Go Back   vb.org Archive > Community Discussions > Forum and Server Management
Reload this Page eval() language construct
FAQ Members List Calendar Search Today's Posts Mark Forums Read
  #1  
Old 12-04-2013, 05:34 AM
Marv Marv is offline
 
Join Date: Jun 2002
Location: Germany
Posts: 372
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default eval() language construct
Does anybody know wether vb or vbSEO is utilizing the eval() language construct or not? I would like to disable that, cause the majority of hacking attacks seems to be done through eval() execution of base64 encoded shell commands.

As far as I checked the files and templates it seems the coders have tried to wrap an equal function to get eval-able results. So far it?s looking good..but there is this little residiual risk - and I just don?t want to break the live site and become beaten up
Reply With Quote
  #2  
Old 12-04-2013, 05:37 AM
tbworld tbworld is offline
 
Join Date: Oct 2008
Posts: 2,126
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
'Eval' is used extensively throughout vBulletin.
Reply With Quote
  #3  
Old 12-04-2013, 05:58 AM
Marv Marv is offline
 
Join Date: Jun 2002
Location: Germany
Posts: 372
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Damn it,
I run the search in the archives for eval() instead of eval. I?m such a nut..

Note to myself: check, think, check again, ask a buddy face to face and drink your first coffee before you start making a fool out of yourself...
Reply With Quote
Благодарность от:
tbworld
  #4  
Old 12-04-2013, 06:21 AM
AusPhotography's Avatar
AusPhotography AusPhotography is offline
 
Join Date: Nov 2007
Location: Hobart & Adelaide .au
Posts: 521
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Eval is ok when used properly, but it can suffer the same problem as an SQL injection.
We don't ban SQL, we just use it properly
Reply With Quote
  #5  
Old 12-04-2013, 06:33 AM
Marv Marv is offline
 
Join Date: Jun 2002
Location: Germany
Posts: 372
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
I wasn´t referring to a potential security hole in vb or addons. I guess with all the coders here a security issue wouldn´t stay undetected very long. We are running some other non-vb related things on the server and at least one was known for a security risk regarding eval`d code. The hole should have been patched in the latest version as the programmers say, but...ya never know.
Reply With Quote
  #6  
Old 04-08-2014, 11:37 AM
demdev demdev is offline
 
Join Date: Oct 2013
Posts: 16
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Hey Marv...you're hip to the eval switch right? Most scanners wont find the rogue if it has gets switched to a lave......
Reply With Quote
Reply

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT. The time now is 04:20 PM.

Contact Us - Archive - Top

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04130 seconds
  • Memory Usage 2,200KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (6)post_thanks_box
  • (1)post_thanks_box_bit
  • (6)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit
  • (6)post_thanks_postbit_info
  • (6)postbit
  • (6)postbit_onlinestatus
  • (6)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 
Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • fetch_musername
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • post_thanks_function_fetch_thanks_bit_start
  • post_thanks_function_show_thanks_date_start
  • post_thanks_function_show_thanks_date_end
  • post_thanks_function_fetch_thanks_bit_end
  • post_thanks_function_fetch_post_thanks_template_start
  • post_thanks_function_fetch_post_thanks_template_end
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete