Thread: uCash & uShop old support and thank you thread
View Single Post
  #1175  
Old 06-26-2004, 09:41 PM
Link14716's Avatar
Link14716 Link14716 is offline
 
Join Date: Jun 2002
Location: Georgia, USA
Posts: 2,519
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by rabbitdog
I don't think this has been addressed, because I still see the unfixed code in the zip file available for download, so I'd like to point out the fact that there is a critical bug in the uShop change username action.

This affects all current installations of the uStore with this item available for purchase.

The issue is as follows:

The "sanity" check which queries the database to see if a user already exists before accepting a changed username will never find any matches. This is because of the usage of an empty (incorrect) variable in the query.

The result is that any user can change his or her username to that of an existing user.

Note that this does NOT change permissions, so a user changing his name to that of a mod or an admin will not inherit access to those functions.

Here is the fix:

1. Open action.changeusername.php, which is stored in the /uttstore/ directory
2. Change line 5 from:

PHP Code:
$changed $DB_site->query_first("SELECT userid, username FROM ".TABLE_PREFIX."user WHERE username='".addslashes($data)."'"); 
to:

PHP Code:
$changed $DB_site->query_first("SELECT userid, username FROM ".TABLE_PREFIX."user WHERE username='".addslashes($username)."'"); 
Nice catch. $data is used in several functions, but it looks like it shouldn't there.

Fixed for 0.95.
Reply With Quote
 
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.06176 seconds
  • Memory Usage 1,780KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD_SHOWPOST
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (2)bbcode_php
  • (1)bbcode_quote
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_box
  • (1)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit_info
  • (1)postbit
  • (1)postbit_onlinestatus
  • (1)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • reputationlevel
  • showthread
Included Files:
  • ./showpost.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showpost_start
  • bbcode_fetch_tags
  • bbcode_create
  • postbit_factory
  • showpost_post
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • showpost_complete