The Arcive of Official vBulletin Modifications Site.It is not a VB3 engine, just a parsed copy! |
|
Comments |
#82
|
|||
|
|||
I changed the script a little:
Code:
if ($what=="download") { if (is_array($privatemessage)) { // header("Content-disposition: filename=messages.txt"); // header("Content-type: application/octet-stream"); // header("Pragma: no-cache"); // header("Expires: 0"); while(list($key,$val)=each($privatemessage)) { $downloads=$DB_site->query_first("SELECT touserid,fromuserid,dateline,title,message FROM privatemessage WHERE privatemessageid='$key' AND userid=$bbuserinfo[userid]"); $tousername=$DB_site->query_first("SELECT username FROM user WHERE userid='$downloads[touserid]'"); $fromusername=$DB_site->query_first("SELECT username FROM user WHERE userid='$downloads[fromuserid]'"); $msgdt = vbdate($dateformat,$downloads[dateline]); $msgtm = vbdate($timeformat,$downloads[dateline]); $wordwrap = wordwrap($downloads[message],75,"\r\n"); $dump .= "\r\nDate/Time Sent: $msgdt, $msgtm\r\n"; $dump .= "from: $fromusername[username]\r\n"; $dump .= "To: $tousername[username]\r\n"; $dump .= "Subject: $downloads[title]\r\n\r\n"; $dump .= "$wordwrap\r\n"; $dump .= "\r\n==========================================================================\r\n"; } //end while mail("$bbuserinfo[email]","Download Private Messages","$dump","From: Title of your board <no_reply_emailaddress>"); eval("standarderror(\"".gettemplate("pm_download_complete")."\");"); exit; } else { eval("standarderror(\"".gettemplate("error_pmnoselected")."\");"); exit; } } |
#83
|
|||
|
|||
@ bart, search the bug...
every user can see and download all pns... |
#84
|
|||
|
|||
Guess you're right, Lou. Thanks for your warning (though less for making it a puzzle).
Does this solve it? Code:
if ($what=="download") { if (is_array($privatemessage)) { $pms = implode(",",array_keys($privatemessage)); $downloads=$DB_site->query("SELECT touserid,fromuserid,dateline,title,message FROM privatemessage WHERE privatemessageid IN ($pms) AND userid=$bbuserinfo[userid]"); while ($pm = mysql_fetch_array($downloads)) { $tousername=$DB_site->query_first("SELECT username FROM user WHERE userid='$pm[touserid]'"); $fromusername=$DB_site->query_first("SELECT username FROM user WHERE userid='$pm[fromuserid]'"); $msgdt = vbdate($dateformat,$downloads[dateline]); $msgtm = vbdate($timeformat,$downloads[dateline]); $wordwrap = wordwrap($pm[message],75,"\r\n"); $dump .= "\r\nDate/Time Sent: $msgdt, $msgtm\r\n"; $dump .= "From: $fromusername[username]\r\n"; $dump .= "To: $tousername[username]\r\n"; $dump .= "Subject: $pm[title]\r\n\r\n"; $dump .= "$wordwrap\r\n"; $dump .= "\r\n==========================================================================\r\n"; } //end while mail("$bbuserinfo[email]","Download Private Messages","$dump","From: BOARD-TITLE <EMAILADDRESS>"); eval("standarderror(\"".gettemplate("pm_download_complete")."\");"); exit; } else { eval("standarderror(\"".gettemplate("error_pmnoselected")."\");"); exit; } } |
#85
|
|||
|
|||
looks bad... one of my moderators tell u what's wrong. btw he release a secure template version (save pms as a html file) in a few days.
lou |
#86
|
|||
|
|||
Hi,
sorry forposting so late... didn't have much time The most importent rule in web-programming is "never trust user input". But this rule is ignored here, so injection of SQL statements is possible... [detailed description removed] I have postet a very simmilar hack with enhanced functionality (templates...), which should be safe (uses verifyid() ) here: https://vborg.vbsupport.ru/showthrea...threadid=37172 |
#87
|
|||
|
|||
Oops.
Thanks for your reply Cano. I'll switch to your version soon as I have the time. I couldn't do what you suggest is possible, but the thought of it maybe being possible is more then enough. Maybe you should remove your post to not give someone a bad idea. |
#88
|
||||
|
||||
Thanks zarkov, that fixed it. :-)
|
#89
|
||||
|
||||
Thanks for the great hack, bira! I am in the process of getting the board ready to go up and this will be a great addition and surprise for everyone. Keep up the great work!
|
#90
|
|||
|
|||
I got a error. Does anyone know how to fix this? I have Ver. 2.2.6.
PHP Code:
|
#91
|
||||
|
||||
Show us the code a few lines up and a few lines after the error and we'll see if we can spot the problem.
Quote:
|
|
|
X vBulletin 3.8.12 by vBS Debug Information | |
---|---|
|
|
More Information | |
Template Usage:
Phrase Groups Available:
|
Included Files:
Hooks Called:
|