Exploit?


  • Exploit?

    Is this a PHP or vB problem? If vB, is this addressed in 2.2.4?


    vBulletin's memberlist.php Allows Username and Password Stealing
    Mar, 23 2002 - 18:16
    contributed by: hx
    Summary
    vBulletin is a commonly used web forum system written in PHP. One of its key features is use of templates, which allow the board administrator to dynamically modify the look of the board. A security vulnerability in the program allows attackers to insert malicious HTML and JavaScript into the memberlist.php results; this would allow an attacker to steal the username and password of users clicking on the malicious URL.


    Details

    Details removed so the less scrupulous don't take it upon themselves to test this

  • #2
    http://vbulletin.com/forum/showthrea...threadid=42423



    • #3
      Either way, since the password is a hash code internally, I doubt you could steal a password in 2.2.4.
      --filburt1, vBulletin.org/vBulletinTemplates.com moderator
      Web Design Forums.net: vB Board of the Month
      vBulletin Mail System (vBMS): webmail for your forum users



      • #4
        So, just to get this straight.... all I have to do is add $letterbits = ''; below <?php ??

        If that's all, why all this talk about an entire new version??
        Last edited by Dotagious; Thu 28th Mar '02, 2:35pm.



        • #5
          Because some people don't want to hack the code themselves.
          Translations provided by Google.

          Wayne Luke
          The Rabid Badger - a vBulletin Cloud demonstration site.
          vBulletin 5 API - Full / Mobile
          Vote for your favorite feature requests and the bugs you want to see fixed.



          • #6
            That's crazy. It would take as much time to upgrade as to just modify the code as stated above. Crazy.



            • #7
              Not crazy at all for wanting an upgrade

              There are some folks like myself who don't have the foggiest notion of where to begin "hacking" the code themselves. And getting explicit instructions with enough detail to complete the task is more rare than hen's teeth. It only takes one "you've got to be kidding" or "this is a trick question, right?" or "that's crazy" before many go back into permanent lurker mode.

              Further, there are more than will admit in public who pay someone else to do all of their loading, coding, transferring and updating, choosing to spend more time on the hobby or avocation for which they obtained vBulletin in the first place.

              Lee Rodgers
