Go Back   vb.org Archive > vBulletin 3 Discussion > vB3 Programming Discussions
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools Display Modes
  #1  
Old 01-09-2008, 11:41 PM
Gratisites Gratisites is offline
 
Join Date: Jan 2007
Posts: 8
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Side-effects of Custom Who's Online

Hello,
I paid a freelance programmer to find this solution for me, but since I'm not familiar with vBulletin code I'm a little worried to put his hack live because of potential side effects.

The point of the hack was to get who's online to track what people do on non-vB custom scripts. I'm using 3.6.8 Patch 2... here's what I've done:

includes/functions.php

Line 5,201, commented out the exit; on the print_output function

Added this at the top of my custom script, let's call it TEST_SCRIPT.php (my forums are in /forums/ and my script is in a level back so I needed to go this route)
PHP Code:
$curdir getcwd ();
chdir('./forums');
require_once(
'./global.php');
chdir ($curdir); 
Added this to the bottom of my custom script
PHP Code:
print_output('<!--log-->'false);
mysql_query("update session set location='TEST_SCRIPT.php' where userid = '".$vbulletin->userinfo[userid]."' and host='".getenv(REMOTE_ADDR)."'");
echo(
mysql_error()); 
Then we added the references to that file in includes/functions_online.php and we were done. Who's online was now working 100% and tracking what guests / members were doing.

The part that has me paranoid is commenting out that "exit;". I'm sure it was there for a reason, have I opened up a pandoras box of problems or will I be fine? What are some side effects of not exiting that function right there?

Thank you in advance for your support.
Reply With Quote
  #2  
Old 01-10-2008, 04:27 PM
sarahk's Avatar
sarahk sarahk is offline
 
Join Date: Jun 2004
Location: Auckland, New Zealand
Posts: 64
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I've re-read your post a few times and I'm not quite sure I follow it all.

However i'm concerned that your coder needed to change the directory to get his code to work ... so I'd wonder about the quality of the rest. Smacks of the newbie coding I did 8 years ago

He also hasn't used internal vB database handling which is simpler but doesn't utilise some of the safeguards vB has provided.

Can "getenv(REMOTE_ADDR)" be hacked? Can it be used for an injection? You might want to check that too.
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 04:37 PM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.06660 seconds
  • Memory Usage 2,176KB
  • Queries Executed 13 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (2)bbcode_php
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (2)post_thanks_box
  • (2)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (2)post_thanks_postbit_info
  • (2)postbit
  • (2)postbit_onlinestatus
  • (2)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete