Go Back   vb.org Archive > vBulletin 5 Connect Discussion > vB5 Programming Discussions
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools Display Modes
  #1  
Old 08-04-2014, 09:19 PM
Gokkesokken Gokkesokken is offline
 
Join Date: Jul 2014
Posts: 4
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Possible bug/security issue

found this in core/includes/functions_login.php
Code:
if ($postvars['securitytoken'] = 'guest')
				{
					$vbulletin->userinfo['securitytoken_raw'] = sha1($vbulletin->userinfo['userid'] . sha1($vbulletin->userinfo['secret']) . sha1(vB_Request_Web::$COOKIE_SALT));
					$vbulletin->userinfo['securitytoken'] = TIMENOW . '-' . sha1(TIMENOW . $vbulletin->userinfo['securitytoken_raw']);
					$postvars['securitytoken'] = $vbulletin->userinfo['securitytoken'];
					$vbulletin->GPC['postvars'] = sign_client_string(json_encode($postvars));
				}
I am no php expert but i don't think '=' is a comparison operator, at least not according to php.net: http://php.net/manual/en/language.op...comparison.php
Reply With Quote
Благодарность от:
ozzy47
  #2  
Old 08-04-2014, 09:23 PM
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Location: USA
Posts: 10,929
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

No it is not a comparison operator, it is a string operator, http://php.net/manual/en/language.operators.string.php

Not a bug or security issue.
Reply With Quote
  #3  
Old 08-04-2014, 09:30 PM
Gokkesokken Gokkesokken is offline
 
Join Date: Jul 2014
Posts: 4
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by ozzy47 View Post
No it is not a comparison operator, it is a string operator, http://php.net/manual/en/language.operators.string.php

Not a bug or security issue.
I understand that this operator assigns $postvars['securitytoken'] with 'guest', but is this intended? And if it is, what does the if do there? please forgive my curiosity.
Reply With Quote
  #4  
Old 08-04-2014, 09:42 PM
ozzy47's Avatar
ozzy47 ozzy47 is offline
 
Join Date: Jul 2009
Location: USA
Posts: 10,929
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

No it does not assign, $postvars['securitytoken'] with 'guest'

What it is is part of the login redirect, saying if the user logging in is a guest, to do this.
Reply With Quote
  #5  
Old 08-05-2014, 01:20 AM
Dave Dave is offline
 
Join Date: May 2010
Posts: 2,583
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I think he means that

if($postvars['securitytoken'] = 'guest')

Will assign guest to the $postvars['securitytoken'] variable.
However, it should be this:

if($postvars['securitytoken'] == 'guest')

I don't know the rest of the code so this might be intended by whoever wrote the script.
Reply With Quote
  #6  
Old 08-05-2014, 01:48 AM
Zachery's Avatar
Zachery Zachery is offline
 
Join Date: Jul 2002
Location: Ontario, Canada
Posts: 11,440
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I believe he is correct, it looks like a typo from the vb4 version of the same code.
Reply With Quote
  #7  
Old 08-05-2014, 02:36 AM
tbworld tbworld is offline
 
Join Date: Oct 2008
Posts: 2,126
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

This was fixed in vBulletin v4.1.11.
Reply With Quote
  #8  
Old 08-05-2014, 03:16 AM
Gokkesokken Gokkesokken is offline
 
Join Date: Jul 2014
Posts: 4
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by tbworld View Post
This was fixed in vBulletin v4.1.11.
Thanks for letting me know but this is from vb5.


/*================================================= =====================*\
|| ################################################## ################## ||
|| # vBulletin 5.1.2 Patch Level 3 - Licence Number ##########
|| # ---------------------------------------------------------------- # ||
|| # Copyright ?2000-2014 vBulletin Solutions Inc. All Rights Reserved. ||
|| # This file may not be redistributed in whole or significant part. # ||
|| # ---------------- VBULLETIN IS NOT FREE SOFTWARE ---------------- # ||
|| # http://www.vbulletin.com | http://www.vbulletin.com/license.html # ||
|| ################################################## ################## ||
\*================================================ ======================*/


I could upload the file as proof, if it doesn't get me into trouble for copyright violations.
Reply With Quote
Благодарность от:
tbworld
  #9  
Old 08-05-2014, 03:19 AM
tbworld tbworld is offline
 
Join Date: Oct 2008
Posts: 2,126
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Gokkesokken View Post
Thanks for letting me know but this is from vb5.
You know I thought I checked the forum category, right before I posted. Oh well, I am loosing it. I guess vb goofed then, and good fine.
VB5 was ported from VB4 before they fixed it in VB4, so it makes sense. Make sure you post it to JIRA, or if you do not want to bother let me know and I will handle it.
Reply With Quote
Благодарность от:
Gokkesokken
  #10  
Old 08-05-2014, 03:39 AM
Gokkesokken Gokkesokken is offline
 
Join Date: Jul 2014
Posts: 4
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by tbworld View Post
You know I thought I checked the forum category, right before I posted. Oh well, I am loosing it. I guess vb goofed then, and good fine.
VB5 was ported from VB4 before they fixed it in VB4, so it makes sense. Make sure you post it to JIRA, or if you do not want to bother let me know and I will handle it.

Thanks for letting me know, I think your explanation is very plausible and also the most likely given the circumstances. The reason I posted this here first was because I didn't want to submit an inaccurate bug report.
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 08:06 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04493 seconds
  • Memory Usage 2,264KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (1)bbcode_code
  • (4)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (1)pagenav_pagelink
  • (10)post_thanks_box
  • (3)post_thanks_box_bit
  • (10)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (3)post_thanks_postbit
  • (10)post_thanks_postbit_info
  • (10)postbit
  • (10)postbit_onlinestatus
  • (10)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • fetch_musername
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • post_thanks_function_fetch_thanks_bit_start
  • post_thanks_function_show_thanks_date_start
  • post_thanks_function_show_thanks_date_end
  • post_thanks_function_fetch_thanks_bit_end
  • post_thanks_function_fetch_post_thanks_template_start
  • post_thanks_function_fetch_post_thanks_template_end
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete