vb.org Archive
Page 1 of 2 1 2
Show 40 post(s) from this thread on one page

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=111)
-   -   User Title Exploit (https://vborg.vbsupport.ru/showthread.php?t=53034)

pie 05-16-2003 11:32 PM
User Title Exploit
 
Most of us who know php know how to exploit the usertitle, well the code to allow html even if specified not to.

Im just wondering if theres ANYTHING i can do to stop it being exploited. I was talking over a mate how to do it and its got passed on :ermm: it wont get passed on anymore coz. i know he'll keep it to himself. Just what do i do if it does. LOL

filburt1 05-16-2003 11:33 PM
Just don't allow anybody to use custom titles.

pie 05-16-2003 11:38 PM
fairy snuff. But for a few reasons on my boards i prefer them to. Anyway to stop it.

filburt1 05-16-2003 11:40 PM
To my knowledge, stock vB doesn't allow it. Make sure you don't have any hacks that break user titles. :)

pie 05-16-2003 11:45 PM
stock vB?

filburt1 05-16-2003 11:56 PM
Unhacked vB.

pie 05-16-2003 11:58 PM
is it ok to email u the code....? i mean as i dont want to release it.

Tigga 05-17-2003 02:20 PM
Wow... Never knew vBulletin had a small exploit there. Apparently it does work with a stock vBulletin as well. It wasn't hard to fix though. If you just look in your member.php file for addslashes($customtext) and replace that with addslashes(htmlspecialchars($customtext)) it should fix the problem. :)

filburt1 05-17-2003 03:16 PM
On my board there was no problem and to my knowledge still isn't one. One member used a status of <?= mod ?> (or thereabouts) which would normally be parsed as HTML to most browsers (it would appear as nothing). However you saw the actual text instead.

Tigga 05-17-2003 08:07 PM
Yea, it doesn't seem to work for PHP code. It does for HTML though which could still be abused.


All times are GMT. The time now is 09:05 PM.
Page 1 of 2 1 2
Show 40 post(s) from this thread on one page

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01386 seconds
  • Memory Usage 1,724KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (1)pagenav_pagelink
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (10)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • pagenav_page
  • pagenav_complete
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete