eval() language construct
Does anybody know whether vb or vbSEO is utilizing the eval() language construct or not? I would like to disable that, cause the majority of hacking attacks seem to be done through eval() execution of base64 encoded shell commands.
As far as I checked the files and templates it seems the coders have tried to wrap an equal function to get eval-able results. So far it's looking good... but there is this little residual risk - and I just don't want to break the live site and become beaten up ;)
tbworld
12-04-2013, 05:37 AM
'Eval' is used extensively throughout vBulletin.
Damn it, :eek:
I run the search in the archives for eval() instead of eval. I'm such a nut..
Note to myself: check, think, check again, ask a buddy face to face and drink your first coffee before you start making a fool out of yourself...
AusPhotography
12-04-2013, 06:21 AM
Eval is ok when used properly, but it can suffer the same problem as an SQL injection.
We don't ban SQL, we just use it properly
I wasn't referring to a potential security hole in vb or addons. I guess with all the coders here a security issue wouldn't stay undetected very long. We are running some other non-vb related things on the server and at least one was known for a security risk regarding eval'd code. The hole should have been patched in the latest version as the programmers say, but...ya never know.
demdev
04-08-2014, 11:37 AM
Hey Marv...you're hip to the eval switch right? Most scanners won't find the rogue if it gets switched to a lave......
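The thread's two detection points (eval() fed base64-decoded data, and a scanner that greps only for the literal name missing a reversed "lave") can be checked together. The sketch below is an added example, not code from any poster or from vBulletin; the watchlist, rule names and sample PHP lines are constructed for illustration, and a hit is a lead for manual review, not proof of compromise.

```python
import re

# Assumed watchlist: names worth a second look when hidden inside string literals.
WATCHLIST = {"eval", "base64_decode", "gzinflate", "assert"}

# Direct call, optionally wrapping a decoder: eval(base64_decode(...))
CALL_RE = re.compile(r"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate)?", re.I)
# A run of quoted literals joined by PHP's concatenation operator: 'ev' . 'al'
CONCAT_RE = re.compile(r"""(?:(['"])[^'"\\]*\1\s*\.?\s*)+""")
LITERAL_RE = re.compile(r"""(['"])([^'"\\]*)\1""")


def hidden_names(line):
    """Watchlist names spelled by string literals, forwards (split) or reversed."""
    found = set()
    for run in CONCAT_RE.finditer(line):
        joined = "".join(m.group(2) for m in LITERAL_RE.finditer(run.group(0))).lower()
        for name in WATCHLIST:
            # Exact match only, so an ordinary word such as 'slave' is not flagged.
            if joined == name:
                found.add((name, "split-or-quoted"))
            elif joined == name[::-1]:
                found.add((name, "reversed"))
    return found


def scan(source):
    """Return (line_number, rule, name) findings for PHP source text."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        m = CALL_RE.search(line)
        if m:
            rule = "eval-of-decoded-data" if m.group(2) else "direct-call"
            findings.append((no, rule, m.group(1).lower()))
        for name, how in sorted(hidden_names(line)):
            findings.append((no, "hidden-name-" + how, name))
    return findings


# Constructed sample input, not taken from any real site.
SAMPLE = r'''<?php
eval($compiled_template);
eval(base64_decode($blob));
$f = strrev('lave');
$g = 'base' . '64_' . 'decode';
$role = 'slave';
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

On a code base that uses eval extensively, the "direct-call" rule is mostly noise; the decoded-data and hidden-name rules are the ones worth triaging first.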