Spam backdoor in blog.php

  • Trevor Hannant
    replied
    Tom, what version of the Blog are you using?

    George, please upgrade your Blog as 2.0.4 is the latest.

  • georgec
    replied
    I'm also trying to track down spam that has purportedly been sent from my vBulletin software; can vBulletin confirm whether the above indeed is a loophole that may enable a spammer to relay spam through vBulletin? I ask this because I've exhausted all other possibilities. Our forum runs vBulletin Blog 2.0.1 Patch Level 1.

    Thanks,

  • Tom1234
    started a topic Spam backdoor in blog.php

    We found some spam originating from the server that runs our VB 3.8.
    On inspection, the spam was from a request to blog.php.

    This is the snippet of interest:

    if (!$vbulletin->options['enableemail'])
    {
        standard_error(fetch_error('emaildisabled'));
    }

    This says that there is to be some enableemail configuration that is to be respected by blog.php and if that email configuration is turned off, just print a message stating that the email feature has been disabled.

    But, it doesn't work as such. We have emailing turned off in vb control panel and we confirmed that we could indeed send email via the blog software recreating the spam we originally detected.


    This was the rewrite to fix placed above the snippet above.

    standard_error(fetch_error('emaildisabled'));


    Is this ignoring of enableemail configuration fixed in 4.* ? If not, can it be looked into?

    Thanks,
    Tom/Adam/Jim
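
Added example, not part of the original posts or of vBulletin's code: one way to triage web server access logs for the pattern the first post describes (spam traced to requests to blog.php). It assumes the Apache/nginx combined log format and that mail-sending submissions arrive as POST requests; the function names, the threshold and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Combined log format (assumed; adjust the pattern to your server's format).
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" \d{3} '
)

def blog_post_counts(lines, script="/blog.php"):
    """Count POST requests to blog.php per client IP."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, target = m.groups()
        if method != "POST":
            continue
        # Drop the query string so blog.php?... is matched as well.
        path = target.split("?", 1)[0]
        if path.endswith(script):
            counts[ip] += 1
    return counts

def suspicious_clients(lines, threshold=3):
    """Return (ip, count) pairs with at least `threshold` POSTs, busiest first."""
    ranked = blog_post_counts(lines).most_common()
    return [(ip, n) for ip, n in ranked if n >= threshold]

# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2010:04:10:01 +0000] "POST /forum/blog.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2010:04:10:03 +0000] "POST /forum/blog.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2010:04:10:05 +0000] "POST /forum/blog.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2010:04:10:07 +0000] "POST /forum/blog.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [12/Mar/2010:09:30:11 +0000] "GET /forum/blog.php?u=5 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [12/Mar/2010:09:31:40 +0000] "POST /forum/blog.php HTTP/1.1" 200 600 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [12/Mar/2010:10:02:00 +0000] "POST /forum/newreply.php HTTP/1.1" 200 700 "-" "Mozilla/5.0"',
    'truncated or malformed line',
]

if __name__ == "__main__":
    for ip, n in suspicious_clients(SAMPLE_LOG):
        print(f"{ip}\t{n} POSTs to blog.php")
```

Matching the flagged clients' request times against the mail server's log shows whether each burst of requests lines up with outgoing messages.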