Quote:
Originally Posted by Bernd
Ok, thanks for explaining. I'll try that one and post the results.
Code:
// check if the user has already OK'd the points removal
if ($vbulletin->options['vbbux_attachconfirmpage'] && ($_GET['download'] != '1'))
is the only place in vbplaza_attachment_start.php where "POST" is located. Doesn't seem like that's causing the issue though. To be certain I have replaced it with "GET", but a link with STC=1 will still download without showing the vbplaza download attachment template or subtracting the points.
Could there be a plugin hooked into attachment somewhere that contains POST? Still seems to me there's something wrong in the above mentioned php.
I am in the middle of a major programming effort myself so I can't take the time to debug this but I am confident that the line of code posted above is NOT the code that is the problem ...
I believe you will find the problem somewhere in the plugin system or one of the hooks and that the code you will be looking for is more like:
<form action=somescript.php method=get ..........>
That code could be just about anywhere however. As I said, I would look in the plugin and hooks, then I would look at the php files for the script...
The developer should be able to advise in seconds where the code is that does this update however...
Good luck and if I find the time I can try to work on it but right now I have a huge project of my own that is taking all my free time and this "Security Gap" does not affect me and my sites at this time...