vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vbBux / vbPlaza (https://vborg.vbsupport.ru/forumdisplay.php?f=171)
-   -   vbBux / vbPlaza v1.5.8 has been released! (https://vborg.vbsupport.ru/showthread.php?t=121138)

Shazz 02-24-2007 12:56 AM

Quote:

Originally Posted by Exitilus (Post 1189451)
I also know Tehste is working on a Point System (Paid) and eventually a store as well. So hopefully other options will come around.

Also the other guy the name starting with a "w"
Posted one about a new paid one as well.

Deimos 02-24-2007 01:07 AM

Urgh, I can see where this is going

Rather than having one well made point/store system, we're going to have 2+ different versions, bit like the 2 arcade scripts out there
Would be a lot better, in my opinion, if everyone worked together to make one kick ass system.

thepub 02-24-2007 01:51 AM

question about the bank and points, how can the admin reset the bank and all the users points to zero without having to manually do it one member at a time?

Insert Username 02-24-2007 02:52 AM

Quote:

Originally Posted by thepub (Post 1189500)
question about the bank and points, how can the admin reset the bank and all the users points to zero without having to manually do it one member at a time?

In the Admin CP, go to vbBux > Mass Points Givaway. At the bottom of that page is an option to reset all points to zero.

Greek Wizard 02-24-2007 08:52 AM

Quote:

Originally Posted by Acers (Post 1175961)
here is a temporary fix, I have tested this locally only for the donate function and it's working as far as this exploit goes, and since the same logic can be taken for other places where it's used we can replace there

go to your vbplaza folder, find occurrences of the following:
includes/function_vbplaza.php
find around line 152(depending on the version you have)

PHP Code:

$message = strip_tags($message); 

make that
PHP Code:

$message = htmlspecialchars($message); 

go to
vbplaza/action.admindonate.php (line 133)
PHP Code:

$action['reason'] = strip_tags($action['reason']); 

make that
PHP Code:

$action['reason'] = htmlspecialchars($action['reason']); 


goto
vbplaza/action.changeotherusertitle.php (line 136)
PHP Code:

$newusertitle_stripped = strip_tags($newusertitle); 

make that
PHP Code:

$newusertitle_stripped = htmlspecialchars($newusertitle); 


goto
vbplaza/action.changeusertitle.php (line 87)
PHP Code:

$newusertitle_stripped = strip_tags($newusertitle); 

make that
PHP Code:

$newusertitle_stripped = htmlspecialchars($newusertitle); 


goto
vbplaza/action.donate.php (line 164)
PHP Code:

$action['reason'] = strip_tags($action['reason']); 

make that
PHP Code:

$action['reason'] = htmlspecialchars($action['reason']); 




goto
vbplaza/action.gift.php (line 209)
PHP Code:

$action['giftmessage'] = strip_tags($action['giftmessage']); 

make that
PHP Code:

$action['giftmessage'] = htmlspecialchars($action['giftmessage']); 


goto
vbplaza/action.ribbons.php (line 218)
PHP Code:

$action['ribbonmessage'] = strip_tags($action['ribbonmessage']); 

make that
PHP Code:

$action['ribbonmessage'] = htmlspecialchars($action['ribbonmessage']); 



the above fixes one part of the exploit. Of course there might be other issues involved also, I am still looking around and maybe others are also.

Please note that there might be other code areas that can be exploited also which I don't know yet. Don't think you are safe just by doing the above. The full exploit and what caused it has not been released so all this is guesswork to find the vulnerable part. (btw if this was not one part of the exploit, even then it should be part of the fix as the original code above can be exploited. I just looked at the code and saw this cos the original poster had mentioned something to do with pm text.) Wait for an official fix or at least don't blame me :D

For those using this fix, I have discovered that when you change this:

Quote:

go to your vbplaza folder, find occurrences of the following:
includes/function_vbplaza.php
find around line 152(depending on the version you have)

PHP Code:

$message = strip_tags($message); 

make that
PHP Code:

$message = htmlspecialchars($message); 


when a user quotes another user, instead of them getting 3 or 5 vbBux (whatever you have set) for a regular reply, it in fact gives them 50+ for each quote

Acers, any idea why this would cause that?
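The thread swaps strip_tags() for htmlspecialchars() without saying what the difference is. This added example (not vbPlaza's code, and not from any poster) runs both over constructed messages to show that strip_tags() only removes things that look like tags and passes other markup-significant characters through raw, while htmlspecialchars() encodes every such character and keeps the user's text visible; it also prints each result's length, since the two calls change the message length in opposite directions, which matters for any code that derives a value from the processed string.

```php
<?php
// Added example, not part of vbPlaza. Compares the two filters the thread
// swaps and wraps the recommended call in one helper.

// Constructed sample messages; none of these come from the thread.
$samples = [
    'plain'   => 'Thanks for the donation!',
    'markup'  => 'Nice <b>work</b> <a href="http://example.invalid">here</a>',
    'literal' => 'a < b && c > d, "double" & \'single\' quotes',
];

// Output-encode a string for an HTML context. ENT_QUOTES also encodes single
// quotes, so the result is safe inside single-quoted attributes as well as
// text nodes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
function encode_for_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Show what each filter does to the same input and how long the result is.
foreach ($samples as $label => $msg) {
    $stripped = strip_tags($msg);      // drops anything tag-shaped, keeps the rest raw
    $encoded  = encode_for_html($msg); // keeps everything, encodes < > & " '

    printf("[%s] original         : %s\n", $label, $msg);
    printf("[%s] strip_tags       : %s (%d bytes)\n", $label, $stripped, strlen($stripped));
    printf("[%s] htmlspecialchars : %s (%d bytes)\n\n", $label, $encoded, strlen($encoded));
}
```

The 'literal' sample is the one to watch: strip_tags() returns it unchanged, so its bare `<`, `>`, `&` and quotes would reach the browser as-is, whereas encode_for_html() turns each into an entity.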

giovannicosta 02-24-2007 12:21 PM

when I click the link in the first post it says I don't have permission to access it

Shazz 02-24-2007 12:41 PM

Quote:

Originally Posted by giovannicosta (Post 1189653)
when I click the link in the first post it says I don't have permission to access it

:mad:

It's currently removed from vB.org until the exploit is either fixed or a new version comes out

tfusion 02-24-2007 01:17 PM

arghh... Wish I could find a download for it...

I heard it's only the PM part of the vbplaza that has the problem..

Black Widow 02-24-2007 04:19 PM

can someone give me a download link of this hack so i can try to find a fix?

Shazz 02-24-2007 04:32 PM

Quote:

Originally Posted by tfusion (Post 1189683)
arghh... Wish I could find a download for it...

I heard it's only the PM part of the vbplaza that has the problem..

Donation part :|



Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
