The Archive of vBulletin Modifications Site.

#1

Does anybody know whether vb or vbSEO is utilizing the eval() language construct or not? I would like to disable that, cause the majority of hacking attacks seems to be done through eval() execution of base64 encoded shell commands.
As far as I checked the files and templates it seems the coders have tried to wrap an equal function to get eval-able results. So far it's looking good..but there is this little residual risk - and I just don't want to break the live site and become beaten up.

#2

'Eval' is used extensively throughout vBulletin.

#3

Damn it,
I ran the search in the archives for eval() instead of eval. I'm such a nut.. Note to myself: check, think, check again, ask a buddy face to face and drink your first coffee before you start making a fool out of yourself...

Thanks from: tbworld

#4

Eval is ok when used properly, but it can suffer the same problem as an SQL injection.
We don't ban SQL, we just use it properly.

#5

I wasn't referring to a potential security hole in vb or addons. I guess with all the coders here a security issue wouldn't stay undetected very long. We are running some other non-vb related things on the server and at least one was known for a security risk regarding eval'd code. The hole should have been patched in the latest version as the programmers say, but...ya never know.

#6

Hey Marv...you're hip to the eval switch right? Most scanners won't find the rogue if it gets switched to a lave......
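
An added example, not part of any post in this thread or of vBulletin: a small Python check over PHP source for the things the posts bring up, namely `eval` calls that a literal search for `eval()` misses, `eval` of `base64_decode` output, and string literals that spell a watched name backwards. The sample PHP lines, the indicator labels and the name `scan_php` are constructed for illustration.

```python
import re

# Names to watch for; both come from the thread (eval, base64-encoded payloads).
WATCHED = ("eval", "base64_decode")

# PHP keywords and function names are case-insensitive and whitespace may sit
# before "(", so a literal search for "eval()" misses real calls. The lookbehind
# skips $eval(...), ->eval(...) and names such as my_eval(...).
EVAL_CALL = re.compile(r"(?<![\w$>])eval\s*\(", re.IGNORECASE)
# eval fed by base64_decode, directly or through wrapper calls.
EVAL_B64 = re.compile(
    r"(?<![\w$>])eval\s*\((?:\s*\w+\s*\()*\s*base64_decode\s*\(", re.IGNORECASE)
# Single- or double-quoted string literal on one line.
STRING_LIT = re.compile(r"""(['"])((?:\\.|(?!\1).)*)\1""")

def scan_php(source):
    """Return (line_number, indicator) pairs for one PHP source string.

    Works line by line, so a construct split across lines is not seen.
    """
    hits = []
    for no, line in enumerate(source.splitlines(), start=1):
        if EVAL_B64.search(line):
            hits.append((no, "eval-of-base64"))
        elif EVAL_CALL.search(line):
            hits.append((no, "eval-call"))
        # A literal that reads as a watched name when reversed ("lave").
        for m in STRING_LIT.finditer(line):
            reversed_text = m.group(2)[::-1].strip().lower()
            if reversed_text in WATCHED:
                hits.append((no, "reversed-" + reversed_text))
    return hits

# Constructed sample input, not taken from vBulletin or any real site.
SAMPLE = r"""<?php
$out = eval($template);
EVAL (base64_decode($blob));
$name = 'lave';
$dec = strrev("edoced_46esab");
echo "evaluation done";
"""

if __name__ == "__main__":
    print('literal "eval()" present:', "eval()" in SAMPLE)
    for line_no, indicator in scan_php(SAMPLE):
        print(line_no, indicator)
```

Hits are leads for manual review, not verdicts: as post #2 says, legitimate vBulletin code uses eval extensively, so the plain `eval-call` indicator will fire on stock files.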