vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   Modification Graveyard (https://vborg.vbsupport.ru/forumdisplay.php?f=224)
-   -   Miscellaneous Hacks - Rules and User Agreement Hack (https://vborg.vbsupport.ru/showthread.php?t=97699)

JD210 04-24-2006 03:52 PM

Quote:

Originally Posted by vibe
When I click on agree and submit, browser takes me to this URL

Code:

http://www.agalico.com/php/php.exe?f=65...

Security Alert! The PHP CGI cannot be accessed directly.

This PHP CGI binary was compiled with force-cgi-redirect enabled. This means that a page will only be served up if the REDIRECT_STATUS CGI variable is set, e.g. via an Apache Action directive.


I ran into the exact same problem. Any idea why and what is causing it?

bashy 04-26-2006 04:58 PM

Hi peeps

I appear to have an uncached template for "forumrules"
The only thing that I can think of that's caused this would be this hack perhaps?

Can anyone advise please?

Rude Awakening 04-28-2006 02:08 PM

UAE, if you ever manage to see this, I've got a slight problem. I've noticed that some of the other guys have this issue too.

I wanted the Rules hack to only work for the Registered Users and not Guests. I wanted the Guests to freely surf the forums, but once registered, required to accept the Rules.

Right now even a guest is required to accept the hack, which is pretty bad for crawlers and bots. I might be missing something, but until then I'll have to uninstall.

Thanks.

Update:

Although I didn't find a way to solve the problem above, I did find a way around it. Instead of having it show up when "viewing" a thread, I switched it to "new thread" and "new reply". Guests can't post replies or new threads on my forums anyway. :)

Sometimes you just gotta beat the system ;)

Bubble #5 05-04-2006 01:08 AM

How should we fix this?

Instead of becoming part of the Forums and Moderators section, it started its own Forum and Moderators section so now we have two of them showing :(

How/where do we rename it?

Bubble #5 05-04-2006 01:20 AM

What are the two new templates called, and where (what section) can we find them?

SimCityForum 05-04-2006 11:35 PM

I've discovered one can force a SQL error by adding a single quote to a URL for a registration confirmation (e.g. http://gfxcontests.com/register.html?a=act&u=312&i=19120597'). Apparently there isn't any error checking to clean URLs of stray single quotes before passing them into the SQL string to look for rules that belong to said URL.

A full version of the error result is:
Code:

Database error in vBulletin 3.5.3:

Invalid SQL:
SELECT * FROM tblruleshack
                        WHERE (fileurl LIKE 'http://gfxcontests.com/register.html?a=act&u=312&i=19120597'' AND exactmatch = 1 )
                        OR (fileurl LIKE 'http://gfxcontests.com/register.html%' AND exactmatch = 0 ) AND active = 1 ORDER BY ruleid;

MySQL Error  : You have an error in your SQL syntax.  Check the manual that corresponds to your MySQL server version for the right syntax to use near 'http://gfxcontests.com/register.html%' AND exactmatch = 0 ) AND
Error Number : 1064
Date        : Thursday, May 4th 2006 @ 08:30:57 PM
Script      : http://gfxcontests.com/register.html?a=act&u=312&i=19120597'

Notice how the extra single quote fed into the URL passes straight into the SQL statement. I could see someone exploiting this to force a SQL injection.

The solution to this error is to find the following statements in the product-rulesagreement.xml file:
Code:

                  // $urluri and $scripturl1 are derived from the requested URL and are
                  // pasted into the SQL string as-is, so a quote in the URL ends the literal
                  $ruleneed = $vbulletin->db->query_first("SELECT * FROM " . TABLE_PREFIX . "ruleshack
                        WHERE (fileurl LIKE '" . $urluri . "' AND exactmatch = 1 )
                        OR (fileurl LIKE '" . $scripturl1 . "%' AND exactmatch = 0 ) AND active = 1 ORDER BY ruleid");

AND

Code:

                $sql = "SELECT * from " . TABLE_PREFIX . "ruleshack
                        WHERE
                        (
                        (forumid = $fid)
                        OR
                        (fileurl LIKE '" . $urluri . "' AND exactmatch = 1 )
                        OR
                        (fileurl LIKE '" . $scripturl1 . "%' AND exactmatch = 0 )
                        OR
                        (forumid IN ($parents))
                        )
                        AND
                        (ruleid not in (" . $vbulletin->userinfo['agreedrule'] . "))
                        AND
                        active = 1
                        ORDER BY ruleid";

and add the following code above the two statements above:
Code:

                  // addslashes() puts a backslash before ' " \ and NUL, so a quote in the
                  // requested URL can no longer terminate the string literal in the queries
                  $urluri = addslashes($urluri);
                  $scripturl1 = addslashes($scripturl1);

If you have already installed this mod, then use the plugin manager to find "Hook Location : parse_templates" and edit "Rules And User Agreement" to add in the code above.
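
The post above shows the failing query and an escaping fix. The following is an added example (not code from the thread, nor from the hack or vBulletin) that reproduces the same failure and compares the fixes. It uses an in-memory SQLite table as a stand-in for the hack's MySQL table (the table layout and the sample rows are constructed for the demo), builds the first query exactly the way the hack does, and then runs a quote-escaped version and a bound-parameter version. Because SQLite has no backslash escapes, the escaping helper here doubles the quote (the SQL-standard form, which MySQL also accepts) rather than emitting the backslash form that PHP's addslashes() produces. The last two calls show a point the thread does not make: escaping the quote keeps the query valid, but a `%` in the requested URL still acts as a LIKE wildcard under the "exactmatch = 1" branch, so the hardened version compares that branch with `=` instead.

```python
import sqlite3

# Constructed sample rows; column names follow the query quoted in the thread.
# Row 1 is an "exact match" rule, row 2 a "prefix match" rule.
RULES = [
    ("http://example.test/register.html?a=act", 1, 1),
    ("http://example.test/showthread.php", 0, 1),
]


def make_db():
    """In-memory SQLite stand-in for the hack's MySQL table (assumed columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ruleshack (ruleid INTEGER PRIMARY KEY, "
                 "fileurl TEXT, exactmatch INTEGER, active INTEGER)")
    conn.executemany("INSERT INTO ruleshack (fileurl, exactmatch, active) "
                     "VALUES (?, ?, ?)", RULES)
    return conn


def build_query(urluri, scripturl1):
    """Same shape as the hack's first query: request-derived strings pasted into SQL."""
    return ("SELECT ruleid FROM ruleshack"
            " WHERE (fileurl LIKE '" + urluri + "' AND exactmatch = 1)"
            " OR (fileurl LIKE '" + scripturl1 + "%' AND exactmatch = 0)"
            " AND active = 1 ORDER BY ruleid")


def run_vulnerable(conn, urluri, scripturl1):
    """No escaping at all. Returns ('ok', ids) or ('error', message)."""
    try:
        rows = conn.execute(build_query(urluri, scripturl1)).fetchall()
        return "ok", [r[0] for r in rows]
    except sqlite3.OperationalError as exc:  # the analogue of MySQL error 1064
        return "error", str(exc)


def escape_quotes(s):
    """Escaping fix in the spirit of the thread's addslashes() call.
    PHP addslashes() emits \\' (accepted by MySQL); SQLite only understands
    the SQL-standard doubled quote, so that form is used here."""
    return s.replace("'", "''")


def run_escaped(conn, urluri, scripturl1):
    """String building as before, but with quotes escaped first."""
    rows = conn.execute(build_query(escape_quotes(urluri),
                                    escape_quotes(scripturl1))).fetchall()
    return [r[0] for r in rows]


def run_hardened(conn, urluri, scripturl1):
    """Preferred fix: bound parameters, and '=' for the exact-match rule so that
    '%' or '_' in the requested URL cannot act as LIKE wildcards."""
    rows = conn.execute(
        "SELECT ruleid FROM ruleshack"
        " WHERE (fileurl = ? AND exactmatch = 1)"
        " OR (fileurl LIKE ? AND exactmatch = 0)"
        " AND active = 1 ORDER BY ruleid",
        (urluri, scripturl1 + "%")).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    clean = "http://example.test/register.html?a=act"
    poisoned = clean + "'"  # the stray quote from the thread
    print(run_vulnerable(db, clean, clean))      # ('ok', [1])
    print(run_vulnerable(db, poisoned, clean))   # ('error', ...): literal terminated early
    print(run_escaped(db, poisoned, clean))      # []: query valid, quote is just data
    print(run_hardened(db, poisoned, clean))     # []
    print(run_escaped(db, "http://example.test/%", "x"))   # [1]: wildcard still honoured
    print(run_hardened(db, "http://example.test/%", "x"))  # []: '=' is really exact
```

In vBulletin code the usual escaping call is the database class's own escape_string() method rather than addslashes(), since it uses the MySQL client library's escaping; either way, escaping fixes the quote problem but not the wildcard one, which is why the hardened version above changes the exact-match comparison.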

bashy 05-05-2006 07:04 AM

Hi

Whoopsy, wrong hack :o

arossphoto 05-13-2006 05:45 PM

Is there any way to use this with paid subscriptions, so the user has to agree to my rules regarding cancellations, refunds, etc?

Thanks,

Andrew

Bubble #5 05-13-2006 06:02 PM

Quote:

Originally Posted by arossphoto
Is there any way to use this with paid subscriptions, so the user has to agree to my rules regarding cancellations, refunds, etc?

Ummm... shouldn't that be handled before the initial payment is made? ;)

arossphoto 05-13-2006 06:25 PM

Quote:

Originally Posted by Bubble #5
Ummm... shouldn't that be handled before the initial payment is made? ;)

Yes, of course. That's what I'm talking about.


All times are GMT. The time now is 11:59 AM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
