Bugtraq mailing list archives

Re: memberlist.php of vBulletin
From: "John Percival" <johnnews () jelsoft com>
Date: Mon, 25 Mar 2002 14:07:24 -0000

Vendor status: notified 3/18/2; no response

Our response was emailed 14 minutes after receiving initial notification:
Thank you for reporting this, I have flagged this for discussion among the

Please let me know if you require any further assistance.

All the best,
Chris Schreiber
Support Team, vBulletin

mailto:support () vbulletin com

It was very kind of Plato to be responsible and let the community know what
is happening, but in the interests of the community we would have been a lot
better off letting us provide a fix first. I am quite disappointed in
Plato's actions here, and the only reason that I have not replied sooner is
that I felt that I would be more reasonable if I waited and cooled off a
little ;-)

As of Saturday, we have finished an initial round of audits for these XSS
issues and we are beginning more thorough checks. I would estimate a fix
will be available some time Monday or Tuesday.

I believe the simplest fix would be to initialize letterbits ($letterbits =
"";) at the top of memberlist.php.

Yes that is correct.
Add $letterbits = ''; right after the initial <?php

Unfortunately a similar bug affects several other files too. We are trying
to identify any remaining problems as quickly as possible.


John Percival
Product Manager, vBulletin
Jelsoft Enterprises Ltd.

mailto:john () vbulletin com

"vBulletin: Community Instantly"
Online support: mailto:support () vbulletin com
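
The bug class discussed in this message, shown as an added example that is not vBulletin source and not part of the original post. It assumes the PHP configuration common at the time imported request parameters as script variables (register_globals), which the thread does not spell out; `extract()` stands in for that behaviour, and the function name, link format and marker value are constructed.

```php
<?php
// Added illustration; hypothetical code, not taken from memberlist.php.

// Builds the A-Z style letter bar the way an append-only template loop would.
// $initialize toggles the one-line fix quoted in the thread.
function render_letter_bar(array $request, bool $initialize): string
{
    // Stand-in for register_globals = On: each request parameter becomes a
    // variable in scope before any page code runs. EXTR_SKIP keeps the
    // function's own arguments from being overwritten.
    extract($request, EXTR_SKIP);

    if ($initialize) {
        $letterbits = '';   // the fix: start from a known-empty value
    }

    // The page only ever appends with .=, so anything already present in
    // $letterbits is emitted, unescaped, ahead of the generated links.
    foreach (range('A', 'C') as $letter) {
        // Constructed link format, for illustration only.
        $letterbits .= '<a href="?letter=' . $letter . '">' . $letter . '</a> ';
    }

    return $letterbits;
}

// Constructed request: inert marker markup stands in for attacker HTML.
$request = ['letterbits' => '<b>REQUEST-SUPPLIED</b>'];

$before = render_letter_bar($request, false);   // variable left uninitialized
$after  = render_letter_bar($request, true);    // variable initialized first

// Does the request-supplied markup lead the generated HTML?
var_dump(strpos($before, '<b>REQUEST-SUPPLIED</b>') === 0);
// Is it absent once the variable is initialized?
var_dump(strpos($after, 'REQUEST-SUPPLIED') === false);
```

The same pattern applies to any variable that is first touched with `.=` or read before assignment, which is why one initialization line per file is an audit task rather than a single patch.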
