The Arcive of Official vBulletin Modifications Site.It is not a VB3 engine, just a parsed copy! |
|
#1
|
|||
|
|||
User Title Exploit
Most of us who know php know how to exploit the usertitle, well the code to allow html even if specified not to.
Im just wondering if theres ANYTHING i can do to stop it being exploited. I was talking over a mate how to do it and its got passed on :ermm: it wont get passed on anymore coz. i know he'll keep it to himself. Just what do i do if it does. LOL |
#2
|
|||
|
|||
Just don't allow anybody to use custom titles.
|
#3
|
|||
|
|||
fairy snuff. But for a few reasons on my boards i prefer them to. Anyway to stop it.
|
#4
|
|||
|
|||
To my knowledge, stock vB doesn't allow it. Make sure you don't have any hacks that break user titles.
|
#5
|
|||
|
|||
stock vB?
|
#6
|
|||
|
|||
Unhacked vB.
|
#7
|
|||
|
|||
is it ok to email u the code....? i mean as i dont want to release it.
|
#8
|
||||
|
||||
Wow... Never knew vBulletin had a small exploit there. Apparently it does work with a stock vBulletin as well. It wasn't hard to fix though. If you just look in your member.php file for addslashes($customtext) and replace that with addslashes(htmlspecialchars($customtext)) it should fix the problem.
|
#9
|
|||
|
|||
On my board there was no problem and to my knowledge still isn't one. One member used a status of <?= mod ?> (or thereabouts) which would normally be parsed as HTML to most browsers (it would appear as nothing). However you saw the actual text instead.
|
#10
|
||||
|
||||
Yea, it doesn't seem to work for PHP code. It does for HTML though which could still be abused.
|
|
|
X vBulletin 3.8.12 by vBS Debug Information | |
---|---|
|
|
More Information | |
Template Usage:
Phrase Groups Available:
|
Included Files:
Hooks Called:
|