#391
11-08-2005, 05:30 AM
beacher
Join Date: Jul 2005
Location: Rome (Italy)
Posts: 33

Quote:
Originally Posted by MrZeropage
Could not confirm that, please give me the link to your installation to check this out via PM, thx

Mrzero sent you a pm with the links

#392
11-08-2005, 12:17 PM
Sooner95
Join Date: Apr 2003
Location: I don't know
Posts: 535

Quote:
Originally Posted by JTyson
What version php are you using?

PHP5, now that you said that.. these v3 games I used on my old bbs, vb3.0 on php 4x.. so chances are they are useless..

Ah well, now you all know what will happen when your hosts bump you to PHP5.. hehe

#393
11-08-2005, 01:21 PM
JTyson
Join Date: Apr 2005
Location: This Thread
Posts: 140

Nah, it doesn't have anything to do with PHP5. The zip_open function that gives you the error has to be compiled into the PHP/Apache core. When I wrote the installer I tested it on three machines with different hosting companies and assumed that most hosts did this by default. I'm currently working on a fix and should hopefully have something in the next couple of days. I'll forward it to MrZero when I have the fix so he can forward it on.

Them being on your old board won't make a difference, as a zip file is a zip file regardless of PHP/vB version.

#394
11-08-2005, 01:22 PM
Sooner95
Join Date: Apr 2003
Location: I don't know
Posts: 535

OK cool... I wasn't sure.. I'm not much into the code..

Will wait for the next release to test. Thx fellas..

#395
11-08-2005, 04:25 PM
soniceffect
Join Date: Feb 2005
Location: UK
Posts: 453

answers my question then LOL

#396
11-08-2005, 04:55 PM
hobbes747
Join Date: Jul 2005
Posts: 31

Can I volunteer for beta testing, please? We just got hit by someone trying to use the password exploit. :nervous:

Quote:
Originally Posted by dina
I don't see any remarks being made on the recent exploit they have found in the mod (it involves index.php and the ability to extract the password for any member on the board by entering a sql query in the URL ending with user id).
I saw this on a newsgroup today, but haven't seen it here so far.

#397
11-08-2005, 06:20 PM
nitro
Join Date: Nov 2001
Posts: 302

Quote:
Originally Posted by hobbes747
Can I volunteer for beta testing, please? We just got hit by someone trying to use the password exploit. :nervous:

There's an update for this: http://www.ibproarcade.com/index.php?showtopic=7576

has been there not long after the exploit was posted on SecurityFocus

If there's a vulnerability in ibProarcade that affects both vB and IBP then you will find a patch posted at ibproarcade.com quite soon after publication of said vulnerability

I still don't know what they can do with a vB hashed pass unless they can also union a URL login bypassing the vB scripted hashing

#398
11-08-2005, 06:26 PM
fly
Join Date: Oct 2003
Posts: 1,215

Quote:
Originally Posted by nitro
There's an update for this: http://www.ibproarcade.com/index.php?showtopic=7576

has been there not long after the exploit was posted on SecurityFocus

If there's a vulnerability in ibProarcade that affects both vB and IBP then you will find a patch posted at ibproarcade.com quite soon after publication of said vulnerability

I still don't know what they can do with a vB hashed pass unless they can also union a URL login bypassing the vB scripted hashing

I don't even see that in my mod_report.php file...

(but I'm using the vB3.5 version...)

#399
11-08-2005, 06:34 PM
hobbes747
Join Date: Jul 2005
Posts: 31

Me neither. I'm using the 3.5x Beta 2 version.

This was the url that they were using. And they tried more than one before I caught it.

Code:
forums/index.php?act=Arcade&module=report&user=-1%20union%20select%20password%20from%20user%20where%20userid=2
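
The request quoted in post #399 can be turned into an access-log check: flag any Arcade report request whose `user` parameter is not a plain numeric id. This is an added example, not part of the original thread or of ibProArcade; the combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
SQL_WORDS = re.compile(r"\b(union|select|from|where)\b", re.I)

def check_request(target):
    """Return a reason string if an Arcade report request carries a
    non-numeric `user` value, else None."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if [v.lower() for v in query.get("act", [])] != ["arcade"]:
        return None
    if [v.lower() for v in query.get("module", [])] != ["report"]:
        return None
    for value in query.get("user", []):  # parse_qs has already URL-decoded it
        if re.fullmatch(r"\d+", value):
            continue
        words = sorted({w.lower() for w in SQL_WORDS.findall(value)})
        return "sql keywords: " + ",".join(words) if words else "non-numeric user id"
    return None

def scan(lines):
    """Yield (client_ip, reason, target) for each suspicious log line."""
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        reason = check_request(m.group(1))
        if reason:
            yield line.split(" ", 1)[0], reason, m.group(1)

# Constructed sample log lines (documentation IP ranges, made-up timestamps and sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Nov/2005:18:01:02 +0000] "GET /forums/index.php?act=Arcade&module=report&user=2 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [08/Nov/2005:18:02:40 +0000] "GET /forums/index.php?act=Arcade&module=report&user=-1%20union%20select%20password%20from%20user%20where%20userid=2 HTTP/1.1" 200 812',
    '192.0.2.10 - - [08/Nov/2005:18:03:11 +0000] "GET /forums/showthread.php?t=100 HTTP/1.1" 200 9031',
    '198.51.100.7 - - [08/Nov/2005:18:03:55 +0000] "GET /forums/index.php?act=Arcade&module=report&user=2%27 HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for ip, reason, target in scan(SAMPLE_LOG):
        print(ip, reason, target)
```

A hit only shows that the request was made; whether it succeeded depends on whether the update linked in post #397 had been applied at the time.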

#400
11-08-2005, 06:36 PM
nitro
Join Date: Nov 2001
Posts: 302

It is there in all versions up to and inc the recent RC3