Spam backdoor in blog.php

  • Tom1234
    Member
    • Jan 2004
    • 40
    • 3.6.x

    Spam backdoor in blog.php

    We found some spam originating from the server that runs our VB 3.8.
    On inspection, the spam was from a request to blog.php.

    This is the snippet of interest:

    if (!$vbulletin->options['enableemail'])
    {
        standard_error(fetch_error('emaildisabled'));
    }

    This says that there is an enableemail configuration setting that is to be respected by blog.php, and if that email configuration is turned off, it should just print a message stating that the email feature has been disabled.

    But it doesn't work as such. We have emailing turned off in the vB control panel, and we confirmed that we could indeed send email via the blog software by recreating the spam we originally detected.


    This was the rewrite to fix it, placed above the snippet above.

    standard_error(fetch_error('emaildisabled'));


    Is this ignoring of the enableemail configuration fixed in 4.*? If not, can it be looked into?

    Thanks,
    Tom/Adam/Jim
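    A defender-side check for the situation Tom describes (spam traced back to requests to blog.php), added here as an example and not code from the thread or from vBulletin: it correlates outbound mail-log entries with access-log requests to the blog script inside a short window and groups the matches by client address. The log formats, addresses, timestamps, the shared timezone and the assumed year are all constructed.

```python
import re
from datetime import datetime

# Constructed sample logs (not from the thread). Assumed: both logs share one
# timezone and year; Apache combined access log; sendmail-style mail log.
ACCESS_LOG = """\
203.0.113.7 - - [10/Mar/2012:14:02:11 +0000] "POST /blog.php HTTP/1.1" 200 512
198.51.100.4 - - [10/Mar/2012:14:02:12 +0000] "GET /forum.php HTTP/1.1" 200 2048
203.0.113.7 - - [10/Mar/2012:14:02:13 +0000] "POST /blog.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2012:14:02:14 +0000] "POST /blog.php HTTP/1.1" 200 512
"""
MAIL_LOG = """\
Mar 10 14:02:11 host sendmail[1201]: to=<victim1@example.net>, stat=Sent
Mar 10 14:02:13 host sendmail[1203]: to=<victim2@example.net>, stat=Sent
Mar 10 14:02:14 host sendmail[1204]: to=<victim3@example.net>, stat=Sent
Mar 10 14:30:00 host sendmail[1300]: to=<admin@example.org>, stat=Sent
"""
LOG_YEAR = 2012  # assumed: syslog-style mail lines carry no year
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^ \]]+)[^\]]*\] "\S+ (\S+)')
MAIL_RE = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+: to=<([^>]+)>')

def parse_requests(text, script):
    """(timestamp, client_ip) for each request whose path equals `script`."""
    out = []
    for m in filter(None, map(ACCESS_RE.match, text.splitlines())):
        if m.group(3).split("?")[0] == script:
            out.append((datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S"), m.group(1)))
    return out

def parse_mails(text):
    """(timestamp, recipient) for each delivery line in the mail log."""
    return [(datetime.strptime(f"{m.group(1)} {LOG_YEAR}", "%b %d %H:%M:%S %Y"), m.group(2))
            for m in filter(None, map(MAIL_RE.match, text.splitlines()))]

def correlate(access_log, mail_log, script="/blog.php", window_s=2):
    """Attribute each outbound mail to the latest `script` request made at most
    `window_s` seconds before it; returns {client_ip: [recipients]}."""
    requests = parse_requests(access_log, script)
    hits = {}
    for mail_ts, rcpt in parse_mails(mail_log):
        prior = [(ts, ip) for ts, ip in requests
                 if 0 <= (mail_ts - ts).total_seconds() <= window_s]
        if prior:  # max() picks the most recent request; ties are unlikely
            hits.setdefault(max(prior)[1], []).append(rcpt)
    return hits

def suspicious(hits, threshold=3):
    """Clients whose requests line up with at least `threshold` outbound mails."""
    return {ip: r for ip, r in hits.items() if len(r) >= threshold}
```

    Mails with no blog.php request inside the window (the admin message at 14:30 in the sample) are left unattributed, so a client that only shows up in the hits list after repeated correlated sends is worth a closer look.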
  • georgec
    Senior Member
    • Jun 2002
    • 257

    #2
    I'm also trying to track down spam that has purportedly been sent from my vBulletin software; can vBulletin confirm whether the above is indeed a loophole that may enable a spammer to relay spam through vBulletin? I ask this because I've exhausted all other possibilities. Our forum runs vBulletin Blog 2.0.1 Patch Level 1.

    Thanks,
    - JavaScript Kit | CSS Drive | CodingForums.com | CodeTricks.com


    • Trevor Hannant
      vBulletin Support
      • Aug 2002
      • 24325
      • 5.7.X

      #3
      Tom, what version of the Blog are you using?

      George, please upgrade your Blog as 2.0.4 is the latest.

      Vote for:

      - Admin Settable Paid Subscription Reminder Timeframe (vB6)
      - Add Admin ability to auto-subscribe users to specific channel(s) (vB6)
