Gokkesokken 08-04-2014 09:19 PM

Possible bug/security issue
 
Found this in core/includes/functions_login.php
Code:

if ($postvars['securitytoken'] = 'guest')
{
        $vbulletin->userinfo['securitytoken_raw'] = sha1($vbulletin->userinfo['userid'] . sha1($vbulletin->userinfo['secret']) . sha1(vB_Request_Web::$COOKIE_SALT));
        $vbulletin->userinfo['securitytoken'] = TIMENOW . '-' . sha1(TIMENOW . $vbulletin->userinfo['securitytoken_raw']);
        $postvars['securitytoken'] = $vbulletin->userinfo['securitytoken'];
        $vbulletin->GPC['postvars'] = sign_client_string(json_encode($postvars));
}

I am no PHP expert, but I don't think '=' is a comparison operator, at least not according to php.net: http://php.net/manual/en/language.op...comparison.php

ozzy47 08-04-2014 09:23 PM

No it is not a comparison operator, it is a string operator, http://php.net/manual/en/language.operators.string.php

Not a bug or security issue.

Gokkesokken 08-04-2014 09:30 PM

Quote:

Originally Posted by ozzy47 (Post 2509766)
No it is not a comparison operator, it is a string operator, http://php.net/manual/en/language.operators.string.php

Not a bug or security issue.

I understand that this operator assigns $postvars['securitytoken'] with 'guest', but is this intended? And if it is, what does the if do there? Please forgive my curiosity.

ozzy47 08-04-2014 09:42 PM

No, it does not assign $postvars['securitytoken'] with 'guest'.

What it is is part of the login redirect, saying if the user logging in is a guest, to do this.

Dave 08-05-2014 01:20 AM

I think he means that

if($postvars['securitytoken'] = 'guest')

Will assign guest to the $postvars['securitytoken'] variable.
However, it should be this:

if($postvars['securitytoken'] == 'guest')

I don't know the rest of the code so this might be intended by whoever wrote the script.
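
What the disputed line does at run time, as an added example that is not part of any post in this thread and is not vBulletin's code. The token construction is copied from the quoted snippet; `COOKIE_SALT`, the user record, the timestamp, the sample token and the two function names are constructed stand-ins.

```php
<?php
// Added illustration: stand-ins for the vBulletin globals used in the quoted snippet.
// The salt, secret, user id and sample token below are constructed values.
const COOKIE_SALT = 'sample-cookie-salt';

function fresh_token(array $userinfo, int $now): string
{
    // Same construction as the quoted code: TIMENOW . '-' . sha1(TIMENOW . raw)
    $raw = sha1($userinfo['userid'] . sha1($userinfo['secret']) . sha1(COOKIE_SALT));
    return $now . '-' . sha1($now . $raw);
}

// As quoted in the thread: '=' assigns 'guest', and the if tests the assigned value.
function rewrite_as_posted(array $postvars, array $userinfo, int $now): array
{
    $branchTaken = false;
    if ($postvars['securitytoken'] = 'guest') {
        $postvars['securitytoken'] = fresh_token($userinfo, $now);
        $branchTaken = true;
    }
    return [$branchTaken, $postvars['securitytoken']];
}

// With a strict comparison the branch runs only when the submitted value is 'guest'.
function rewrite_with_comparison(array $postvars, array $userinfo, int $now): array
{
    $branchTaken = false;
    if (isset($postvars['securitytoken']) && $postvars['securitytoken'] === 'guest') {
        $postvars['securitytoken'] = fresh_token($userinfo, $now);
        $branchTaken = true;
    }
    return [$branchTaken, $postvars['securitytoken'] ?? null];
}

$user = ['userid' => 42, 'secret' => 'sample-user-secret'];
$now  = 1407187200; // fixed timestamp so the output is reproducible
$cases = [
    'guest token'    => ['securitytoken' => 'guest'],
    'other token'    => ['securitytoken' => '1407100000-deadbeef'],
    'no token field' => [],
];
foreach ($cases as $label => $postvars) {
    [$a] = rewrite_as_posted($postvars, $user, $now);
    [$b, $kept] = rewrite_with_comparison($postvars, $user, $now);
    printf("%-15s as posted: branch=%s | with ===: branch=%s, token %s\n",
        $label, var_export($a, true), var_export($b, true),
        $b ? 'regenerated' : 'left as ' . var_export($kept, true));
}
```

Because the non-empty string 'guest' is truthy, the as-posted form takes the branch for all three inputs and replaces whatever token was submitted, while the comparison form regenerates the token only for the 'guest' case.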

Zachery 08-05-2014 01:48 AM

I believe he is correct, it looks like a typo from the vb4 version of the same code.

tbworld 08-05-2014 02:36 AM

This was fixed in vBulletin v4.1.11. :)

Gokkesokken 08-05-2014 03:16 AM

Quote:

Originally Posted by tbworld (Post 2509804)
This was fixed in vBulletin v4.1.11. :)

Thanks for letting me know but this is from vb5.


/*======================================================================*\
|| #################################################################### ||
|| # vBulletin 5.1.2 Patch Level 3 - Licence Number ##########
|| # ---------------------------------------------------------------- # ||
|| # Copyright ©2000-2014 vBulletin Solutions Inc. All Rights Reserved. ||
|| # This file may not be redistributed in whole or significant part. # ||
|| # ---------------- VBULLETIN IS NOT FREE SOFTWARE ---------------- # ||
|| # http://www.vbulletin.com | http://www.vbulletin.com/license.html # ||
|| #################################################################### ||
\*======================================================================*/


I could upload the file as proof, if it doesn't get me into trouble for copyright violations.

tbworld 08-05-2014 03:19 AM

Quote:

Originally Posted by Gokkesokken (Post 2509808)
Thanks for letting me know but this is from vb5.

You know I thought I checked the forum category, right before I posted. Oh well, I am losing it. :) I guess vb goofed then, and good find. :)
VB5 was ported from VB4 before they fixed it in VB4, so it makes sense. Make sure you post it to JIRA, or if you do not want to bother let me know and I will handle it.

Gokkesokken 08-05-2014 03:39 AM

Quote:

Originally Posted by tbworld (Post 2509811)
You know I thought I checked the forum category, right before I posted. Oh well, I am losing it. :) I guess vb goofed then, and good find. :)
VB5 was ported from VB4 before they fixed it in VB4, so it makes sense. Make sure you post it to JIRA, or if you do not want to bother let me know and I will handle it.


Thanks for letting me know, I think your explanation is very plausible and also the most likely given the circumstances. The reason I posted this here first was because I didn't want to submit an inaccurate bug report.

