Warning to vBulletin/vBSpell Users

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

brendandonhu

Thread Starter
Joined
Jul 8, 2002
Messages
14,681
Yesterday I found a bug in TSG's spell checker that would allow an attacker to gain access to accounts/IP addresses when someone quotes and hits Spell Check on a post that had malicious code in it. As I don't have vBulletin myself I have no idea if it affects all installations or just TSG's and I have no way of testing.

TechGuy solved the problem by editing vbspell.php and adding
PHP:
$mystr = strip_tags($mystr);
after
PHP:
$mystr = str_replace('\\', '\\\\', $_REQUEST['spellstring']);
$mystr = stripslashes($mystr);
This was on vBSpell v.0.9.7. I'd rather not post the exploit in the open forums but I can PM it to anyone that needs to test their site.
-Brendan
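
The sanitisation order described in the post above, as an added example that is not part of the original thread and is not vBSpell's own code. The function names, the constructed sample strings, and the output-encoding step with htmlspecialchars are assumptions added for illustration.

```php
<?php
// Added illustration; not vBSpell source. Function names are hypothetical.

// Mirrors the patched order from the post:
// double the backslashes, stripslashes, then strip_tags.
function clean_spellstring(string $raw): string
{
    $mystr = str_replace('\\', '\\\\', $raw);
    $mystr = stripslashes($mystr);
    $mystr = strip_tags($mystr);   // the line added in the fix
    return $mystr;
}

// Assumption: the checked text is echoed back into an HTML page.
// strip_tags removes tags but leaves quotes and ampersands untouched,
// so the value is also encoded at the point of output.
function render_for_html(string $clean): string
{
    return htmlspecialchars($clean, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs (harmless markers, not the withheld exploit).
$samples = [
    'plain'     => 'Teh quick brown fox',
    'tagged'    => 'Teh <script>/* constructed marker */</script>quick fox',
    'quotes'    => 'He said "teh" & left',
    'backslash' => 'C:\\temp\\file',
];

foreach ($samples as $label => $raw) {
    $clean = clean_spellstring($raw);
    printf("%-9s raw:   %s\n", $label, $raw);
    printf("%-9s clean: %s\n", '', $clean);
    printf("%-9s html:  %s\n\n", '', render_for_html($clean));
}
```

The "tagged" sample shows that strip_tags drops the tags but keeps the text between them, and the "quotes" sample passes through it unchanged, which is why the output step encodes as well.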
 

TechGuy

Mike
Administrator
Joined
Feb 12, 1999
Messages
15,044
Thanks very much for sending me this as a Private Message and helping me to solve it before posting it publicly. :) Happy Holidays!
 

brendandonhu

Thread Starter
Joined
Jul 8, 2002
Messages
14,681
I've tried to contact the author of the software but I don't have access to PMs at vbulletin.org.
His username there is tamarian. Do you have access there?
 