Hey guys,
I installed this on our forums, and wouldn't you know that our users found a vulnerability almost right away.
Seems that if the users put any HTML or JAVA code inside the comments, it actually renders when the page loads. For example:
Quote:
Rich agrees: Sounds good <script>alert('hi');</script>
Makes a java window pop open and say hi...
I'm sure I don't have to tell you what a malicious hacker can do with something like this.
So, I'd propose this fix to the existing code. Inside the functions_showthread.php, find this code:
Code:
// START PUBLIC DISPLAY OF AFFECTION hack
if ($forum['showaffection'])
{
    $post['affection'] = "";
    $repcount = 0;
    if ($reps = $DB_site->query("SELECT reputation.reputation,reputation.whoadded,reputation.reason,user.username
        FROM " . TABLE_PREFIX . "reputation
        LEFT JOIN " . TABLE_PREFIX . "user ON reputation.whoadded=user.userid
        WHERE reputation.reputation!=0 AND postid='" . $post['postid'] . "'"))
    {
        while ($rep = $DB_site->fetch_array($reps))
        {
            eval('$post[\'affectionbits\'] .= "' . fetch_template('postbit_affectionbit') . '";');
            $repcount++;
        }
        if ($repcount)
        {
            //echo "2";
            eval('$post[\'affection\'] .= "' . fetch_template('postbit_affection') . '";');
        }
        else
        {
            //echo "3";
            $post['affection'] = "";
        }
    }
}
// END PUBLIC DISPLAY OF AFFECTION hack
BEFORE the line:
Code:
eval('$post[\'affectionbits\'] .= "' . fetch_template('postbit_affectionbit') . '";');
Add this code:
Code:
// Fix for HTML entities: escape the user-supplied reason before the template interpolates it.
// Quoted key (not a bareword) and ENT_QUOTES so single quotes are encoded as well.
$rep['reason'] = htmlentities($rep['reason'], ENT_QUOTES);
That will protect us from this issue.
Other than that, this is a great hack. I'm using it on 3.0.6 on 5 forums...
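The following is an added example, not code from the post above or from vBulletin or the affection hack itself. It contrasts the unpatched behaviour (the reputation reason interpolated straight into HTML) with an escaped renderer, using the exact payload quoted in the post as a constructed sample row. The template markup, the helper name h(), and the assumption of a UTF-8 forum are all mine; the real postbit_affectionbit template looks different. It uses htmlspecialchars rather than htmlentities, which is sufficient for this purpose, and escapes every user-supplied column the post's query selects, not only reason.

```php
<?php
// Added example (not from the original post or from vBulletin): raw versus
// escaped rendering of a reputation row into a postbit fragment.

// Constructed sample row mirroring the columns the post's query selects.
// The reason text is the payload quoted in the post.
$sampleRep = [
    'reputation' => 1,
    'whoadded'   => 42,
    'reason'     => "Sounds good <script>alert('hi');</script>",
    'username'   => 'Rich',
];

// Vulnerable rendering: user-controlled fields concatenated into markup
// unchanged, which is what the unpatched hack's template interpolation does.
function render_affectionbit_raw(array $rep): string
{
    return '<div class="affectionbit">' . $rep['username'] . ' agrees: '
         . $rep['reason'] . '</div>';
}

// Escaping helper (assumed name). ENT_QUOTES also encodes single quotes so the
// value stays inert inside single-quoted attributes; the charset argument keeps
// multibyte input from being mangled (assumes a UTF-8 forum).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Hardened rendering: every field that originates from a user is escaped at
// the point where it enters HTML, not just the one field the report mentions.
function render_affectionbit_safe(array $rep): string
{
    return '<div class="affectionbit">' . h($rep['username']) . ' agrees: '
         . h($rep['reason']) . '</div>';
}

// Quick regression check a forum admin can run after applying a fix:
// does the rendered fragment still contain a literal tag from the input?
function contains_literal(string $html, string $needle): bool
{
    return strpos($html, $needle) !== false;
}

$raw  = render_affectionbit_raw($sampleRep);
$safe = render_affectionbit_safe($sampleRep);

echo "raw:  $raw\n";
echo "safe: $safe\n";

// The raw fragment still carries the script tag; the escaped one does not.
var_dump(contains_literal($raw, '<script>'));
var_dump(contains_literal($safe, '<script>'));
```

The same check applies to any other hack that builds markup with eval() over a template: find each variable the template interpolates, trace it back to where it was read from the database or request, and escape it once, right before it becomes HTML.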