Who do I contact in regards to a bug/glitch issue for vbplaza?


Mysticales
01-17-2007, 03:35 AM
Hey all.. before I post this to you all directly with the fix for the bug in question... I have sent a msg to the admins of this forum and the main Coder himself.. However since I notice the coder has not been here since July 2006.. I am not sure who else to contact 1st.

Was wondering if anyone else knows. I wish to provide a fix for an issue that can stir up some trouble for forums when using a specific action in the plaza.

If I cannot reach anyone, I will provide the fix here myself for users to prevent issues on their forums. Thanks.

Mysticales
01-27-2007, 01:03 AM
Anyone? Or do I just post the issue and solution?

Shazz
01-27-2007, 01:17 AM
It's not supported... =\

Mysticales
01-27-2007, 05:32 AM
What isn't?

mikeylikesitz
02-03-2007, 04:33 PM
this hack, the author has abandoned it.

tester987654
02-03-2007, 09:11 PM
this hack, the author has abandoned it.

Are you saying that CMX isn't working on vbplaza anymore? Is this a *for sure* thing? BTW... does anyone have or know someone who has ibproarcade and vbplaza successfully integrated?

mikeylikesitz
02-03-2007, 09:20 PM
there is no confirmation, but the author hasn't been on since July and there have been no more updates and there are bugs everywhere. I have ibproarcade and vbplaza working

tester987654
02-03-2007, 10:34 PM
there is no confirmation, but the author hasn't been on since July and there have been no more updates and there are bugs everywhere. I have ibproarcade and vbplaza working

Ah well, guess that makes sense.

OMG! You have the plaza and ibpro working?! Could you help me out? I've been struggling w/ trying to find someone that might know what's wrong...

I'm having probs w/ my vbplaza and arcade (namely the jackpot). All the admin cp settings are activated and set right... it should cost 10 per game to play but points aren't being deducted. Also, I have the raised jackpot turned on but it won't raise, nor is it awarded. Did you ever have this prob? Have any idea how to fix it?

MANY Thanks. :)

mikeylikesitz
02-05-2007, 11:09 PM
well as of now this hack is suggested to be disabled due to a XSS vulnerability

UncoderMom
02-06-2007, 12:36 AM
PLEASE release your fix! lol

tester987654
02-06-2007, 02:27 AM
well as of now this hack is suggested to be disabled due to a XSS vulnerability

What is an XSS vulnerability? And does that mean it won't work at all even tho it's installed on my forum?

Sheesh... this is a bummer - I'm eager to get my forum "live" and yet here is another delay... ACK! lol

But BTW, did you ever have the jackpot issue I mentioned?

BrandiDup
02-06-2007, 12:34 PM
What is an XSS vulnerability? And does that mean it won't work at all even tho it's installed on my forum?

Sheesh... this is a bummer - I'm eager to get my forum "live" and yet here is another delay... ACK! lol

But BTW, did you ever have the jackpot issue I mentioned?

It will still work if you keep it installed. However, the vulnerability can open your site up to being hacked. So, I would strongly recommend you uninstall.

subnet_rx
02-08-2007, 01:55 PM
I'd either like to see the vuln so I can patch it myself, or see a patch released. My members are acting like they can't live without getting a few cents per post.

Mysticales
02-14-2007, 10:32 AM
Well the author contacted me btw, I gave him the info I have. Also, yes I know about the XSS one too. If you wanna patch that real quick like, go to the "Manage Items" and for "Donate" set it to "No" for Send PM to user.

That's one of em. The most commonly used. I won't say what the user could do since I don't know if it's allowed or not. But yea, that should set you back up.

Either way was a couple things I patched for and so far smooth sailing again. Will wait for the author to reply back again.

Oh I will say this, should someone need me, just send me a PM or so, I'll see what I can do. Only reason I don't post anything is cause I am not sure it's my place to say it out in public or release a patch without the author's OK.

darkilla2
02-14-2007, 07:35 PM
did u get ibpro and vbplaza to successfully give out and deduct points?

Mysticales
02-15-2007, 03:10 AM
Hrm.. I mean seems to work for me, I mean arcade works fine, normal users can buy arcade passes and then pay per play while subscribed users get it for free. I mean if you wanna see the work I do, http://forums.qj.net

Acers
02-15-2007, 04:30 AM
well the donate is not the only problem btw
you can reproduce the same bug with all things that send pm. (gift, ribbon etc, where the user is typing a message)
the simplest method to fix this is clean the input as I had written in the other thread.
The only problem being that only the author or the admins would know of any other vulnerabilities apart from this one, that's why we can't claim that it is a fix.

Mysticales
02-15-2007, 05:03 AM
The main issue basically is that it doesn't have certain text input checking... which I added on mine to avoid it. Yes the author has to be the one to look at it, however if not, we may just release the patch.

Basically I think the biggest thing is to not allow it to use any form of scripts or ascii that isn't standard.. that would solve a lot right there.

Acers
02-15-2007, 11:14 AM
That's what I said.. instead of strip tags just make that htmlentity and it will protect you from xss exploit. You have to do that at 5-6 places. (HERE (https://vborg.vbsupport.ru/showpost.php?p=1176508&postcount=84))
the only issue being if someone can confirm that's the only issue .. lol
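
Added example, not part of any post in this thread and not vbplaza's own code: a comparison of stripping tags versus entity-encoding user-typed message text, the change suggested in the post above. The function names and sample messages are constructed for illustration, and `htmlspecialchars` is used here as the narrower sibling of `htmlentities`.

```php
<?php
// Added illustration; not vbplaza or vBulletin code.
// Function names below are hypothetical.

// Tag stripping: removes anything that looks like a tag. It leaves quotes
// and ampersands untouched and can drop legitimate text that merely
// contains a '<' character.
function clean_with_strip_tags(string $msg): string
{
    return strip_tags($msg);
}

// Entity encoding: keeps every character the member typed, but encodes the
// ones HTML treats as markup so the browser renders them as plain text.
function clean_with_entities(string $msg): string
{
    // ENT_QUOTES encodes both " and ', which matters when the value ends up
    // inside an HTML attribute. ENT_SUBSTITUTE replaces invalid UTF-8
    // sequences instead of returning an empty string.
    return htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample messages a member might type into a field that is
// later sent as a PM (donate, gift, ribbon).
$samples = [
    'Thanks for the gift!',
    'Use <b>bold</b> & "quotes" freely',
    "It's 5>3 and a<b, right?",
];

foreach ($samples as $msg) {
    printf("input      : %s\n", $msg);
    printf("strip_tags : %s\n", clean_with_strip_tags($msg));
    printf("entities   : %s\n\n", clean_with_entities($msg));
}
```

The encoding has to be applied at every place where user-typed text is written into a PM, which the post above puts at 5-6 places.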

AuroraStorm
02-17-2007, 11:48 PM
If that's the fix to it, can somebody post the zip? I have to reinstall it but I can't find it anywhere...

Mysticales
02-18-2007, 12:03 AM
If that's the fix to it, can somebody post the zip? I have to reinstall it but I can't find it anywhere...

Issue is.. some of us know and fixed by hand.. however, we don't wanna release anything since it's up to the author to look and get back to us on things. Not that we patch with an unofficial thing and something else goes wrong. But the author IS alive, he PMed me recently about things. =)

Hornstar
02-18-2007, 10:02 AM
Issue is.. some of us know and fixed by hand.. however, we don't wanna release anything since it's up to the author to look and get back to us on things. Not that we patch with an unofficial thing and something else goes wrong. But the author IS alive, he PMed me recently about things. =)

could you release an unofficial release tut or file on how to fix things that you are aware of.

That way we can use it at our own risk for the time being. also i'm sure if you release a fix, the admins at this site would be able to test if any of the exploits still existed in your fix.


as an example of a fix tut, all you would have to do is something like this.

file: file name
find this: dikgjdijdjf
change to this: jdgjdiogjd

template: xyz
find this:ikdgkdgd
change to this:digidg

That way we can make the changes ourselves if you can't release a file.

Thanks for anything you can offer, if not, it's cool, and hopefully you will be able to keep us updated with anything you hear.

Thanks.

AuroraStorm
02-18-2007, 11:56 AM
Issue is.. some of us know and fixed by hand.. however, we don't wanna release anything since it's up to the author to look and get back to us on things. Not that we patch with an unofficial thing and something else goes wrong. But the author IS alive, he PMed me recently about things. =)

Thank you for your response...it's very appreciated...next to the Arcade, it's the most popular thing on my board. I'll just have to be patient and wait and hope the author comes back with it...

Mysticales
02-18-2007, 11:12 PM
I'll give it another week before I release my notes. This way I know nothing else on my forum got messed up or is at risk.

Hornstar
02-18-2007, 11:26 PM
I'll give it another week before I release my notes. This way I know nothing else on my forum got messed up or is at risk.

Thanks.

Mysticales
02-19-2007, 01:08 AM
Just rem, there are 2 things to consider.
1: You patch like me and thus removing some function as it was designed.
or
2: You attempt to use html strippers, etc that should in theory negate any harmful script or text input.

Oh yea, forgot, there is an Apache mod too for harmful scripts...

In a nutshell, I may give my users elements from the items, but I may disable things from it. All I know is nothing too major has come up yet with all the stuff I do. =) Just wish I had a way to upgrade to 3.6 without losing all my work.. sigh... that's the only reason I don't upgrade is because I have a lot of custom coded work in there.