vb.org Archive

GeekyDesigns 06-02-2011 10:00 PM

login.php phishing patch
 
1 Attachment(s)
Due to the recently announced Possibly Phishing Vector, I made a small/short patch which should stop a user from being exploited.

I've tested this internally and it seems to do the job.

GeekyDesigns 06-02-2011 10:57 PM

If there are other pages that this can cause problems on, please let me know and I'll see what I can do to resolve it.

Special Pages 06-02-2011 11:45 PM

I'm using this for sure. Is this tested and working?

Zachery 06-03-2011 12:03 AM

I tested it as much as I could internally; it shouldn't ever impact normal users, only if someone or something tries to pass url=X in the URL.

MagicThemeParks 06-03-2011 12:26 AM

Will this work with all versions of vB?

Zachery 06-03-2011 12:58 AM

This should work on any version of vB4; the hook point I'm using, I'm moderately sure, isn't available in vB3.5-8.

SuperTaz 06-03-2011 01:08 AM

Nice. Thank you. :)

Boofo 06-03-2011 01:56 AM

Quote:

Originally Posted by Zachery (Post 2202899)
This should work on any version of vB4; the hook point I'm using, I'm moderately sure, isn't available in vB3.5-8.

init_startup is in init.php in 3.8.0. Not sure about earlier.

eJM 06-03-2011 03:16 AM

How will this affect things like VigLink?

Wonksta 06-03-2011 03:59 AM

Quote:

Originally Posted by eJM (Post 2202924)
How will this affect things like VigLink?

x2

AND - Does this phishing vulnerability affect vB3.8.6?

worried 06-03-2011 11:50 AM

Did I install this wrong?

Product: vBulletin
Hook Location: init_startup
Title: Login php phishing patch
Execution Order: 5
Plugin PHP Code: paste text of xml file here

I got a blank screen when I clicked the What's New button.

BadgerDog 06-03-2011 02:16 PM

Installed with thanks on 4.1.3 .... :)

Regards,
Doug

Zachery 06-03-2011 05:19 PM

Quote:

Originally Posted by worried (Post 2203034)
Did I install this wrong?

Product: vBulletin
Hook Location: init_startup
Title: Login php phishing patch
Execution Order: 5
Plugin PHP Code: paste text of xml file here

I got a blank screen when I clicked the What's New button.

You should just install it.

Delphiprogrammi 06-03-2011 08:04 PM

Quote:

Originally Posted by worried (Post 2203034)
Did I install this wrong?

Product: vBulletin
Hook Location: init_startup
Title: Login php phishing patch
Execution Order: 5
Plugin PHP Code: paste text of xml file here

I got a blank screen when I clicked the What's New button.


Probably you copied along a character that shouldn't be there and that is causing a blank page.

Zachery 06-05-2011 03:33 PM

Quote:

Originally Posted by eJM (Post 2202924)
How will this affect things like VigLink?

I did not notice your question, eJM; it shouldn't have any effect whatsoever on VigLink or Skimlinks. It only stops the &url variable from working on a very tiny portion of your site.
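The behaviour described in the post above, refusing an off-site `url=` value on login.php only, can be sketched as below. This is an added example, not the attached plugin or vBulletin's own code: the function names, `forum.example` and the sample requests are constructed, it assumes PHP 7 or later, and it goes slightly further than the post by keeping same-site targets instead of dropping the parameter outright.

```php
<?php
// Added example (not the attached plugin): PHP 7+, all names hypothetical.
/** True only for a path on this site or an http(s) URL on $siteHost. */
function is_local_redirect(string $url, string $siteHost): bool
{
    // Browsers normalise backslashes, spaces and control characters
    // differently from parse_url(), so refuse them outright.
    if ($url === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $url)) {
        return false;
    }
    // Site-relative path, but not "//host/..." (scheme-relative, off-site).
    if ($url[0] === '/') {
        return substr($url, 0, 2) !== '//';
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // "https://forum.example@other.example/" really points at other.example.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    return strtolower($parts['host']) === strtolower($siteHost);
}

/** Drop an unsafe "url" parameter, but only for requests to login.php. */
function filter_login_query(string $script, array $query, string $siteHost): array
{
    $url = $query['url'] ?? null;
    if (basename($script) === 'login.php' && $url !== null
        && !(is_string($url) && is_local_redirect($url, $siteHost))) {
        unset($query['url']);
    }
    return $query;
}

// Constructed sample requests; forum.example stands in for the board's host.
$samples = [
    '/index.php', 'https://forum.example/showthread.php?t=1',
    'https://other.example/login.php', '//other.example/login.php',
    'https://forum.example@other.example/',
];
foreach ($samples as $url) {
    $q = filter_login_query('/login.php', ['url' => $url], 'forum.example');
    printf("%-45s %s\n", $url, isset($q['url']) ? 'kept' : 'dropped');
}
```

Requests to any other script pass through `filter_login_query` untouched, which matches the "very tiny portion of your site" scope described in the thread.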

eJM 06-05-2011 04:50 PM

Thank you.

Alfa1 06-09-2011 05:10 PM

Could someone please make a vb3.8 version? With the announcement all over the net, it would be good to patch it.

BirdOPrey5 06-09-2011 05:37 PM

This will work in 3.8.

Alfa1 06-10-2011 12:09 AM

Thanks!

TheLastSuperman 06-10-2011 03:52 AM

Great idea *TheLastSuperman installs :D

Boofo 08-08-2011 05:37 AM

Is this mod still needed with vb 4.1.5?

Zachery 08-08-2011 05:25 PM

No, it isn't.

Boofo 08-08-2011 06:33 PM

The code is the same for the emailpassword section. Where was it fixed?

TheLastSuperman 08-08-2011 06:45 PM

Quote:

Originally Posted by Boofo (Post 2230779)
Is this mod still needed with vb 4.1.5?

Quote:

Originally Posted by Zachery (Post 2230968)
No, it isn't.

Do you mind updating the version when you have time? This way users on 4.1.5 for example won't waste time installing :cool:. Currently states "vB Version: 4.x.x"

Zachery 08-08-2011 07:32 PM

It does work on vB 4.x.x though :p

TheLastSuperman 08-08-2011 09:41 PM

Quote:

Originally Posted by Zachery (Post 2231015)
It does work on vB 4.x.x though :p

O.o I'm lost now, so you're saying we can still continue to utilize this w/ 4.1.5 up or that this was in fact remedied/included with their recent patch?

Zachery 08-08-2011 09:43 PM

It doesn't stop working on newer versions of the software, it just doesn't fix anything.

Boofo 08-08-2011 10:01 PM

So, should we run it on 4.1.5, or not?

TheLastSuperman 08-08-2011 10:33 PM

Quote:

Originally Posted by Zachery (Post 2231047)
It doesn't stop working on newer versions of the software, it just doesn't fix anything.

Ahh ok TY for that. Now do you see what I meant? ;)

Quote:

Originally Posted by Boofo (Post 2231053)
So, should we run it on 4.1.5, or not?

From the above - No, basically you can leave it installed and it won't hurt a thing or, since you know it's not required, uninstall :cool:.

Boofo 08-08-2011 10:46 PM

Well, Zachery beating around the bush doesn't make things very clear.

Zachery 10-26-2011 04:40 PM

Actually, FWIW, this addon would still be useful if you wanted to disable the newer security fix by vbulletin but still retain some of the protection.

