Go Back   vb.org Archive > vBulletin Modifications > Archive > vB.org Archives > Premium Archives > vbBux / vbPlaza
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools
vbBux / vbPlaza v1.5.8 has been released! Details »»
vbBux / vbPlaza v1.5.8 has been released!
Version: , by CMX_CMGSCCC CMX_CMGSCCC is offline
Developer Last Online: Sep 2014 Show Printable Version Email this Page

Version: Unknown Rating:
Released: 07-13-2006 Last Update: Never Installs: 0
 
No support by the author.

A quick release to address a critical bug.

Get it at --> https://vborg.vbsupport.ru/showthread.php?t=106953

A NOTE: This will be one of the last releases of vbBux / vbPlaza in its V1.x format.

But do not fear, vbBux / vbPlaza V2.0 is in the pipeline and will be bigger and better than before

U ask how can it be bigger and better? Stay tuned!!!

-CMX

Show Your Support

  • This modification may not be copied, reproduced or published elsewhere without author's permission.

Comments
  #62  
Old 02-06-2007, 08:11 AM
wilburshere wilburshere is offline
 
Join Date: May 2005
Location: Sydney
Posts: 60
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

disabled here now *bugger* Iliked this mod
Reply With Quote
  #63  
Old 02-06-2007, 08:41 AM
Artificial_Alex Artificial_Alex is offline
 
Join Date: Nov 2006
Posts: 123
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Greek Wizard View Post
If we disable just the donate function, will this allow the rest of the hack to be active and safe?
Yes. But I'd still advise you to wait for staff to fix the bug or something.
Reply With Quote
  #64  
Old 02-06-2007, 09:51 AM
Deimos Deimos is offline
 
Join Date: Oct 2002
Posts: 529
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Oh er....just noticed CMX's last activity time

"Last Activity: 14. Jul 2006 01:10"

Maybe time to move onto another store program, if there is one?
Reply With Quote
  #65  
Old 02-06-2007, 11:19 AM
fly fly is offline
 
Join Date: Oct 2003
Posts: 1,215
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Deimos View Post
Oh er....just noticed CMX's last activity time

"Last Activity: 14. Jul 2006 01:10"

Maybe time to move onto another store program, if there is one?
nope
Reply With Quote
  #66  
Old 02-06-2007, 11:31 AM
MThornback MThornback is offline
 
Join Date: Apr 2005
Location: Canada
Posts: 388
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Nothing worth the effort...besides most hacks that tie into VBPlaza would also have a bunch of dead code in them.....*sigh*
Reply With Quote
  #67  
Old 02-06-2007, 12:31 PM
BrandiDup's Avatar
BrandiDup BrandiDup is offline
 
Join Date: Jun 2005
Location: San Diego, CA
Posts: 213
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Thanks to the vbulletin team for keeping us safe and up to date. It's very much appreciated.

This hack was a huge, huge part of our site so I sincerely hope it won't be abandoned I'd be more than willing to donate some $$ to help get things patched up.
Reply With Quote
  #68  
Old 02-06-2007, 12:53 PM
Acers's Avatar
Acers Acers is offline
 
Join Date: Feb 2005
Posts: 180
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Based on my understanding of the code, (and please note i can be wrong) i reckon that anything that sends out pm's with user input data will create a problem. The issue is that a user can for example in donation enter a custom message that is sent in the pm after passing through the php strip_tags function. Now that function can be exploited . You can do your own research on google.
Please note that i am venturing a guess here and not saying anything with surety. If this is indeed the reason a replacement with htmlentities might do the trick. (or with vb's own function)

EDIT: Ok i have reproduced the problem on my test site so please note that this is a sure bug.
Reply With Quote
  #69  
Old 02-06-2007, 01:25 PM
thepub thepub is offline
 
Join Date: Aug 2006
Posts: 226
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

As many awesome coders we have on this board and somebody can't replicate another store/points hack?
Reply With Quote
  #70  
Old 02-06-2007, 01:28 PM
NFLfbJunkie NFLfbJunkie is offline
 
Join Date: Sep 2006
Posts: 327
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Acres, with your knowledge of the problem, is their a fix? If so, how does one get the fix approved and implemented in to the already existing code, posted on the board for users to add to their code? Just hoping this fabulous MOD can be saved.
Reply With Quote
  #71  
Old 02-06-2007, 01:29 PM
Acers's Avatar
Acers Acers is offline
 
Join Date: Feb 2005
Posts: 180
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

here is a temporary fix, i have tested this locally only for the donate function and its working as far as this exploit goes, and since the same logic can be taken for other places where its used we can replace there

go to your vbplaza folder, find occurrences of the following:
includes/function_vbplaza.php
find around line 152(depending on the version you have)

PHP Code:
$message strip_tags($message); 
make that
PHP Code:
$message htmlspecialchars($message); 
go to
vbplaza/action.admindonate.php (line 133)
PHP Code:
$action['reason'] = strip_tags($action['reason']); 
make that
PHP Code:
$action['reason'] = htmlspecialchars($action['reason']); 

goto
vbplaza/action.changeotherusertitle.php (line 136)
PHP Code:
$newusertitle_stripped strip_tags($newusertitle); 
make that
PHP Code:
$newusertitle_stripped htmlspecialchars($newusertitle); 

goto
vbplaza/action.changeusertitle.php (line 87)
PHP Code:
$newusertitle_stripped strip_tags($newusertitle); 
make that
PHP Code:
$newusertitle_stripped htmlspecialchars($newusertitle); 

goto
vbplaza/action.donate.php (line 164)
PHP Code:
$action['reason'] = strip_tags($action['reason']); 
make that
PHP Code:
$action['reason'] = htmlspecialchars($action['reason']); 



goto
vbplaza/action.gift.php (line 209)
PHP Code:
$action['giftmessage'] = strip_tags($action['giftmessage']); 
make that
PHP Code:
$action['giftmessage'] = htmlspecialchars($action['giftmessage']); 

goto
vbplaza/action.ribbons.php (line 218)
PHP Code:
$action['ribbonmessage'] = strip_tags($action['ribbonmessage']); 
make that
PHP Code:
$action['ribbonmessage'] = htmlspecialchars($action['ribbonmessage']); 


the above fixes one part of the exploit. Ofcourse there might be other issues involved also, i am still looking around and maybe others are also.

Please note that there might be other code areas that can be exploited also which i don't know yet. Don't think you are safe just by doing the above. The full exploit and what caused it has not been released so all this is guesswork to find the vulnerable part.(btw if this was not one part of exploit, even then it should be in part of the fix as the original code above can be exploited.I just looked at the code and saw this cos the original poster had mentioned something to do with pm text. Wait for an official fix or atleast don't blame me
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 01:56 PM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04827 seconds
  • Memory Usage 2,333KB
  • Queries Executed 25 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (14)bbcode_php
  • (2)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)modsystem_post
  • (1)navbar
  • (6)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (4)pagenav_pagelink
  • (1)pagenav_pagelinkrel
  • (11)post_thanks_box
  • (11)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (11)post_thanks_postbit_info
  • (10)postbit
  • (11)postbit_onlinestatus
  • (11)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete