PhotoPlog

PhotoPlog (http://www.photoplog.com/forum/index.php)
-   Announcements (http://www.photoplog.com/forum/forumdisplay.php?f=2)
-   -   Bummer: PhotoPlog's first vulnerability (fix inside) (http://www.photoplog.com/forum/showthread.php?t=3676)

Morgan 11-07-2010 01:15 AM

Bummer: PhotoPlog's first vulnerability (fix inside)
 
Special thanks to Harry S. for reporting the XSS vulnerability, which becomes exploitable if you allow custom user titles. All versions of PhotoPlog are affected. PhotoPlog Lite on vbulletin.org has already been patched. PhotoPlog Pro (for vB3 and vB4) on this site has already been patched.

To apply the patch, download the ZIP package (here for Pro (for vB3 and vB4) or at vbulletin.org for Lite) and FTP the /photoplog/index.php file into your main gallery directory, overwriting the index.php file that is there.

If you cannot download the Pro version, here is how to manually apply the patch. In the PhotoPlog Pro index.php file make the following three changes.
  1. Find:
    Code:

                                            user.usertitle, user.joindate, user.posts,
    Replace with:
    Code:

                                            user.usertitle, user.customtitle, user.joindate, user.posts,
  2. Find:
    Code:

                                                            'photoplog_rate_usertitle' => $photoplog_vbuser_info['usertitle'],
    After add:
    Code:

                                                            'photoplog_rate_customtitle' => $photoplog_vbuser_info['customtitle'],
  3. Find:
    Code:

                                                    $photoplog_rate_usertitle = $photoplog_rates_array[$photoplog_rate_userid]['photoplog_rate_usertitle'];
    After add:
    Code:

                                                    if ($photoplog_rates_array[$photoplog_rate_userid]['photoplog_rate_customtitle'] == 2)
                                                    {
                                                            $photoplog_rate_usertitle = htmlspecialchars_uni($photoplog_rate_usertitle);
                                                    }


Note that any user with "Yes, admin set (HTML allowed)" for Custom User Title will still show parsed HTML, as that setting does allow for HTML.

If you download PhotoPlog from here or vbulletin.org after the date of this post, you will already have the patched version. All versions of PhotoPlog downloaded before the date of this post, will need to be patched as outlined above. Sorry for the troubles, and thanks again to Harry S. for submitting the report.


All times are GMT. The time now is 10:03 AM.

Powered by vBulletin® Version 3.8.5
Copyright ©2000 - 2017, Jelsoft Enterprises Ltd.