vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 Programming Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=15)
-   -   Side-effects of Custom Who's Online (https://vborg.vbsupport.ru/showthread.php?t=167399)

Gratisites 01-09-2008 11:41 PM
Side-effects of Custom Who's Online
 
Hello,
I paid a freelance programmer to find this solution for me, but since I'm not familiar with vBulletin code I'm a little worried to put his hack live because of potential side effects.

The point of the hack was to get who's online to track what people do on non-vB custom scripts. I'm using 3.6.8 Patch 2... here's what I've done:

includes/functions.php

Line 5,201, commented out the exit; on the print_output function

Added this at the top of my custom script, let's call it TEST_SCRIPT.php (my forums are in /forums/ and my script is in a level back so I needed to go this route)
PHP Code:
$curdir getcwd ();
chdir('./forums');
require_once('./global.php');
chdir ($curdir); 
Added this to the bottom of my custom script
PHP Code:
print_output('<!--log-->'false);
mysql_query("update session set location='TEST_SCRIPT.php' where userid = '".$vbulletin->userinfo[userid]."' and host='".getenv(REMOTE_ADDR)."'");
echo(mysql_error()); 
Then we added the references to that file in includes/functions_online.php and we were done. Who's online was now working 100% and tracking what guests / members were doing.

The part that has me paranoid is commenting out that "exit;". I'm sure it was there for a reason, have I opened up a pandoras box of problems or will I be fine? What are some side effects of not exiting that function right there?

Thank you in advance for your support.

sarahk 01-10-2008 04:27 PM
I've re-read your post a few times and I'm not quite sure I follow it all.

However i'm concerned that your coder needed to change the directory to get his code to work ... so I'd wonder about the quality of the rest. Smacks of the newbie coding I did 8 years ago ;)

He also hasn't used internal vB database handling which is simpler but doesn't utilise some of the safeguards vB has provided.

Can "getenv(REMOTE_ADDR)" be hacked? Can it be used for an injection? You might want to check that too.


All times are GMT. The time now is 12:01 AM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.00929 seconds
  • Memory Usage 1,716KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (2)bbcode_php_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (2)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete