The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
Security flaw with a function
So I was using this function earlier today and noticed something

    function pm_api($pmfromuserid, $pmfromusername, $pmtitle, $pmmessage, $username)
    {
        global $vbulletin, $botpermissions;

        // Build the private message through the PM data manager.
        $pmdm =& datamanager_init('PM', $vbulletin, ERRTYPE_ARRAY);
        $pmdm->set('fromuserid', $pmfromuserid);
        $pmdm->set('fromusername', $pmfromusername);
        $pmdm->set('title', $pmtitle);
        $pmdm->set('message', $pmmessage);
        $pmdm->set_recipients($username, $botpermissions);
        $pmdm->set('dateline', TIMENOW);

        // Keep save()'s result: the original returned $pmdm after unset(),
        // which is always an undefined variable.
        $result = $pmdm->save();
        unset($pmdm);
        return $result;
    }

If the $username doesn't exist, it will print out the whole database with all passwords and the password of the database in an error similar to this:

    Fatal error: The following users were not found: - Unable to proceed with save while $errors array is not empty in class vB_DataManager_PM in [path]/includes/class_dm.php on line 810
    #0 vb_error_handler(256, The following users were not found: - *prints database*

So is there any way I can prevent it from revealing all this info if it can't find the username?
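
One way to avoid the fatal path described in the post above, as an added example that is not part of the original post or of vBulletin itself: validate first, and only call save() when the data manager has collected no errors. It assumes it runs inside a vBulletin script where datamanager_init(), ERRTYPE_ARRAY and TIMENOW are defined, and that the data manager exposes pre_save() and an $errors array as in stock class_dm.php; pm_api_checked() and the returned array shape are hypothetical.

```php
<?php
// Added example: hypothetical wrapper, requires the vBulletin runtime
// (datamanager_init(), ERRTYPE_ARRAY, TIMENOW, $vbulletin, $botpermissions).
function pm_api_checked($pmfromuserid, $pmfromusername, $pmtitle, $pmmessage, $username)
{
    global $vbulletin, $botpermissions;

    // ERRTYPE_ARRAY collects validation problems in $pmdm->errors
    // instead of reporting them at the point where they occur.
    $pmdm =& datamanager_init('PM', $vbulletin, ERRTYPE_ARRAY);
    $pmdm->set('fromuserid', $pmfromuserid);
    $pmdm->set('fromusername', $pmfromusername);
    $pmdm->set('title', $pmtitle);
    $pmdm->set('message', $pmmessage);
    $pmdm->set_recipients($username, $botpermissions);
    $pmdm->set('dateline', TIMENOW);

    // Run the remaining validation without writing to the database.
    $pmdm->pre_save();

    if (!empty($pmdm->errors)) {
        // An unknown recipient ends up here. Never call save() in this
        // state: that is what raises the fatal error and its backtrace.
        $errors = $pmdm->errors;
        unset($pmdm);

        // Record the reason server-side; messages may contain HTML.
        error_log('pm_api_checked: PM not sent: ' . strip_tags(implode('; ', $errors)));

        return array('sent' => false, 'errors' => $errors);
    }

    $pmdm->save();
    unset($pmdm);

    return array('sent' => true, 'errors' => array());
}
```

The caller decides what to show the user from `errors` and should escape it for the output context. This guards only the recipient and validation errors; it does not change what the error handler prints for other fatal errors.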