Bummer: PhotoPlog's first vulnerability (fix inside)
Special thanks to Harry S. for reporting the XSS vulnerability, which becomes exploitable if you allow custom user titles. All versions of PhotoPlog are affected. PhotoPlog Lite on vbulletin.org has already been patched. PhotoPlog Pro (for vB3 and vB4) on this site has already been patched.
To apply the patch, download the ZIP package (here for Pro (for vB3 and vB4) or at vbulletin.org for Lite) and FTP the /photoplog/index.php file into your main gallery directory, overwriting the index.php file that is there. If you cannot download the Pro version, here is how to manually apply the patch. In the PhotoPlog Pro index.php file make the following three changes.
Note that any user with "Yes, admin set (HTML allowed)" for Custom User Title will still show parsed HTML, as that setting does allow for HTML. If you download PhotoPlog from here or vbulletin.org after the date of this post, you will already have the patched version. All versions of PhotoPlog downloaded before the date of this post will need to be patched as outlined above. Sorry for the troubles, and thanks again to Harry S. for submitting the report.
__________________
Please use the forums for support, feature requests, and similar such things. Support does not include custom code, custom template edits, or third-party modifications. PMs and emails to me should be for private information only, such as login information. If you PM or email me a support question, chances are good that I'll ignore it. Thanks. While the work or play is on, it is a lot of fun if while you are doing one you don't constantly feel that you ought to be doing the other. -- Franklin Pierce Adams
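As an added example (not PhotoPlog's own code, and not the three index.php edits the post refers to), this is the output-side rule the post describes: a custom user title is rendered as text unless it is admin set with HTML allowed. The customtitle codes and the render_usertitle() helper are assumptions modelled on a vBulletin-style user table.

```php
<?php
// Added example, not PhotoPlog's own code. The customtitle codes below are an
// assumption modelled on vBulletin's user table:
//   0 = no custom title, 1 = admin set (HTML allowed), 2 = user set (HTML not allowed).
const CUSTOMTITLE_NONE       = 0;
const CUSTOMTITLE_ADMIN_HTML = 1;
const CUSTOMTITLE_USER_SET   = 2;

/**
 * Return the title string that is safe to embed in the gallery's HTML output.
 * Only an admin-set title (HTML allowed) is passed through unescaped, which is
 * exactly the case the post says will still show parsed HTML after the patch.
 */
function render_usertitle(string $title, int $customtitle): string
{
    if ($customtitle === CUSTOMTITLE_ADMIN_HTML) {
        return $title; // admin-set titles may legitimately contain HTML
    }
    // Anything a user can set themselves is treated as text, never as markup.
    return htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample rows, shaped like what a gallery display loop would read.
$rows = [
    ['username' => 'alice', 'usertitle' => '<b>Staff</b>',          'customtitle' => CUSTOMTITLE_ADMIN_HTML],
    ['username' => 'bob',   'usertitle' => 'Member & <i>guest</i>', 'customtitle' => CUSTOMTITLE_USER_SET],
    ['username' => 'carol', 'usertitle' => 'Junior Member',         'customtitle' => CUSTOMTITLE_NONE],
];

foreach ($rows as $row) {
    // The username is escaped unconditionally; only the title has a mode switch.
    printf("%s: %s\n",
        htmlspecialchars($row['username'], ENT_QUOTES | ENT_HTML5, 'UTF-8'),
        render_usertitle($row['usertitle'], (int) $row['customtitle']));
}
```

Bob's row comes out with `&amp;`, `&lt;i&gt;` and `&lt;/i&gt;` in place of the raw characters, while Alice's admin-set markup is left intact.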