vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vBulletin 4.x Add-ons (https://vborg.vbsupport.ru/forumdisplay.php?f=245)
-   -   Administrative and Maintenance Tools - Private Messages & Email Log (https://vborg.vbsupport.ru/showthread.php?t=245243)

Vitaly 01-07-2011 02:53 PM

TimesOut, Britmovies,

Check that you have uploaded the source files to the server and set proper permissions. That file exists in the archive.

Paul. 01-15-2011 12:32 PM

Since it has been updated after I installed it, is it necessary to download and replace all the files again? Is that how you do it? Download it again as if you never had it and let it replace what is there already?

Vitaly 01-19-2011 03:49 AM

Yes, all files have been changed. You have to reupload all (override old ones, if any).

mplode 02-22-2011 09:12 AM

Invalid SQL:
Code:

SELECT DISTINCT  COUNT(cr.logid) AS count
              FROM((SELECT
                      pm.logid AS logid
                  FROM
                      rcd_log_pm AS pm
                  WHERE
                fromusername = 'Qui's World' ) UNION (SELECT
                      pm.logid AS logid
                  FROM
                      rcd_log_pm AS pm
                  WHERE
                tousername = 'Qui's World' )) AS cr;

Got a bit of an SQL injection going there. Might want to fix that.

edit: two actually. You need to sanitize $user_name

Additionally, there's XSS on the search fields. You need to sanitize those for HTML usage as well. And everywhere where it lists usernames.

Vitaly 02-22-2011 01:22 PM

Try the latest version from github

https://github.com/shkuropat/vb-pm_log

Updated nick escaping.

mplode 02-22-2011 11:50 PM

Thanks for the quick response! I have some remarks, however.

Why are you applying htmlspecialchars_uni() to the usernames before using them in the query? That should be unnecessary and in fact will probably cause problems with users who have <>& or similar signs in their usernames. $db->escape_string() should be enough there.

Code:

    print_input_row($vbphrase['username'], 'username', $user_name, false);
    print_input_row($vbphrase['keywords'], 'keywords', $search_keywords, false);

On the other hand, in these lines you have not yet sanitized the HTML:
Code:

    print_input_row($vbphrase['username'], 'username', htmlspecialchars_uni($user_name), false);
    print_input_row($vbphrase['keywords'], 'keywords', htmlspecialchars_uni($search_keywords), false);

And I think you need to sanitize the username in the search results etc. as well. In case someone has a username like "<script>alert(1)</script>" or "<!--" or something.

Vitaly 02-23-2011 03:42 AM

You could check on real data first. Nicks in db are html-escaped.

mplode 03-05-2011 06:45 PM

Ah. Yeah, I wasn't too sure about that one.
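The two escaping contexts mplode describes (SQL escaping at query time, HTML escaping at output time) as an added stand-alone example, not code from the vb-pm_log add-on or from vBulletin. It uses PDO on an in-memory SQLite table in place of vBulletin's $db->escape_string(), and assumes usernames are stored raw (in vBulletin they are stored already html-escaped, as Vitaly notes, so the real add-on must compare against that stored form).

```php
<?php
// Added example, not code from the vb-pm_log add-on: the two-context escaping
// rule from the thread, reproduced outside vBulletin with PDO on an in-memory
// SQLite table. Assumed table shape: rcd_log_pm(logid, fromusername, tousername).

// Unsafe concatenation, as the reported "Invalid SQL" error shows: a single
// quote in the username ends the string literal and breaks the statement.
function unsafe_where(string $user_name): string {
    return "WHERE fromusername = '" . $user_name . "'";
}

// SQL context: bind the value. This stands in for vBulletin's
// $db->escape_string(); either way the escaping belongs at query time only.
function count_pm_for_user(PDO $db, string $user_name): int {
    $sql = "SELECT COUNT(DISTINCT cr.logid) FROM (
                SELECT logid FROM rcd_log_pm WHERE fromusername = :from_u
                UNION
                SELECT logid FROM rcd_log_pm WHERE tousername = :to_u
            ) AS cr";
    $stmt = $db->prepare($sql);
    $stmt->execute([':from_u' => $user_name, ':to_u' => $user_name]);
    return (int) $stmt->fetchColumn();
}

// HTML context: escape when the value is printed (search fields, result
// lists), not before it reaches the query.
function render_username(string $user_name): string {
    return htmlspecialchars($user_name, ENT_QUOTES, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE rcd_log_pm (logid INTEGER PRIMARY KEY, fromusername TEXT, tousername TEXT)");
$ins = $db->prepare("INSERT INTO rcd_log_pm (fromusername, tousername) VALUES (?, ?)");
$ins->execute(["Qui's World", "alice"]);   // constructed sample rows
$ins->execute(["bob", "Qui's World"]);
$ins->execute(["<script>alert(1)</script>", "alice"]);

echo unsafe_where("Qui's World"), "\n";
echo count_pm_for_user($db, "Qui's World"), "\n";
echo render_username("<script>alert(1)</script>"), "\n";
```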

RedHacker 03-10-2011 08:06 AM

Fatal error: Call to undefined function rcd_pm_log_CacheTemplates() in /home/xxxxxxx/public_html/includes/class_bootstrap.php(1312) : eval()'d code on line 363

I can't use anything with update

Vitaly 03-21-2011 03:44 PM

Updated version to fix bug with SQL, reported by mplode.

