vb.org Archive
Page 2 of 2 1 2
Show 40 post(s) from this thread on one page

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   Advanced Warning System (AWS) (https://vborg.vbsupport.ru/forumdisplay.php?f=105)
-   -   Very Big Sql Injection Hole (https://vborg.vbsupport.ru/showthread.php?t=77743)

sirbutts 03-10-2005 07:52 PM
Quote:
Originally Posted by sv1cec
Pimpery, not all of us have extreme experience in SQL or php or the works. From the example you show, I can assume two things :

1. The problems is that anyone can see the admin's warnings.
2. The slash at the end may allow hackers to insert code (for this I am not sure, but having spend some time reading articles I got containing the "SQL injection" phrase here, that's what I assume.

I am going to spend some more time today, figuring out this whole issue, but what I fail to understand is the function you provided.

So, please, instead of just posting a warning thread, saying VERY BIG HOLE WOLF, WOLF, you could spend some minutes helping me out understand how to close the hole and how to use that code. As I said, not all of us were born with that knowledge.

Rgds
pimpery did post an explanation on how to patch it. goto the first post blindy :nervous:
and how did he say WOLF WOLF....just because you cant code doesnt mean you have to take it out on him. He did explain why there's a big hole in the first post as well.
Code:
Input isnt escaped before being put into the sql query. Seriously, what the ****. A premium modification that doesn't even check the input

j_86 03-10-2005 10:08 PM
sirbutts;

Please recreate a simmilar warning system with more features than this one and then i'm sure the majority of the users here will consider reading what you posted :)

pimpery 03-11-2005 12:18 AM
sirbutts, thank you for backing me up. and, nubster, not everyone has a ++++load of time. and amount of time you spend on something, doesn't make you a better coder. he could suck but have a lot of time to do this kind of stuff.

sv1cec 03-11-2005 03:14 AM
Quote:
Originally Posted by pimpery
sirbutts, thank you for backing me up. and, nubster, not everyone has a ++++load of time. and amount of time you spend on something, doesn't make you a better coder. he could suck but have a lot of time to do this kind of stuff.
Sirbutts and pimpery,

I may be speaking to the expert programmers on php and vBulletin, so apologies if my hack was not up to your level. As far as I remember, in the original hack's thread, I clearly said that I am no expert (like you two). Has it occured to you that this thread was the first time I heard the expression "SQL Injection"?

And in my answer to Pimpery, I asked specific questions. Pimpery provided a function, with no instructions on how to use it. Am I suppose to guess or to take the advise of experts? He did posted this thread, and I asked a question. He didn't bother answering, instead Soup jumped in and provided some explanation. Shall I consider Pimpery's attitude as "the arrogance of the experts"?

And yes Pimpery, I have a ****load of time in my hands. With two sites to maintain, two 3 year old kids to take care of, and a family of 5. You are right, the amount of time you invest in something doesn't make you a better coder, as much as the amount of time you live on this earth doesn't make you a better person, but some times it polishes your skills. I sincerely hope you are very very young.

In any case, the hole is closed, so that's history.


All times are GMT. The time now is 06:50 AM.
Page 2 of 2 1 2
Show 40 post(s) from this thread on one page

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01459 seconds
  • Memory Usage 1,727KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)bbcode_code_printable
  • (2)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (1)pagenav_pagelink
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (4)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • pagenav_page
  • pagenav_complete
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete