PM
how come it says I don't have access to the fix? get that all the time and pissin me off anyone help me says I don't have permission or some shit and just renewed my license?

The vBPlaza thread is closed
Therefore you wouldn't have access to it

kjhkjh
02-12-2007, 09:00 PM
is there anything similar to vbplaza out there? or is there an idea of when this might be fixed...

a reward system like this is something that my forum definitely needs...

Shazz
02-12-2007, 09:02 PM
is there anything similar to vbplaza out there? or is there an idea of when this might be fixed...

a reward system like this is something that my forum definitely needs...

Closest thing I can think of is eBux :|
And that's very small...

kjhkjh
02-12-2007, 09:10 PM
I did a few searches on "ebux" but nothing came up.

I think I'm best to hold out for this mod being fixed.

Do we know if it's being worked on?
Would it help if we donated to the coder?
Would just be nice to have an idea of when it will be done, but I guess it's even more frustrating for those who have had to disable it on their boards.... and have to wait for the green light!

I guess this is what happens when we come to rely on great mods!

Fearlessninja
02-12-2007, 09:23 PM
I guess Ebux had security problems as well T_T"

Shazz
02-12-2007, 10:10 PM
I guess Ebux had security problems as well T_T"

really?
Maybe related exploits :confused:

rjmjr69
02-12-2007, 11:11 PM
Jeez if people took two minutes to read past posts in this very thread they would not have to post any further of the same question. I can understand everyone's eagerness to get a fix and to find out more information but like it says in about 30 posts in this thread. The coder has been notified he has stated he is working on a fix but yet 50 people still ask what the deal is and all the same stuff over and over.
I find it very annoying. sorry for ranting.

subnet_rx
02-12-2007, 11:52 PM
Thanks for that info rjm. I had read through some of the thread, but hadn't noticed where the developer said he was working on a fix. The last post that I saw was that he was wanting to know what the exploit was so he could work on a fix.

rjp0615
02-13-2007, 01:45 AM
well didn't what that guy posted earlier patch the exploit?

browie
02-13-2007, 03:36 AM
That's too bad. I'm glad some one found the problem.

Deimos
02-13-2007, 04:17 AM
simplest thing would be to close this thread, create a NEW sticky thread titled "VBPlaza plugin removed due to exploit, READ THIS"
Then any updates, get posted in that thread.

But I agree, it would be nice to know for SURE whether this is being worked on or not.

Zia
02-13-2007, 03:53 PM
http://www.vbplaza.com/

try to stick with that site too..

Sooner95
02-13-2007, 10:30 PM
Honestly, I think i would just wait for v2.0

Hornstar
02-14-2007, 11:06 PM
As long as version 2 won't lose any users points and settings i will be happy to wait as well :) if it is true that cmx is back, it is not such a bad day after all, he was a great coder.

cOuNtErFiET
02-15-2007, 03:16 AM
No fix has been uploaded, so I am not sure what you are talking about?


o i thought the first post was the fix sry....

Skedoozy
02-16-2007, 01:41 AM
Is this ever going to be updated? Or are we just stuck waiting for 2.0?

Shazz
02-16-2007, 01:43 AM
Is this ever going to be updated? Or are we just stuck waiting for 2.0?

Whatever CMX feels like doing, It's been asked millions of times :|
his PM box is probably full

kjhkjh
02-16-2007, 02:54 AM
Do we even have the time frame for v2.0??


I guess even if you don't get an update for the broken version you could just credit your members with currency in the new version.

I was about to install this version a few weeks ago but didn't get around to it... not sure if it's a blessing or not... would be interested to know when the new version is out and would donate if it was soonish :)

fly
02-16-2007, 12:21 PM
HEY GUYS, LET'S ASK WHEN IT'S GONNA BE FIXED. REPEATEDLY!
woohooo

MThornback
02-16-2007, 01:09 PM
Didn't you know? It's like pressing the elevator button a bunch of times, it makes it come faster

*sigh*

LILMORA4
02-17-2007, 03:45 AM
What does this mean?
Fatal error: Call to undefined function log_admin_action() in C:\Inetpub\Lilmora\Forum\vbplaza.php on line 28
PHP Fatal error: Call to undefined function log_admin_action() in C:\Inetpub\Lilmora\Forum\vbplaza.php on line 28

Shazz
02-17-2007, 03:47 AM
What does this mean?

vBPlaza is not supported right now :|

LILMORA4
02-17-2007, 04:48 AM
vBPlaza is not supported right now :|

Ohhh my....Mkaaay!

Deimos
02-17-2007, 09:47 AM
Bit frustrating, especially considering this plugin is very popular and has its own "Premium Modification" forums
If there's no support, why does it even exist?

So many hacks/plugins are made, then abandoned and it's (in my opinion) really unfair to just leave people in the dark, especially if there's security holes in the code itself.

Necrosaro420
02-17-2007, 02:14 PM
Ugh, that link on the front page does not work for me to download, says I don't have permission? Anyone else having this issue? I need to reinstall mine, I dorked it up fairly bad =( Thanks!

brvheart
02-17-2007, 04:26 PM
in regards to the exploit....if I disable it via vb settings in the admincp....that turns off all exploits right?

TrekkerOfFiles
02-17-2007, 04:34 PM
Ugh, that link on the front page does not work for me to download, says I don't have permission? Anyone else having this issue? I need to reinstall mine, I dorked it up fairly bad =( Thanks!

It's been disabled / removed because there are a bunch of major security flaws in it.

in regards to the exploit....if I disable it via vb settings in the admincp....that turns off all exploits right?

Uhm, not really, since you don't know for sure what the exploit(s) are.

So many hacks/plugins are made, then abandoned and it's (in my opinion) really unfair to just leave people in the dark, especially if there's security holes in the code itself.

Why's it unfair? It's a free modification coded on a person's free time. If you paid for it, that might ring true, but since this modification is a privilege given to people rather than a right, you just need to accept it as it comes and be thankful it was coded in the first place.

You get what you pay for.

MThornback
02-18-2007, 02:46 AM
You've got a lot of nerve complaining that something isn't being done as fast as you want....you paid for a licence to VB not for a personal coder or to shoot your mouth off....give the coder TIME.

ffs people.

Rickeo
02-21-2007, 03:29 PM
It is a bit annoying tho it is taking ages I mean are we even guaranteed that it will be back out again I have been waiting for this for ages :(

Ahhhhh well I understand people have other things to do as well :)

Just have to be a little more patient lol

~Rick~

fly
02-21-2007, 04:46 PM
It is a bit annoying tho it is taking ages I mean are we even guaranteed that it will be back out again

nope

BrandiDup
02-21-2007, 06:02 PM
Well, I can be patient for the fix but I would like to at least know if it's going to ever happen. If not, then I might as well just trash the store. If there is a fix in the works for anytime in the fairly near future, then I'll hang tight. I'm not trying to be pushy but I don't think a simple yes or no answer is too much to ask, especially since I amongst others have offered to donate some money towards the project. I'd just like to know yes or no, that's all.

cashpath
02-21-2007, 06:06 PM
Well there has been a yes answer.. but it's not a guarantee...

The author of the hack has posted that while he doesn't have much time he has been working on version 2.0

But no time for a release date or guarantee that he will finish it.

fly
02-21-2007, 06:06 PM
Well, I can be patient for the fix but I would like to at least know if it's going to ever happen. If not, then I might as well just trash the store. If there is a fix in the works for anytime in the fairly near future, then I'll hang tight. I'm not trying to be pushy but I don't think a simple yes or no answer is too much to ask, especially since I amongst others have offered to donate some money towards the project. I'd just like to know yes or no, that's all.

Is the store hurting you sitting there disabled? Do you really think CMX doesn't know that we want more info? Do you think everyone posting about it will change his mind? Do you think that a flea jumping at a 45 angle to the equator will reach the equator faster or slower than one jumping at 40 degree angle?

BrandiDup
02-21-2007, 06:13 PM
Is the store hurting you sitting there disabled? Do you really think CMX doesn't know that we want more info? Do you think everyone posting about it will change his mind? Do you think that a flea jumping at a 45 angle to the equator will reach the equator faster or slower than one jumping at 40 degree angle?

Hey, hey. No need for the attitude ;) I was just stating my opinion which I think I'm rightfully entitled to, as you are. I wasn't asking for the fix to be released. All I was asking for is a simple yes or no answer to whether it definitely will be fixed or not. Being as this is/was a supported premium modification with hundreds of installs, I truly do not think I'm out of line by asking for the author or administration to say "yes, it's being fixed" or "no, there's no use in waiting around for it". You act like I'm snapping my fingers and ordering the author to fix it today. Geez. :rolleyes:

fly
02-21-2007, 06:26 PM
Hey, hey. No need for the attitude ;) I was just stating my opinion which I think I'm rightfully entitled to, as you are. I wasn't asking for the fix to be released. All I was asking for is a simple yes or no answer to whether it definitely will be fixed or not. Being as this is/was a supported premium modification with hundreds of installs, I truly do not think I'm out of line by asking for the author or administration to say "yes, it's being fixed" or "no, there's no use in waiting around for it". You act like I'm snapping my fingers and ordering the author to fix it today. Geez. :rolleyes:

My point was that you didn't say anything that wasn't already said and none of it is helping. :D

Shazz
02-21-2007, 08:52 PM
uggh, I hope this thread gets closed.
It would help the confusion and repeating...

BrandiDup
02-21-2007, 10:22 PM
uggh, I hope this thread gets closed.
It would help the confusion and repeating...

People will still keep posting new threads asking the same things until some sort of official word is put out though.

fly
02-22-2007, 12:37 AM
People will still keep posting new threads asking the same things until some sort of official word is put out though.

Can it get more official?

Shazz
02-22-2007, 01:27 AM
:confused: People will still keep posting new threads asking the same things until some sort of official word is put out though.

If you search CMX last 3-4 posts he made he said it...
What more could people ask for?

BrandiDup
02-22-2007, 01:56 AM
I haven't searched his posts but what I'm trying to say is that most people who have this modification installed are not going to go searching through his posts. I just figured a sticky or something should be posted since everyone is so annoyed by people repeating the same questions. He may have said something officially within some post somewhere but the majority of people have not and will not see that post. I'm truly not trying to piss any one off or make any demands. I'm just saying that people will continue to post the same exact questions and beat the dead horse until there is some sort of email update sent out (such as the one we received about the exploit) or a sticky or something. :)

Anyhow, I've said my piece so I'm done :)

cOuNtErFiET
02-22-2007, 02:55 AM
EDIT: whoops forgot about other pages sry disregard

jheigl
02-22-2007, 03:11 PM
anyone know where i can find any version of this to download? this is the main reason i bought vb and now i cant find it anywhere!

fly
02-22-2007, 03:25 PM
anyone know where i can find any version of this to download? this is the main reason i bought vb and now i cant find it anywhere!

lol

rjmjr69
02-22-2007, 06:40 PM
There's another site working on making a new plaza........... Seems like it's going to be a bit better than this one for sure

Deimos
02-22-2007, 07:14 PM
There's another site working on making a new plaza........... Seems like it's going to be a bit better than this one for sure

Which site is that?

rjmjr69
02-22-2007, 09:18 PM
http://www.zikihideout.com/products/105-zh-credit-system-zh-credit-shop.html#post315

Pretty cool little site. He's asking what features and options people would like to see included so go post up some suggestions

Shazz
02-22-2007, 09:23 PM
Post #8
I highly doubt that

fly
02-22-2007, 09:39 PM
http://www.zikihideout.com/products/105-zh-credit-system-zh-credit-shop.html#post315

Pretty cool little site. He's asking what features and options people would like to see included so go post up some suggestions

Sweet Jesus!

jheigl
02-23-2007, 12:30 AM
lol

what's so funny? i asked a simple straight forward question

rjmjr69
02-23-2007, 12:33 AM
Sweet Jesus!

? Just found the site seems pretty interesting small start up

fly
02-23-2007, 12:47 AM
what's so funny? i asked a simple straight forward question

The last 10 pages of this thread have been about the hack getting pulled due to a security issue.

Forza
02-23-2007, 11:31 AM
*tips everyone to click install when downloading a hack from here*

my board has been hacked twice the past weeks and i thought it was from some modification i made myself... until i noticed something weird going on today with the plaza, after some googling i found a topic about this on another forum... let's hope they fix this soon.

btw, i currently disabled the donate function, will this do? Or should i disable the entire product in the Manage Products settings?

cashpath
02-23-2007, 02:40 PM
If you want to be safe.. disable the product.. if you want to be even safer uninstall it.

majorxp
02-23-2007, 07:25 PM
Is the store hurting you sitting there disabled? Do you really think CMX doesn't know that we want more info? Do you think everyone posting about it will change his mind? Do you think that a flea jumping at a 45 angle to the equator will reach the equator faster or slower than one jumping at 40 degree angle?

My point was that you didn't say anything that wasn't already said and none of it is helping. :D


...someone piss in your Wheaties?

Expect this thread to continue with people asking when it is going to be fixed and bring attention to the issue. If you can't handle that, I suggest not reading this thread any longer.:rolleyes:

Shazz
02-23-2007, 07:31 PM
...someone piss in your Wheaties?

Expect this thread to continue with people asking when it is going to be fixed and bring attention to the issue. If you can't handle that, I suggest not reading this thread any longer.:rolleyes:

Just my opinion...
Had to visit the thread again because it keeps getting bumped every hour...

Since it's known that the donation part is the one causing it, What if you just disabled or deleted that whole function?

majorxp
02-23-2007, 08:03 PM
I haven't looked at the code yet, but there have been several reports of a 'fix'. I personally don't know if that fixes all the issues, but if there isn't a fix by CMX or one of the admins here in the next week or so, I'm going to break down and review the code.

fly
02-23-2007, 09:33 PM
...someone piss in your Wheaties?

Expect this thread to continue with people asking when it is going to be fixed and bring attention to the issue. If you can't handle that, I suggest not reading this thread any longer.:rolleyes:

And expect me to continue chiding them, because it's just as productive and more fun!

Exitilus
02-23-2007, 11:54 PM
I also know Tehste is working on a Point System (Paid) and eventually a store as well. So hopefully other options will come around.

Shazz
02-24-2007, 12:56 AM
I also know Tehste is working on a Point System (Paid) and eventually a store as well. So hopefully other options will come around.

Also the other guy the name starting with a "w"
Posted one about a new paid one as well.

Deimos
02-24-2007, 01:07 AM
Urgh, I can see where this is going

Rather than having one well made point/store system, we're going to have 2+ different versions, bit like the 2 arcade scripts out there
Would be a lot better, in my opinion, if everyone worked together to make one kick ass system.

thepub
02-24-2007, 01:51 AM
question about the bank and points, how can the admin reset the bank and all the users points to zero without having to manually do it one member at a time?

Insert Username
02-24-2007, 02:52 AM
question about the bank and points, how can the admin reset the bank and all the users points to zero without having to manually do it one member at a time?

In the Admin CP, go to vbBux > Mass Points Givaway. At the bottom of that page is an option to reset all points to zero.

Greek Wizard
02-24-2007, 08:52 AM
here is a temporary fix, i have tested this locally only for the donate function and its working as far as this exploit goes, and since the same logic can be taken for other places where its used we can replace there

go to your vbplaza folder, find occurrences of the following:
includes/function_vbplaza.php
find around line 152(depending on the version you have)

$message = strip_tags($message);
make that
$message = htmlspecialchars($message);

go to
vbplaza/action.admindonate.php (line 133)
$action['reason'] = strip_tags($action['reason']);
make that
$action['reason'] = htmlspecialchars($action['reason']);


goto
vbplaza/action.changeotherusertitle.php (line 136)
$newusertitle_stripped = strip_tags($newusertitle);
make that
$newusertitle_stripped = htmlspecialchars($newusertitle);


goto
vbplaza/action.changeusertitle.php (line 87)
$newusertitle_stripped = strip_tags($newusertitle);
make that
$newusertitle_stripped = htmlspecialchars($newusertitle);


goto
vbplaza/action.donate.php (line 164)
$action['reason'] = strip_tags($action['reason']);
make that
$action['reason'] = htmlspecialchars($action['reason']);




goto
vbplaza/action.gift.php (line 209)
$action['giftmessage'] = strip_tags($action['giftmessage']);
make that
$action['giftmessage'] = htmlspecialchars($action['giftmessage']);


goto
vbplaza/action.ribbons.php (line 218)
$action['ribbonmessage'] = strip_tags($action['ribbonmessage']);
make that
$action['ribbonmessage'] = htmlspecialchars($action['ribbonmessage']);



the above fixes one part of the exploit. Of course there might be other issues involved also, i am still looking around and maybe others are also.

Please note that there might be other code areas that can be exploited also which i don't know yet. Don't think you are safe just by doing the above. The full exploit and what caused it has not been released so all this is guesswork to find the vulnerable part. (btw if this was not one part of exploit, even then it should be in part of the fix as the original code above can be exploited. I just looked at the code and saw this cos the original poster had mentioned something to do with pm text.) Wait for an official fix or at least don't blame me :D

For those using this fix, I have discovered that when you change this:

go to your vbplaza folder, find occurrences of the following:
includes/function_vbplaza.php
find around line 152(depending on the version you have)

$message = strip_tags($message);
make that
$message = htmlspecialchars($message);

when a user quotes another user, instead of them getting 3 or 5 vbBux (whatever you have set) for a regular reply, it in fact gives them 50+ for each quote

Acers, any idea why this would cause that?
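
Why the swap away from strip_tags() in the fix quoted above matters, as an added example (not vbPlaza code and not part of any post in this thread): strip_tags() removes only tag-shaped sequences and leaves quote characters untouched, while htmlspecialchars() encodes them. The render_gift() template, the helper names and the sample inputs are constructed for illustration; how vbPlaza actually echoes these fields is not shown on this page.

```php
<?php
// Added illustration; not vbPlaza code. Template and inputs are constructed.

/** Encode a value so it is inert in element text and in quoted attributes. */
function encode_for_html(string $value): string
{
    // ENT_QUOTES covers both " and ' regardless of the PHP version's default flags.
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

/** Hypothetical output template: the message lands in an attribute and in text. */
function render_gift(string $message): string
{
    return '<span class="gift" title="' . $message . '">' . $message . '</span>';
}

/** Parse the markup and report what the <span> really contains. */
function inspect_span(string $html): array
{
    libxml_use_internal_errors(true);   // keep parser warnings off the output
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();

    $attrs = [];
    $childElements = 0;
    $span = $doc->getElementsByTagName('span')->item(0);
    if ($span !== null) {
        foreach ($span->attributes as $attr) {
            $attrs[] = $attr->name;
        }
        foreach ($span->childNodes as $child) {
            if ($child->nodeType === XML_ELEMENT_NODE) {
                $childElements++;
            }
        }
    }
    sort($attrs);
    return ['attrs' => $attrs, 'child_elements' => $childElements];
}

/** True when the element carries anything the template author did not write. */
function context_escaped(string $html): bool
{
    $seen = inspect_span($html);
    return $seen['attrs'] !== ['class', 'title'] || $seen['child_elements'] !== 0;
}

// Constructed sample messages, including one that contains no tag at all
// but does contain the quote character that delimits the attribute.
$samples = [
    'plain text'      => 'Thanks for the points!',
    'tag-shaped'      => 'Thanks <b>a lot</b>',
    'quote break-out' => 'Nice" data-marker="injected',
];

foreach ($samples as $label => $input) {
    $before = render_gift(strip_tags($input));       // the call being replaced
    $after  = render_gift(encode_for_html($input));  // the call replacing it
    printf(
        "%-16s strip_tags: %-8s htmlspecialchars: %s\n",
        $label,
        context_escaped($before) ? 'ESCAPED' : 'ok',
        context_escaped($after) ? 'ESCAPED' : 'ok'
    );
}
```

The same check can be pointed at any template that echoes one of the seven fields listed in the post, to confirm that user text never adds attributes or elements to the page.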

giovannicosta
02-24-2007, 12:21 PM
when I click the link in the first post it says I don't have permission to access it

Shazz
02-24-2007, 12:41 PM
when I click the link in the first post it says I don't have permission to access it

:mad:

It's currently removed from vB.org until the exploit is either fixed or a new version comes out

tfusion
02-24-2007, 01:17 PM
arghh... Wish i find a download for it...

I heard it's only the PM part of the vbplaza that has the problem..

Black Widow
02-24-2007, 04:19 PM
can someone give me a download link of this hack so i can try to find a fix?

Shazz
02-24-2007, 04:32 PM
arghh... Wish i find a download for it...

I heard it's only the PM part of the vbplaza that has the problem..

Donation part :|

katilkuzu
02-27-2007, 12:06 AM
can someone give me a download link of this hack so i can try to find a fix?

also i need, i wanna try it

thank you

Acers
02-27-2007, 12:50 AM
Donation part :|
no it's not just the donations part, there are other areas also.
when a user quotes another user, instead of them getting 3 or 5 vbBux (whatever you have set) for a regular reply, it in fact gives them 50+ for each quote

Acers, any idea why this would cause that?
i have that option disabled, i will have a look. try using the second round of fix i had given, not the first one. They would use vBulletin's own cleaning class.

Shazz
02-27-2007, 02:00 AM
no it's not just the donations part, there are other areas also.

i have that option disabled, i will have a look. try using the second round of fix i had given, not the first one. They would use vBulletin's own cleaning class.

Other areas such as...
Is there a list?

I mean don't need to show where the exploit is, or anything just gives us areas

Acers
02-27-2007, 11:45 AM
well just see what part in the donation that can be exploited and see where else it occurs. There are till last count 7 areas. (I had missed one but Mysticales suggested a new one)
well there is no list cos this is as much as we have found out looking at the code.

JBMoney
02-28-2007, 02:31 PM
Does anyone have a distribution zip of this last version that they can forward on to me?

I recently did a lot of upgrading, lost my copy and I need to do some work with it, with or without bugs.

PM me if you do. Thanks.

Zia
03-01-2007, 05:23 AM
Does anyone have a distribution zip of this last version that they can forward on to me?

I recently did a lot of upgrading, lost my copy and I need to do some work with it, with or without bugs.

PM me if you do. Thanks.

i will try.
i gez vb don't have any objection for it.

jheigl
03-01-2007, 12:55 PM
i also need a version if anyone can send it to me

Shazz
03-01-2007, 02:57 PM
They closed and removed the thread temp. for a reason -.-

JBMoney
03-02-2007, 01:51 PM
They closed and removed the thread temp. for a reason -.-

HEY! Looks like you've read the thread too!!! :up:

VBUsers
03-03-2007, 05:12 AM
hope this gets fixed soon.

Shazz
03-03-2007, 05:16 AM
HEY! Looks like you've read the thread too!!! :up:

Errm ok?
What did that statement have to do with anything?

SyndicateZ3ro
03-04-2007, 03:58 AM
Anyone know when it will be back up?

Shazz
03-04-2007, 04:20 AM
Anyone know when it will be back up?

There is no exact date

Gsmdenis
03-05-2007, 02:36 AM
i have not permission to check about this , pls admin help check

Shazz
03-05-2007, 02:47 AM
i have not permission to check about this , pls admin help check

Because it has been removed...
If you take a peek at any page in this thread it will say that :l

myvbweb
03-05-2007, 07:40 AM
Hello, I wanted to know how to download vbplaza, but when I click on the link, it says

<<
myvbweb, you do not have permission to access this page. This could be due to one of several reasons:

1. Your user account may not have sufficient privileges to access this page. Are you trying to edit someone else's post, access administrative features or some other privileged system?
2. If you are trying to post, the administrator may have disabled your account, or it may be awaiting activation.
>>

How do I download the mod? Thanks.

Sooner95
03-05-2007, 02:57 PM
I am wondering if anyone reads the posts.

Deimos
03-05-2007, 02:59 PM
Well the creator of the hack hasn't been to these boards since early Feb, so I wouldn't count on it being fixed at all
I'd imagine he'll bring out a new version of the hack, but I don't see it happening anytime soon

Btw, has anyone thought of pooling some funds for CMS as an incentive to bring out the new version and a thankyou for all the fun his addon provides?

HMBeaty
03-05-2007, 03:45 PM
Btw, has anyone thought of pooling some funds for CMS as an incentive to bring out the new version and a thankyou for all the fun his addon provides?

It's already been done

myvbweb
03-05-2007, 09:47 PM
does anyone have the latest version? thanks.

Deimos
03-05-2007, 10:00 PM
It's already been done


Oh darn
Was this recently? or before this mod was taken down?

HMBeaty
03-05-2007, 10:02 PM
Both

Deimos
03-05-2007, 10:07 PM
Ah well..

fly
03-05-2007, 11:53 PM
does anyone have the latest version? thanks.

Yep, everyone but you!

Shazz
03-06-2007, 12:10 AM
Yep, everyone but you!

:rolleyes:
That just causes more confusion for newcomers lmao

fly
03-06-2007, 01:00 AM
:rolleyes:
That just causes more confusion for newcomers lmao

Does it matter at this point? lol

myvbweb
03-06-2007, 05:06 AM
Where can I get the latest version, even with the bug? What is the bug that is there right now?

Is there a place I can still d/l it?

HMBeaty
03-06-2007, 05:06 AM
Where can I get the latest version, even with the bug? What is the bug that is there right now?

Is there a place I can still d/l it?

No.

geevest.com
03-06-2007, 08:23 AM
I can't access https://vborg.vbsupport.ru/showthread.php?t=106953 what happened?

Shazz
03-06-2007, 11:42 AM
Please read the last page
As it has been stated in the last 10 pages +

BrandiDup
03-06-2007, 12:29 PM
Well the creator of the hack hasn't been to these boards since early Feb, so I wouldn't count on it being fixed at all
I'd imagine he'll bring out a new version of the hack, but I don't see it happening anytime soon

Btw, has anyone thought of pooling some funds for CMS as an incentive to bring out the new version and a thank-you for all the fun his addon provides?

I'd be more than happy to contribute to something IF there had been some sort of guarantee but the problem is that there hasn't even been a definite yes or no given. Additionally, when I installed this, I was under the impression that this was going to be supported. Since he hasn't been on in over a month and no word of any type of fix, even a temporary one, I don't know if I'm going to continue using it even if a new version does come out. I have to wonder if it will just be abandoned again. I know people get busy but crimeny. Just a simple log in to say "Hey, I'm working on a fix" or "Sorry, I'm not going to be updating" would be great.

I would be thrilled to pay for a store modification if that means it will be supported and updated, especially when there is a security issue.

Deimos
03-06-2007, 06:18 PM
Given that this hack has little/no support now, why does it still get to keep the "Premium" forum status?

Shazz
03-06-2007, 07:36 PM
Given that this hack has little/no support now, why does it still get to keep the "Premium" forum status?

What would the forum rather be?
Still should show appreciation to the past :p

Sinistra
03-07-2007, 07:13 PM
I would want this mod regardless the security edit this hack should have stated up and download at your own risk type thing because I need this hack

fly
03-07-2007, 08:18 PM
I would want this mod regardless the security edit this hack should have stated up and download at your own risk type thing because I need this hack

Might as well post your admin id/pass for your forums please. thx

Sinistra
03-07-2007, 08:34 PM
what a .htaccess for the admin CP lockout I sure do. I guess because my host supports it I mean you use that you shouldn't have many problems only you and your trusted staff have access to the admin CP

thetopday21122
03-07-2007, 10:53 PM
I can't see it.

HMBeaty
03-07-2007, 11:04 PM
I can't see it.

It's been taken down due to an exploit

Shazz
03-07-2007, 11:43 PM
It's been taken down due to an exploit

I can't download it, could you please repeat that.

HMBeaty
03-08-2007, 12:39 AM
I can't download it, could you please repeat that.

:) If only all these people could read, or better yet, SEARCH, Shazz, they would make everything so much easier on us and themselves

Shazz
03-08-2007, 01:05 AM
Make a thread about it summarizing it up, then get it requested to be stickied :p

*EDIT
you did know I was joking right?

HMBeaty
03-08-2007, 01:10 AM
Yes

And I think there's already been a request to have a sticky thread explaining all of this. But I'm positive people still would not read it.

Hayes
03-08-2007, 01:09 PM
This is hellish. I literally bought a vBulletin licence over a month ago with the sole intention of using this mod and it still has not been fixed/re-released. :(

Sinistra
03-08-2007, 07:23 PM
well according to the vBPlaza home forum I hope everyone is ready to shell out a few bucks to buy the script.

MThornback
03-08-2007, 08:29 PM
well according to the vBPlaza home forum I hope everyone is ready to shell out a few bucks to buy the script.

How bout not inciting riots :p are you sure you don't mean paying for the branding free option?

fly
03-08-2007, 11:41 PM
well according to the vBPlaza home forum I hope everyone is ready to shell out a few bucks to buy the script.

wtf are you talking about?

LisaD1
03-09-2007, 01:47 AM
well according to the vBPlaza home forum I hope everyone is ready to shell out a few bucks to buy the script.


What?

HMBeaty
03-09-2007, 01:58 AM
well according to the vBPlaza home forum I hope everyone is ready to shell out a few bucks to buy the script.

That's for the branding free option. Read it again

Tom_S
03-09-2007, 06:16 PM
A quick release to address a critical bug.

Get it at --> https://vborg.vbsupport.ru/showthread.php?t=106953

A NOTE: This will be one of the last releases of vbBux / vbPlaza in its V1.x format.

But do not fear, vbBux / vbPlaza V2.0 is in the pipeline and will be bigger and better than before :)

U ask how can it be bigger and better? Stay tuned!!!

-CMX

I would like to take a look at that but it says I don't have access and I am a licensed member. What is it I am not seeing access wise?

Shazz
03-09-2007, 07:37 PM
I would like to take a look at that but it says I don't have access and I am a licensed member. What is it I am not seeing access wise?

Read the posts above and only ONLY one page back

Sinistra
03-09-2007, 11:21 PM
How bout not inciting riots :p are you sure you don't mean paying for the branding free option?

wtf are you talking about?

What?

This v2.0 has taken up quite a bit of my time as well. In reality, the script is getting to where it has to become a paid script in the end. So the final release of v2.0 will probably be a "lite" for the vB.org and other vBulletin hacker sites community downloads. And the v2.0 Full version will be a purchased script. I hope this doesn't upset too many people, and I will try to keep the price very reasonable as I know this will be a popular script. IMHO, some of the other paid scripts out there just plain cost too much.
So I will be very fair with the pricing. When you see the price and the amount of new bells, whistles, items, admin security, and other features, you won't feel cheated in the slightest.

http://www.vbplaza.com/forums/showthread.php?t=237

about second to last paragraph?

cashpath
03-10-2007, 01:09 AM
It should be a paid script BUT once a bunch of people pay for it... I hope he doesn't abandon it like he did this time. Of course this is assuming 2.0 ever gets released.

HMBeaty
03-10-2007, 01:25 AM
Of course this is assuming 2.0 ever gets released.

Exactly

Shazz
03-10-2007, 01:34 AM
Request a forum close :|

HMBeaty
03-10-2007, 01:43 AM
Yes, PLEASE close this!!! CMX hasn't been on in the last month again, so this is most likely dead

Deimos
03-10-2007, 05:08 PM
Given the lack of updates and the fact he doesn't obviously have time to fix or release a new version
It'd be a bit odd to charge for a copy of the new VBPlaza unless he suddenly had free time to devote to maintaining it.
And yes, this thread should be closed, he hasn't even been on his own forums in 2? months, so it's doubtful we'll see a new version.

HMBeaty
03-10-2007, 08:51 PM
he hasn't even been on his own forums in 2? months, so it's doubtful we'll see a new version.

It's been longer than that. Try 7 months

LisaD1
03-10-2007, 10:53 PM
Honestly I have no issue paying for it and I am certain that my members would donate to it. I am certain that if the price is ok that others would too, BUT like the others, it would be a real tick off to "buy" it and then have the creator disappear again.
Or has someone else stepped up to the plate and taken over? I kinda get that idea.

Deimos
03-11-2007, 01:48 AM
It's been longer than that. Try 7 months
Sure about that?

"Last Activity: 01-10-2007 05:17 PM "

Shazz
03-11-2007, 01:49 AM
Now he's being stalked lmao