No announcement yet.


  • Filter
  • Time
  • Show
Clear All
new posts


    vBulletin desperately needs and Http_Referrer clause.

    Cross site scripting could cause for somet terrible things.

    Things it can do:
    Post new threads under other peoples names
    Change avatars
    Change Usertitles
    Make new posts
    Edit posts
    Delete post

    And if performed on someone with proper permissions:
    Permanantly Delete Posts/Threads
    Edit Posts/Threads
    Ban/Unban Users
    people can get modded/supermodded/adminned
    forums deleted
    posts pruned

    Anything that vBulletin can do, can be duplicated using the proper scripting.

  • #2
    You are currently showing up as unlicensed. To be able to receive support here at, we ask you to please click HERE and enter your email address, to show us that you are licensed.

    You will need to use your customer number and password (which will be in the email you got when you paid for your license) to access that page. Please note that your email is case sensitive.

    Thank you.


    • #3
      Using HTTP_REFERER would lock out people with proxies / internet filtering software that remove the REFERER. Besides, before an action is actually being taken, the username and password is being checked to ensure the person has proper access.


      • #4
        Its sorted in the next release and there is an entry in the bug tracker and various topics posted about no need for yet another.
        Scott MacVicar

        My Blog | Twitter


        • #5
          You don't need a password. It exploits the fact that a user is logged in when the script is run.


          • #6
            That is because the password is stored as a cookie on the user's hard drive when they are logged in. vBulletin automatically retrieves it when you send data to a vBulletin page.

            Try it and see... delete the bbuserid and the bbpassword cookies for the site in question and it won't work if their permissions are set correctly.
            Translations provided by Google.

            Wayne Luke
            The Rabid Badger - a vBulletin Cloud demonstration site.
            vBulletin 5 API


            widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.