Major Additions - vBPlaza / vBux 1.6.0 (with security fixes)


eXtremeTim
05-03-2007, 10:00 PM
Edit: The staff who examined this have found that not all exploits detailed to the original author have been fixed in this version, plus permission was not obtained from the original author for this release, so therefore we have no alternative but to remove it again.


vbBux / vbPlaza v1.6.0 originally by CMX updated by eXtremeTim

v1.5.7 AND HIGHER are now compatible with vBulletin v3.5.x and v3.6.x :)

Welcome to the largest points/store system for vBulletin! READ THE ENTIRE POST AGAIN AS THERE HAVE BEEN CHANGES SINCE THE CONVERSION TO vbBux / vbPlaza!!

Credits: MrZeropage for ibProArcade Support, John for v3 Arcade Support, Caimakale for various additions including ribbons and his other addons for vbPlaza, defi for the addon for Paypal Subscriptions.

Now with 135 Options for purchasing at your forums and this is still rising folks!

NOTE: As of this version, there is a Template Patcher helper inside the Admin CP. Admin CP -> vbPlaza Maintenance -> Auto Patch Templates, when you run this the first time, it will just list the changes that it has found/not found. If you press Attempt Auto Patches, it will modify the template changes it has found only. It will also modify all styles for your forums. I have tested this on all 3 of my licensed vBulletin production websites and the patches all worked great.

UPDATED MUST READ NOTES:
1) RE-READ THE UPGRADING OR NEW INSTALLATION INSTRUCTIONS AS THEY HAVE CHANGED FROM THE PREVIOUS VERSIONS!!
2) IF UPGRADING FROM A PREVIOUS VERSION OF eBux / eStore, YOU MUST INSTALL THIS ONE FIRST TO SAVE YOUR SETTINGS. (BUT YOU WOULD KNOW THIS IF YOU READ THE UPGRADING INSTRUCTIONS!! DON'T SAY I DIDN'T WARN YOU!!)


Features List:
This section has been moved due to its length. Look in the file included inside the zip named features.txt.

Release Notes:
This section will only show the most recent changes. For the rest of the changes, look in the file included inside the zip named changes.txt.

NOTE: If you want ibProArcade, v3 Arcade or vBookie integration now, you'll have to install the appropriate Addon included in the download. The reason for these parts being packaged as Addons is to make the install a little smaller for users who do not have an Arcade, and because both Arcades can't be installed simultaneously as well. So it saves space only installing the one that you currently have.

v1.5.8 Updates:
1) Bugfix: Quick editing a post with BB Codes, modified the post directly instead of modifying a copy.
2) Bugfix: Some phrases fixed.
3) Bugfix: TABLEPREFIX bug has been fixed.
4) Bugfix: Addon Product XML sheets do not have executionorder in them anymore for vB 3.5 compatibility.

Database Backups Recommended!
Although I have upgraded 3 forums with this script already, it IS recommended that you backup your database before installing this product!!

Upgrading Instructions:
NOTE: THESE INSTRUCTIONS ARE FOR UPGRADING IF YOU HAD A PREVIOUS VERSION OF eBux / eStore INSTALLED!!
1) DO NOT UNINSTALL eBux / eStore (UNLESS YOU WANT TO LOSE ANY AND ALL SETTINGS.)
2) Reupload all of the files in the upload folder to your forum's root folder. Make sure that all files are being overwritten. Do not move on to the next step until all files are transferred successfully!
NOTE: It could take a long time to install if you have a lot of registered users, be PATIENT! It should display the messages as it goes along to let you know that it IS working.
3) After finished with step 2!! Reimport the product-vbbuxplaza.xml file via Admin CP -> Plugin System -> Manage Products -> Add/Import Product. Make sure that Allow Overwrite is set to YES.
4) Refresh the Admin CP and you will see all of the vbBux / vbPlaza Admin CP features at the top.
5) UNINSTALL THE OLD eBux / eStore NOW!! Go to Admin CP -> Plugin System -> Manage Products -> eBux / eStore -> Uninstall.
6) You can delete all files/folders that have the word estore or elottery in them from the FTP as well.
7) You will need to redo the template edits listed below as almost all of them have changed since the previous eBux / eStore.

If upgrading from a previous version of vbBux / vbPlaza follow these instructions:
1) Reupload all of the files in the upload folder to your forum's root folder. Make sure that all files are being overwritten. Do not move on to the next step until all files are transferred successfully!
2) After finished with step 2!! Reimport the product-vbbuxplaza.xml file via Admin CP -> Manage Products -> Add/Import Product. Make sure that Allow Overwrite is set to YES.
3) Refresh the Admin CP and get to checking your settings!
NOTE: You will be happy to know that NO templates have been updated from v1.5.0 to v1.5.2!

New Installation Instructions:
1) Upload all of the files/folders in the UPLOAD folder to your forum's root folder.
2) Import the product-vbbuxplaza.xml via Admin CP -> Manage Products -> Add/Import Product.
NOTE: It could take a long time to install if you have a lot of registered users, be PATIENT! It should display the messages as it goes along to let you know that it IS working.
3) Refresh the Admin CP and start setting up your settings!
4) You will need to do all of the template edits listed below as well.

Template Edits:
A) Inside templates 'postbit' AND 'postbit_legacy':

Find:
Code:
<div id="postmenu_$post[postid]">

Replace With:
Code:
<!-- vbPlaza start -->
<div id="postmenu_$post[postid]" <if condition="$post['namestyle']">style="$post[namestyle]"</if>>
<!-- vbPlaza end -->

Next Find:
Code:
<if condition="$post['usertitle']"><div class="smallfont">$post[usertitle]</div></if>

Replace With:
Code:
<!-- vbPlaza start -->
<if condition="$post['usertitle']"><div class="smallfont" <if condition="$post['titlestyle']">style="$post[titlestyle]"</if>>$post[usertitle]</div></if>
<!-- vbPlaza end -->

Then Find:
Code:
$vbphrase[posts]: $post[posts]

Replace With:
Code:
$vbphrase[posts]: $post[posts]
<!-- vbPlaza start -->
<if condition="$show['pointsinpostbit']"><br />
$vbphrase[vbbux_points]: $post[points]<br />
$vbphrase[vbbux_bank]: $post[bank]<br />
<phrase 1="$vbphrase[vbbux_points]">$vbphrase[vbbux_total_points]</phrase>: $post[totalpoints]<br />
<a href="vbplaza.php?do=donate&amp;userid=$post[userid]">$vbphrase[vbplaza_donate]</a><br />
</if>
<!-- vbPlaza end -->

Then Find:
Code:
<div>$post[icqicon] $post[aimicon] $post[msnicon] $post[yahooicon] $post[skypeicon]</div>

Add Below:
Code:
<!-- vbPlaza start -->
<if condition="$post['giftsdisplay']"><div class="smallfont">$post[giftsdisplay]</div></if>
<if condition="$post['ribbonsdisplay']"><div class="smallfont">$post[ribbonsdisplay]</div></if>
<!-- vbPlaza end -->

B) Inside template 'navbar':

Find:
Code:
<td class="vbmenu_control"><a href="calendar.php$session[sessionurl_q]">$vbphrase[calendar]</a></td>
<if condition="$show['popups']">

Add Below:
Code:
<!-- vbPlaza start -->
<if condition="$show['member']">
<if condition="$vboptions['vbplaza_enabled']"><td id="vbplazamenu" class="vbmenu_control"><a href="$show[nojs_link]#vbplazamenu">$vbphrase[vbplaza_name] $vbphrase[vbplaza_menu]</a> <script type="text/javascript"> vbmenu_register("vbplazamenu"); </script></td></if>
</if>
<!-- vbPlaza end -->

Then Find:
Code:
<!-- / NAVBAR POPUP MENUS -->

Add Above:
Code:
<!-- vbPlaza start -->
<if condition="$show['member']">
<!-- vbplaza tools menu -->
<div class="vbmenu_popup" id="vbplazamenu_menu" style="display:none">
<table cellpadding="4" cellspacing="1" border="0">

<tr><td class="thead"><a href="vbplaza.php?$session[sessionurl]">$vbphrase[vbplaza_name] $vbphrase[vbplaza_main]</a></td></tr>
<tr><td class="vbmenu_option"><a href="vbplaza.php?$session[sessionurl]do=action&amp;itemid=48">$vbphrase[vbplaza_lottery]</a></td></tr>
<tr><td class="vbmenu_option"><a href="vbplaza.php?$session[sessionurl]do=action&amp;itemid=27">$vbphrase[vbplaza_give_gifts]</a></td></tr>
<tr><td class="vbmenu_option"><a href="vbplaza.php?$session[sessionurl]do=action&amp;itemid=118">$vbphrase[vbplaza_give_ribbons]</a></td></tr>
<tr><td class="vbmenu_option"><a href="vbplaza.php?$session[sessionurl]do=action&amp;itemid=13">$vbphrase[vbbux_bank]</a></td></tr>
<tr><td class="vbmenu_option"><a href="vbplaza.php?$session[sessionurl]do=action&amp;itemid=7">$vbphrase[vbplaza_donate]</a></td></tr>
<tr><td class="vbmenu_option"><a href="vbplaza.php?$session[sessionurl]do=action&amp;itemid=16">$vbphrase[vbplaza_thief]</a></td></tr>

<tr><td class="vbmenu_option"><a href="vbplaza.php?$session[sessionurl]do=richestusers">$vbphrase[vbbux_richest_users]</a></td></tr>
<tr><td class="vbmenu_option"><a href="vbplaza.php?$session[sessionurl]do=userhistory">$vbphrase[vbplaza_history]</a></td></tr>
<tr><td class="vbmenu_option"><a href="vbplaza.php?$session[sessionurl]do=mostsold">$vbphrase[vbplaza_most_sold]</a></td></tr>

<if condition="is_member_of($vbulletin->userinfo, $vboptions['vbplaza_adminusergroups'])">
<tr><td class="thead">$vbphrase[vbplaza_admin_only]</td></tr>
<tr><td class="vbmenu_option"><a href="vbplaza.php?$session[sessionurl]do=action&amp;itemid=12">$vbphrase[vbplaza_admin_donate]</a></td></tr>
</if>

</table>
</div>
<!-- / vbplaza tools menu -->
</if>
<!-- vbPlaza end -->

C) Inside template 'MEMBERINFO':

Find:
Code:
<div class="bigusername">$userinfo[musername] $userinfo[onlinestatus]</div>

Replace With:
Code:
<!-- vbPlaza start -->
<div class="bigusername" <if condition="$userinfo['namestyle']">style="$userinfo[namestyle]"</if>>$userinfo[musername] $userinfo[onlinestatus]</div>
<!-- vbPlaza end -->

Next Find:
Code:
<if condition="$userinfo['usertitle']"><div class="smallfont">$userinfo[usertitle]</div></if>

Replace With:
Code:
<!-- vbPlaza start -->
<if condition="$userinfo['usertitle']"><div class="smallfont" <if condition="$userinfo['titlestyle']">style="$userinfo[titlestyle]"</if>>$userinfo[usertitle]</div></if>
<!-- vbPlaza end -->

Then Find:
Code:
<if condition="$vboptions['usereferrer']">

Add Above:
Code:
<!-- vbPlaza start -->
<if condition="$vboptions['vbbux_enabled']">$show[vbbuxuserinfo]</if>
<if condition="$show['gifts']">$show[gifts]</if>
<if condition="$show['ribbons']">$show[ribbons]</if>
<!-- vbPlaza end -->

D) Inside template 'forumrules':

Find:
Code:
<div><phrase 1="$htmlcodeon">$vbphrase[html_code_is_x]</phrase></div>

Add Below:
Code:
<!-- vbPlaza start -->
<if condition="$vboptions['vbbux_enabled']">
<if condition="!$show['codeonly']">
<hr />
<div><phrase 1="$vbphrase[vbbux_points]" 2="$foruminfo[points_perview]">$vbphrase[vbbux_points_perview]</phrase></div>
<div><phrase 1="$vbphrase[vbbux_points]" 2="$foruminfo[points_perthread]">$vbphrase[vbbux_points_perthread]</phrase></div>
<div><phrase 1="$vbphrase[vbbux_points]" 2="$foruminfo[points_perreply]">$vbphrase[vbbux_points_perreply]</phrase></div>
</if>
</if>
<!-- vbPlaza end -->

E): Inside template 'USERCP_SHELL':

Find:
Code:
<if condition="$show['avatarlink']">

Add Above:
Code:
<!-- vbPlaza start -->
<if condition="$vboptions['vbplaza_enabled']">
<tr>
<td class="$navclass[vbplaza]" nowrap="nowrap"><a class="smallfont" href="vbplaza.php?$session[sessionurl]do=editvbpoptions"><phrase 1="$vbphrase[vbplaza_name]">$vbphrase[edit_vbplaza_options]</phrase></a></td>
</tr>
</if>
<!-- vbPlaza end -->

F): Inside template 'threadbit':

Find:
Code:
$thread[title_editable]
<div>

Replace With:
Code:
<!-- vbPlaza start -->
$thread[title_editable]
<div <if condition="$thread['titlestyle']">style="$thread[titlestyle]"</if>>
<!-- vbPlaza end -->

vBulletin 3.5.x Only Edit:

Next Find:
Code:
<if condition="$show['gotonewpost']">
<strong><a href="showthread.php?$session[sessionurl]t=$thread[threadid]$thread[highlight]" id="thread_title_$thread[realthreadid]">$thread[threadtitle]</a></strong>
<else />
<a href="showthread.php?$session[sessionurl]t=$thread[threadid]$thread[highlight]" id="thread_title_$thread[realthreadid]">$thread[threadtitle]</a>
</if>

Replace With:
Code:
<!-- vbPlaza start -->
<if condition="$show['gotonewpost']">
<strong><a href="showthread.php?$session[sessionurl]t=$thread[threadid]$thread[highlight]" id="thread_title_$thread[realthreadid]" <if condition="$thread['titlestyle']">style="$thread[titlestyle]"</if>>$thread[threadtitle]</a></strong>
<else />
<a href="showthread.php?$session[sessionurl]t=$thread[threadid]$thread[highlight]" id="thread_title_$thread[realthreadid]" <if condition="$thread['titlestyle']">style="$thread[titlestyle]"</if>>$thread[threadtitle]</a>
</if>
<!-- vbPlaza end -->

vBulletin 3.6.x Only Edit:

Next Find:
Code:
<a href="showthread.php?$session[sessionurl]t=$thread[threadid]$thread[highlight]" id="thread_title_$thread[realthreadid]"<if condition="$show['gotonewpost']"> style="font-weight:bold"</if>>$thread[threadtitle]</a>

Replace With:
Code:
<a href="showthread.php?$session[sessionurl]t=$thread[threadid]$thread[highlight]" id="thread_title_$thread[realthreadid]"<if condition="$thread['titlestyle']"> style="$thread[titlestyle]"</if>>$thread[threadtitle]</a>

G): Inside template 'memberlist_resultsbit':

Find:
Code:
<a href="member.php?$session[sessionurl]u=$userinfo[userid]">$userinfo[musername]</a>
<if condition="$show['usertitlecol']"><div class="smallfont">$userinfo[usertitle]</div></if>

Replace With:
Code:
<!-- vbPlaza start -->
<div <if condition="$userinfo['namestyle']">style="$userinfo[namestyle]"</if>><a href="member.php?$session[sessionurl]u=$userinfo[userid]" <if condition="$userinfo['namestyle']">style="$userinfo[namestyle]"</if>>$userinfo[musername]</a></div>
<if condition="$show['usertitlecol']"><div class="smallfont" <if condition="$userinfo['titlestyle']">style="$userinfo[titlestyle]"</if>>$userinfo[usertitle]</div></if>
<!-- vbPlaza end -->

If you find any security issues please report them to me via pm so I can fix them asap. I have spent quite a bit of time reading through the code lately fixing any that I could find in the action modules.

I will be supporting this over at my site as well as here and for now I will continue to update it and improve on it.

CMX, if you do show up, please contact me so we can work out arrangements and possibly see about joining teams to continue the development on vbplaza / vbux.

I am not perfect so please if I missed any security exploits that I overlooked in the reading of this mass amt of code please report them via pm and not via the thread.

bold
05-04-2007, 09:11 AM
Hooray!

eXtremeTim
05-04-2007, 09:15 AM
Reserved

Report any bugs you find with the system so that I can finish fixing 3.6.5 compatibility issues.

Special characters are broken for now till I have time to fix the security exploits in a manner to not break them.

TTG
05-04-2007, 09:18 AM
Wow .. 1st install
Well done Tim .. great achievement if it now works as originally designed.

eXtremeTim
05-04-2007, 09:29 AM
I just want to state for the record that I will be maintaining this hack since the original author is nowhere to be found and unreachable.

Yours Truly
05-04-2007, 09:39 AM
Wow you will be L O V E D lol

ngocha85
05-04-2007, 09:40 AM
With 1.5.8, do you want to fix the security hole?
OK. This is everything you need to do:

Go to your vbplaza folder and find occurrences of the following. Just change the PHP function to vB's own cleaning class.

includes/function_vbplaza.php (line 152)

$message = strip_tags($message);

make that

$message = $vbulletin->input->clean($message, TYPE_NOHTML);

Go to vbplaza/action.admindonate.php (line 133)

$action['reason'] = strip_tags($action['reason']);

make that

$action['reason'] = $vbulletin->input->clean($action['reason'], TYPE_NOHTML);

Go to vbplaza/action.changeotherusertitle.php (line 136)

$newusertitle_stripped = strip_tags($newusertitle);

make that

$newusertitle_stripped = $vbulletin->input->clean($newusertitle, TYPE_NOHTML);

Go to vbplaza/action.changeusertitle.php (line 87)

$newusertitle_stripped = strip_tags($newusertitle);

make that

$newusertitle_stripped = $vbulletin->input->clean($newusertitle, TYPE_NOHTML);

Go to vbplaza/action.donate.php (line 164)

$action['reason'] = strip_tags($action['reason']);

make that

$action['reason'] = $vbulletin->input->clean($action['reason'], TYPE_NOHTML);

Go to vbplaza/action.gift.php (line 209)

$action['giftmessage'] = strip_tags($action['giftmessage']);

make that

$action['giftmessage'] = $vbulletin->input->clean($action['giftmessage'], TYPE_NOHTML);

Go to vbplaza/action.ribbons.php (line 218)

$action['ribbonmessage'] = strip_tags($action['ribbonmessage']);

make that

$action['ribbonmessage'] = $vbulletin->input->clean($action['ribbonmessage'], TYPE_NOHTML);

That's all!
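
The post above swaps strip_tags() for the forum's TYPE_NOHTML cleaning. As an added example (not part of the original post, and not vbPlaza or vBulletin code), the PHP below runs both approaches on the same values and reports which HTML-significant characters each one leaves unescaped and whether any of the user's text was lost. escape_nohtml() is a hypothetical stand-in that assumes TYPE_NOHTML cleaning trims the value and HTML-escapes it; the sample strings are constructed.

```php
<?php
// Added example: not vbPlaza or vBulletin code.
// escape_nohtml() is a hypothetical stand-in for TYPE_NOHTML cleaning,
// assumed here to trim the value and HTML-escape it.
function escape_nohtml(string $value): string
{
    return htmlspecialchars(trim($value), ENT_QUOTES, 'UTF-8');
}

// List the HTML-significant characters still present in raw form.
// Entities such as &amp; or &#039; are removed first, so only characters
// that were left unescaped are reported.
function raw_html_chars(string $output): array
{
    $rest = preg_replace('/&(?:#\d+|#x[0-9a-f]+|[a-z]+);/i', '', $output);
    $found = [];
    foreach (['<', '>', '"', "'", '&'] as $char) {
        if (strpos($rest, $char) !== false) {
            $found[] = $char;
        }
    }
    return $found;
}

// Run both cleaners on one value and summarise what each leaves behind.
function compare_cleaners(string $input): array
{
    $stripped = strip_tags($input);
    $escaped  = escape_nohtml($input);
    return [
        'strip_tags'        => $stripped,
        'strip_raw_chars'   => raw_html_chars($stripped),
        // true when strip_tags() altered the text the user typed
        'strip_changed'     => $stripped !== $input,
        'escaped'           => $escaped,
        'escaped_raw_chars' => raw_html_chars($escaped),
        // Escaping is reversible: decoding returns the trimmed input.
        'escaped_lossless'  =>
            html_entity_decode($escaped, ENT_QUOTES, 'UTF-8') === trim($input),
    ];
}

// Constructed sample values for a user title or gift message field.
$samples = ['Tim & "the crew"', "It's <b>bold</b>", 'I <3 vbPlaza', '1 < 2'];

foreach ($samples as $sample) {
    echo 'input: ', var_export($sample, true), "\n";
    foreach (compare_cleaners($sample) as $key => $value) {
        echo '  ', str_pad($key, 18), json_encode($value), "\n";
    }
}
```

Whether the cleaned value is later printed as element text or inside an attribute decides which of the reported raw characters matter.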

Hornstar
05-04-2007, 09:56 AM
Hey, awesome work, been waiting for ages for this. It's great to see it is supported! Thanks.

eXtremeTim
05-04-2007, 10:01 AM
I will be releasing an update shortly.

Yours Truly
05-04-2007, 10:11 AM
Do you have much planned as in new features or will you just be maintaining this?

eXtremeTim
05-04-2007, 10:17 AM
I will be adding new stuff in as I get the ideas together for them.

So yes, for now I will take over this modification and keep it updated and fix bugs etc.

1.6.0 repacked released; this fixed a few remaining security holes.

Yours Truly
05-04-2007, 10:18 AM
Like I said, you will be loved :D

Zowners
05-04-2007, 10:29 AM
Awesome :D

I will install asap :D

ngocha85
05-04-2007, 10:55 AM
@eXtremeTim: Thank you! :D

eXtremeTim
05-04-2007, 11:00 AM
You're welcome. :)

bing11
05-04-2007, 11:04 AM
thank you so much

Zowners
05-04-2007, 11:06 AM
That auto template patcher works like a charm and saved me 30 minutes! Thanks a lot :D

eXtremeTim
05-04-2007, 11:18 AM
Next up: fix the crons, since they don't work as of 3.6.4 and probably earlier on.

Zowners
05-04-2007, 11:30 AM
At the bottom of the store this is there:

vbBux / vbPlaza v1.5.8 coded by CMX at vbPlaza.com - Graphics done by tab @ MySpaceRocks.com

Are you going to change v1.6.0? :P

Also, have you fixed the crons, or are you doing it now?

I've installed this hack, set everything up, and have found no bugs so far. Excellent work!

nexialys
05-04-2007, 11:31 AM
This thread will become a love-in before long.. lol

MThornback
05-04-2007, 12:10 PM
You're my hero! :)

eXtremeTim
05-04-2007, 12:11 PM
I am already working on fixing the crons right now for the few tasks that need them.

Snake
05-04-2007, 12:17 PM
Wow! I've been waiting for this and it's finally here. Thanks for the update, Tim! :)

sola
05-04-2007, 12:30 PM
eXtremeTim, could you add to the main post (for the benefit of those not familiar with this hack) what it does? And maybe a link to see it at work? I've heard a lot about it, but I have no inkling what it does. Thanks.

eXtremeTim
05-04-2007, 12:35 PM
Repack 2 release which fixes the cron problem on 3.6.4 and up.