#1
07-25-2007, 09:31 PM
talenak
Join Date: Feb 2006
Location: Washington
Posts: 94
VBPager

Is there any information about the vulnerability? I'd like a little info to figure out what the risk is. My forum is STILL reeling from losing vbplaza and now they are going to friggin riot. lol

I just want to know what I'm getting myself into if I keep it, or if I need to just hold my breath and jump in the croc pond and uninstall it.
#2
07-25-2007, 09:54 PM
Kirk Y
Join Date: Apr 2005
Location: Tallahassee, Florida
Posts: 2,604

We cannot disclose the nature of its vulnerabilities as this information could be used to exploit boards who have not disabled or uninstalled it.
#3
07-25-2007, 10:09 PM
budswope
Join Date: Feb 2006
Posts: 12

I cannot download the zip for vbpager. I can't seem to find it on my computer either. I have uninstalled the product but I want to be sure I revert all the template edits and delete all the files but I need the zip to do it. How can I get it?
#4
07-25-2007, 10:40 PM
talenak
Join Date: Feb 2006
Location: Washington
Posts: 94

Right Kirk, I don't want to know HOW to do it. Just what they can do to my forum if they know the exploit.

Like, can they delete posts? Members? Steal cookies? That kind of thing.
#5
07-25-2007, 10:42 PM
Kirk Y
Join Date: Apr 2005
Location: Tallahassee, Florida
Posts: 2,604

I haven't looked at each and every find for that specific release, but to my knowledge one could conceivably retrieve sensitive information from the database and have it "paged" to them, ironically enough.
#6
07-27-2007, 02:23 PM
MorrisMcD
Join Date: Nov 2003
Location: Cincinnati, Ohio
Posts: 415

Quote:
Originally Posted by Kirk Y
I haven't looked at each and every find for that specific release, but to my knowledge one could conceivably retrieve sensitive information from the database and have it "paged" to them, ironically enough.

Good enough for me to shut it off, and keeping it a secret is the best idea. It makes the vulnerability worse if you start publishing what it does.
#7
07-28-2007, 11:25 AM
Dismounted
Join Date: Jun 2005
Location: Melbourne, Australia
Posts: 15,047

Here's the readme, for those who need it:
Quote:
/*======================================================================*\
|| #################################################################### ||
|| # vB Pager 3.0.4 for vBulletin 3.5.x                                 # ||
|| # ------------------------------------------------------------------ # ||
|| # Copyright ©2000-2005 WwW.UAEWEB.COM All Rights Reserved.           # ||
|| # This file may not be redistributed in whole or significant part.   # ||
|| # ------------------- VBULLETIN IS NOT FREE SOFTWARE --------------- # ||
|| # http://www.vbulletin.com | http://www.vbulletin.com/license.html   # ||
|| #################################################################### ||
\*======================================================================*/

vB Pager is a text-based instant messaging system between members of the community.
For more information and updates, visit: https://vborg.vbsupport.ru/showthread.php?t=104609

#############################################################################
############################# New Installation #############################
#############################################################################

Step 1. Upload all the files from the "files" directory in this zip into your forum directory.
Step 2. Import product-pager.xml as a new product.
Step 3. Edit templates as instructed below.

#############################################################################
############################## TEMPLATE EDITS ###############################
#############################################################################

In the template: MEMBERINFO
=============================
FIND
=============================
<if condition="$show['pm']">
<tr>
<td>
$vbphrase[private_message]:<br />
<a href="private.php?$session[sessionurl]do=newpm&amp;u=$userinfo[userid]" rel="nofollow"><phrase 1="$userinfo[username]">$vbphrase[send_private_message_to_x]</phrase></a>
</td>
</tr>
</if>
=============================
BELOW ADD
=============================
<!-- [START HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 1 ] -->
<if condition="$vboptions['vbpager_active'] AND $bbuserinfo['userid']">
<tr>
<td>
$vbphrase[pager_vbpager]:<br />
<a href="#" onclick="window.open('pager.php?do=buddylist&amp;puserid=$userinfo[userid]','pagerbuddylist','statusbar=no,menubar=no,toolbar=no,scrollbars=yes,resizable=yes,width=$vboptions[vbpager_width],height=$vboptions[vbpager_height]'); return false;"><phrase 1="$userinfo[username]">$vbphrase[pager_send_pager_message_to_x]</phrase></a>
</td>
</tr>
</if>
<!-- [END HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 1 ] -->
=============================


In the template: modifyoptions
=============================
FIND
=============================
$customfields[messaging]
=============================
ABOVE ADD
=============================
<!-- [START HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 2 ] -->
<if condition="$show['pager']">
<fieldset class="fieldset">
<legend><label for="cb_pageroption">$vbphrase[pager_vbpager]</label></legend>
<table cellpadding="0" cellspacing="$stylevar[formspacer]" border="0" width="100%">
<tr>
<td>
$vbphrase[pager_features_pager_messaging_system]
</td>
</tr>
<tr>
<td><label for="cb_pageroption"><input type="checkbox" name="pageroption" value="1" id="cb_pageroption" onclick="toggle_disabled(this.checked, 'pageroptiontbody')" $checked[pageroption] />$vbphrase[pager_enable_pager_messaging]</label></td>
</tr>
<tbody id="pageroptiontbody"<if condition="!$bbuserinfo[pageroption]"> disabled="disabled"</if>>
<tr>
<td><br />$vbphrase[pager_features_pager_messaging_from_buddylist]</td>
</tr>
<tr>
<td><label for="cb_pagerbuddyoption"><input type="checkbox" name="pagerbuddyoption" value="1" id="cb_pagerbuddyoption" $checked[pagerbuddyoption] />$vbphrase[pager_enable_pager_messaging_from_buddylist]</label></td>
</tr>
<if condition="$vboptions['vbpager_playsound']">
<tr>
<td><label for="cb_pagersoundoption"><input type="checkbox" name="pagersoundoption" value="1" id="cb_pagersoundoption" $checked[pagersoundoption] />$vbphrase[pager_enable_pager_sound_notification]</label></td>
</tr>
</if>
</tbody>
</table>
</fieldset>
<else />
<input type="hidden" name="pageroption" value="$bbuserinfo[pageroption]" />
<input type="hidden" name="pagerbuddyoption" value="$bbuserinfo[pagerbuddyoption]" />
<input type="hidden" name="pagersoundoption" value="$bbuserinfo[pagersoundoption]" />
</if>
<!-- [END HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 2 ] -->
=============================

In the template: navbar
=============================
FIND
=============================
<if condition="$show['pmstats']"><br /><phrase 1="$vbphrase[unread_x_nav_compiled]" 2="$vbphrase[total_x_nav_compiled]" 3="$session[sessionurl_q]">$vbphrase[private_messages_nav]</phrase></if>
=============================
BELOW ADD
=============================
<!-- [START HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 3 ] -->
<if condition="$show['pager']"><br /><a href="#" onclick="window.open('$vboptions[bburl]/pager.php?action=pager&do=log&folder=inbox','pagerinbox','statusbar=no,menubar=no,toolbar=no,scrollbars=yes,resizable=yes,width=650,height=500'); return false;">$vbphrase[pager_pager_messages]</a><phrase 1="$bbuserinfo[pagerunread]" 2="$bbuserinfo[pagertotal]">$vbphrase[pager_messages_nav_x_y]</phrase></if>
<!-- [END HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 3 ] -->
=============================

FIND
=============================
<tr><td class="vbmenu_option"><a href="#" onclick="window.open('misc.php?$session[sessionurl]do=buddylist&amp;focus=1','buddylist','statusbar=no,menubar=no,toolbar=no,scrollbars=yes,resizable=yes,width=250,height=300'); return false;">$vbphrase[open_buddy_list]</a></td></tr>
=============================
BELOW ADD
=============================
<!-- [START HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 4 ] -->
<tr><td class="vbmenu_option"><a href="#" onclick="window.open('$vboptions[bburl]/pager.php?$session[sessionurl]do=buddylist','pagerbuddylist','statusbar=no,menubar=no,toolbar=no,scrollbars=yes,resizable=yes,width=$vboptions[vbpager_width],height=$vboptions[vbpager_height]'); return false;">$vbphrase[pager_open_vbpager]</a></td></tr>
<!-- [END HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 4 ] -->
=============================

In the template: footer
=============================
FIND
=============================
<script type="text/javascript">
<!--
// Main vBulletin Javascript Initialization
vBulletin_init();
//-->
</script>
=============================
BELOW ADD
=============================
<!-- [START HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 5 ] -->
$pagermessage
<!-- [END HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 5 ] -->
=============================

In the template: postbit (Optional)
=============================
FIND:
=============================
<if condition="$show['reputationlink']"><a href="reputation.php?$session[sessionurl]p=$post[postid]" rel="nofollow"><img class="inlineimg" src="$stylevar[imgdir_button]/reputation.gif" alt="<phrase 1="$post[username]">$vbphrase[add_to_xs_reputation]</phrase>" border="0" /></a> &nbsp;</if>
=============================
Add BELOW:
=============================
<!-- [START HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 6 ] -->
<if condition="$vboptions['vbpager_active'] AND $bbuserinfo[userid]">
<a href="#" onclick="window.open('pager.php?do=buddylist&amp;puserid=$post[userid]','pagerbuddylist','statusbar=no,menubar=no,toolbar=no,scrollbars=yes,resizable=yes,width=$vboptions[vbpager_width],height=$vboptions[vbpager_height]'); return false;"><img class="inlineimg" src="$stylevar[imgdir_statusicon]/vbpager_icon.gif" alt="<phrase 1="$post[username]">$vbphrase[pager_send_pager_message_to_x]</phrase>" border="0" /></a> &nbsp;</if>
<!-- [END HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 6 ] -->
=============================

In the template: postbit_legacy (Optional)
=============================
FIND:
=============================
<if condition="$show['reputationlink']"><a href="reputation.php?$session[sessionurl]p=$post[postid]" rel="nofollow"><img class="inlineimg" src="$stylevar[imgdir_button]/reputation.gif" border="0" alt="<phrase 1="$post[username]">$vbphrase[add_to_xs_reputation]</phrase>" /></a></if>
=============================
Add BELOW:
=============================
<!-- [START HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 7 ] -->
<if condition="$vboptions['vbpager_active'] AND $bbuserinfo['userid']">
<a href="#" onclick="window.open('pager.php?do=buddylist&amp;puserid=$post[userid]','pagerbuddylist','statusbar=no,menubar=no,toolbar=no,scrollbars=yes,resizable=yes,width=$vboptions[vbpager_width],height=$vboptions[vbpager_height]'); return false;"><img class="inlineimg" src="$stylevar[imgdir_statusicon]/vbpager_icon.gif" alt="<phrase 1="$post[username]">$vbphrase[pager_send_pager_message_to_x]</phrase>" border="0" /></a></if>
<!-- [END HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 7 ] -->
=============================

#############################################################################
############################### EDITS END ###################################
#############################################################################

Step 4. From the AdminCP, edit vB Pager Options and Usergroup Permissions.
Step 5. Enjoy your new hack. And if you haven't already, click Install at vBulletin.org.

#############################################################################
############################### Many thanks to ##############################
#############################################################################

- nexialys, for his help with the design and style.
- Zero Tolerance and Andreas a.k.a. KirbyDE, for their vB 3.5 tutorials.

#############################################################################
################################### THE END #################################
#############################################################################
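For admins in budswope's position who want to confirm every template edit is actually gone, here is a small check added to this thread (not part of the readme or the vB Pager product): it scans exported template text for blocks fenced by the readme's `[START HACK='vB Pager' ...]` / `[END HACK ...]` markers, reports any marker left without its partner, and strips the complete blocks. The template text below is a constructed sample, not a real vBulletin template.

```python
import re

# Marker format used by the readme's template edits, e.g.
# <!-- [START HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 1 ] -->
MARKER_RE = re.compile(
    r"<!--\s*\[(START|END)\s+HACK='([^']*)'[^\]]*?CHANGEID=\s*(\d+)\s*\]\s*-->"
)


def find_hack_blocks(template, hack_name="vB Pager"):
    """Return (changeid, start_line, end_line) per marked block, 1-based lines.

    Raises ValueError on an END without its START, a START never closed, or
    nested STARTs, so a half-reverted template is never reported as clean.
    """
    blocks, open_block = [], None  # open_block = (changeid, start_line)
    for lineno, line in enumerate(template.splitlines(), start=1):
        m = MARKER_RE.search(line)
        if not m or m.group(2) != hack_name:
            continue  # no marker, or a marker belonging to some other hack
        kind, changeid = m.group(1), int(m.group(3))
        if kind == "START":
            if open_block is not None:
                raise ValueError(f"nested START at line {lineno}")
            open_block = (changeid, lineno)
        elif open_block is None or open_block[0] != changeid:
            raise ValueError(f"unmatched END CHANGEID {changeid} at line {lineno}")
        else:
            blocks.append((changeid, open_block[1], lineno))
            open_block = None
    if open_block is not None:
        raise ValueError(f"START CHANGEID {open_block[0]} at line {open_block[1]} never closed")
    return blocks


def strip_hack_blocks(template, hack_name="vB Pager"):
    """Remove every marked block, markers included; return (cleaned text, count)."""
    blocks = find_hack_blocks(template, hack_name)
    drop = {n for _, start, end in blocks for n in range(start, end + 1)}
    kept = [ln for i, ln in enumerate(template.splitlines(), start=1) if i not in drop]
    return "\n".join(kept) + ("\n" if template.endswith("\n") else ""), len(blocks)


# Constructed sample: a shortened MEMBERINFO template carrying the readme's CHANGEID 1 edit.
SAMPLE_MEMBERINFO = """<if condition="$show['pm']">
<tr><td>$vbphrase[private_message]</td></tr>
</if>
<!-- [START HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 1 ] -->
<if condition="$vboptions['vbpager_active'] AND $bbuserinfo['userid']">
<tr><td>$vbphrase[pager_vbpager]</td></tr>
</if>
<!-- [END HACK='vB Pager' AUTHOR='UAEWEB.COM' VERSION='3.0.3' CHANGEID= 1 ] -->
<div>$footer</div>
"""
```

Run `strip_hack_blocks()` over each edited template's text and compare the returned count against the seven CHANGEIDs in the readme; a ValueError means a marker was deleted by hand without its partner and that template needs a manual look.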
#8
07-30-2007, 12:04 PM
Swampfox
Join Date: Aug 2006
Posts: 119

Not asking for details about the vulnerability, I understand why they shouldn't be disclosed. I just have one basic question.

In order to use the exploit, someone would have to have access to the pager system, correct? I'm thinking of limiting access to it to just a specific usergroup on my site, with only people I trust.
#9
07-30-2007, 12:10 PM
Dismounted
Join Date: Jun 2005
Location: Melbourne, Australia
Posts: 15,047

Yes, users need to be able to access the pager to actually use the vulnerability.
#10
07-31-2007, 02:06 AM
talenak
Join Date: Feb 2006
Location: Washington
Posts: 94

My members have voted unanimously to remove the security risk. So away it goes. Thank you for your answer Kirk!