Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: memberlist.php of vBulletin
From: "John Percival" <johnnews () jelsoft com>
Date: Mon, 25 Mar 2002 14:07:24 -0000

Vendor status: notified 3/18/2;  no response

Correction:
Our response was emailed 14 minutes after receiving initial notification:
-------
Thank you for reporting this, I have flagged this for discussion among the
developers.

Please let me know if you require any further assistance.

All the best,
Chris Schreiber
Support Team, vBulletin

http://www.vbulletin.com/
mailto:support () vbulletin com
-------

It was very kind of Plato to be responsible and let the community know what
is happening, but in the interests of the community we would have been a lot
better off letting us provide a fix first. I am quite disappointed in
Plato's actions here, and the only reason that I have not replied sooner is
that I felt  that I would be more reasonable if I waited and cooled off a
little ;-)

As of Saturday, we have finished an initial round of audits for these XSS
issues and we are beginning more thorough checks. I would estimate a fix
will be available some time Monday or Tuesday.

I believe the simplest fix would be to initialized letterbits($letterbits
=
"";) at the top of memberlist.php.

Yes that is correct.
Add $letterbits = ''; right after the inital <?php

Unfortunately a similar bug affects several other files too. We are trying
to identify any remaining problems as quickly as possible.


Regards,

John Percival
Product Manager, vBulletin
Jelsoft Enterprises Ltd.

http://www.vbulletin.com/
mailto:john () vbulletin com

"vBulletin: Community Instantly"
Online support: mailto:support () vbulletin com


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault