Paul
Thu 5th Dec '02, 11:44pm
Hello,
Below you will find a report of a suspected issue with vBulletin. In order to clearly identify and troubleshoot issues which we believe to affect this product, future reports from us will be delivered in this fashion.
Known affected versions: Tested on vB 2.2.9. May affect all versions prior. First reported by "Streicher" on 18 July 2001 using vB 2.0.1 at http://www.vbulletin.com/forum/showthread.php?threadid=23089. No response was provided from Jelsoft at that time.
Synopsis:
When editing templates, there are three entry fields that are displayed: Template name, template set, and template. If an administrator attempts to edit a custom template and changes the template set dropdown value to another set in which the custom template already exists, a duplicate custom template will be created in the selected template set. Desired behavior would be for the existing template in the targeted template set to be updated with the new value.
Severity: Low to Moderate
Mitigating Factors: Two or more template sets must be defined. Forum installations with only one template set are not affected. Only users with access to the Admin CP can exploit this. This only affects custom templates--those who have not created custom templates remain unaffected.
Steps to reproduce:
Change the template set dropdown value to 'New Template Set' and modify the template.
How this affects your end-users:
The effect of the existance of duplicate custom templates with potentially different content has not been determined as of this posting. The template system was not designed to handle duplicate entries and may display unexpected results to end-users. Since custom templates are normally used for various code modifications, the security implications cannot be determined and may vary from application to application. For this reason, we have given this issue a "Moderate" rating.
Recommendations: There is no recommended fix at the time of this posting. One may appear from us in the near future, but only if Jelsoft classifies this as a bug. Otherwise, a hack will be posted at vBulletin.org that produces the desired, and what we believe to be expected, result. Administrators are advised to apply any sanctioned fixes offered by Jelsoft if and when they become available. Always remember to backup your databases and files before making any code modifications. Administrators are advised to ensure limited users have access to the Admin CP and that those with access be notified of potential problems resulting from this issue.
What we're doing: We have released this notification to the vBulletin.com community shortly after the issue was known to us. As this issue is difficult to "exploit" and requires specific permissions, we do not consider it sensitive and have not provided Jelsoft with advanced notification via their support contact. We will work with Jelsoft to provide any additional information requested as it becomes available to us. We will work with users within the context of this thread to provide limited assistance with this issue.Updates: 6 Sept. 2002 - We have been made aware that this problem was first reported to Jelsoft as early as July 2001 affecting vB 2.0.1. No replies were provided to the original author. Added reference to report of this problem made on 18 July 2001 by "Streicher."Regards,
Paul
Below you will find a report of a suspected issue with vBulletin. In order to clearly identify and troubleshoot issues which we believe to affect this product, future reports from us will be delivered in this fashion.
Known affected versions: Tested on vB 2.2.9. May affect all versions prior. First reported by "Streicher" on 18 July 2001 using vB 2.0.1 at http://www.vbulletin.com/forum/showthread.php?threadid=23089. No response was provided from Jelsoft at that time.
Synopsis:
When editing templates, there are three entry fields that are displayed: Template name, template set, and template. If an administrator attempts to edit a custom template and changes the template set dropdown value to another set in which the custom template already exists, a duplicate custom template will be created in the selected template set. Desired behavior would be for the existing template in the targeted template set to be updated with the new value.
Severity: Low to Moderate
Mitigating Factors: Two or more template sets must be defined. Forum installations with only one template set are not affected. Only users with access to the Admin CP can exploit this. This only affects custom templates--those who have not created custom templates remain unaffected.
Steps to reproduce:
Change the template set dropdown value to 'New Template Set' and modify the template.
How this affects your end-users:
The effect of the existance of duplicate custom templates with potentially different content has not been determined as of this posting. The template system was not designed to handle duplicate entries and may display unexpected results to end-users. Since custom templates are normally used for various code modifications, the security implications cannot be determined and may vary from application to application. For this reason, we have given this issue a "Moderate" rating.
Recommendations: There is no recommended fix at the time of this posting. One may appear from us in the near future, but only if Jelsoft classifies this as a bug. Otherwise, a hack will be posted at vBulletin.org that produces the desired, and what we believe to be expected, result. Administrators are advised to apply any sanctioned fixes offered by Jelsoft if and when they become available. Always remember to backup your databases and files before making any code modifications. Administrators are advised to ensure limited users have access to the Admin CP and that those with access be notified of potential problems resulting from this issue.
What we're doing: We have released this notification to the vBulletin.com community shortly after the issue was known to us. As this issue is difficult to "exploit" and requires specific permissions, we do not consider it sensitive and have not provided Jelsoft with advanced notification via their support contact. We will work with Jelsoft to provide any additional information requested as it becomes available to us. We will work with users within the context of this thread to provide limited assistance with this issue.Updates: 6 Sept. 2002 - We have been made aware that this problem was first reported to Jelsoft as early as July 2001 affecting vB 2.0.1. No replies were provided to the original author. Added reference to report of this problem made on 18 July 2001 by "Streicher."Regards,
Paul