Potential SQL Injection


WB
April 6th, 2010, 09:42 AM
FYI, to the developers:

PhotoPost vBGallery Two SQL Injection Vulnerabilities - Advisories - Community (http://secunia.com/advisories/39152/)

Chuck S
April 6th, 2010, 12:42 PM
Thanks, will pass this along.

Michael P
April 6th, 2010, 02:02 PM
I'm not sure this is valid; at least from what we can see.

Honestly, I've had dozens of reports on there that were simply not true.

Kirby
April 7th, 2010, 03:04 AM
It is true.

Here is the original exploit:
SecurityFocus (http://www.securityfocus.com/archive/1/510362/30/90/)

Everyone can just test it out.

Michael P
April 7th, 2010, 08:25 PM
Attached is a new profile_start.php script for versions 2.0-2.4.X.

Download, rename the file to profile_start.php and replace your file:

forums / includes / vbgallery / profile_start.php

I will also update the build with an updated file.

For version 2.5, you will need to go to Plugin & Products -> Plug-in Manager -> UserCP -> profile_start and replace with the content from profile_start_plugin.txt

Ian Cunningham
April 15th, 2010, 03:07 AM
I've got an active license and I can't even download it...

Rideharder
April 23rd, 2010, 01:59 PM
Unfortunately I got attacked by this anyway. I moved host servers because I really didn't understand what was going on...
I won't get into the fine details of what I would like to do if I caught the individual that did that to me.

But anyway, I had my webpage migrated over to another host company and bought a renewal license of PhotoPost. I just installed it, and now when I go to ...gallery/search.php?do=getdaily it's a blank page, and I believe I'm setting the permissions correctly..

Chuck S
April 23rd, 2010, 02:06 PM
Is this a real post or a spam post? Sorry, I have to ask, as your post has an xxx link, but I see you're a verified customer.

Rideharder
April 23rd, 2010, 02:54 PM
Yes, I'm a paying customer. Would you like me to correct the URL?

And yes I was one of the ones that was hacked due to SQL injection..
Calling on Vbulletin community need help (http://www.vbulletin.com/forum/showthread.php?348531-Calling-on-Vbulletin-community-need-help&p=1961531#post1961531)

I should have received a coupon code for the renewal license..lol

Rideharder
April 23rd, 2010, 03:31 PM
I got it working..

What do I put for misc.php?do=buddylist&focus=1
for Global PhotoPost vBGallery Settings...

Chuck S
April 23rd, 2010, 04:36 PM
Okay, well, you used a URL that went to a porn site, which is why I had to ask. ;)

You might not want to place dummy URLs called xxx.net

Ramses
April 23rd, 2010, 04:50 PM
Thanks for the quick fix.

Chuck S
April 23rd, 2010, 07:05 PM
Let us know if you need anything else ;)

Rideharder
April 26th, 2010, 02:27 AM
What do I put for misc.php?do=buddylist&focus=1
for Global PhotoPost vBGallery Settings...

It still is popping up blank...

Rideharder
April 26th, 2010, 02:27 AM
Okay, well, you used a URL that went to a porn site, which is why I had to ask. ;)

You might not want to place dummy URLs called xxx.net


My bad..:eek:

Rideharder
April 26th, 2010, 02:28 AM
Thanks for the quick fix.


Thanks for the quick fix ;)

Rideharder
April 26th, 2010, 02:30 AM
And I have a question about the bulk upload... how do I highlight all the pictures at once, or am I misunderstanding how to do it...

I hardly used Photopost in the past but now since I have unlimited bandwidth, I figured I would use it now to its fullest.


Hopefully this time you can stay off the xxx site and answer my question..lol

Chuck S
April 26th, 2010, 06:37 AM
I believe version 2.5 has the flash uploader included. You want to use that version and turn on the flash upload so you can highlight multiple photos to upload.

Rideharder
April 29th, 2010, 07:42 PM
I believe version 2.5 has the flash uploader included. You want to use that version and turn on the flash upload so you can highlight multiple photos to upload.

Worked. Thanks..

Chuck S
April 30th, 2010, 06:34 AM
No problem.