[wilburshere]

disabled here now *bugger* Iliked this mod

[Artificial_Alex]

Originally Posted by Greek Wizard

If we disable just the donate function, will this allow the rest of the hack to be active and safe?

Yes. But I'd still advise you to wait for staff to fix the bug or something.

[Deimos]

Oh er....just noticed CMX's last activity time

"Last Activity: 14. Jul 2006 01:10"

Maybe time to move onto another store program, if there is one?

[fly]

Originally Posted by Deimos

Oh er....just noticed CMX's last activity time

"Last Activity: 14. Jul 2006 01:10"

Maybe time to move onto another store program, if there is one?

nope

[MThornback]

Nothing worth the effort...besides most hacks that tie into VBPlaza would also have a bunch of dead code in them.....*sigh*

[BrandiDup]

Thanks to the vbulletin team for keeping us safe and up to date. It's very much appreciated.

This hack was a huge, huge part of our site so I sincerely hope it won't be abandoned I'd be more than willing to donate some $$ to help get things patched up.

[Acers]

Based on my understanding of the code, (and please note i can be wrong) i reckon that anything that sends out pm's with user input data will create a problem. The issue is that a user can for example in donation enter a custom message that is sent in the pm after passing through the php strip_tags function. Now that function can be exploited . You can do your own research on google.
Please note that i am venturing a guess here and not saying anything with surety. If this is indeed the reason a replacement with htmlentities might do the trick. (or with vb's own function)

EDIT: Ok i have reproduced the problem on my test site so please note that this is a sure bug.

[thepub]

As many awesome coders we have on this board and somebody can't replicate another store/points hack?

[NFLfbJunkie]

Acres, with your knowledge of the problem, is their a fix? If so, how does one get the fix approved and implemented in to the already existing code, posted on the board for users to add to their code? Just hoping this fabulous MOD can be saved.

[Acers]

here is a temporary fix, i have tested this locally only for the donate function and its working as far as this exploit goes, and since the same logic can be taken for other places where its used we can replace there

go to your vbplaza folder, find occurrences of the following:
includes/function_vbplaza.php
find around line 152(depending on the version you have)

Block Disabled:      (Update License Status)
Suspended or Unlicensed Members Cannot View Code.

make that

Block Disabled:      (Update License Status)
Suspended or Unlicensed Members Cannot View Code.

go to
vbplaza/action.admindonate.php (line 133)

Block Disabled:      (Update License Status)
Suspended or Unlicensed Members Cannot View Code.

make that

Block Disabled:      (Update License Status)
Suspended or Unlicensed Members Cannot View Code.

goto
vbplaza/action.changeotherusertitle.php (line 136)

Block Disabled:      (Update License Status)
Suspended or Unlicensed Members Cannot View Code.

make that

Block Disabled:      (Update License Status)
Suspended or Unlicensed Members Cannot View Code.

goto
vbplaza/action.changeusertitle.php (line 87)

Block Disabled:      (Update License Status)
Suspended or Unlicensed Members Cannot View Code.

make that

Block Disabled:      (Update License Status)
Suspended or Unlicensed Members Cannot View Code.

goto
vbplaza/action.donate.php (line 164)

Block Disabled:      (Update License Status)
Suspended or Unlicensed Members Cannot View Code.

make that

Block Disabled:      (Update License Status)
Suspended or Unlicensed Members Cannot View Code.

goto
vbplaza/action.gift.php (line 209)

Block Disabled:      (Update License Status)
Suspended or Unlicensed Members Cannot View Code.

make that

Block Disabled:      (Update License Status)
Suspended or Unlicensed Members Cannot View Code.

goto
vbplaza/action.ribbons.php (line 218)

Block Disabled:      (Update License Status)
Suspended or Unlicensed Members Cannot View Code.

make that

Block Disabled:      (Update License Status)
Suspended or Unlicensed Members Cannot View Code.

the above fixes one part of the exploit. Ofcourse there might be other issues involved also, i am still looking around and maybe others are also.

Please note that there might be other code areas that can be exploited also which i don't know yet. Don't think you are safe just by doing the above. The full exploit and what caused it has not been released so all this is guesswork to find the vulnerable part.(btw if this was not one part of exploit, even then it should be in part of the fix as the original code above can be exploited.I just looked at the code and saw this cos the original poster had mentioned something to do with pm text. Wait for an official fix or atleast don't blame me

[UncoderMom]

ACERS you rock!

Is vb.org attempting a patch?

[CMX_CMGSCCC]

Originally Posted by Artificial_Alex

Yes, I reported it.


I would say how its being exploited, but I don't think I can post it publicly.

Tell me how it's being exploited and then I can release a fix for it.

I mean, I'm the creator of the addon. (PM me the details.)

-CMX

[BrandiDup]

Originally Posted by CMX_CMGSCCC

Tell me how it's being exploited and then I can release a fix for it.

I mean, I'm the creator of the addon. (PM me the details.)

-CMX

Awesome!!

[Universal]

Originally Posted by CMX_CMGSCCC

Tell me how it's being exploited and then I can release a fix for it.

I mean, I'm the creator of the addon. (PM me the details.)

-CMX

You might want to PM the vbulletin.org admin if you have not been in contact already as I believe there are other exploits found other than this one or other coders may want to post about other exploits.

Sorry to hear about your board but nice find Artificial Alex, especially with other exploits found. Just deleting the code for or turning off Donation or even using a coding fix for this one main exploit might not be all that is needed. A great add on for a forum and exploits are fixable, patience is a virtue.

[thepub]

Originally Posted by CMX_CMGSCCC

Tell me how it's being exploited and then I can release a fix for it.

I mean, I'm the creator of the addon. (PM me the details.)

-CMX

Oh man where have you been? We are dying for the new version of this and well, we missed you too.