PhotoPlog Announcements

Posted 11-07-2010, 12:15 AM by Morgan (Head Plog, Admin)
Bummer: PhotoPlog's first vulnerability (fix inside)

Special thanks to Harry S. for reporting the XSS vulnerability, which becomes exploitable if you allow custom user titles. All versions of PhotoPlog are affected. PhotoPlog Lite on vbulletin.org has already been patched. PhotoPlog Pro (for vB3 and vB4) on this site has already been patched.

To apply the patch, download the ZIP package (here for Pro (for vB3 and vB4) or at vbulletin.org for Lite) and FTP the /photoplog/index.php file into your main gallery directory, overwriting the index.php file that is there.

If you cannot download the Pro version, here is how to manually apply the patch. In the PhotoPlog Pro index.php file make the following three changes.
  1. Find:
    Code:
    Content visible to registered users only.
    Replace with:
    Code:
    Content visible to registered users only.
  2. Find:
    Code:
    Content visible to registered users only.
    After add:
    Code:
    Content visible to registered users only.
  3. Find:
    Code:
    Content visible to registered users only.
    After add:
    Code:
    Content visible to registered users only.

Note that any user with "Yes, admin set (HTML allowed)" for Custom User Title will still show parsed HTML, as that setting does allow for HTML.

If you download PhotoPlog from here or vbulletin.org after the date of this post, you will already have the patched version. All versions of PhotoPlog downloaded before the date of this post will need to be patched as outlined above. Sorry for the troubles, and thanks again to Harry S. for submitting the report.
__________________
Please use the forums for support, feature requests, and similar such things. Support does not include custom code, custom template edits, or third-party modifications. PMs and emails to me should be for private information only, such as login information. If you PM or email me a support question, chances are good that I'll ignore it. Thanks.
While the work or play is on, it is a lot of fun if while you are doing one you don't constantly feel that you ought to be doing the other. -- Franklin Pierce Adams
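The announcement above describes the issue (a custom user title rendered as HTML, which becomes a stored XSS when users may set their own titles) and the intended exception (titles that an admin set with "HTML allowed" keep rendering as HTML). The actual PhotoPlog patch is only visible to registered users, so the following is an added illustration, not PhotoPlog's or vBulletin's code: it shows the unsafe pattern beside a hardened renderer that escapes a title unless the admin-HTML flag is set, plus a small audit helper for finding stored titles that contain markup. The field names, the `$adminHtmlAllowed` flag and the sample titles are constructed for this example and do not come from the page.

```php
<?php
// Added example (not PhotoPlog's own code): safe rendering of a custom user title.
// Assumptions: each user record carries the raw title text and a boolean saying
// whether an administrator set it with HTML allowed. Both are hypothetical names.

declare(strict_types=1);

/**
 * Render a custom user title for HTML output.
 *
 * The title is escaped unless an administrator explicitly set it with HTML
 * allowed, mirroring the announcement's note that such titles still show
 * parsed HTML by design.
 */
function renderCustomTitle(string $title, bool $adminHtmlAllowed): string
{
    if ($adminHtmlAllowed) {
        // Admin-entered, HTML permitted by policy: output as stored.
        return $title;
    }
    // User-entered: encode every HTML metacharacter, including both quote
    // characters, so the title is inert in text and attribute contexts alike.
    return htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Audit helper: flag a stored title that contains markup or a script-style URI.
 * Useful for reviewing titles saved before an output-encoding fix was applied.
 */
function titleContainsMarkup(string $title): bool
{
    return (bool) preg_match('/[<>]|javascript:/i', $title);
}

// Constructed sample records (hypothetical data, not from the page).
$samples = [
    ['title' => 'Senior Member',               'adminHtmlAllowed' => false],
    ['title' => '<script>alert(1)</script>',   'adminHtmlAllowed' => false],
    ['title' => 'Pro "Plogger"',               'adminHtmlAllowed' => false],
    ['title' => '<b>Head Plog</b>',            'adminHtmlAllowed' => true],
];

foreach ($samples as $record) {
    // Vulnerable pattern: the stored title is echoed into the page unchanged.
    $unsafe = $record['title'];

    // Hardened pattern: escape unless an admin explicitly allowed HTML.
    $safe = renderCustomTitle($record['title'], $record['adminHtmlAllowed']);

    printf(
        "adminHtmlAllowed=%s markup=%s\n  unsafe: %s\n  safe:   %s\n",
        $record['adminHtmlAllowed'] ? 'yes' : 'no',
        titleContainsMarkup($record['title']) ? 'yes' : 'no',
        $unsafe,
        $safe
    );
}
```

Run it with `php example.php`. For the second sample the hardened branch emits `&lt;script&gt;alert(1)&lt;/script&gt;`, which a browser displays as literal text, while the admin-set fourth sample is passed through as the announcement describes. The audit helper is deliberately broad (it also flags a harmless `<3`), which is the right trade-off for a one-off review of stored titles.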