Go Back   vb.org Archive > vBulletin Modifications > Archive > vB.org Archives > vBulletin 3.5 > vBulletin 3.5 Add-ons
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools
[AJAX] vBShout v2.0 Details »»
[AJAX] vBShout v2.0
Version: 2.0, by Zero Tolerance Zero Tolerance is offline
Developer Last Online: Nov 2023 Show Printable Version Email this Page

Version: 3.5.0 RC2 Rating:
Released: 07-27-2005 Last Update: 04-22-2006 Installs: 1831
Uses Plugins Template Edits
Additional Files  
No support by the author.

[high]Staff Edit/Update[/high]

I have released an updated version of this hack (version 2.0.1), this version fixes some security issues with this hack. All version prior to this one allow users to insert html in their shouts, this can cause problems with them using html that breaks the site layout or malicious javascript. Download the new zip file (vBshout_fixed.zip) and upload the new vbshout.php file to patch/upgrade. If you want to manual instructions they are in the zip file, in the file bugfixes.txt

Second Staff update

I've uploaded a new version of this hack, dubbed '2.0.2'. This one should fix the html injection issues without breaking special characters. To upgrade, download the new zip file and upload the new vbshout.php file.

Please note that this only fixes the html injection issues. I do not use this hack on my own forum (although I've tested this on a client's board) so I will not be fixing the server load issues. I suggest you do not install this hack if you can't deal with the extra server load, as it's rather intensive.

- Brad

[high]End staff edit[/high]

Well, been a while since I've been to vb.org and released anything, thought i'd break the trend and whip up something quick while I have a little spare time.

A shoutbox as you would assume, a very simple one to start off with, but does include AJAX Technology, which pushes the shoutbox 1 step closer to live, messages from other people will appear with no refreshing, and so will yours that you post

A preview is below, i'd estimate a 50 second installation max

Primary Features:
- AJAX Technology (no refreshing)
- Administration control an display element options
- Fast format editor

Change Log::

- v1.1:
WOL (Who's Online) Correction

- v1.2:
New Posting Featurs (Bold/Italic/Underline/Colour/Font)
Admin Controls

- Change location/position of shoutbox
- Change number of shouts displayed
- Switch vbcode/similes on/off
- v1.3
Firefox javascript issue fixed
New Admin Controls

- Command Activation
- Swtch extra format options on/off
- Change position of editor (above/below messages)
New Commands

- /prune (Clears the shoutbox completely)
- /prune [username] (Clears all shouts posted by specified user)
- v1.4
Usergroup HTML Markup For Usernames
Clear Editor Button
Emoticons Pop Up Menu
Time display configurated to vBulletin settings
Username Links To Profile
New Admin Conrols

New vBShout Position (Directly Above Forums)
Banned Users
Banned Usergroups
Banned Permissions
Smilie Pop-Up Box Height
Smilie Pop-Up Box Width
New Commands

"/me" - Action message (all users are able to use this command)
/pruneshout [shout] - Deletes a single shout
- v1.5
Improved Smilies Display
XHTML 1.0 Transitional Valid (couple of errors fixed)
New Admin Options

Shoutbox Height
Smilies To Show
Shout Messages Order
Banned Permissions (fixed)
- v1.6
Bug Fixes:

- Unable to delete shouts that used /me command fixed
- Shouts being displayed from bottom-upwards only showed first 20 shouts
Automatically parses URL's

- v2.0
New Archive

- Displays shouts and pages
- Stats and top 10 shouters
- AJAX Edit/Delete (staff can edit/delete all shouts)
Enjoy,

- Zero Tolerance

Show Your Support

  • This modification may not be copied, reproduced or published elsewhere without author's permission.

Comments
  #1592  
Old 04-22-2006, 08:54 PM
Jon_Simmonds Jon_Simmonds is offline
 
Join Date: Nov 2005
Location: UK
Posts: 103
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Does the edit function work after the update? if so i must be pure stupid as i cant figure out how to edit a shout by one of my users - edit found it
Reply With Quote
  #1593  
Old 04-22-2006, 09:39 PM
H@K@N H@K@N is offline
 
Join Date: Dec 2004
Location: Dortmund
Posts: 75
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Hi @ll,

have executed the Security fixed, don't know if its linked to my Issue :

A User is using bbcode in the Shout like

[img ] link to an image with a .htaccess protected folder [/IMG ]

So then all Users getting to Popup to Enter Username and Password. This could be also a security Risk .....

How i can handle this, should i disallow bbcode in the Shoutbox ?

th@nks
Reply With Quote
  #1594  
Old 04-22-2006, 09:52 PM
Zachery's Avatar
Zachery Zachery is offline
 
Join Date: Jul 2002
Location: Ontario, Canada
Posts: 11,440
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Thats not a direct security risk anyone can control, anyone could post a picture to an image thats behind htaccess on anywhere you allow the image bbcode.
Reply With Quote
  #1595  
Old 04-22-2006, 09:56 PM
H@K@N H@K@N is offline
 
Join Date: Dec 2004
Location: Dortmund
Posts: 75
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

So then the Smiley Function is not working anymore, because you have to deactivate the vBCode/Smilies Function.

Any possiblity to disallow the external linking in the Shoutbox ?
Reply With Quote
  #1596  
Old 04-22-2006, 10:49 PM
DementedMindz DementedMindz is offline
 
Join Date: Jan 2006
Posts: 1,474
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Zachery
Thats not a direct security risk anyone can control, anyone could post a picture to an image thats behind htaccess on anywhere you allow the image bbcode.
ok maybe they will answer this time...

ok i see brad posted a fix but wasnt this a exploit too in it 'shout' => TYPE_STR, as per this post https://vborg.vbsupport.ru/showp...postcount=1192 or does brads update fix this?
Reply With Quote
  #1597  
Old 04-22-2006, 11:37 PM
thelittleguy thelittleguy is offline
 
Join Date: Dec 2005
Posts: 10
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

i have it loaded on my site all it says is Loading and never does whats the deal?
Reply With Quote
  #1598  
Old 04-23-2006, 01:39 AM
RFViet RFViet is offline
 
Join Date: Jan 2006
Posts: 362
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I got probem after updating the vbshout_fix . I can not type " ... " anymore . The quotation mark doesn't work , please check it out !!!
Reply With Quote
  #1599  
Old 04-23-2006, 02:18 AM
o0Hubba0o's Avatar
o0Hubba0o o0Hubba0o is offline
 
Join Date: Mar 2005
Location: Minnesota
Posts: 263
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by RFViet
I got probem after updating the vbshout_fix . I can not type " ... " anymore . The quotation mark doesn't work , please check it out !!!
Lol you can always tell the people that don't read before they post. They're looking into it, it has to do html not being allowed. Just scan some previous posts, it's all there.
Reply With Quote
  #1600  
Old 04-23-2006, 11:37 AM
RFViet RFViet is offline
 
Join Date: Jan 2006
Posts: 362
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by o0Hubba0o
Lol you can always tell the people that don't read before they post. They're looking into it, it has to do html not being allowed. Just scan some previous posts, it's all there.
It didn't happen with orginal vbshout 2 on my board !!
Reply With Quote
  #1601  
Old 04-23-2006, 01:01 PM
Brad Brad is offline
 
Join Date: Nov 2001
Posts: 4,765
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Yes my update fixes that issue, although it does not restrict input to NOHTML, it simply cleans it when it's called from the database.

Quote:
Brad's update didn't fix the current problems
My update fixed only one problem and that was allowing users to inject html.

Quote:
Why are you using htmlspecialchars() as the 'fix' function? That only causes special chars to get converted... why not use strip_tags() ?
Strip_tags will give you results that are just as bad. For example try posting this in the shoutbox "& <-- no &amp;" this will display "&" because everything after < is stripped.

Update

I've uploaded a new version of this hack, dubbed '2.0.2'. This one should fix the issues without breaking special characters. To upgrade, download the new zip file and upload the new vbshout.php file.

Please note that this only fixes the html injection issues. I do not use this hack on my own forum (although I've tested this on a client's board) so I will not be fixing the server load issues. I suggest you do not install this hack if you can't deal with the extra server load, as it's rather intensive.
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 04:58 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.05647 seconds
  • Memory Usage 2,323KB
  • Queries Executed 25 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (5)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)modsystem_post
  • (1)navbar
  • (6)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (4)pagenav_pagelink
  • (6)pagenav_pagelinkrel
  • (11)post_thanks_box
  • (11)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (11)post_thanks_postbit_info
  • (10)postbit
  • (11)postbit_onlinestatus
  • (11)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete