vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vbBux / vbPlaza (https://vborg.vbsupport.ru/forumdisplay.php?f=171)
-   -   vbBux / vbPlaza v1.5.8 has been released! (https://vborg.vbsupport.ru/showthread.php?t=121138)

sim tech 02-05-2007 09:16 PM

I just received these emails, but the links are not present (at least for my account):



Quote:

vbBux / vbPlaza v1.5.8 (Points + Store System)
https://vborg.vbsupport.ru/showthrea...hreadid=106953


Official Security Exploit Warning:

The staff has been notified of a potential XSS vulnerability in the vbBux / vbPlaza modification. We have confirmed the exploit along with additional exploits in varying degrees. This notification is to serve as an official warning - it is HIGHLY recommended that you disable/uninstall the modification until a fix is provided.

Greek76 02-05-2007 09:20 PM

Same here no permission to view thread.

Artificial_Alex 02-05-2007 09:21 PM

Yes, I reported it.


I would say how it's being exploited, but I don't think I can post it publicly. :p

Deimos 02-05-2007 09:24 PM

I assume the links were to the old threads with the attachments in them
So they've probably been moved to a hidden area till the scripts get fixed.

Artificial_Alex 02-05-2007 09:25 PM

It was being exploited to get users/staff's passwords.

My WHOLE staff got their passwords obtained by this person exploiting it.

Deimos 02-05-2007 09:25 PM

Really? good lord..

Artificial_Alex 02-05-2007 09:28 PM

Yeah....x___x


At least Princeston[sp=?] reacted quickly to my PM.

I didn't think he'd believe me, the way the exploit worked, but they did, and I was right. :p

zappsan 02-05-2007 10:26 PM

Quote:

Originally Posted by Artificial_Alex (Post 1175527)
It was being exploited to get users/staff's passwords.


My WHOLE staff got their passwords obtained by this person exploiting it.

Wow, thank you very much for reporting it.
I disabled the hack for now, hope I'm safe.

I really hope CMX won't abandon this completely and fix the problem.

tpearl5 02-05-2007 11:05 PM

ugg.. really hope this exploit gets fixed soon!

Shazz 02-05-2007 11:11 PM

Errm, maybe it could be explained how they got in?
:|

Artificial_Alex 02-05-2007 11:22 PM

All I will say is it's to do with the donate feature and a script.

Pete C 02-06-2007 12:55 AM

I got the same Email, so I checked back here to be sure it was for real . . this has been a very popular hack, and I wanted to be sure before taking it off.

Despite the annoyance of having to do that, I'd like to say a BIG thank you for the heads-up, and my appreciation to vB for acting on the info so fast.

I can't see the thread either, so it's obviously been removed for good reason - but I would have clicked it uninstalled ;) . . at least till something can (hopefully) be done to address the exploits.

Good info, sad loss.

Shazz 02-06-2007 01:36 AM

Quote:

Originally Posted by Artificial_Alex (Post 1175607)
All I will say is it's to do with the donate feature and a script.

Your post was strong enough to scare away over 50 users of vbplaza now :o

Artificial_Alex 02-06-2007 01:38 AM

Meh, you asked. ;D

MThornback 02-06-2007 01:58 AM

Thanks for the save :) we all appreciate it!

NFLfbJunkie 02-06-2007 02:07 AM

What can happen if someone decides to keep this MOD active on their boards?

Shazz 02-06-2007 02:48 AM

Quote:

Originally Posted by Junkie (Post 1175695)
What can happen if someone decides to keep this MOD active on their boards?

Well, it's not like every board with vBplaza will just die.
Unless the exploit was posted on some site which gave more people that opportunity to do it on more sites -.-

Pete C 02-06-2007 02:52 AM

Quote:

Originally Posted by Shazz (Post 1175672)
Your post was strong enough to scare away over 50 users of vbplaza now :o

I only got 50 members, and now there's nothing to bribe 'em in with - gonna have to seriously update my content now . . . lmao!

Seriously though, if there was no risk, I'm sure that would be clarified - instead the entire hack has been removed and vB have taken the trouble to mail-out to all the installers . . no smoke without fire imo - it ain't fear it's logic.

I'd sure like to see it fixed though - good luck to the guys working on it.

Quote:

Originally Posted by Junkie (Post 1175695)
What can happen if someone decides to keep this MOD active on their boards?

Well, you could end up with a whole bunch of Admins . . or worse ;)

Quote:

Originally Posted by Artificial_Alex (Post 1175527)
It was being exploited to get users/staff's passwords.

My WHOLE staff got their passwords obtained by this person exploiting it.


NFLfbJunkie 02-06-2007 02:56 AM

Quote:

I'd sure like to see it fixed though - good luck to the guys working on it.

Is there someone in fact working on a fix?

Greek Wizard 02-06-2007 08:05 AM

Quote:

Originally Posted by Artificial_Alex (Post 1175607)
All I will say is it's to do with the donate feature and a script.

If we disable just the donate function, will this allow the rest of the hack to be active and safe?

wilburshere 02-06-2007 08:11 AM

Disabled here now *bugger* I liked this mod

Artificial_Alex 02-06-2007 08:41 AM

Quote:

Originally Posted by Greek Wizard (Post 1175850)
If we disable just the donate function, will this allow the rest of the hack to be active and safe?

Yes. But I'd still advise you to wait for staff to fix the bug or something.

Deimos 02-06-2007 09:51 AM

Oh er....just noticed CMX's last activity time

"Last Activity: 14. Jul 2006 01:10"

Maybe time to move onto another store program, if there is one?

fly 02-06-2007 11:19 AM

Quote:

Originally Posted by Deimos (Post 1175877)
Oh er....just noticed CMX's last activity time

"Last Activity: 14. Jul 2006 01:10"

Maybe time to move onto another store program, if there is one?

nope

MThornback 02-06-2007 11:31 AM

Nothing worth the effort...besides most hacks that tie into VBPlaza would also have a bunch of dead code in them.....*sigh*

BrandiDup 02-06-2007 12:31 PM

Thanks to the vbulletin team for keeping us safe and up to date. It's very much appreciated.

This hack was a huge, huge part of our site so I sincerely hope it won't be abandoned :( I'd be more than willing to donate some $$ to help get things patched up.

Acers 02-06-2007 12:53 PM

Based on my understanding of the code (and please note I can be wrong), I reckon that anything that sends out PMs with user input data will create a problem. The issue is that a user can, for example, in donation enter a custom message that is sent in the PM after passing through the PHP strip_tags function. Now that function can be exploited. You can do your own research on Google.
Please note that I am venturing a guess here and not saying anything with surety. If this is indeed the reason, a replacement with htmlentities might do the trick (or with vB's own function).

EDIT: OK, I have reproduced the problem on my test site, so please note that this is a sure bug.

thepub 02-06-2007 01:25 PM

As many awesome coders we have on this board and somebody can't replicate another store/points hack? :confused:

NFLfbJunkie 02-06-2007 01:28 PM

Acers, with your knowledge of the problem, is there a fix? If so, how does one get the fix approved and implemented into the already existing code, posted on the board for users to add to their code? Just hoping this fabulous MOD can be saved.

Acers 02-06-2007 01:29 PM

Here is a temporary fix. I have tested this locally only for the donate function and it's working as far as this exploit goes, and since the same logic can be taken for other places where it's used, we can replace there.

Go to your vbplaza folder, find occurrences of the following:
includes/function_vbplaza.php
find around line 152 (depending on the version you have)

PHP Code:

$message = strip_tags($message); 

make that
PHP Code:

$message = htmlspecialchars($message); 

go to
vbplaza/action.admindonate.php (line 133)
PHP Code:

$action['reason'] = strip_tags($action['reason']); 

make that
PHP Code:

$action['reason'] = htmlspecialchars($action['reason']); 


go to
vbplaza/action.changeotherusertitle.php (line 136)
PHP Code:

$newusertitle_stripped = strip_tags($newusertitle); 

make that
PHP Code:

$newusertitle_stripped = htmlspecialchars($newusertitle); 


go to
vbplaza/action.changeusertitle.php (line 87)
PHP Code:

$newusertitle_stripped = strip_tags($newusertitle); 

make that
PHP Code:

$newusertitle_stripped = htmlspecialchars($newusertitle); 


go to
vbplaza/action.donate.php (line 164)
PHP Code:

$action['reason'] = strip_tags($action['reason']); 

make that
PHP Code:

$action['reason'] = htmlspecialchars($action['reason']); 




go to
vbplaza/action.gift.php (line 209)
PHP Code:

$action['giftmessage'] = strip_tags($action['giftmessage']); 

make that
PHP Code:

$action['giftmessage'] = htmlspecialchars($action['giftmessage']); 


go to
vbplaza/action.ribbons.php (line 218)
PHP Code:

$action['ribbonmessage'] = strip_tags($action['ribbonmessage']); 

make that
PHP Code:

$action['ribbonmessage'] = htmlspecialchars($action['ribbonmessage']); 



The above fixes one part of the exploit. Of course there might be other issues involved also; I am still looking around and maybe others are also.

Please note that there might be other code areas that can be exploited also which I don't know yet. Don't think you are safe just by doing the above. The full exploit and what caused it has not been released, so all this is guesswork to find the vulnerable part. (BTW, if this was not one part of the exploit, even then it should be part of the fix, as the original code above can be exploited. I just looked at the code and saw this cos the original poster had mentioned something to do with PM text.) Wait for an official fix or at least don't blame me :D
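
An added illustration of the strip_tags-to-htmlspecialchars swap proposed in the post above (not part of the original thread and not vbPlaza code): it runs both functions over a few constructed, harmless strings and reports which HTML-significant characters are still unencoded in the result. The sample strings, the `surviving_metachars` helper and the UTF-8 charset are assumptions made for this example.

```php
<?php
// Added example; the sample inputs are constructed and none of them is the
// withheld exploit string. UTF-8 is assumed as the board charset.
$samples = [
    'bold tag'      => 'Thanks <b>mate</b>!',
    'double quotes' => 'He said "enjoy the points"',
    'single quote'  => "It's a gift",
    'ampersand'     => 'Fish & chips',
    'stray angle'   => 'Points: 5 <10 today',
];

// Three treatments: the original call, the bare replacement as it behaved
// before PHP 8.1 (ENT_COMPAT default, single quotes untouched), and an
// explicit ENT_QUOTES call that also encodes single quotes.
$treatments = [
    'strip_tags'     => fn(string $s): string => strip_tags($s),
    'hsc ENT_COMPAT' => fn(string $s): string => htmlspecialchars($s, ENT_COMPAT, 'UTF-8'),
    'hsc ENT_QUOTES' => fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8'),
];

// Return the HTML-significant characters still present unencoded in $out.
function surviving_metachars(string $out): array
{
    $found = [];
    foreach (['<', '>', '"', "'"] as $ch) {
        if (strpos($out, $ch) !== false) {
            $found[] = $ch;
        }
    }
    // A raw "&" is one that does not begin an entity reference.
    if (preg_match('/&(?!#?\w+;)/', $out)) {
        $found[] = '&';
    }
    return $found;
}

// strip_tags() removes tag-shaped text (and can drop data after a stray "<")
// but encodes nothing; htmlspecialchars() keeps the text and encodes it.
foreach ($samples as $label => $input) {
    echo "[$label] input: $input\n";
    foreach ($treatments as $name => $fn) {
        $out  = $fn($input);
        $left = surviving_metachars($out);
        printf("  %-15s => %-45s raw: %s\n", $name, $out, $left ? implode(' ', $left) : 'none');
    }
}
```

Which row is safe depends on where the value is echoed: text placed inside a quoted attribute needs the quote characters encoded as well, which is why the ENT_QUOTES row is listed separately from the bare call.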

UncoderMom 02-06-2007 02:25 PM

ACERS you rock!

Is vb.org attempting a patch?

CMX_CMGSCCC 02-06-2007 02:59 PM

Quote:

Originally Posted by Artificial_Alex (Post 1175522)
Yes, I reported it.


I would say how it's being exploited, but I don't think I can post it publicly. :p

Tell me how it's being exploited and then I can release a fix for it.

I mean, I'm the creator of the addon. (PM me the details.)

-CMX

BrandiDup 02-06-2007 03:04 PM

Quote:

Originally Posted by CMX_CMGSCCC (Post 1176016)
Tell me how it's being exploited and then I can release a fix for it.

I mean, I'm the creator of the addon. (PM me the details.)

-CMX

Awesome!! :up: :D

Universal 02-06-2007 03:18 PM

Quote:

Originally Posted by CMX_CMGSCCC (Post 1176016)
Tell me how it's being exploited and then I can release a fix for it.

I mean, I'm the creator of the addon. (PM me the details.)

-CMX

You might want to PM the vbulletin.org admin if you have not been in contact already as I believe there are other exploits found other than this one or other coders may want to post about other exploits.

Sorry to hear about your board but nice find Artificial Alex, especially with other exploits found. Just deleting the code for or turning off Donation or even using a coding fix for this one main exploit might not be all that is needed. A great add on for a forum and exploits are fixable, patience is a virtue. :D

thepub 02-06-2007 03:30 PM

Quote:

Originally Posted by CMX_CMGSCCC (Post 1176016)
Tell me how it's being exploited and then I can release a fix for it.

I mean, I'm the creator of the addon. (PM me the details.)

-CMX

Oh man where have you been? We are dying for the new version of this and well, we missed you too. :o

Sooner95 02-06-2007 05:00 PM

Ah cool, the Author returns!

CMX_CMGSCCC 02-06-2007 05:03 PM

Quote:

Originally Posted by thepub (Post 1176042)
Oh man where have you been? We are dying for the new version of this and well, we missed you too. :o

Unfortunately my real job has had me in shambles as of late, too many games to make cheat codes for, and other projects at work. So I haven't had much time for vbBux / vbPlaza.

I am, however, working on a v2 version with a much more cleaned up coding engine, as well as a crapload of new features, items for purchase in the vbPlaza.

But as far as a release goes, I'm not sure, I've started it a little at the www.vbplaza.com URL, but I'm not sure the URL is public as of yet either, due to it still having a bit that needs completing. (I'd say it's about 75% finished currently.)

I hope to try and finish it up soon, but I honestly can't give an accurate ETA as of yet. I apologize for the inconvenience, but I can also assure u, it will be worth the wait.

ALSO: I've been away for a while and noticed a ton of posts about the v1.5.8. I do not have time to reply to every single post, and with the amount of rewrite that has occurred in the v2 version I am currently working on, it would be even more time involving to check on every problem as the problem may not exist anymore in the v2 version I'm writing. I apologize for any inconvenience this may cause.

-CMX

Artificial_Alex 02-06-2007 05:09 PM

WOW!

Long time no see. :O

amagazi 02-06-2007 08:35 PM

Glad to see the author has returned to work on a fix. :)

Shazz 02-06-2007 08:45 PM

Quote:

Originally Posted by CMX_CMGSCCC (Post 1176104)
Unfortunately my real job has had me in shambles as of late, too many games to make cheat codes for, and other projects at work. So I haven't had much time for vbBux / vbPlaza.

I am, however, working on a v2 version with a much more cleaned up coding engine, as well as a crapload of new features, items for purchase in the vbPlaza.

But as far as a release goes, I'm not sure, I've started it a little at the www.vbplaza.com URL, but I'm not sure the URL is public as of yet either, due to it still having a bit that needs completing. (I'd say it's about 75% finished currently.)

I hope to try and finish it up soon, but I honestly can't give an accurate ETA as of yet. I apologize for the inconvenience, but I can also assure u, it will be worth the wait.

ALSO: I've been away for a while and noticed a ton of posts about the v1.5.8. I do not have time to reply to every single post, and with the amount of rewrite that has occurred in the v2 version I am currently working on, it would be even more time involving to check on every problem as the problem may not exist anymore in the v2 version I'm writing. I apologize for any inconvenience this may cause.

-CMX

Glad to see you back CMX_CMGSCCC !
Thought you were gone for good :)

