|
Who do I contact in regards to a bug/glitch issue for vbplaza?
Hey all.. before I post this to you all directly with the fix for the bug in question... I have sent a msg to the admins of this forum and the main Coder himself.. However since I notice the coder has not been here since July 2006.. I am not sure who else to contact 1st.
Was wondering if anyone else knows. I wish to provide a fix for a issue that can stir up some trouble for forums when using a specfic action in the plaza. If I cannot reach anyone, I will provide the fix here myself for users to prevent issues on their forums. Thanks. |
Anyone? Or do I just post the issue and solution?
|
Its not supported... =\
|
What isnt?
|
this hack, the author has abandoned it.
|
Quote:
|
there is no conformation, but the author hasnt been on since july and there have been no more updates and there are bugs everywhere. I have ibproarcade and vbplaza working
|
Quote:
OMG! You have the plaza and ibpro working?! Could you help me out? I've been struggling w/ trying to find someone that might know what' wrong... I'm having probs w/ my vbplaza and arcade (namely the jackpot). All the admin cp settings are activated and set right... it should cost 10 per game to play but points aren't being deducted. Also, I have the raised jackpot turned on but it won't raise, nor is it awarded. Did you ever have this prob? Have any idea how to fix it? MANY Thanks. :) |
well as of now this hack is suggested to be disabled due to a XSS vulnerability
|
PLEASE release your fx! lol
|
Quote:
Sheesh... this is a bummer - I'm eager to get my forum "live" and yet here is another delay... ACK! lol But BTW, did you ever have the jackpot issue I mentioned? |
Quote:
|
I'd either like to see the vuln so I can patch it myself, or see a patch released. My members are acting like they can't live without getting a few cents per post.
|
Well the author contacted me btw, I gave him the info I have. Also, yes I know about the XSS one too. If you wanna patch that real quick like, Goto the "Manage Items" and for "Donate" set it to "No" for Send PM to user.
Thats one of em. The most common used. I wont say what the user could do since I dont know if its allowed or not. But yea, that should set you back up. Either way was a couple things I patched for and so far smooth sailing again. Will wait for the author to reply back again. Oh I will say this, should someone need me, just send me a PM or so, Ill see what I can do. Only reason I dont post anything is cause I am not sure its my place to say it out in public or release a patch without the authors ok. |
did u get ibpro and vbplaza to successfully give out and deduct points?
|
Hrm.. I mean seems to work for me, I mean arcade works fine, normal users can buy arcade passes and then pay per play while subscribed users get it for free. I mean if you wanna see the work I do, http://forums.qj.net
|
well the donate is not the only problem btw
you can reproduce the same bug with all things that send pm. (gift, ribbon etc, where the user is typing a message) the simplest method to fix this is clean the input as i had written in the other thread. The only problem being that only the author or the admins would know of any other vulnerabilities apart from this one, thats why we can't claim that it is a fix. |
The main issue basically is that it doesnt have certain text input checking... which I added on mine to avoid it. Yes the author has to be the one to look at it, however if not, we may just release the patch.
Basically I think the biggest thing is to not allow it to use any form of scripts or ascii that isnt standard.. that would solve alot right there. |
thats what i said.. instead of strip tags just make that htmlentity and it will protect you from xss exploit. You have to do that at 5-6 places. (HERE)
the only issue being if someone can confirm thats the only issue .. lol |
If that's the fix to it, can somebody post the zip? I have to reinstall it but I can't find it anywhere...
|
Quote:
|
Quote:
That way we can use it at our own risk for the time being. also i'm sure if you release a fix, the admins at this site would be able to test if any of the exploits still existed in your fix. as an example of a fix tut, all you would have to do is something like this. file: file name find this: dikgjdijdjf change to this: jdgjdiogjd template: xyz find this:ikdgkdgd change to this:digidg That way we can make the changes our self if you cant release a file. Thanks for anything you can offer, if not, its cool, and hopefully you will be able to keep us udpated with anything you hear. Thanks. |
Quote:
|
Ill give it another week before I release my notes. This way I know nothing else on my forum got messed up or is at risk.
|
Quote:
|
Just rem, there are 2 things to consider.
1: You patch like me and thus removing some function as it was designed. or 2: You attemp to use html strippers, etc that should in theory negate any harmful script or text input. Oh yea, forgot, there is a apache mod too for harmful scripts... In a nutshell, I may give my users elements from the items, but I may disable things from it. All I know is nothing too major has come up yet with all the stuff I do. =) Just wish I had a way to upgrade to 3.6 without losing all my work.. sigh... thats the only reason I dont upgrade is because I have alot of custom coded work in there. |
| All times are GMT. The time now is 03:28 AM. |
Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
| X vBulletin 3.8.12 by vBS Debug Information | |
|---|---|
|
|
 More Information |
|
|
Template Usage:
Phrase Groups Available:
|
Included Files:
Hooks Called:
|