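##############################################
#
# HTML in sigs by ELY M.
#
# with control panel hack
#
# This hack adds a control panel toggle that turns HTML in signatures on and off.
#
##############################################
#
# WARNING: turning on HTML in signatures brings a very big SECURITY risk.
#
# Anything is possible if you allow HTML in signatures.
#
# A user can do anything in his signature, including running a dangerous flash movie.
#
# A user can try to upload a virus from his sig to your computer.
#
# Think about whether you want users to have a whole website in their signatures.
#
# I'm not responsible for what happens after you install my hack.
#
# If anything happens, just go into your CP, turn OFF HTML in sigs and ban the user.
#
##############################################
#
# NOTE(review): this page reached us with its line breaks lost and with some
# regex text eaten by HTML extraction (it showed `s//>/g`, `s/"/"\;/sg` and
# `s/()//isg`). The entity substitutions below are reconstructed; the
# `s/()//isg` pattern could not be recovered and is left as shown. When
# searching for a "find" snippet, trust the code in your own file.
#
# NOTE(review): the replacement code below differs from the hack as first
# published. The published version wrapped the WHOLE clean-up block in
# `if ($vars_display{allowhtmlinsigs} eq 'no')`, so switching the option on
# stopped HTML stripping for every submitted field, not just the signature,
# and with the option off it applied the whitespace/quote clean-up to the
# password fields as well. Here the option only exempts the signature field,
# and anything other than an explicit "yes" is treated as "no".
#

##############################################
# Open cp_lib.cgi
##############################################

# find

$vars_display{AllowSignatureImage} = "no";

# add after this

$vars_display{allowhtmlinsigs} = "no";

###
# find

print FILE qq!AllowSignatureImage => "$in{AllowSignatureImage}",\n!;

# add after this
#
# The value is written between double quotes into the settings file, so it is
# reduced to the two literals the option can take before it is printed; a
# submitted value containing a quote can then never reach the file.

my $allow_html_in_sigs = (lc($in{allowhtmlinsigs}) eq 'yes') ? 'yes' : 'no';
print FILE qq!allowhtmlinsigs => "$allow_html_in_sigs",\n!;

##############################################
# open cp_vars_display.pl (template file)
##############################################

# find this

&RadioField ("Allow Images in Signatures?", "AllowSignatureImage", "yes", "You may allow your users to put UBB code images in their signature. This is not advised unless you are sure users will not abuse the right.", "$vars_display{AllowSignatureImage}", "YES|Allow images in signatures.%%no|Do not allow images in signatures.");

# add after this

&RadioField ("Allow HTML in Signatures?", "allowhtmlinsigs", "yes", "You may allow your users to use HTML in their signature. This is not advised unless you are sure users will not abuse the right. 
SECURITY RISK: Your users can abuse this easily and put some exploits in their signatures.", "$vars_display{allowhtmlinsigs}", "yes|Allow HTML in signatures.%%no|Do not allow HTML in signatures.");

##############################################
# open ubb_profile.cgi
##############################################

# find this code

# clean up, validate, & ensure that this profile can be updated
foreach $key (keys %in) {
    # rem HTML and unclosed tags
    $in{$key} =~ s/(__)(\w+)(__)/_ $2 _ /g; #rem IIS exploit
    unless ( ($key eq 'password') ) {
        $in{$key} =~ s/<.*?>//sg;
        $in{$key} =~ s/</&lt;/g;
        $in{$key} =~ s/>/&gt;/g;
        unless ($key eq 'signature') {
            $in{$key} =~ s/\s+/ /sg;
            $in{$key} =~ s/"/&quot\;/sg;
        }
    }
} # foreach key

# REPLACE with this

# clean up, validate, & ensure that this profile can be updated
foreach $key (keys %in) {
    # rem HTML and unclosed tags
    $in{$key} =~ s/(__)(\w+)(__)/_ $2 _ /g; #rem IIS exploit
    unless ( ($key eq 'password') ) {
        # HTML survives only in the signature field, and only when the
        # control panel option is exactly "yes". Every other field is
        # stripped and escaped as before, whatever the option says.
        unless ( ($key eq 'signature') && (lc($vars_display{allowhtmlinsigs}) eq 'yes') ) {
            $in{$key} =~ s/<.*?>//sg;
            $in{$key} =~ s/</&lt;/g;
            $in{$key} =~ s/>/&gt;/g;
        }
        # Unchanged from the stock code: the password is never touched and
        # the signature keeps its whitespace and quotes.
        unless ($key eq 'signature') {
            $in{$key} =~ s/\s+/ /sg;
            $in{$key} =~ s/"/&quot\;/sg;
        }
    }
} # foreach key

# find this code
# NOTE(review): the text inside the parentheses was lost in extraction;
# locate the matching $sig line in your own file and keep its pattern.

$sig =~ s/()//isg;

# replace with this
# The stock filter is skipped only on an explicit "yes"; a missing or
# unexpected setting keeps the filter running.

unless (lc($vars_display{allowhtmlinsigs}) eq 'yes') {
    $sig =~ s/()//isg;
}

##############################################
# open ubb_registration.cgi
##############################################

# find this

foreach $key (keys %in) {
    # rem HTML and unclosed tags
    $in{$key} =~ s/(__)(\w+)(__)/_ $2 _ /g; #rem IIS exploit
    unless (($key eq 'username') || ($key eq 'password') || ($key eq 'password_confirm')) {
        $in{$key} =~ s/<.*?>//sg;
        $in{$key} =~ s/</&lt;/g;
        $in{$key} =~ s/>/&gt;/g;
        unless ($key eq 'signature') {
            $in{$key} =~ s/\s+/ /sg;
            $in{$key} =~ s/"/&quot\;/sg;
        }
    }
}

# REPLACE with this

foreach $key (keys %in) {
    # rem HTML and unclosed tags
    $in{$key} =~ s/(__)(\w+)(__)/_ $2 _ /g; #rem IIS exploit
    unless (($key eq 'username') || ($key eq 'password') || ($key eq 'password_confirm')) {
        # Same rule as in ubb_profile.cgi: only the signature is exempt from
        # stripping, and only when the option is exactly "yes".
        unless ( ($key eq 'signature') && (lc($vars_display{allowhtmlinsigs}) eq 'yes') ) {
            $in{$key} =~ s/<.*?>//sg;
            $in{$key} =~ s/</&lt;/g;
            $in{$key} =~ s/>/&gt;/g;
        }
        unless ($key eq 'signature') {
            $in{$key} =~ s/\s+/ /sg;
            $in{$key} =~ s/"/&quot\;/sg;
        }
    }
}

###
# find this code
# NOTE(review): pattern lost in extraction, as in ubb_profile.cgi; keep the
# pattern from your own file.

$sig =~ s/()//isg;

# replace with this

unless (lc($vars_display{allowhtmlinsigs}) eq 'yes') {
    $sig =~ s/()//isg;
}

########################
#
# Make sure you go into your Control Panel to enable or disable HTML in signatures.
#
#########DONE###########
#
# BE careful !!!! Watch out for any user who tries to upload a virus in his
# signature to your computer.
#
#######################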