Hi y2ksw ,

from some days, an unknown users, uses "sql injection" in the rbs_banners table appending malware script in the field "text"

there are vulnerabilities to be corrected?
Can you help me ?

Thank you
Sandro
vbulletin: 3.8.9 Patch Level 1
PHP: 5.3.8
MYSQL: 5.5.16

Hello

My banner images on my server. How can I put local link without www like /banner/sample.gif ? My other problem is start and end date always change when I edit any banners,why ?

Regards

Everything is correctly escaped, but if some malicious software has access to your forum, it can do what it wants.

The most recent WORM attacks write directly to the plugin cache and are untraceable through the plugin list. The real problem however are one or more scripts which have been introduced to your system or site, which can be called from attackers at will.

I have solved the problem with a dedicated server and strict rules: 1 forum administrator, 1 system operator, secure Apache build (no fast_cgi etc) with security modules enabled, binding and local security rules for PHP (open_basedir, upload_tmp_dir to dedicated folders for each site), and, last not least, fail2ban against insisting hackers.

To clean a broken system, practice has revealed that downloading all scripts and passing them through Avast helps to find all hacked scripts and intruders, while printing styles, plugins and cache tables help to find already injected code.

All together it takes 10-20 minutes to clean an infected system, but unless then, everything is "mayhem".

You can use the "Text" field in order to use HTML, if the standard does not fit your needs.

Start and end dates may change on edit depending on your server settings and some time setting discrepancies between the system server and mysql server. I don't know the exact reason, but some servers work flawlessly while others do cause even irregular time skips, such as 1 hour and 42 minutes. It might be a missing or defective time synchronization between both.

Thanks for your reply :) Is it possible to show all banner stats in one clear table in admin cp ?

Regards

The full statistics are available only at the database level and require some additional work (queries or scripts). It has worked out that in the end, even the single banner statistics were too detailed to most of the users, and the banner lists were just the statistics everybody needed.

Hi Again,

I'm sure some time problem in this product. When I enter any start or end time for example

Start : 23 Sep 2016 17:00
End : 25 Sep 2016 15:00

And save this and enter again same banner time seems like that

Start: 24 Sep 2016 03:00
End: 26 Sep 2016 01:00

+10 hours different when I enter again. Our server time is sync and mysql also sync with same clock. And never seen before similar problem. My forum version is 4.2.3

Here is my server result

root@ [~]# date
Thu Sep 29 20:24:25 EEST 2016

root@ [~]# mysql -e "SELECT NOW();"
+---------------------+
| NOW() |
+---------------------+
| 2016-09-29 20:24:30 |
+---------------------+

Any idea ? Because I never see any problem before other software or plugin etc.

I have no solution for this problem.

Who know :D ? Because time read is wrong, when I edit banner time get wrong and I forgot sometimes correction again. This is bug

It is not a blocking bug. It is an annoyance to which there is no real solution, because there are many server settings and there is no such thing as a "right" setup.

The queries you made in order to find out, are relative to the user account. If you query the system time of your server, you can only rely upon UTC.

Similarily, the mysql server time relies upon the settings of the server and your timezone settings for that mysql server, which may or may not differ. Thus, a mysql query

may or may not show the current date and time. If you have a 10 hours offset each time you save, then you have probably a largely different UTC time compared to your "user" time.