The Arcive of Official vBulletin Modifications Site.

beacher · #**391** 11-08-2005, 05:30 AM

Quote:

Originally Posted by MrZeropage

Could not confirm that, please give me the link to your installation to check this out via PM, thx

Mrzero sent you a pm with the links

Sooner95 · #**392** 11-08-2005, 12:17 PM

Quote:

Originally Posted by JTyson

What version php are you using?

PHP5, now that you said that.. these v3 games I used on my old bbs, vb3.0 on php 4x.. so chances are they are useless..

Ahwell, now you all know what will happen when your hosts bump you to PHP5.. hehe

JTyson · #**393** 11-08-2005, 01:21 PM

Nah it doesnt have anything to do with php5 , The zip_open function that gives you the error has to be compiled into the php/apache core, When i wrote the installer i tested it on three machines with different hosting companies and assumed that most hosts did this by default, im currently working on a fix and should hopefully have something in the next couple of days, I'll forward it to MrZero when i have the fix so he can forward it on.

Them being on your old board wont make a difference as a zip file is a zip file regardless of php/vb version

Sooner95 · #**394** 11-08-2005, 01:22 PM

ok cool... I wasnt sure.. i'm not much into the code..

Will await for the next release to test. Thx fellas..

soniceffect · #**395** 11-08-2005, 04:25 PM

answers my question then LOL

hobbes747 · #**396** 11-08-2005, 04:55 PM

Can I volunteer for beta testing, please? We just got hit by someone trying to use the password exploit. :nervous:

Quote:

Originally Posted by dina

I don't see any remarks being made on the recent exploit they have found in the mod (it involves index.php and the ability to extract the password for any member on the board by entering a sql query in the URL ending with user id).
I saw this on a newsgroup today, but haven't seen it here so far.

nitro · #**397** 11-08-2005, 06:20 PM

Quote:

Originally Posted by hobbes747

Can I volunteer for beta testing, please? We just got hit by someone trying to use the password exploit. :nervous:

Theres an update for this http://www.ibproarcade.com/index.php?showtopic=7576

has been there not long after the exploit was posted on securityfocus

If theres a vulnerability in ibProarcade that affects both vB and IBP then you will find a patch posted at ibproarcade.com quite soon after publication of said vulnerability

I still dont know what they can do with a vB hashed pass unless they can also union a url login bypassing the vB scripted hashing

fly · #**398** 11-08-2005, 06:26 PM

Quote:

Originally Posted by nitro

Theres an update for this http://www.ibproarcade.com/index.php?showtopic=7576

has been there not long after the exploit was posted on securityfocus

If theres a vulnerability in ibProarcade that affects both vB and IBP then you will find a patch posted at ibproarcade.com quite soon after publication of said vulnerability

I still dont know what they can do with a vB hashed pass unless they can also union a url login bypassing the vB scripted hashing

I don't even see that in my mod_report.php file...

(but I'm using the vB3.5 version...)

hobbes747 · #**399** 11-08-2005, 06:34 PM

Me neither. I'm using the 3.5x Beta 2 version.

This was the url that they were using. And they tried more than one before I caught it.

Code:

forums/index.php?act=Arcade&module=report&user=-1%20union%20select%20password%20from%20user%20where%20userid=2

nitro · #**400** 11-08-2005, 06:36 PM

It is there in all versions up to and inc the recent RC3

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.04855 seconds Memory Usage 2,274KB Queries Executed 12 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (1)ad_showthread_firstpost (1)ad_showthread_firstpost_sig (1)ad_showthread_firstpost_start (1)bbcode_code (5)bbcode_quote (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)navbar (3)navbar_link (120)option (1)pagenav (1)pagenav_curpage (4)pagenav_pagelink (2)pagenav_pagelinkrel (10)post_thanks_box (10)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (10)post_thanks_postbit_info (10)postbit (10)postbit_onlinestatus (10)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start pagenav_page pagenav_complete tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!