Quote:
Nuguru :) |
I'm sorry for not fixing the problem sooner, but when I got an email saying that there was a problem I patched my own code. Apparently when the vB.org admins patched this version though, they only patched one instance. Anyway, I've uploaded the version CURRENTLY running on my site (which a "hacker" tried to attack but was unsuccessful and got laughed away). My version also shows the full security-friendly version of the title when you mouse over the truncated version in the latest threads, and also adds the missing phrases to vB3.6 versions.
|
InfiniteWebby, nice to see you come back and fix the problem. Not too many would come back and do that.
|
Thanks for the update.
|
OH BOY, the zip was there, now it's gone. Did something happen? Ahh, I see, n/m.
|
Quote:
I have made the changes suggested earlier in this thread: Quote:
I am using 3.5.4 with Top Stats 1.6.1a. Thank you for the effort! Nuguru :) |
Personally I would remove it and reinstall it to be sure. I mean the hack takes 2 mins to set up. And I don't think I would keep the other code installed.
|
Code:
Database error in vBulletin 3.5.2:
I get this error now, anyone know why? |
When trying to import product. Trying to overwrite.
3.5.2
Database error in vBulletin 3.5.2:
Invalid SQL:
### INSERT QUERY GENERATED BY fetch_query_sql() ###
INSERT INTO plugin (`active`, `executionorder`, `title`, `hookname`, `phpcode`, `product`) VALUES ('1', '5', 'Top \'X\' Stats by InfiniteWebby', 'cache_templates', 'if (THIS_SCRIPT == \"index\" OR THIS_SCRIPT == \"topXstats\") {\r\n\r\n global $globaltemplates;\r\n\r\n $globaltemplates = array_merge($globaltemplates, array(\'topXstats_stats_bit\', \'topXstats_member_bit\', \'topXstats_poster_bit\', \'topXstats_thread_bit\'));\r\n\r\n}', 'topXstats');
MySQL Error : Unknown column 'executionorder' in 'field list'
Error Number : 1054 |
I've uploaded a 3.5.x version of the fixed modification. If you are using 3.5.x please make sure that you download and use the 3.5.x zip file.
|
Thank you very much for the fix :)
One last question (a stupid one I admit...does not regard the vulnerability fix).
Take a look at the screenshot: http://www.beyondfear.de/da.jpg
The previous TopXStat version I had installed was German (I don't remember where I got that one), but the one I downloaded here is English, so now I want to change back the descriptions into German (Top Posters, Newest Members and so on). Which file/template do I have to look into? I have absolutely no idea, couldn't find it yet :( Please help! Thanks!
Edit: Fixed version works fine :) They registered again and tried to do their little trick (:D) but it didn't work this time :) |
Thank you for fixing this plugin. It's a great plugin I might add, the perfect addition to any VB install. Also being updated by email each time the plugin is updated is also a lifesaver :)
|
Quote:
However I know it's a popular hack, and I just wanted to say you are to be applauded for coming back and adding all the required fixes, security issues can happen with any code, what is important is that it is fixed. |
your templates are not grouped ....
product Top'X'Stats hook location "template_groups" php code PHP Code:
all done |
Quote:
Where are you adding that to? |
Quote:
Quote:
Update : Quote:
|
It's right there 1.2.2
|
Yeah I forgot to post that I had got it. But thanks for replying. This way maybe it helps others.
|
The 3.6.x update was the one with no suffix. I've added a suffix to it so that it is clearer which zip is for which version.
|
I like this hack.. But I seem to be getting a lot of people signing up on my website to try and use the exploit. I had to close down my registration hoping they'd go away, but nope.. I checked out my site's search refs, and sure enough topxstats.php is there... Is there any way to make it viewable to users only? I had to uninstall this hack even though it's been patched =/
thanks |
Hi,
Yes, even though the plugin has been updated with the apparent fix, users are still managing to redirect the forum via it. Any idea why? Thanks |
The fix doesn't work with other characters like: French, Chinese ....
|
lol, what are they redirecting it with, French, Chinese and so on now?
|
How about censoring < and >? I'm sure they are the same in any language. :)
|
To completely remove this product do I need to do anything besides uninstall the product via the admincp, and delete the .php file?
-Raymond |
Could someone please give an example of the other language exploit mentioned above? I'd like to test it on my forum to see what happens.
|
Personally I don't think that's a good idea to post it here on the site; I don't think the staff would either. I know the new version is patched and working.
|
I did the patch too and it still got hacked again using this..
I like the feature but I am uninstalling it !!!!!!!!!!!!!!! |
How about a version for the vbb 3.6 gold?
|
One for 3.6 is right at the top.
|
Hmm, it's strange all these new people want a link so they can bypass it. I don't think they had the newest version installed.
|
I don't see any bugs in the new one... looks clean
|
I ran just the upgrade yesterday, but someone still got through today. I uninstalled the hack then reinstalled it to see if that helps.
|
That's strange indeed. The fix I implemented on my own has not failed me yet, with the most recent attack attempt today. I've not examined the official patch yet, but from the discussions here it seems to basically be based on what I posted, so if there is still a problem with the fix, I'd certainly like to know about it.
|
Yeah, looks like the security fix hasn't fixed this at all. :\
Just got attacked with it. |