Special thanks to Harry S. for reporting the XSS vulnerability, which becomes exploitable if you allow custom user titles. All versions of PhotoPlog are affected. PhotoPlog Lite on vbulletin.org has already been patched, and PhotoPlog Pro (for vB3 and vB4) on this site has already been patched.
To apply the patch, download the ZIP package (here for Pro (for vB3 and vB4), or from vbulletin.org for Lite) and upload the /photoplog/index.php file from it via FTP into your main gallery directory, overwriting the index.php file that is already there.
If you cannot download the Pro version, here is how to apply the patch manually. In the PhotoPlog Pro index.php file, make the following three changes.

- Change 1. Find:
Code:
[Content visible to registered users only.]
Replace with:
Code:
[Content visible to registered users only.]

- Change 2. Find:
Code:
[Content visible to registered users only.]
After it, add:
Code:
[Content visible to registered users only.]

- Change 3. Find:
Code:
[Content visible to registered users only.]
After it, add:
Code:
[Content visible to registered users only.]
Note that any user whose Custom User Title is set to "Yes, admin set (HTML allowed)" will still have their title rendered as parsed HTML, since that setting explicitly allows HTML; the patch does not change that behaviour.
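As an added illustration in PHP (this is not PhotoPlog's own patch, whose hunks are visible only to registered users above), here is the output-encoding rule the note describes: a custom user title is emitted into the gallery page as HTML only when the admin "HTML allowed" setting applies to that account; otherwise it is escaped first. The `customtitle` values 1 and 2 follow the usual vBulletin convention but are assumptions here, as are the function names and the sample user records.

```php
<?php
// Added illustration, not PhotoPlog's actual patch. It shows the rule the
// post describes: a custom user title is rendered as HTML only when an admin
// set it with "HTML allowed"; any other title is escaped before output.
//
// Assumption (common vBulletin convention, not confirmed by the post):
// $user['customtitle'] is 1 for "Yes, admin set (HTML allowed)" and
// 2 for a user-chosen title.
const CUSTOMTITLE_ADMIN_HTML = 1;   // assumed value for "admin set (HTML allowed)"
const CUSTOMTITLE_USER_SET   = 2;   // assumed value for a user-chosen title

// Vulnerable pattern: the stored title is echoed into the page verbatim, so a
// user-chosen title containing markup runs in every visitor's browser.
function render_title_vulnerable(array $user): string
{
    return '<span class="usertitle">' . $user['usertitle'] . '</span>';
}

// Hardened pattern: HTML-escape the title unless an admin explicitly allowed
// HTML for this account. ENT_QUOTES also neutralises quotes, so the value is
// safe inside attribute contexts as well as element content.
function render_title_patched(array $user): string
{
    $title = (string) $user['usertitle'];
    if ((int) $user['customtitle'] !== CUSTOMTITLE_ADMIN_HTML) {
        $title = htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
    }
    return '<span class="usertitle">' . $title . '</span>';
}

// Constructed sample records for the demonstration (not real data).
$users = [
    ['username' => 'attacker',  'customtitle' => CUSTOMTITLE_USER_SET,
     'usertitle' => '<img src=x onerror=alert(document.cookie)>'],
    ['username' => 'moderator', 'customtitle' => CUSTOMTITLE_ADMIN_HTML,
     'usertitle' => '<b>Gallery Moderator</b>'],
];

foreach ($users as $u) {
    echo $u['username'], " (vulnerable): ", render_title_vulnerable($u), "\n";
    echo $u['username'], " (patched):    ", render_title_patched($u), "\n";
}
```

Running this prints the attacker's title escaped (`&lt;img src=x onerror=...&gt;`) in the patched output while the moderator's admin-set `<b>` markup is passed through unchanged, which is exactly the behaviour the note above describes for the "admin set (HTML allowed)" setting.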
If you download PhotoPlog from here or from vbulletin.org after the date of this post, you will already have the patched version. All copies of PhotoPlog downloaded before the date of this post need to be patched as outlined above. Sorry for the trouble, and thanks again to Harry S. for submitting the report.