Disallow HTML code in Thread Titles v1.01

Staff Note:
Unmodified vBulletin will not evaluate HTML in thread titles. Using this modification without a hack installed that has security vulnerabilities is useless.

Also installing this modification, even with a modification installed that would make your board vulnerable to this type of HTML posting in thread titles, only will give you a false sense of security since there are many other options to exploit this, even without the use of the ">" character.

Everyone is encouraged to remove or update the vulnerable modification instead of using this hack.

Marco van Herwaarden.


By Jason Williams/Andrew Calderbank
03/09/2006

Recently there has been a spate of members posting html redirection code in thread titles, which when parsed on the forum homepage runs and redirects to whatever site they insert into the title.

This code simply disallows the characters < and > from being used in the thread titles, this is also is checked when editing the post.

It's fairly simple but puts to and end members signing up and posting redirect links. I don't know whether you'd class this as a hack or bug fix, but I hope this helps other members who are frustrated with this issue.

2 file edits
1 new phrase

Should be fairly straightforward to install.

**ALWAYS BACK UP FILES BEFORE YOU EDIT THEM!!**

v1.00

Original release

v1.01

Slight code update

Reserved for updates

Good idea, steadicamop.

edit: there seems to be a problem in: /includes/functions_newpost.php find:

error:
Warning: preg_match(): Delimiter must not be alphanumeric or backslash in /includes/functions_newpost.php on line 379

Good idea, steadicamop.

edit: there seems to be a problem in: /includes/functions_newpost.php find:

error:
Warning: preg_match(): Delimiter must not be alphanumeric or backslash in /includes/functions_newpost.php on line 379

Ok, replace the code for this:

elseif (preg_match('/<|>/',$vbulletin->GPC['title']))
eval(standard_error(fetch_error('nohtml')));

That should solve it.

Both those files have hooks, can these changes not be done via plugins ?

I'll look into remaking it as a plugin - I've never dealt with creating plugins before so it's something I will have to my research on.

Thanks for this! :)

Okay, just asking.

I think far more people are likely to make use of it if no file edits are involved. :)

Okay, just asking.

I think far more people are likely to make use of it if no file edits are involved. :)

Something I'm going to try and do right now :D

so even if you dont allow html they can still post html in thread titles? if thats the case it seems strange that vbulletin wouldnt patch that. as you could just do this all day long with a google search finding vbulletin sites. would suck to have to use a plugin, hack, php file edit what ever to stop it and secure your site.

Hello,

I was wondering if this security issue applies to 3.5.4 and will this fix work with 3.5.4? Or how to I get the same result making code changes with 3.5.4. Advice would be appreciated.



Thank You,

Nuguru :)

Isn't this a vBulletin bug you are fixing?

Ok, replace the code for this:

elseif (preg_match('/<|>/',$vbulletin->GPC['title']))
eval(standard_error(fetch_error('nohtml')));

That should solve it.
replace what code with that exactly ?

if (preg_match('/<|>/',$post['title']))
$errors[] = fetch_error('nohtml');

^^ that?

The ideea is very good , but i have a problem.

I wrote in the title a HTMl code and it worked (the html code) . I wrote the second time and the message :Could not find phrase 'nohtml' appeared.

Please tell me how can I solve the problem .

Thanks .

you need to add the phrase in the text file, its the last step in the instructions:

In the AdminCP -> Language & Phrases -> Phrase Manager -> Add New Phrase

Phrase Type : Front-End Error Messages
Product : VBulletin
Varname : nohtml
Text : Sorry, you are not allowed to post HTML in Thread titles, please go back and change it.

HTH

Vb 3.5.4 ? Please :rolleyes:

Thx ... these Guys tried it at my Project ! ;)

Vb 3.5.4 ? Please :rolleyes:

Have you tried searching for the code in the 3.5.4 files (I'm not totally sure whether postings.php exists in that version), it's something I could look into for that version too.

replace what code with that exactly ?

if (preg_match('/<|>/',$post['title']))
$errors[] = fetch_error('nohtml');

^^ that?

Only replace the code with that if you installed v1.00 - which I think didn't last too long before the update, the new file has the correct code in.

Have you tried searching for the code in the 3.5.4 files (I'm not totally sure whether postings.php exists in that version), it's something I could look into for that version too.

it does exist but the coding for the includes/functions_newpost.php (or something like that) is different so it can't work with 3.5.4 :cry: if you could do one for 3.5.4 it would be greatly appreciated as someone is constantly doing it to my forum.

Hello,

I was wondering if this security issue applies to 3.5.4 and will this fix work with 3.5.4? Or how to I get the same result making code changes with 3.5.4. Advice would be appreciated.



Thank You,

Nuguru :)

Hello,

I was wondering if this fix works for vb 3.5.4? If not, is there a way it could?


Thank You,

Nuguru :)

I did that what you said , but nothing changed .

Not working at all for me

You can add this HTML-stuff do your bad word list, this works fine at my board.

For those working in vb3.5.4, try this quick fix I found here (http://www.vbulletin.com/forum/showthread.php?p=1204007#post1204007).

Go into you AdminCP and under vB Options choose Censorship Options.

In the Censored Words window add this.

{meta} >>>> {http-equiv} "Refresh" """"That will put an end this nonsense.

Great idea lol :)

You can add this HTML-stuff do your bad word list, this works fine at my board.

Good work ;)

hi i can't found in my Admin Cp this Phrase Type : Front-End Error Messages. can any one help me i using vbb 3.6

vBulletin does not allow HTML code in thread titles, the problem is the TopXStats modification which does absolutely no checking before storing / displaying data.

I'm thinking this thread should be closed since its going to cause a misconception that its a vBulletin problem, the much easier solution is to fix your TopXStats modification.

It also doesn't fix the cases where you can use things other than >, what about injecting a new parameter.

" onmouseover="window.location='www.hax0r.com'"

That should work as a title as well.

<font size="3">Staff Note:
Unmodified vBulletin will not evaluate HTML in thread titles. Using this modification without a hack installed that has security vulnerabilities is useless.

Also installing this modification, even with a modification installed that would make your board vulnerable to this type of HTML posting in thread titles, only will give you a false sense of security since there are many other options to exploit this, even without the use of the ">" character.

Everyone is encouraged to remove or update the vulnerable modification instead of using this hack.</font>

vBulletin does not allow HTML code in thread titles, the problem is the TopXStats modification which does absolutely no checking before storing / displaying data.

I'm thinking this thread should be closed since its going to cause a misconception that its a vBulletin problem, the much easier solution is to fix your TopXStats modification.

It also doesn't fix the cases where you can use things other than >, what about injecting a new parameter.

" onmouseover="window.location='www.hax0r.com'"

That should work as a title as well.

so your saying TopXStats still needs to be fixed? or the new version fixed the problem? sorry for posting this in this thread but I figured you wouldnt see it in that one.

The new version of TopXStats should solve all known exploits in that modification.

thanks Marco and thanks for the response.

Staff Note:
Unmodified vBulletin will not evaluate HTML in thread titles. Using this modification without a hack installed that has security vulnerabilities is useless.

Also installing this modification, even with a modification installed that would make your board vulnerable to this type of HTML posting in thread titles, only will give you a false sense of security since there are many other options to exploit this, even without the use of the ">" character.

Everyone is encouraged to remove or update the vulnerable modification instead of using this hack.

If this is causing issues, please delete it, I'd rather not cause confusion or issues for other members.

Jason