Vulnerabilità BBcode

[AleSSaNDRo]

Invitiamo tutti i WebMaster a riparare il vostro forum facendo le seguenti modifiche:

Cerca

Codice: Seleziona tutto

$bbcode_tpl['url4'] = str_replace('{URL}', 'http://\\1', $bbcode_tpl['url']); 
   $bbcode_tpl['url4'] = str_replace('{DESCRIPTION}', '\\5', $bbcode_tpl['url4']);

sostituisci con:

Codice: Seleziona tutto

$bbcode_tpl['url4'] = str_replace('{URL}', 'http://\\1', $bbcode_tpl['url']); 
   $bbcode_tpl['url4'] = str_replace('{DESCRIPTION}', '\\3', $bbcode_tpl['url4']);

Cerca:

Codice: Seleziona tutto

// matches a [url]xxxx://www.phpbb.com[/url] code.. 
   $patterns[] = "#\[url\]([\w]+?://.*?[^ \"\n\r\t<]*?)\[/url\]#is"; 
   $replacements[] = $bbcode_tpl['url1']; 

   // [url]www.phpbb.com[/url] code.. (no xxxx:// prefix). 
   $patterns[] = "#\[url\]((www|ftp)\.([\w\-]+\.)*?[\w\-]+\.[a-z]{2,4}(:?[0-9]*?/[^ \"\n\r\t<]*)?)\[/url\]#is"; 
   $replacements[] = $bbcode_tpl['url2']; 

   // [url=xxxx://www.phpbb.com]phpBB[/url] code.. 
   $patterns[] = "#\[url=([\w]+?://.*?[^ \"\n\r\t<]*?)\](.*?)\[/url\]#is"; 
   $replacements[] = $bbcode_tpl['url3']; 

   // [url=www.phpbb.com]phpBB[/url] code.. (no xxxx:// prefix). 
   $patterns[] = "#\[url=((www|ftp)\.([\w\-]+\.)*?[\w\-]+\.[a-z]{2,4}(:?[0-9]*?/[^ \"\n\r\t<]*)?)\](.*?)\[/url\]#is"; 
   $replacements[] = $bbcode_tpl['url4'];

Sostitusci con:

Codice: Seleziona tutto

// matches a [url]xxxx://www.phpbb.com[/url] code.. 
   $patterns[] = "#\[url\]([\w]+?://[^ \"\n\r\t<]*?)\[/url\]#is"; 
   $replacements[] = $bbcode_tpl['url1']; 

   // [url]www.phpbb.com[/url] code.. (no xxxx:// prefix). 
   $patterns[] = "#\[url\]((www|ftp)\.[^ \"\n\r\t<]*?)\[/url\]#is"; 
   $replacements[] = $bbcode_tpl['url2']; 

   // [url=xxxx://www.phpbb.com]phpBB[/url] code.. 
   $patterns[] = "#\[url=([\w]+?://[^ \"\n\r\t<]*?)\](.*?)\[/url\]#is"; 
   $replacements[] = $bbcode_tpl['url3']; 

   // [url=www.phpbb.com]phpBB[/url] code.. (no xxxx:// prefix). 
   $patterns[] = "#\[url=((www|ftp)\.[^ \"\n\r\t<]*?)\](.*?)\[/url\]#is"; 
   $replacements[] = $bbcode_tpl['url4']; 

Cerca:

Codice: Seleziona tutto

// matches an "xxxx://yyyy" URL at the start of a line, or after a space. 
   // xxxx can only be alpha characters. 
   // yyyy is anything up to the first space, newline, comma, double quote or < 
   $ret = preg_replace("#(^|[\n ])([\w]+?://.*?[^ \"\n\r\t<]*)#is", "\\1<a href=\"\\2\" target=\"_blank\">\\2</a>", $ret); 

   // matches a "www|ftp.xxxx.yyyy[/zzzz]" kinda lazy URL thing 
   // Must contain at least 2 dots. xxxx contains either alphanum, or "-" 
   // zzzz is optional.. will contain everything up to the first space, newline, 
   // comma, double quote or <. 
   $ret = preg_replace("#(^|[\n ])((www|ftp)\.[\w\-]+\.[\w\-.\~]+(?:/[^ \"\t\n\r<]*)?)#is", "\\1<a href=\"http://\\2\" target=\"_blank\">\\2</a>", $ret); 

Sostituisci con:

Codice: Seleziona tutto

//matches an "xxxx://yyyy" URL at the start of a line, or after a space. 
   // xxxx can only be alpha characters. 
   // yyyy is anything up to the first space, newline, comma, double quote or < 
   $ret = preg_replace("#(^|[\n ])([\w]+?://[^ \"\n\r\t<]*)#is", "\\1<a href=\"\\2\" target=\"_blank\">\\2</a>", $ret); 

   // matches a "www|ftp.xxxx.yyyy[/zzzz]" kinda lazy URL thing 
   // Must contain at least 2 dots. xxxx contains either alphanum, or "-" 
   // zzzz is optional.. will contain everything up to the first space, newline, 
   // comma, double quote or <. 
   $ret = preg_replace("#(^|[\n ])((www|ftp)\.[^ \"\t\n\r<]*)#is", "\\1<a href=\"http://\\2\" target=\"_blank\">\\2</a>", $ret);

[Giada]

Ho visto che ci sono pochi webmaster qui!

[Angel.OfFire]

io sono web master di un forum,ma non è come questo
io l'ho preso da un altro sito

[Essaid]

cioè?

[Angel.OfFire]

nn posso inserire il link qui....
ricorda una cosa importante essaid: No