Announcement

Collapse
No announcement yet.

Manual Security Patch Instructions for VB 3.x

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Joe D.
    replied
    Hello- That would not be supported. A patch version does not display to your users anyway, it never has- the patch version is only reflected in your Admin CP.

    Leave a comment:


  • MichaelApproved
    replied
    I manually edited the VB files and would like to change my version number to reflect the update. How could I do that?

    Leave a comment:


  • Joe D.
    replied
    Originally posted by TObject View Post
    Thank you very much.

    To triple check:

    After performing the steps described in the post number one in this thread, the patching is done. There is no need to upload any additional patch files. These steps are INSTEAD of the patches posted in the following thread NOT IN ADDITION TO.

    http://www.vbulletin.com/forum/forum...=1394820919495
    Am I correct?
    Thanks again
    Absolutely correct. Either / Or, not both.

    Leave a comment:


  • TObject
    replied
    Thank you very much.

    To triple check:

    After performing the steps described in the post number one in this thread, the patching is done. There is no need to upload any additional patch files. These steps are INSTEAD of the patches posted in the following thread NOT IN ADDITION TO.

    http://www.vbulletin.com/forum/forum...=1394820919495
    Am I correct?
    Thanks again

    Leave a comment:


  • Joe D.
    replied
    Originally posted by kooley2 View Post
    Hi there Vb,

    If I'm now running (vBulletin 4.2.1) do I have to download BOTH the patches below or just the latest patch? Many thx !

    Security patch: 4.2.2 Suite PL1
    Security patch: 4.2.1 Suite PL1

    This thread is for vBulletin 3.x, please post in the VB 4.x thread if you have questions about VB 4.x- do not reply here. But the quick answer is there is only ONE patch you should download VB 4.2.2 Patch 1. There is no patch for VB 4.2.1 for this issue, you will need to make the manual changes in the 4.x version of this topic or (preferably) upgrade to 4.2.2.
    Last edited by Joe D.; Fri 14th Mar '14, 9:12am.

    Leave a comment:


  • Joe D.
    replied
    Originally posted by edivad82 View Post
    in 3.6.x functions_misc.php code is little bit different, there is no 'sign_client_string' function, so the correct line to search is
    Code:
    return '<input type="hidden" name="postvars" value="' . htmlspecialchars_uni(serialize($_POST)) . '" />' . "\n";
    correct?
    and obviously, the correct replace line is
    Code:
    $string = json_encode($_POST);
    return '<input type="hidden" name="postvars" value="' . htmlspecialchars_uni($string) . '" />' . "\n";
    correct ? (again)

    thanks

    Davide
    Yes that is correct. (again)

    Leave a comment:


  • kooley2
    replied
    Hi there Vb,

    If I'm now running (vBulletin 4.2.1) do I have to download BOTH the patches below or just the latest patch? Many thx !

    Security patch: 4.2.2 Suite PL1
    Security patch: 4.2.1 Suite PL1

    Leave a comment:


  • edivad82
    replied
    in 3.6.x functions_misc.php code is little bit different, there is no 'sign_client_string' function, so the correct line to search is
    Code:
    return '<input type="hidden" name="postvars" value="' . htmlspecialchars_uni(serialize($_POST)) . '" />' . "\n";
    correct?
    and obviously, the correct replace line is
    Code:
    $string = json_encode($_POST);
    return '<input type="hidden" name="postvars" value="' . htmlspecialchars_uni($string) . '" />' . "\n";
    correct ? (again)

    thanks

    Davide

    Leave a comment:


  • Joe D.
    commented on 's reply
    If VB 3.8.7 PL4 is available in your Member's Area you just download an upgrade as normal. If VB 3.8.7 is not available in your Member's Area you must buy an upgrade to VB5 Connect which will also give access to VB 3.8.7.

  • nkrowe
    commented on 's reply
    OK good I'm done with that. Can you point me in the direction I need to take to get my 3.8.2 updated to 3.8.7 patch 4?

  • Mark.B
    replied
    Originally posted by nkrowe View Post
    OK I have version 3.8.2 so I applied the changes in #1 above.

    NOW WHAT????

    If I look back at the page that brought me here, I see:
    Patch for vBulletin 5.0.5 PL1
    Patch for vBulletin 4.2.2 PL1
    Patch for vBulletin 3.8.7 PL3
    Patch for vBulletin 3.8.7 MAPI

    Linked below are patch files so that you can manually update versions of vBulletin 3 and vBulletin 4 without a direct patch.
    VBIII-12935.zip (07KB, 1view)
    VB*V-15935.zip (11KB, 1 view)

    DO I JUST APPLY THE VBIII-12935.ZIP FILE AND I"M DONE OR WHAT?


    If you've applied the changes in post #1, that's all you need to do.

    Leave a comment:


  • Joe D.
    replied
    Originally posted by Sir_Yaro View Post
    Hi.
    I'm running vB 3.6.5 forums.
    I've change code in functions_misc.php but forumdisplay.php code is bit different than expeced.
    Function "unserialize" is using a different parameter:

    Code:
    [email protected] /www/ $ grep unserialize forumdisplay.php
    $temp = unserialize($vbulletin->GPC['postvars']);
    [email protected] /www/ $
    lines 158-171 of forumdisplay.php
    Code:
    // Allow POST based redirection...
    if ($vbulletin->GPC['postvars'] != '')
    {
    $temp = unserialize($vbulletin->GPC['postvars']);
    if ($temp['do'] != 'doenterpwd')
    { // ...but prevent an infinite loop
    require_once(DIR . '/includes/functions_misc.php');
    $vbulletin->GPC['postvars'] = construct_hidden_var_fields($vbulletin->GPC['postvars']);
    }
    else
    {
    $vbulletin->GPC['postvars'] = '';
    }
    }

    Can I replace it to
    Code:
    $temp = json_decode($vbulletin->GPC['postvars'], true);
    safely ?
    Yes, that is what you should do. Sorry about that.

    Leave a comment:


  • nkrowe
    replied
    OK I have version 3.8.2 so I applied the changes in #1 above.

    NOW WHAT????

    If I look back at the page that brought me here, I see:
    Patch for vBulletin 5.0.5 PL1
    Patch for vBulletin 4.2.2 PL1
    Patch for vBulletin 3.8.7 PL3
    Patch for vBulletin 3.8.7 MAPI

    Linked below are patch files so that you can manually update versions of vBulletin 3 and vBulletin 4 without a direct patch.
    VBIII-12935.zip (07KB, 1view)
    VB*V-15935.zip (11KB, 1 view)

    DO I JUST APPLY THE VBIII-12935.ZIP FILE AND I"M DONE OR WHAT?



    Leave a comment:


  • Mark.B
    replied
    Thanks

    Leave a comment:


  • edge999
    replied
    Alright! I manually made the changes and all seems okay.

    Thanks much for your reply.

    Leave a comment:

Related Topics

Collapse

Working...
X