السلام عليكم و رحمة الله تعالى و بركاته
اليوم صدر ترقيع لثغرة جديدة في نسخة vBulletin الموضحة في العنوان ،
للمرخصين يمكنكم ترقيع الثغرة عن طريق الـMember Area ، أما بالنسبة للمنتديات غير المرخصة فلتتبع الشرح التالي
اولاً ، قم بفتح ملف Class_Core.php
استبدل التالي
كود الـ PHP:
// #############################################################################
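/**
* Unicode-safe version of htmlspecialchars() -- the version this page says to replace.
*
* The entity strings in this listing had been decoded by the page ('<' => '<',
* '&' => '&'), which made the printed function a no-op; they are restored here.
*
* Only <, > and " are escaped. Single quotes pass through unchanged, so the
* result is not safe inside a single-quoted HTML attribute.
*
* @param	string	Text to be made html-safe
* @param	boolean	If true, every "&" (with or without an entity after it) is handed to
*			htmlspecialchars_uni_callback(), which is defined elsewhere and not shown on
*			this page; if false, only an "&" that does not start a numeric or named
*			entity becomes &amp;
*
* @return	string
*/
function htmlspecialchars_uni($text, $entities = true)
{
	if ($entities)
	{
		// What happens to each ampersand in this branch is decided by the callback.
		$text = preg_replace_callback(
			'/&((#([0-9]+)|[a-z]+);)?/si',
			'htmlspecialchars_uni_callback',
			$text
		);
	}
	else
	{
		$text = preg_replace(
			// translates all non-unicode entities
			'/&(?!(#[0-9]+|[a-z]+);)/si',
			'&amp;',
			$text
		);
	}

	return str_replace(
		// replace special html characters
		array('<', '>', '"'),
		array('&lt;', '&gt;', '&quot;'),
		$text
	);
}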
بالتالي
كود الـ PHP:
// #############################################################################
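/**
* Unicode-safe version of htmlspecialchars() -- the replacement version from this page.
*
* The entity strings in this listing had been decoded by the page ('<' => '<',
* '&' => '&'), which made the printed function a no-op; they are restored here.
*
* Only <, > and " are escaped. Single quotes pass through unchanged, so the
* result is not safe inside a single-quoted HTML attribute.
*
* @param	string	Text to be made html-safe
* @param	boolean	If true, only numeric character references and &shy; are left alone and
*			every other "&" becomes &amp; (so a named entity in the input is shown
*			literally). If false, named entities are left alone as well.
*
* @return	string
*/
function htmlspecialchars_uni($text, $entities = true)
{
	return str_replace(
		// replace special html characters
		array('<', '>', '"'),
		array('&lt;', '&gt;', '&quot;'),
		preg_replace(
			// translates all non-unicode entities
			// With $entities true the lookahead is (?!#[0-9]+|shy;): the ";" binds to
			// "shy" only, so a numeric reference is recognised without its semicolon.
			'/&(?!' . ($entities ? '#[0-9]+|shy' : '(#[0-9]+|[a-z]+)') . ';)/si',
			'&amp;',
			$text
		)
	);
}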
ثانياً ، افتح ملف functions.php و استبدل التالي
كود الـ PHP:
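// Pre-patch excerpt (the text to locate in functions.php). The enclosing function
// starts above this excerpt. Within these lines $vbulletin->url reaches
// exec_header_redirect() and the redirect template with no destination check.
// The entity literals below had been decoded by the page and are restored.
if ($vbulletin->options['useheaderredirect'] AND !$forceredirect AND !headers_sent() AND !$vbulletin->GPC['postvars'])
{
	exec_header_redirect($vbulletin->url);
}

$title = $vbulletin->options['bbtitle'];
$pagetitle = $title;
$errormessage = $message;

$url = unhtmlspecialchars($vbulletin->url);
$url = str_replace(chr(0), '', $url);	// drop NUL bytes
$url = create_full_url($url);
$url = str_replace($str_find, $str_replace, $url);	// $str_find / $str_replace are set outside this excerpt
$js_url = addslashes_js($url, '"'); // " has been replaced by &quot;

// Turn every form of ";" (decimal entity, hex entity, literal) into %3B ...
$url = preg_replace(
	array('/&#0*59;?/', '/&#x0*3B;?/i', '#;#'),
	'%3B',
	$url
);
// ... then put back the one the step above broke: "&amp;" had become "&amp%3B".
$url = preg_replace('#&amp%3B#i', '&amp;', $url);

define('NOPMPOPUP', 1); // No footer here

require_once(DIR . '/includes/functions_misc.php');

$postvars = construct_hidden_var_fields(verify_client_string($vbulletin->GPC['postvars']));
$formfile =& $url;

// Both eval() calls run code held by the application (plugin hook code and template
// source), so whatever the template interpolates must already be escaped.
($hook = vBulletinHook::fetch_hook('redirect_generic')) ? eval($hook) : false;

eval('print_output("' . fetch_template('STANDARD_REDIRECT') . '");');
exit;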
}
بالتالي
كود الـ PHP:
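// Open-redirect guard: stop with an error unless $vbulletin->url either has no scheme
// or starts with a whitelisted scheme://host.
// NOTE(review): the 'redirect_whitelist' option and the 'invalid_redirect_url_x' phrase
// are used here but nothing on this page creates them -- confirm they exist on the board.
if ($vbulletin->url)
{
	$foundurl = false;

	// parse_url() returns false for a URL it cannot parse; $foundurl then stays false
	// and the request is rejected below.
	if ($urlinfo = @parse_url($vbulletin->url))
	{
		// empty() instead of !$urlinfo['scheme']: parse_url() omits the key when there is
		// no scheme, which is exactly the case this branch tests for.
		if (empty($urlinfo['scheme']))
		{	// url is made full in exec_header_redirect which stops a url from being redirected to, say "www.php.net" (no http://)
			// NOTE(review): nothing else is checked for a scheme-less URL; this relies on
			// the later "make full" step -- confirm it covers every scheme-less form.
			$foundurl = true;
		}
		else
		{
			$whitelist = array();
			if (!empty($vbulletin->options['redirect_whitelist']))
			{
				// one entry per line
				$whitelist = explode("\n", trim($vbulletin->options['redirect_whitelist']));
			}

			// Add $bburl to the whitelist
			$bburlinfo = @parse_url($vbulletin->options['bburl']);
			$bburl = "{$bburlinfo['scheme']}://{$bburlinfo['host']}";
			array_unshift($whitelist, $bburl);

			// if the "realurl" of this request does not equal $bburl, add it as well..
			$realurl = VB_URL_SCHEME . '://' . VB_URL_HOST;
			if (strtolower($bburl) !== strtolower($realurl))
			{
				array_unshift($whitelist, $realurl);
			}

			$vburl = strtolower($vbulletin->url);
			foreach ($whitelist AS $url)
			{
				$url = trim($url);
				if ($url === '')
				{
					// blank line in the option; nothing to compare against
					continue;
				}

				// Accept an exact match, or the entry followed by "/". Appending the slash
				// keeps "http://site.example" from matching "http://site.example.other".
				// An entry that itself ends in "/" therefore matches only exactly.
				if ($vburl === strtolower($url) OR strpos($vburl, strtolower($url) . '/', 0) === 0)
				{
					$foundurl = true;
					break;
				}
			}
		}
	}

	if (!$foundurl)
	{
		// NOTE(review): the rejected URL is passed into the error phrase; whether
		// fetch_error()/standard_error() escape it is not visible here -- confirm.
		eval(standard_error(fetch_error('invalid_redirect_url_x', $vbulletin->url)));
	}
}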
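// Rest of the replacement text: the redirect itself, with the same statements as the
// pre-patch excerpt. The entity literals below had been decoded by the page and are restored.
if ($vbulletin->options['useheaderredirect'] AND !$forceredirect AND !headers_sent() AND !$vbulletin->GPC['postvars'])
{
	exec_header_redirect($vbulletin->url);
}

$title = $vbulletin->options['bbtitle'];
$pagetitle = $title;
$errormessage = $message;

$url = unhtmlspecialchars($vbulletin->url);
$url = str_replace(chr(0), '', $url);	// drop NUL bytes
$url = create_full_url($url);
$url = str_replace($str_find, $str_replace, $url);	// $str_find / $str_replace are set outside this excerpt
$js_url = addslashes_js($url, '"'); // " has been replaced by &quot;

// Turn every form of ";" (decimal entity, hex entity, literal) into %3B ...
$url = preg_replace(
	array('/&#0*59;?/', '/&#x0*3B;?/i', '#;#'),
	'%3B',
	$url
);
// ... then put back the one the step above broke: "&amp;" had become "&amp%3B".
$url = preg_replace('#&amp%3B#i', '&amp;', $url);

define('NOPMPOPUP', 1); // No footer here

require_once(DIR . '/includes/functions_misc.php');

$postvars = construct_hidden_var_fields(verify_client_string($vbulletin->GPC['postvars']));
$formfile =& $url;

// Both eval() calls run code held by the application (plugin hook code and template
// source), so whatever the template interpolates must already be escaped.
($hook = vBulletinHook::fetch_hook('redirect_generic')) ? eval($hook) : false;

eval('print_output("' . fetch_template('STANDARD_REDIRECT') . '");');
exit;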
المصدر