vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=111)
-   -   VBPager (https://vborg.vbsupport.ru/showthread.php?t=153398)

talenak 07-25-2007 09:31 PM

VBPager
 
Is there any information about the vulnerability? I'd like a little info to figure out what the risk is. My forum is STILL reeling from losing vbplaza and now they are going to friggin riot. lol

I just want to know what I'm getting myself into if I keep it, or if I need to just hold my breath, jump in the croc pond and uninstall it.

Kirk Y 07-25-2007 09:54 PM

We cannot disclose the nature of its vulnerabilities, as this information could be used to exploit boards that have not disabled or uninstalled it.

budswope 07-25-2007 10:09 PM

I cannot download the zip for vbpager. I can't seem to find it on my computer either. I have uninstalled the product but I want to be sure I revert all the template edits and delete all the files but I need the zip to do it. How can I get it?

talenak 07-25-2007 10:40 PM

Right Kirk, I don't want to know HOW to do it. Just what they can do to my forum if they know the exploit.

Like, can they delete posts? Members? Steal cookies? That kind of thing.

Kirk Y 07-25-2007 10:42 PM

I haven't looked at each and every find for that specific release, but to my knowledge one could conceivably retrieve sensitive information from the database and have it "paged" to them, ironically enough.

MorrisMcD 07-27-2007 02:23 PM

Quote:

Originally Posted by Kirk Y (Post 1301712)
I haven't looked at each and every find for that specific release, but to my knowledge one could conceivably retrieve sensitive information from the database and have it "paged" to them, ironically enough.

Good enough for me to shut it off, and keeping it a secret is the best idea. It makes the vulnerability worse if you start publishing what it does.

Dismounted 07-28-2007 11:25 AM

Here's the readme, for those who need it:
Quote:

/*======================================================================*\
|| #################################################################### ||
|| # vB Pager 3.0.4 for vBulletin 3.5.x                                # ||
|| # ---------------------------------------------------------------- # ||
|| # Copyright ©2000–2005 WwW.UAEWEB.COM All Rights Reserved.          # ||
|| # This file may not be redistributed in whole or significant part. # ||
|| # ------------------- VBULLETIN IS NOT FREE SOFTWARE ------------- # ||
|| # http://www.vbulletin.com | http://www.vbulletin.com/license.html # ||
|| #################################################################### ||
\*======================================================================*/

vB Pager is a text-based instant messaging system between members of the community.
For more information and updates, visit: https://vborg.vbsupport.ru/showthread.php?t=104609

#############################################################################
############################# New Installation ##############################
#############################################################################

Step 1. Upload all the files from the "files" directory in this zip into your forum directory.
Step 2. Import product-pager.xml as a new product.
Step 3. Edit templates as instructed below.

#############################################################################
############################## TEMPLATE EDITS ###############################
#############################################################################

In the template: MEMBERINFO
=============================
FIND
=============================
<if condition="$show['pm']">
<tr>
<td>
$vbphrase[private_message]:<br />
<a href="private.php?$session[sessionurl]do=newpm&amp;u=$userinfo[userid]" rel="nofollow"><phrase 1="$userinfo[username]">$vbphrase[send_private_message_to_x]</phrase></a>
</td>
</tr>
</if>
=============================
BELOW ADD
=============================
<!-- [START HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 1 ] -->
<if condition="$vboptions['vbpager_active'] AND $bbuserinfo['userid']">
<tr>
<td>
$vbphrase[pager_vbpager]:<br />
<a href="#" onclick="window.open('pager.php?do=buddylist&amp;puserid=$userinfo[userid]','pagerbuddylist','statusbar=no,menubar=no,toolbar=no,scrollbars=yes,resizable=yes,width=$vboptions[vbpager_width],height=$vboptions[vbpager_height]'); return false;"><phrase 1="$userinfo[username]">$vbphrase[pager_send_pager_message_to_x]</phrase></a>
</td>
</tr>
</if>
<!-- [END HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 1 ] -->
=============================


In the template: modifyoptions
=============================
FIND
=============================
$customfields[messaging]
=============================
ABOVE ADD
=============================
<!-- [START HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 2 ] -->
<if condition="$show['pager']">
<fieldset class="fieldset">
<legend><label for="cb_pageroption">$vbphrase[pager_vbpager]</label></legend>
<table cellpadding="0" cellspacing="$stylevar[formspacer]" border="0" width="100%">
<tr>
<td>
$vbphrase[pager_features_pager_messaging_system]
</td>
</tr>
<tr>
<td><label for="cb_pageroption"><input type="checkbox" name="pageroption" value="1" id="cb_pageroption" onclick="toggle_disabled(this.checked, 'pageroptiontbody')" $checked[pageroption] />$vbphrase[pager_enable_pager_messaging]</label></td>
</tr>
<tbody id="pageroptiontbody"<if condition="!$bbuserinfo[pageroption]"> disabled="disabled"</if>>
<tr>
<td><br />$vbphrase[pager_features_pager_messaging_from_buddylist]</td>
</tr>
<tr>
<td><label for="cb_pagerbuddyoption"><input type="checkbox" name="pagerbuddyoption" value="1" id="cb_pagerbuddyoption" $checked[pagerbuddyoption] />$vbphrase[pager_enable_pager_messaging_from_buddylist]</label></td>
</tr>
<if condition="$vboptions['vbpager_playsound']">
<tr>
<td><label for="cb_pagersoundoption"><input type="checkbox" name="pagersoundoption" value="1" id="cb_pagersoundoption" $checked[pagersoundoption] />$vbphrase[pager_enable_pager_sound_notification]</label></td>
</tr>
</if>
</tbody>
</table>
</fieldset>
<else />
<input type="hidden" name="pageroption" value="$bbuserinfo[pageroption]" />
<input type="hidden" name="pagerbuddyoption" value="$bbuserinfo[pagerbuddyoption]" />
<input type="hidden" name="pagersoundoption" value="$bbuserinfo[pagersoundoption]" />
</if>
<!-- [END HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 2 ] -->
=============================

In the template: navbar
=============================
FIND
=============================
<if condition="$show['pmstats']"><br /><phrase 1="$vbphrase[unread_x_nav_compiled]" 2="$vbphrase[total_x_nav_compiled]" 3="$session[sessionurl_q]">$vbphrase[private_messages_nav]</phrase></if>
=============================
BELOW ADD
=============================
<!-- [START HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 3 ] -->
<if condition="$show['pager']"><br /><a href="#" onclick="window.open('$vboptions[bburl]/pager.php?action=pager&do=log&folder=inbox','pagerinbox','statusbar=no,menubar=no,toolbar=no,scrollbars=yes,resizable=yes,width=650,height=500'); return false;">$vbphrase[pager_pager_messages]</a><phrase 1="$bbuserinfo[pagerunread]" 2="$bbuserinfo[pagertotal]">$vbphrase[pager_messages_nav_x_y]</phrase></if>
<!-- [END HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 3 ] -->
=============================

FIND
=============================
<tr><td class="vbmenu_option"><a href="#" onclick="window.open('misc.php?$session[sessionurl]do=buddylist&amp;focus=1','buddylist','statusbar=no,menubar=no,toolbar=no,scrollbars=yes,resizable=yes,width=250,height=300'); return false;">$vbphrase[open_buddy_list]</a></td></tr>
=============================
BELOW ADD
=============================
<!-- [START HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 4 ] -->
<tr><td class="vbmenu_option"><a href="#" onclick="window.open('$vboptions[bburl]/pager.php?$session[sessionurl]do=buddylist','pagerbuddylist','statusbar=no,menubar=no,toolbar=no,scrollbars=yes,resizable=yes,width=$vboptions[vbpager_width],height=$vboptions[vbpager_height]'); return false;">$vbphrase[pager_open_vbpager]</a></td></tr>
<!-- [END HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 4 ] -->
=============================

In the template: footer
=============================
FIND
=============================
<script type="text/javascript">
<!--
// Main vBulletin Javascript Initialization
vBulletin_init();
//-->
</script>
=============================
BELOW ADD
=============================
<!-- [START HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 5 ] -->
$pagermessage
<!-- [END HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 5 ] -->
=============================

In the template: postbit (Optional)
=============================
FIND:
=============================
<if condition="$show['reputationlink']"><a href="reputation.php?$session[sessionurl]p=$post[postid]" rel="nofollow"><img class="inlineimg" src="$stylevar[imgdir_button]/reputation.gif" alt="<phrase 1="$post[username]">$vbphrase[add_to_xs_reputation]</phrase>" border="0" /></a> &nbsp;</if>
=============================
Add BELOW:
=============================
<!-- [START HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 6 ] -->
<if condition="$vboptions['vbpager_active'] AND $bbuserinfo[userid]">
<a href="#" onclick="window.open('pager.php?do=buddylist&amp;puserid=$post[userid]','pagerbuddylist','statusbar=no,menubar=no,toolbar=no,scrollbars=yes,resizable=yes,width=$vboptions[vbpager_width],height=$vboptions[vbpager_height]'); return false;"><img class="inlineimg" src="$stylevar[imgdir_statusicon]/vbpager_icon.gif" alt="<phrase 1="$post[username]">$vbphrase[pager_send_pager_message_to_x]</phrase>" border="0" /></a> &nbsp;</if>
<!-- [END HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 6 ] -->
=============================

In the template: postbit_legacy (Optional)
=============================
FIND:
=============================
<if condition="$show['reputationlink']"><a href="reputation.php?$session[sessionurl]p=$post[postid]" rel="nofollow"><img class="inlineimg" src="$stylevar[imgdir_button]/reputation.gif" border="0" alt="<phrase 1="$post[username]">$vbphrase[add_to_xs_reputation]</phrase>" /></a></if>
=============================
Add BELOW:
=============================
<!-- [START HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 7 ] -->
<if condition="$vboptions['vbpager_active'] AND $bbuserinfo['userid']">
<a href="#" onclick="window.open('pager.php?do=buddylist&amp;puserid=$post[userid]','pagerbuddylist','statusbar=no,menubar=no,toolbar=no,scrollbars=yes,resizable=yes,width=$vboptions[vbpager_width],height=$vboptions[vbpager_height]'); return false;"><img class="inlineimg" src="$stylevar[imgdir_statusicon]/vbpager_icon.gif" alt="<phrase 1="$post[username]">$vbphrase[pager_send_pager_message_to_x]</phrase>" border="0" /></a></if>
<!-- [END HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 7 ] -->
=============================

#############################################################################
############################### EDITS END ###################################
#############################################################################

Step 4. From the AdminCP, edit vB Pager Options and Usergroup Permissions.
Step 5. Enjoy your new hack. And if you haven't already, click install at vBulletin.org.

#############################################################################
############################### Many thanks to ##############################
#############################################################################

- nexialys, for his help with the design and style.
- Zero Tolerance and Andreas a.k.a. KirbyDE, for their vB 3.5 tutorials.

#############################################################################
################################### THE END #################################
#############################################################################
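Since the thread's advice is to uninstall and revert every template edit, here is an added, defender-side audit (not part of the readme, the mod, or any post) that checks a board for leftovers: it scans template source for the readme's `[START HACK='vB Pager' ... CHANGEID= n ]` / `[END ...]` markers, flags half-reverted edits and stray `pager.php` links, and lists any `pager.php` / `product-pager.xml` still on disk. The sample template text and the `audit_forum_dir` file list are constructed assumptions for illustration.

```python
import re
from pathlib import Path

# Markers the vB Pager readme wraps every template edit in (CHANGEID 1..7).
START_RE = re.compile(r"\[START HACK='vB Pager'[^\]]*CHANGEID=\s*(\d+)\s*\]")
END_RE = re.compile(r"\[END HACK='vB Pager'[^\]]*CHANGEID=\s*(\d+)\s*\]")
EXPECTED_CHANGEIDS = set(range(1, 8))  # seven edits across six templates per the readme

# Assumed filenames: pager.php is referenced by the template edits, product-pager.xml
# is the product file the readme has you import. Either still present = incomplete uninstall.
PAGER_FILES = ("pager.php", "product-pager.xml")


def audit_template(name: str, text: str) -> dict:
    """Report leftover vB Pager edits in one template's source."""
    starts = [int(m.group(1)) for m in START_RE.finditer(text)]
    ends = [int(m.group(1)) for m in END_RE.finditer(text)]
    return {
        "template": name,
        "changeids": sorted(set(starts) | set(ends)),
        "unbalanced": sorted(set(starts) ^ set(ends)),  # START without END, or vice versa
        "stray_pager_refs": len(re.findall(r"\bpager\.php\b", text)),
    }


def audit_forum_dir(root: Path) -> list:
    """List vB Pager files still present anywhere under the forum directory."""
    return [str(p.relative_to(root)) for p in root.rglob("*") if p.name in PAGER_FILES]


def remaining_edits(reports: list) -> set:
    """CHANGEIDs from the readme that still appear in any audited template."""
    found = set()
    for r in reports:
        found.update(r["changeids"])
    return found & EXPECTED_CHANGEIDS


# Constructed samples: a navbar where edit 4 was only half reverted (END marker gone,
# link still there) and a postbit where edit 6 is still fully in place.
SAMPLE_NAVBAR = """<tr><td class="vbmenu_option">buddy list</td></tr>
<!-- [START HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 4 ] -->
<tr><td class="vbmenu_option"><a href="#" onclick="window.open('pager.php?do=buddylist')">pager</a></td></tr>
"""
SAMPLE_POSTBIT = """<if condition="$show['reputationlink']">rep</if>
<!-- [START HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 6 ] -->
<a href="#" onclick="window.open('pager.php?do=buddylist&amp;puserid=$post[userid]')">page</a>
<!-- [END HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 6 ] -->
"""

if __name__ == "__main__":
    reports = [audit_template("navbar", SAMPLE_NAVBAR), audit_template("postbit", SAMPLE_POSTBIT)]
    for r in reports:
        print(r)
    print("readme edits still present:", sorted(remaining_edits(reports)))
```

Run it against each template exported from the AdminCP; an empty `changeids` list for every template, no stray `pager.php` references and an empty `audit_forum_dir` result is what a clean revert looks like.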

Swampfox 07-30-2007 12:04 PM

Not asking for details about the vulnerability; I understand why they shouldn't be disclosed. I just have one basic question.

In order to use the exploit, someone would have to have access to the pager system, correct? I'm thinking of limiting access to it to just a specific usergroup on my site, with only people I trust.

Dismounted 07-30-2007 12:10 PM

Yes, users need to be able to access the pager to actually use the vulnerability.

talenak 07-31-2007 02:06 AM

My members have voted unanimously to remove the security risk. So away it goes. Thank you for your answer Kirk!

xfaethorx 08-02-2007 04:37 PM

I have had to disable this plugin as well. Is there an alternative that allows for messages to be sent without the need for Java-based apps or refreshing? Vbpager was good because of its AJAX features and I'm looking for a replacement.

MorrisMcD 08-20-2007 01:06 AM

I was really hoping someone would have fixed this by now. Unfortunately no one can help fix it without knowing the exploit, yet it is very understandable not to release info about the exploit. Is anyone on staff working on this or is it a lost cause?

jambo_1969 09-10-2007 09:42 AM

Are any of the other "pager" systems in the same bracket, i.e. open to vulnerability?

Dismounted 09-10-2007 11:59 AM

Quote:

Originally Posted by jambo_1969 (Post 1336094)
Are any of the other "pager" systems in the same bracket, i.e. open to vulnerability?

Not to my knowledge, no.

themajor 09-12-2007 02:52 AM

My site got destroyed this week... totally gutted... Is it possible this happened because I was running the pager?

Dismounted 09-12-2007 07:11 AM

Yes, it is possible. I am sorry to hear about your board, but we did advise everyone to uninstall it. It was left up to you whether to do it.

themajor 09-12-2007 06:07 PM

Quote:

Originally Posted by Dismounted (Post 1337484)
Yes, it is possible. I am sorry to hear about your board, but we did advise everyone to uninstall it. It was left up to you whether to do it.

I am not a regular of these boards, sad as it is.

Let me ask this... if I create a usergroup of only select individuals who are allowed to use the pager, will I be protected?

Paul M 09-12-2007 06:15 PM

Quote:

Originally Posted by themajor (Post 1337776)
Let me ask this... if I create a usergroup of only select individuals who are allowed to use the pager, will I be protected?


Without going through the code we really couldn't say; there are multiple security holes in it. The only advice is not to use it.


Quote:

Originally Posted by MorrisMcD (Post 1321318)
Is anyone on staff working on this or is it a lost cause?


No one on the staff is working on it, nor are they likely to.

themajor 09-12-2007 06:23 PM

Well then, does anyone know of the mod closest to this one?



Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
