Unsafe code error during upgrade to vb5

  • LBS
    Member
    • Mar 2007
    • 46
    • 5.5.x

    My VB4 install got hacked via the /install/ exploit, after which the hacker installed the c99madshell hack tool and changed some templates.
    I have removed the hacker's changes from the database by performing a full mysqldbcompare. Because it's difficult for me to rule out which changes from the 1 month older backup are legitimate changes, I have removed more rows than probably necessary:
    - Cleared the datastore table
    - Removed exploit code from the plugin table by drop/copying the backup table
    - Cleared the session table
    - Drop/copied the setting table (because the hacker did something in /install which causes different VB versions to be put in this table)
    - Cleared the strikes table
    - Drop/copied the styles table
    - Drop/copied the template table from backup (contained the hacker's code)
    - Drop/copied the upgradelog table

    Then I did an upgrade to VB4.2.1, followed by an upgrade to 5.0.5. The first attempt to upgrade to 5.0.5 resulted in this error:
    Code:
    PHP Warning:  file_put_contents() [<a href='function.file-put-contents'>function.file-put-contents</a>]: Filename cannot be empty in /XXXXXXXXX/core/install/makeconfig.php on line 252, referer: http://XXXXXXXXXXXXXXX/core/install/upgrade.php
    Same as: http://www.vbulletin.com/forum/forum...talling-vb-5-0
    I solved this one by manually editing the config files.

    Then the upgrade to 5.05 started, but at ~98% progress, I got the following error:
    Code:
    <?xml version="1.0" encoding="windows-1252"?>
    <?xml version="1.0" encoding="windows-1252"?>
    <error><![CDATA[The text for the phrase 'faq_text_not_safe' contains potentially unsafe code. Text in curly style php string substitution expressions (like {$vbulletin->somevalue}) is only allowed to contain the characters in a-z, A-Z, 0-9, square brackets ( [] ), and quotes ( "' ). This prevents possible arbitrary code execution when the phrase is processed.]]></error>
    The associated upgrade log is attached.

    How can I solve this upgrade problem?
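
Added example, not part of the original post and not vBulletin's own code: a Python approximation of the rule quoted in the error message, for auditing exported phrase rows of the form (varname, text) and listing every curly expression that contains disallowed characters. The tolerance for `_` and `->`, the function names and the sample rows are assumptions constructed for illustration.

```python
import re

# Characters the error message allows inside {$...}: a-z, A-Z, 0-9, [ ], " and '.
# Assumption: "_" and "->" are tolerated too, because the message's own example
# {$vbulletin->somevalue} uses "->". vBulletin's real check may differ.
ALLOWED_BODY = re.compile(r"""(?:[A-Za-z0-9_\[\]"']|->)*""")

def curly_expressions(text):
    """Yield each '{$...}' span, following nested braces to the matching '}'."""
    start = text.find("{$")
    while start != -1:
        depth, end = 0, start
        while end < len(text):
            if text[end] == "{":
                depth += 1
            elif text[end] == "}":
                depth -= 1
                if depth == 0:
                    break
            end += 1
        yield text[start:end + 1]  # an unterminated span runs to end of text
        start = text.find("{$", end + 1)

def unsafe_expressions(text):
    """Return the curly expressions whose body breaks the character rule."""
    bad = []
    for expr in curly_expressions(text):
        terminated = expr.endswith("}")
        body = expr[2:-1] if terminated else expr[2:]
        if not terminated or not ALLOWED_BODY.fullmatch(body):
            bad.append(expr)
    return bad

def audit_phrases(rows):
    """Map varname -> offending expressions for (varname, text) rows."""
    report = {name: unsafe_expressions(text) for name, text in rows}
    return {name: bad for name, bad in report.items() if bad}

# Constructed sample rows, not taken from any real phrase table.
SAMPLE_ROWS = [
    ("constructed_ok", "Welcome back, {$vbulletin->userinfo['username']}!"),
    ("constructed_plain", "Posts: {$stats[total]} in {brackets without a dollar}"),
    ("constructed_call", "Total: {$vbulletin->db->query($q)}"),
    ("constructed_nested", "Value: {${marker()}}"),
    ("constructed_open", "Broken: {$vbulletin->options"),
]

if __name__ == "__main__":
    for name, bad in audit_phrases(SAMPLE_ROWS).items():
        print(name, bad)
```

Rows restored from an older backup and rows left in place after a compromise can both be fed through `audit_phrases`; anything it reports deserves a manual comparison against a known-clean copy of the phrase.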