Bummer: PhotoPlog's first vulnerability (fix inside)


Morgan
11-07-2010, 12:15 AM
Special thanks to Harry S. for reporting the XSS vulnerability, which becomes exploitable if you allow custom user titles. All versions of PhotoPlog are affected. PhotoPlog Lite on vbulletin.org (http://www.vbulletin.org/forum/showthread.php?t=101368) has already been patched. PhotoPlog Pro (for vB3 and vB4) on this site (http://www.photoplog.com/download/index.php) has already been patched.

To apply the patch, download the ZIP package (here for Pro (http://www.photoplog.com/download/index.php) (for vB3 and vB4) or at vbulletin.org for Lite (http://www.vbulletin.org/forum/showthread.php?t=101368)) and FTP the /photoplog/index.php file into your main gallery directory, overwriting the index.php file that is there.

If you cannot download the Pro version, here is how to manually apply the patch. In the PhotoPlog Pro index.php file make the following three changes.


Find:
Content visible to registered users only.
Replace with:
Content visible to registered users only.

Find:
Content visible to registered users only.
After add:
Content visible to registered users only.

Find:
Content visible to registered users only.
After add:
Content visible to registered users only.


Note that any user with "Yes, admin set (HTML allowed)" for Custom User Title will still show parsed HTML, as that setting does allow for HTML.

If you download PhotoPlog from here (http://www.photoplog.com/download/index.php) or vbulletin.org (http://www.vbulletin.org/forum/showthread.php?t=101368) after the date of this post, you will already have the patched version. All versions of PhotoPlog downloaded before the date of this post will need to be patched as outlined above. Sorry for the troubles, and thanks again to Harry S. for submitting the report.
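
The note above separates titles a user typed from titles an admin set with HTML allowed. The sketch below shows that rule as output encoding in PHP. It is an added example, not the PhotoPlog patch (the patch code is not visible on this page) and not vBulletin code; the constants, array keys and sample rows are hypothetical and constructed for illustration.

```php
<?php
// Added example. All names here are hypothetical, not PhotoPlog/vBulletin identifiers.
const TITLE_ADMIN_HTML = 1; // corresponds to "Yes, admin set (HTML allowed)"
const TITLE_USER_SET   = 2; // the user chose the title themselves

/**
 * Return the user title ready to be placed in an HTML page.
 * Only the admin-set mode is trusted to carry markup. Every other
 * mode, including a missing or unknown one, is encoded (fail closed).
 */
function render_user_title(array $user): string
{
    $title = (string)($user['usertitle'] ?? '');
    $mode  = (int)($user['customtitle'] ?? TITLE_USER_SET);

    if ($mode === TITLE_ADMIN_HTML) {
        return $title; // parsed as HTML by design, as the note above says
    }

    // ENT_QUOTES also encodes ' and ", so the value stays inert if a
    // template places it inside an attribute. ENT_SUBSTITUTE replaces
    // invalid byte sequences instead of returning an empty string.
    return htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample rows, not real user data.
$users = [
    ['username' => 'alice', 'customtitle' => TITLE_USER_SET,
     'usertitle' => '<img src=x onerror=alert(1)>'],
    ['username' => 'bob',   'customtitle' => TITLE_USER_SET,
     'usertitle' => 'Photo "fan" & hobbyist'],
    ['username' => 'carol', 'customtitle' => TITLE_ADMIN_HTML,
     'usertitle' => '<b>Gallery Moderator</b>'],
    ['username' => 'dave',  // mode missing: treated as user-set and encoded
     'usertitle' => "<i>it's me</i>"],
];

foreach ($users as $u) {
    echo $u['username'], ': ', render_user_title($u), PHP_EOL;
}
```

When checking a gallery after patching, set a user-chosen title containing markup and confirm that the page source shows it entity-encoded, while an admin-set HTML title still renders as markup.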