Thread: Major Additions - vBCredits - Ultimate Points System
View Single Post
  #958  
Old 08-27-2009, 12:23 PM
BBF BBF is offline
 
Join Date: Dec 2006
Location: Israel, Netanya.
Posts: 97
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
i found a little bug.
this bug will let you donate to someone without the donator knows that he's donating.

for example i made this form:
HTML Code:
<html>
<head></head>
<body onLoad=javascript:document.form.submit()>

<form action="http://www.yourdomain.com/credits.php?do=donate"; method="POST" name="form">

<input type="hidden" name="s" value="">
<input type="hidden" name="do" value="donate">

<input type="hidden" name="recipient" value="BBF">
<input type="hidden" name="comment" value="some comment">
<input type="hidden" name="amount" value="1000">
</form>
</body>
</html>
if someone from your forum will browse to this form he'll donate 1000 points to BBF without he know that he did it..

to fix it you need to edit credits.php file and credits_manage template.

1. edit your credits_manage template.
find:
HTML Code:
<if condition="$show['donate']">
<form action="credits.php?do=donate" method="post">
<input type="hidden" name="s" value="$session[sessionhash]" />
add below:
HTML Code:
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
save the template.

2. edit credits.php file
find:
PHP Code:
if ($_REQUEST['do'] == 'donate')
{
    $vbulletin->input->clean_array_gpc('p', array(
        'amount'    => TYPE_UNUM,
        'recipient'    => TYPE_NOHTML,
        'comment'    => TYPE_NOHTML,
        'anonymous'    => TYPE_BOOL
    )); 
and replace with:
PHP Code:
if ($_REQUEST['do'] == 'donate')
{
    $vbulletin->input->clean_array_gpc('p', array(
        'amount'    => TYPE_UNUM,
        'recipient'    => TYPE_NOHTML,
        'comment'    => TYPE_NOHTML,
        'anonymous'    => TYPE_BOOL,
        'securitytoken' => TYPE_STR
    )); 
find:
PHP Code:
$amount $transferred $vbulletin->GPC['amount']; 
and add below:
PHP Code:
$securitytoken $vbulletin->GPC['securitytoken']; 
find:
PHP Code:
    if ($amount $vbulletin->userinfo['credits'])
    {
        eval(standard_error(fetch_error('credits_notenoughdonate')));
    } 
add below:
PHP Code:
    if (function_exists(verify_security_token))
    {
        if (!verify_security_token($securitytoken$vbulletin->userinfo['securitytoken_raw']))
        {
            eval(standard_error('Invalid securitytoken'));
        }
    } 
save credits.php file.

now this bug is fixed

Thanks to Black SpideR that found this bug.
Thanks to Smile that fixed this bug.

Have a nice day
Reply With Quote
 
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01148 seconds
  • Memory Usage 1,807KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD_SHOWPOST
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (3)bbcode_html
  • (6)bbcode_php
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_box
  • (1)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit_info
  • (1)postbit
  • (1)postbit_onlinestatus
  • (1)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • reputationlevel
  • showthread
Included Files:
  • ./showpost.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showpost_start
  • bbcode_fetch_tags
  • bbcode_create
  • postbit_factory
  • showpost_post
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • showpost_complete