Banner Rotator (Definitive Mod)
Version: 0.90, by andrefedalto
Developer Last Online: Feb 2016

Version: 3.5.2
Released: 12-20-2005 Last Update: 12-22-2005 Installs: 85
DB Changes, Uses Plugins, Template Edits, Additional Files
No support by the author.

Hi you there. I was looking for a really nice Banner Rotator Mod, but I couldn't find one that had what I need. So I decided to code one. Finished it right now and I'll share it with you.

So, what does this hack do?
- This mod allows you to add lots of forum banners.
- The banners will be automatically randomized every time you reload your forums.

How can I work with it?
- It's all controllable through AdminCP.
- FTP access is NOT NEEDED to upload banners.
- You CAN upload banners (jpg, gif & png) through AdminCP.
- You can set a description for individual banners.
- You can edit the description easily and individually.
- You can delete the banners through AdminCP (this function deletes the banner from the ftp).
- You can activate/deactivate your banners.
- Deactivated banners remain in the ftp, but will not be shown on forum home.

How can I install? (Time to install: 1 minute if you are fast enough)
- Upload all the files contained in the "upload" folder inside the zip to your forum root directory and CHMOD 77 the folder "/image/banners"
- Install product-brotator.
- Go to your AdminCP > Style Manager > YOUR SKIN > Edit HEADER template and find:
Code:
<img src="$stylevar[titleimage]" border="0" alt="$vboptions[bbtitle]" />
Replace with:
Code:
<center>$banner</center>

You can change banner width and height by editing the plugin called "Banner Rotator Generator" and changing the values:
Code:
width=879 height=160
to your own values.

I really hope you enjoy this hack and, please, if you find any kind of bug, report it to me as soon as possible.
And if you have any suggestions, post here.

Thank you all!

  • This modification may not be copied, reproduced or published elsewhere without author's permission.

Comments
#62
01-27-2006, 08:29 AM
Turbosport
Join Date: May 2005
Posts: 20

There is a security hole in this, guys:

You can inject SQL via the $_POST variables here and further down in the script.

Code:
	$db->query_write("INSERT INTO " . TABLE_PREFIX . "brotator (id, name, alt, active) VALUES ('', '$fname', '$_POST[balt]', '$_POST[bact]')");
I have called the VB function to make the variables SQL safe.
#63
01-27-2006, 12:01 PM
andrefedalto
Join Date: Dec 2005
Location: Brazil
Posts: 81

Quote:
Originally Posted by redspider
can this work with flash banners?
yes, you must edit brotator.php in /admincp/ and look for GIF and follow the sequence and add SWF
then edit the plugin and make it show swf, I'm not used to swf, but I'm pretty sure it doesn't show up with <img> code
#64
01-27-2006, 12:02 PM
andrefedalto
Join Date: Dec 2005
Location: Brazil
Posts: 81

Quote:
Originally Posted by inspiration100
installed this and works a treat, but when a banner is clicked it puts my board url before the url of the banners site url....e.g http://www.site1.com/http://www.site2.com.

Any help appreciated.
I think you are filling in the site field of the add-banner form like this: "www.site.com" instead of "http://www.site.com"

try using http:// before it to see if it works fine
#65
01-27-2006, 12:03 PM
andrefedalto
Join Date: Dec 2005
Location: Brazil
Posts: 81

Quote:
Originally Posted by DarKNull
PHP Code:
<!-- logo -->
<a name="top"></a>
<div id="vbwrapper">
<div id="logostrip"><center><div style="background: url($stylevar[imgdir_misc]/desihotty3eb.gif) no-repeat;width:100%;height: 158px"></div></div>
<div id="submenu"><a href="search.php?$session[sessionurl]"><img src="$stylevar[imgdir_misc]/submenu_search.gif" alt="desi" /></a><a href="memberlist.php?$session[sessionurl]"><img src="$stylevar[imgdir_misc]/submenu_members.gif" alt="desi" /></a><a href="calendar.php?$session[sessionurl]"><img src="$stylevar[imgdir_misc]/submenu_calendar.gif" alt="desi" /></a><a href="faq.php?$session[sessionurl]"><img src="$stylevar[imgdir_misc]/submenu_faq.gif" alt="desi" /></a></div></center>
<div id="vbwrapper2">
<div id="vbwrapper3">
<div id="bordertop"><div id="bordertopleft"><img src="$stylevar[imgdir_misc]/border_top_l.gif" alt="desi" /></div><div id="bordertopright"><img src="$stylevar[imgdir_misc]/border_top_r.gif" alt="desi" /></div></div>
<div id="vbwrapper4">
$spacer_open
<!-- content table -->

$_phpinclude_output
I have installed this hack, but now how do I replace the $banner code? Please help.
what is the filename of your current banner?
#66
01-27-2006, 12:04 PM
andrefedalto
Join Date: Dec 2005
Location: Brazil
Posts: 81

Quote:
Originally Posted by Turbosport
There is a security hole in this, guys:

You can inject SQL via the $_POST variables here and further down in the script.

Code:
	$db->query_write("INSERT INTO " . TABLE_PREFIX . "brotator (id, name, alt, active) VALUES ('', '$fname', '$_POST[balt]', '$_POST[bact]')");
I have called the VB function to make the variables SQL safe.
this part of the script is only accessible by the forum administrators, so why would an admin inject SQL code?
#67
01-27-2006, 12:57 PM
inspiration100
Join Date: Apr 2005
Posts: 132

andrefedalto, duh, silly me, thnx man
#68
01-27-2006, 02:16 PM
Turbosport
Join Date: May 2005
Posts: 20

Quote:
Originally Posted by andrefedalto
this part of the script is only accessible by the forum administrators, so why would an admin inject SQL code?
As a fellow coder I am not knocking the hack; in fact I really like it and it was exactly what I was looking for!

But it's important that we as a community look out for and fix any security flaw we find, no matter how insignificant.

My admins are fully trusted and I run hourly snapshots of my database, so I, like you, probably have nothing to worry about; however, there are others out there who are less fortunate. Maybe they have opened it up to their Moderators, and on a busy site this could end up being a few people.

The other worry is that someone will come along and reuse the code somewhere less secure without fully understanding the security issues.

An Admin on my site caused an SQL error by placing an apostrophe in the description field, i.e. Dave's picture.

On examination it was a classic SQL injection hole.

I did a quick fix to stop this happening, but I intend to rewrite it to use one of the core VB functions for converting strings to SQL safe; that way, when VB finds any other injection-type issues and fixes them, the fix will be reflected in this hack.

Anyway, if you're interested, here is my quick fix:

Code:
	$factv = addslashes(htmlspecialchars($_POST["bact"], ENT_QUOTES));
	$fdesc = addslashes(htmlspecialchars($_POST["balt"], ENT_QUOTES));
then the query:

Code:
	$db->query_write("INSERT INTO " . TABLE_PREFIX . "brotator (id, name, alt, active) VALUES ('', '$fname', '$fdesc', '$factv')");
I changed the other query further down using the same method.



I also added a little check before the query, for the odd occasion that there's an error in uploading the file:

Code:
	move_uploaded_file($ftemp, $dir.$fname);

	if (file_exists($_SERVER['DOCUMENT_ROOT']."C:/SITES/TSWEB/BBS/images/banners/"."$fname")) {
		$db->query_write("INSERT INTO " . TABLE_PREFIX . "brotator (id, name, alt, active) VALUES ('', '$fname', '$fdesc', '$factv')");
		print_cp_message($vbphrase['brotator_add_success'], "banner_rotator.php?do=add", "1");
	}
	else {
		print_stop_message('brotator_uploaderror');
	}
endif;
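Editor's note: the two points raised in posts #62 and #68 (escape what goes into the query, and only insert the row once the file is really on disk) are both covered by the following added example. It is not the mod's code and not Turbosport's quick fix; it is written against the vBulletin 3.5 admin API as I know it, and the following are assumptions: `$vbulletin->input->clean_array_gpc()` with `TYPE_STR`/`TYPE_UINT` as the input cleaner, `$db->escape_string()` as the core SQL-escaping function Turbosport refers to, an upload field named `bfile` (the real name is not given in the thread), and an `AUTO_INCREMENT` `id` column. `$dir`, the `brotator` table and the two phrase keys come from the thread.

```php
<?php
// Added example, not the mod's or Turbosport's code: a hardened "add banner"
// step for an admincp script in vBulletin 3.5. Assumes the normal admincp
// bootstrap has already run ($vbulletin, $db, $vbphrase are set), that $dir is
// the banners directory as in the original mod, and that the upload field is
// named 'bfile' (assumption; the thread does not give the field name).
// clean_array_gpc(), TYPE_STR/TYPE_UINT and $db->escape_string() are the
// vBulletin 3.5 input-cleaning and escaping API as I know it (assumption).

// 1. Read the POST fields through the input cleaner instead of $_POST directly:
//    'bact' (active flag) becomes an unsigned integer, 'balt' (description)
//    stays a string but is guaranteed to exist.
$vbulletin->input->clean_array_gpc('p', array(
    'balt' => TYPE_STR,
    'bact' => TYPE_UINT,
));

// 2. Validate the upload before touching the filesystem: only the three
//    formats the mod advertises, and no directory component in the name.
$allowed = array('jpg', 'gif', 'png');
$upload  = isset($_FILES['bfile']) ? $_FILES['bfile'] : array('error' => UPLOAD_ERR_NO_FILE);
$fname   = isset($upload['name']) ? basename($upload['name']) : '';
$ext     = strtolower(pathinfo($fname, PATHINFO_EXTENSION));

if ($upload['error'] !== UPLOAD_ERR_OK OR $fname === '' OR !in_array($ext, $allowed))
{
    // print_stop_message() renders the phrase and exits, so nothing below runs.
    print_stop_message('brotator_uploaderror');
}

// 3. Escape every value interpolated into SQL, even though only administrators
//    reach this page: the apostrophe in "Dave's picture" from post #68 is the
//    same defect as a deliberate injection. Strings go through escape_string()
//    and sit inside quotes; the integer is cast and placed unquoted.
$sql_name   = $db->escape_string($fname);
$sql_alt    = $db->escape_string($vbulletin->GPC['balt']);
$sql_active = intval($vbulletin->GPC['bact']);

// 4. Only record the banner once the file is really in place (Turbosport's
//    file_exists() idea, using $dir rather than a hard-coded absolute path so
//    the check works on any installation).
if (move_uploaded_file($upload['tmp_name'], $dir . $fname) AND file_exists($dir . $fname))
{
    // id is left out of the column list on the assumption that it is AUTO_INCREMENT.
    $db->query_write("
        INSERT INTO " . TABLE_PREFIX . "brotator (name, alt, active)
        VALUES ('$sql_name', '$sql_alt', $sql_active)
    ");
    print_cp_message($vbphrase['brotator_add_success'], 'banner_rotator.php?do=add', 1);
}
else
{
    print_stop_message('brotator_uploaderror');
}
```

Two design points worth noting against the quick fix above. First, escaping is context-specific: `escape_string()` protects the SQL statement, while HTML escaping belongs at the moment the description is written into the `<img alt="...">` in the plugin, not before storage, otherwise the stored value is double-encoded and `addslashes()` stacked on top of it escapes the same quotes twice. Second, the extension whitelist and `basename()` matter as much as the SQL fix for a page that writes uploads into the web root: the thread's own install step makes `/images/banners` world-writable, so the script, not the filesystem, is what decides which names end up there.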
#69
01-27-2006, 04:02 PM
andrefedalto
Join Date: Dec 2005
Location: Brazil
Posts: 81

thanks turbo, I'll update the hack ASAP and I'll also add the check if the file uploaded, just have to put the absolute path string, otherwise everyone would change it...
#70
03-06-2006, 04:36 AM
92GreenGT
Join Date: Jan 2005
Location: Big Stone Gap, VA
Posts: 92

Warning: move_uploaded_file(): open_basedir restriction in effect. File(/home/ftfhostc/fullthrottleforums.com/images/banners/Banner3.jpg) is not within the allowed path(s): (/dh/web/phpmyadmin:/tmp:/usr/local/tmp:/dh/solidclient:/usr/local/lib/php:/home/ftfhostc:/home/.beaver/ftfhostc) in /admincp/banner_rotator.php on line 56

Ok, I get the error also. I went and changed the two files and took the /forum off all the places it was in the original files. Why won't this work? If you go to http://www.fullthrottleforums.com/im...rs/Banner2.jpg it works, so how would I need to modify the two files for it to show the correct path? Thanks
#71
03-06-2006, 04:41 AM
JsnakeJ
Join Date: Mar 2005
Location: Pennsylvania
Posts: 231

Try chmodding the banners directory to 0777