vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vBulletin 3.5 Add-ons (https://vborg.vbsupport.ru/forumdisplay.php?f=113)
-   -   Banner Rotator (Definitive Mod) (https://vborg.vbsupport.ru/showthread.php?t=103477)

Turbosport 01-27-2006 08:29 AM

There is a security hole in this, guys:

You can inject SQL as the $_POST variables here and further down in the script.

Code:

        $db->query_write("INSERT INTO " . TABLE_PREFIX . "brotator (id, name, alt, active) VALUES ('', '$fname', '$_POST[balt]', '$_POST[bact]')");
I have called the VB function to make the variables SQL safe.

andrefedalto 01-27-2006 12:01 PM

Quote:

Originally Posted by redspider
can this work with flash banners?

Yes, you must edit brotator.php in /admincp/, look for GIF, follow the sequence and add SWF.
Then edit the plugin and make it show SWF. I'm not used to SWF, but I'm pretty sure it doesn't show up with <img> code.

andrefedalto 01-27-2006 12:02 PM

Quote:

Originally Posted by inspiration100
Installed this and it works a treat, but when a banner is clicked it puts my board URL before the banner site's URL, e.g. http://www.site1.com/http://www.site2.com.

Any help appreciated.

I think you are filling in the add-banner form's site field like this: "www.site.com" instead of "http://www.site.com".

Try putting http:// in front to see if it works fine.

andrefedalto 01-27-2006 12:03 PM

Quote:

Originally Posted by DarKNull
PHP Code:

<!-- logo -->
<a name="top"></a>
<div id="vbwrapper">
<div id="logostrip"><center><div style="background: url($stylevar[imgdir_misc]/desihotty3eb.gif) no-repeat;width:100%;height: 158px"></div></div>
<div id="submenu"><a href="search.php?$session[sessionurl]"><img src="$stylevar[imgdir_misc]/submenu_search.gif" alt="desi" /></a><a href="memberlist.php?$session[sessionurl]"><img src="$stylevar[imgdir_misc]/submenu_members.gif" alt="desi" /></a><a href="calendar.php?$session[sessionurl]"><img src="$stylevar[imgdir_misc]/submenu_calendar.gif" alt="desi" /></a><a href="faq.php?$session[sessionurl]"><img src="$stylevar[imgdir_misc]/submenu_faq.gif" alt="desi" /></a></div></center>
<div id="vbwrapper2">
<div id="vbwrapper3">
<div id="bordertop"><div id="bordertopleft"><img src="$stylevar[imgdir_misc]/border_top_l.gif" alt="desi" /></div><div id="bordertopright"><img src="$stylevar[imgdir_misc]/border_top_r.gif" alt="desi" /></div></div>
<div id="vbwrapper4">
$spacer_open
<!-- content table -->

$_phpinclude_output

I have installed this hack, but now how do I replace the $banner code? Please help.

What is the filename of your current banner?

andrefedalto 01-27-2006 12:04 PM

Quote:

Originally Posted by Turbosport
There is a security hole in this, guys:

You can inject SQL as the $_POST variables here and further down in the script.

Code:

        $db->query_write("INSERT INTO " . TABLE_PREFIX . "brotator (id, name, alt, active) VALUES ('', '$fname', '$_POST[balt]', '$_POST[bact]')");
I have called the VB function to make the variables SQL safe.

This part of the script is only accessible to the forum administrators, so why would an admin inject SQL code?

inspiration100 01-27-2006 12:57 PM

andrefedalto, duh, silly me. Thanks man.

Turbosport 01-27-2006 02:16 PM

Quote:

Originally Posted by andrefedalto
This part of the script is only accessible to the forum administrators, so why would an admin inject SQL code?

As a fellow coder I am not knocking the hack, in fact I really like it and it was exactly what I was looking for!

But it's important that we, as a community, look out for and fix any security flaw we find, no matter how insignificant.

My admins are fully trusted and I run hourly snapshots of my database, so I, like you, probably have nothing to worry about; however, there are others out there who are less fortunate. Maybe they have opened it up to their moderators, and on a busy site this could end up being a few people.

The other worry is that someone will come along and reuse the code somewhere less secure, not fully understanding the security issues.


An admin on my site caused an SQL error by placing an apostrophe in the description field, i.e. Dave's picture.

On examination it was a classic SQL injection hole.

I did a quick fix to stop this happening, but I intend to rewrite it to use one of the core VB functions for converting strings to SQL safe; that way, when VB finds any other injection type issues and fixes them, the fix will be reflected in this hack.

Anyway, if you're interested, here is my quick fix:

Code:

        // turn quotes into HTML entities first (so the apostrophe never reaches the query), then addslashes whatever is left
        $factv = addslashes(htmlspecialchars($_POST["bact"], ENT_QUOTES));
        $fdesc = addslashes(htmlspecialchars($_POST["balt"], ENT_QUOTES));

then the query:

Code:

        // the cleaned copies go into the query instead of the raw $_POST values
        $db->query_write("INSERT INTO " . TABLE_PREFIX . "brotator (id, name, alt, active) VALUES ('', '$fname', '$fdesc', '$factv')");
I changed the other query further down using the same method.



I also added a little check before the query, for the odd occasion that there's an error in uploading the file:

Code:

        move_uploaded_file($ftemp, $dir.$fname);

        // only record the banner if the uploaded file actually landed in the banners directory
        if (file_exists($_SERVER['DOCUMENT_ROOT']."C:/SITES/TSWEB/BBS/images/banners/"."$fname")) {
                $db->query_write("INSERT INTO " . TABLE_PREFIX . "brotator (id, name, alt, active) VALUES ('', '$fname', '$fdesc', '$factv')");
                print_cp_message($vbphrase['brotator_add_success'], "banner_rotator.php?do=add", "1");
        }
        else {
                print_stop_message('brotator_uploaderror');
        }
        endif; // presumably closes the enclosing alternative-syntax block of banner_rotator.php, not the brace-style if above

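The injection Turbosport reports, and the two ways of closing it (escaping every value with the database's own escaper, or keeping the values out of the SQL text altogether with a prepared statement), as an added example written for this thread rather than code from the mod or from either poster. It runs against an in-memory SQLite table of the same shape as brotator, so the constructed sample data, the SQLite-specific escaper and the pdo_sqlite extension are assumptions made so it runs without a vBulletin install; the vBulletin 3.5 call named in the comments, $db->escape_string(), is the escaper I would use inside the mod itself and is not exercised by the script.

```php
<?php
// Added example for this thread, not the Banner Rotator mod's code. It shows why
// the interpolated INSERT breaks on an apostrophe and what the same insert looks
// like escaped and as a prepared statement. Sample POST data is constructed; an
// in-memory SQLite table stands in for TABLE_PREFIX.brotator so it runs without
// a vBulletin install (the pdo_sqlite extension is assumed).

// Constructed input, modelled on the "Dave's picture" case from the thread.
$post  = array('balt' => "Dave's picture", 'bact' => '1');
$fname = 'banner1.gif';

// (1) The mod's shape: values dropped straight into the SQL text. The mod also
//     passes '' for the auto-increment id; SQLite refuses that in an integer
//     key, so the id column is simply left out here.
function build_unsafe_query(array $post, $fname)
{
    return "INSERT INTO brotator (name, alt, active) "
         . "VALUES ('$fname', '{$post['balt']}', '{$post['bact']}')";
}

// (2) Escaped: every string value goes through the database's own escaper
//     before it is pasted in, and the flag is cast to an integer instead.
//     Which escaper is right depends on the driver, so it is passed in.
function build_escaped_query(array $post, $fname, $escape)
{
    $name = $escape($fname);
    $alt  = $escape($post['balt']);
    $act  = (int) $post['bact'];
    return "INSERT INTO brotator (name, alt, active) "
         . "VALUES ('$name', '$alt', '$act')";
}

// (3) Parameterised: the values never become part of the SQL text at all.
function insert_banner(PDO $db, array $post, $fname)
{
    $stmt = $db->prepare(
        "INSERT INTO brotator (name, alt, active) VALUES (:name, :alt, :active)"
    );
    $stmt->execute(array(
        ':name'   => $fname,
        ':alt'    => $post['balt'],
        ':active' => (int) $post['bact'],
    ));
    return (int) $db->lastInsertId();
}

// SQLite's rule is to double a single quote. Under vBulletin 3.5 on MySQL the
// equivalent is $db->escape_string($value), which wraps mysql_real_escape_string()
// on the live connection; addslashes(), as in the quick fix above, approximates
// that rule but is not the driver's own.
$sqlite_escape = function ($value) {
    return str_replace("'", "''", $value);
};

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE brotator (id INTEGER PRIMARY KEY AUTOINCREMENT, "
        . "name TEXT, alt TEXT, active INTEGER)");

$unsafe = build_unsafe_query($post, $fname);
echo "unsafe:  $unsafe\n";   // the apostrophe in the alt value closes its literal early
try {
    $db->exec($unsafe);
} catch (PDOException $e) {
    echo "  -> rejected: " . $e->getMessage() . "\n";
}

$escaped = build_escaped_query($post, $fname, $sqlite_escape);
echo "escaped: $escaped\n";
$db->exec($escaped);

$id = insert_banner($db, $post, $fname);
echo "prepared statement stored row $id\n";

// Both safe paths stored the apostrophe intact.
foreach ($db->query("SELECT id, alt FROM brotator ORDER BY id") as $row) {
    echo "  row {$row['id']}: {$row['alt']}\n";
}
```

Run it with php from the command line. The first query is the same failure the admin on Turbosport's site triggered: the apostrophe ends the string literal and the database rejects the statement, which is exactly the place where crafted input would change the statement instead. The escaped and the parameterised versions both store the description unchanged; of the two, the prepared statement is the one that does not depend on remembering the right escaper for the driver in use.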

andrefedalto 01-27-2006 04:02 PM

Thanks turbo, I'll update the hack ASAP and I'll also add the check if the file uploaded; I just have to put the absolute path string, otherwise everyone would change it...

92GreenGT 03-06-2006 04:36 AM

Warning: move_uploaded_file(): open_basedir restriction in effect. File(/home/ftfhostc/fullthrottleforums.com/images/banners/Banner3.jpg) is not within the allowed path(s): (/dh/web/phpmyadmin:/tmp:/usr/local/tmp:/dh/solidclient:/usr/local/lib/php:/home/ftfhostc:/home/.beaver/ftfhostc) in /admincp/banner_rotator.php on line 56

OK, I get the error also. I went and changed the two files and took the /forum off all the places it was in the original files. Why won't this work? If you go to http://www.fullthrottleforums.com/im...rs/Banner2.jpg it works, so how would I need to modify the two files for it to show the correct path? Thanks

JsnakeJ 03-06-2006 04:41 AM

Try chmodding the banners directory to 0777
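Turbosport's upload check above and the open_basedir warning 92GreenGT quotes both come down to where the banners directory is and whether the move actually succeeded. This added example (written for this thread; not the mod's, Turbosport's or vBulletin's upload code) checks the return value of move_uploaded_file() and looks for the file in the same configured directory the move used, rather than in a second hard-coded absolute path, and it reduces the client-supplied file name to a bare name with an allowed extension before using it. Everything else in it is an assumption made so it runs outside vBulletin: the $allowed_ext list, a temporary directory standing in for images/banners, and rename() standing in for move_uploaded_file() since there is no HTTP upload on the command line. One caveat on the quoted warning: open_basedir is a PHP path restriction, so a directory outside the allowed list stays unusable whatever its permissions; the banners directory has to sit inside one of the listed paths, or the host has to change the restriction.

```php
<?php
// Added example for this thread, not the Banner Rotator mod's or vBulletin's
// upload code. The check lives on the result of the move and on the same
// directory the move used, instead of a second hard-coded absolute path.
// Assumptions for running from the command line: a temporary directory stands
// in for images/banners and rename() stands in for move_uploaded_file().

// Banner types discussed in the thread (GIF, JPG); PNG added as an assumption.
$allowed_ext = array('gif', 'jpg', 'jpeg', 'png');

// Reduce the client-supplied name to a bare file name with an allowed
// extension, or return null. The browser's name is untrusted input.
function safe_banner_name($client_name, array $allowed_ext)
{
    $name = basename($client_name);
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($name === '' || $name !== $client_name || !in_array($ext, $allowed_ext, true)) {
        return null;   // directory parts or a disallowed extension
    }
    return $name;
}

// Move the upload into $dir and say whether it really arrived. $mover is
// move_uploaded_file() in the real script (it also refuses anything that is
// not an HTTP upload); the demo passes 'rename' instead.
function store_banner($tmp, $dir, $fname, $mover = 'move_uploaded_file')
{
    $dir = rtrim($dir, '/\\');
    if (!is_dir($dir) || !is_writable($dir)) {
        return array('ok' => false, 'reason' => 'banner directory missing or not writable');
    }
    $target = $dir . DIRECTORY_SEPARATOR . $fname;
    if (!$mover($tmp, $target)) {
        // PHP also emits a warning here, e.g. the open_basedir message quoted
        // in this thread when $dir is outside the paths PHP may touch.
        return array('ok' => false, 'reason' => 'move failed');
    }
    if (!is_file($target)) {
        return array('ok' => false, 'reason' => 'file not found after move');
    }
    return array('ok' => true, 'path' => $target);   // only now run the INSERT
}

// --- demo: temporary directory in place of images/banners ---
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'brotator_demo_' . getmypid();
mkdir($dir, 0755);
$tmp = tempnam(sys_get_temp_dir(), 'upl');   // stands in for $_FILES['banner']['tmp_name']
file_put_contents($tmp, 'GIF89a');           // constructed stand-in for image bytes

foreach (array('Banner3.jpg', '../outside.jpg', 'notes.php') as $client_name) {
    $fname = safe_banner_name($client_name, $allowed_ext);
    if ($fname === null) {
        echo "$client_name: rejected file name, nothing stored\n";
        continue;
    }
    $result = store_banner($tmp, $dir, $fname, 'rename');
    echo $result['ok']
        ? "$client_name: stored at {$result['path']}, safe to record in brotator\n"
        : "$client_name: {$result['reason']}, skipping the INSERT\n";
}

// A move that fails (the source no longer exists) takes the error branch;
// the accompanying PHP warning is expected output here.
$result = store_banner($tmp, $dir, 'Banner4.jpg', 'rename');
echo "second move: {$result['reason']}\n";

// clean up the demo files
foreach (glob($dir . DIRECTORY_SEPARATOR . '*') as $f) {
    unlink($f);
}
rmdir($dir);
```

In the mod itself $dir would be the one configured banners path, used for the move, for the check and for nothing else, so that the path is changed in one place when a site's layout differs (the /forum prefix problem in this thread) and the INSERT only runs once store_banner() reports success.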

