Hey all,
Thanks to BugAbuse we've been able to identify and fix a potential SQL Injection vulnerability in the Lite and Pro versions of vBDonate v1.2.2.
You can either re-download v6.0.8 and re-upload the /dbtech/vbdonate/actions/dodonate.php file directly from the upload folder, or you can apply the manual file edits below.
For the manual file edit, open up /dbtech/vbdonate/actions/dodonate.php within your forum directory and find:
PHP:
$dbt_vbd_donate_params = explode('|', $db->escape_string($vbulletin->GPC['amount']));
Replace with:
PHP:
$dbt_vbd_donate_params = explode('|', $vbulletin->GPC['amount']);
Find:
PHP:
$dbt_vbd_donate_amount = $db->escape_string($vbulletin->GPC['amount']);
Replace with:
PHP:
$dbt_vbd_donate_amount = $vbulletin->GPC['amount'];
Find both instances of:
Code:
" . $db->escape_string($dbt_vbd_donate_amount) . ",
Replace both instances with:
Code:
'" . $db->escape_string($dbt_vbd_donate_amount) . "',
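The edits above move escaping to the single point where the value enters SQL and, more importantly, put quotes around it. The following is an added example, not vBDonate's code, that shows why the unquoted form was exploitable even though the value was escaped: escape_string() only neutralises quote and backslash characters, so in an unquoted numeric position any other SQL text passes straight through. There is no database here; the escape_string() function is a stand-in for vBulletin's $db->escape_string(), and the table and column names are invented for illustration.

```php
<?php
// Added example (not vBDonate's own code). escape_string() below stands in for
// vBulletin's $db->escape_string(); the table/column names are assumptions.

function escape_string(string $value): string
{
    // Like $db->escape_string(): backslash-escapes ' " \ and NUL, nothing else.
    // It never adds the surrounding quotes, so it only helps inside a quoted literal.
    return addslashes($value);
}

// Vulnerable pattern (before the fix): escaped but NOT quoted. Any non-quote
// characters, including SQL keywords and operators, are parsed as SQL.
function build_query_unquoted(string $amount): string
{
    $dbt_vbd_donate_amount = escape_string($amount);
    return "UPDATE dbtech_vbdonate_donations SET amount = "
        . $dbt_vbd_donate_amount
        . " WHERE donationid = 1";
}

// Fixed pattern (after the replacement above): the escaped value sits inside
// single quotes, so the whole input is one string literal and cannot break out.
function build_query_quoted(string $amount): string
{
    $dbt_vbd_donate_amount = escape_string($amount);
    return "UPDATE dbtech_vbdonate_donations SET amount = '"
        . $dbt_vbd_donate_amount
        . "' WHERE donationid = 1";
}

// Defence in depth: a donation amount is a number, so reject anything that is
// not one before it gets anywhere near a query. Returns null on bad input.
function validate_amount(string $amount): ?float
{
    if (!is_numeric($amount)) {
        return null;
    }
    $value = (float) $amount;
    return $value > 0 ? $value : null;
}

// Constructed sample inputs: one normal amount and one containing SQL text.
$benign  = '25.00';
$hostile = '0 OR 1=1';

// Unquoted: the "OR 1=1" becomes part of the SQL expression, not part of the data.
echo build_query_unquoted($hostile), "\n";

// Quoted: the same input is now just the contents of a string literal.
echo build_query_quoted($hostile), "\n";

// Validation catches it before any SQL is built at all.
var_dump(validate_amount($benign));
var_dump(validate_amount($hostile));
```

Run it with `php example.php` and compare the two UPDATE statements: in the first, the injected text sits directly in the SQL; in the second it is wrapped in quotes. The validate_amount() check is the layer to add on top of the quoting fix, since the column only ever needs a number.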
Sorry for the inconvenience, and thank you for your continued support.

Discuss this news here.