PDA

View Full Version : Side-effects of Custom Who's Online


Gratisites
01-09-2008, 11:41 PM
Hello,
I paid a freelance programmer to find this solution for me, but since I'm not familiar with vBulletin code I'm a little worried to put his hack live because of potential side effects.

The point of the hack was to get who's online to track what people do on non-vB custom scripts. I'm using 3.6.8 Patch 2... here's what I've done:

includes/functions.php

Line 5,201, commented out the exit; on the print_output function

Added this at the top of my custom script, let's call it TEST_SCRIPT.php (my forums are in /forums/ and my script is in a level back so I needed to go this route)
$curdir = getcwd ();
chdir('./forums');
require_once('./global.php');
chdir ($curdir);Added this to the bottom of my custom script
print_output('<!--log-->', false);
mysql_query("update session set location='TEST_SCRIPT.php' where userid = '".$vbulletin->userinfo[userid]."' and host='".getenv(REMOTE_ADDR)."'");
echo(mysql_error());Then we added the references to that file in includes/functions_online.php and we were done. Who's online was now working 100% and tracking what guests / members were doing.

The part that has me paranoid is commenting out that "exit;". I'm sure it was there for a reason, have I opened up a pandoras box of problems or will I be fine? What are some side effects of not exiting that function right there?

Thank you in advance for your support.

sarahk
01-10-2008, 04:27 PM
I've re-read your post a few times and I'm not quite sure I follow it all.

However i'm concerned that your coder needed to change the directory to get his code to work ... so I'd wonder about the quality of the rest. Smacks of the newbie coding I did 8 years ago ;)

He also hasn't used internal vB database handling which is simpler but doesn't utilise some of the safeguards vB has provided.

Can "getenv(REMOTE_ADDR)" be hacked? Can it be used for an injection? You might want to check that too.