Daren

Posts by Daren

  1. Here is more detail on that PrintPage.php bug that I promised. Note that the clanfusion.net links should no longer reveal the private messages since we patched the hole on that forum, but it should give you an example to go by if you want to try it on your forum or another.

     

     

    Two YaBBSE bugs so far (if you've been following my thread on the FU board...)

     

    Bug 1: Path disclosure. Not a very big deal in and of itself.

     

    Example: http://www.clanfusion.net/yabbse/Printpage.php?board=3;threadid=326sadfasdf

     

    "Gibberish" in the query string will spit out an error page with the full path to Printpage.php.

     

     

    Bug 2: ANY visitor (even "Guest") can read private messages. Trivial to exploit. Trivial to harvest an entire message board with a little coding skill.

     

    I picked this particular thread due to a "feature/bug" in the YaBBSE stats. From the YaBBSE "Home," near the bottom of the screen, click the link that reads [More Stats]. By default, this can reveal private board names and private thread names if they make it into the Top 10 list. I hacked that on my message boards to require an is_admin() check before allowing it to execute.

     

    *LOG OUT* of the Fusion YABBSE, and enter this URL:

     

    http://www.clanfusion.net/yabbse/Printpage.php?threadid=366

     

    The "authentic" URL for a legitimate member trying to do this is:

     

    http://www.clanfusion.net/yabbse/Printpage.php?board=5;threadid=366

     

    The "board=x;" is not necessary. You can use any board number or just eliminate that part of the URL entirely. To harvest an entire message board, all you need to do is write a little program that will fetch threads in sequential order, which is trivial to do.

     

    Fix: Apparently upgrade Printpage.php to 1.4.1. For the time being, I have replaced the entire contents of the file, on all my message boards, with this:

     

    <?php
    echo "Function Temporarily Disabled";
    ?>
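
For forum admins who want to check whether their board was probed this way, here is an added example (not part of the original post and not YaBB SE code) that scans web-server access logs for the three request patterns the post describes: a non-numeric threadid, a Printpage.php request with no board parameter, and one client walking consecutive thread ids. The log lines, IP addresses, label names and the threshold of 3 are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines; client IPs are documentation addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2003:10:00:01 +0000] "GET /yabbse/Printpage.php?board=5;threadid=366 HTTP/1.0" 200 5120
198.51.100.7 - - [01/Jan/2003:10:02:11 +0000] "GET /yabbse/Printpage.php?threadid=364 HTTP/1.0" 200 4811
198.51.100.7 - - [01/Jan/2003:10:02:12 +0000] "GET /yabbse/Printpage.php?threadid=365 HTTP/1.0" 200 3977
198.51.100.7 - - [01/Jan/2003:10:02:13 +0000] "GET /yabbse/Printpage.php?threadid=366 HTTP/1.0" 200 5120
203.0.113.5 - - [01/Jan/2003:11:30:40 +0000] "GET /yabbse/Printpage.php?board=3;threadid=326sadfasdf HTTP/1.0" 200 702
"""

REQ = re.compile(r'^(\S+) .*?"GET \S*?/printpage\.php\?(\S*) HTTP', re.I)

def parse_query(qs):
    """Split on ';' (the separator in the URLs above) and '&'; keys are lowercased."""
    pairs = (p.split("=", 1) for p in re.split(r"[;&]", qs) if "=" in p)
    return {k.lower(): v for k, v in pairs}

def longest_run(ids):
    """Length of the longest run of consecutive integers in a set."""
    best = 0
    for i in ids:
        if i - 1 not in ids:          # i starts a run
            n = 1
            while i + n in ids:
                n += 1
            best = max(best, n)
    return best

def scan(log_text, run_threshold=3):
    """Return {client: sorted list of finding labels} for Printpage.php requests."""
    findings, seen = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = REQ.match(line)
        if not m:
            continue
        client, params = m.group(1), parse_query(m.group(2))
        tid = params.get("threadid", "")
        if not tid.isdigit():         # gibberish id: the path-disclosure probe
            findings[client].add("malformed-threadid")
            continue
        if "board" not in params:     # the forum's own links include board=
            findings[client].add("missing-board")
        seen[client].add(int(tid))
    for client, ids in seen.items():
        if longest_run(ids) >= run_threshold:
            findings[client].add("sequential-threadids")
    return {c: sorted(f) for c, f in findings.items()}
```

Because any board number is accepted, a missing board parameter is only a hint; the consecutive-id check still fires when a client includes one.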
    

     

     

  2. Dennis,

     

    Only 3 mins left on this library PC... No email for me this week so far. :(

     

    One urgent thing.... make a backup of PrintPage.php and remove all the text in that file save the <? PHP > tags and maybe an echo line in the middle. Huge security hole that exposes all private forum msgs. I'll give you more detail about it when I get back if you don't already know about it.

     

    I'll catch up with you Monday if not before!

     

    Daren

     

  3. Sorry, Dennis... I could not easily resolve the problem.

     

    The code that is supposed to be there for converting the codes to html link is simply NOT THERE. It is like the mod is not properly installed. However, parts of it are obviously installed (smilies to the left of the message window and the admin features).

     

    Since the mod is partially installed already, I did not feel comfortable reinstalling it on top of what is there. I would recommend you do this. Try uninstalling it first though. After you do this, I can take another look at it. I do not think that the database table for the smilies will be deleted, so you won't have to redo the work you have done in getting the smilies into the database.

     
