vb.org Archive
Page 2 of 2 1 2
Show 40 post(s) from this thread on one page

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vBulletin 3.0 Full Releases (https://vborg.vbsupport.ru/forumdisplay.php?f=33)
-   -   Disable conditional function filters (https://vborg.vbsupport.ru/showthread.php?t=67947)

CarCdr 09-02-2004 09:17 AM
You can execute any PHP function without requiring a mod, simply by inserting something between the name of the function and the parenthesis of the argument list.

For example, the following examples will work fine:
Code:


<if condition="$foobar = time/**/()">
Time: $foobar
</if>

<if condition="execute_some_function/**/()">

</if>

HiDeo 09-02-2004 09:28 AM
Good job thanks ;)

Xenon 09-02-2004 04:37 PM
@Car: have you reported this as a bug?

CarCdr 09-03-2004 09:03 AM
Quote:
Originally Posted by Xenon
@Car: have you reported this as a bug?
No Xenon. There is no good way to fix it without writing a complete PHP expression parser, and, I do not think it should be fixed. If an administrator wants to use this trick, I see no reason to disallow it.

In all the time that vB has been used at sites, I doubt very strongly that anyone has done this accidently.

BTW, I think that one could probably go as far as defining and running functions in a template, if one was so twisted. :)

Xenon 09-03-2004 07:24 PM
Well, but it IS a bug and therefore it should be reported in my eyes.

The defs will then say themselve if they want to fix it or not.

Actually i see a reason for it. Because why are some functions not allowed is because they didn't want to let every admin change the permissions themselves, but with that bug, it's easyli possible, and therefore it's a security problem (still normally if you make someone and admin, you should trust him that far, but hey, i have not designed the permission system ;))

CarCdr 09-03-2004 07:37 PM
The permission system has little to do with this imo. If you make someone an admin, they hardly need to mess about with writing funky template conditionals to subvert permissions. By definition, if you give AdminCP access to someone who can overwrite template, with or without conditionals, it is someone you trust.

The list of allowed functions is pretty silly anyway. Why aren't the hundred other benign PHP functions allowed? I mean, what damage can one do with 'strlen(...)'.

Anyway, we need not argue. If you think it is a bug, you know what to do. :)

Cheers

Xenon 09-03-2004 07:46 PM
I meant the Adminpermission system.
Why have it if those admins can change them themselves ;)

but as you already said, it's nothing we have to argue about, i'll just report it and we'll see what the dev's think about.

Scott MacVicar 09-09-2004 03:17 PM
Was to stop people putting backdoors into styles, you make a nice style with a backdoor and post it on your website and an unsuspecting admin installs it.

Its easy to see hacks with backdoors but if you think about styles, there could be 1000's of lines of code.


All times are GMT. The time now is 07:35 PM.
Page 2 of 2 1 2
Show 40 post(s) from this thread on one page

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01858 seconds
  • Memory Usage 1,727KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)bbcode_code_printable
  • (1)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (1)pagenav_pagelink
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (8)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • pagenav_page
  • pagenav_complete
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete