3.8.5 Fixes Security Issue with 3.8.4 PL2 - but unreported?


  • 3.8.5 Fixes Security Issue with 3.8.4 PL2 - but unreported?

    Hello,

    Could I please get a bit of clarification on the 3.8.5 release?
    There seems to be a 3.x password weakness security issue that has been addressed in the 3.7 / 4.0 announcement from today, but it only quickly mentions that 3.8.5 doesn't have this issue.

    However, the 3.8.5 announcement lists 4 template changes and some bug fixes, but it doesn't seem to list any bug fix about this password security thing.
    It's specifically mentioned to be a maintenance release, and usually a security patch causes a PL release or is specifically mentioned in the full upgrade.

    Does that mean it was unannounced in the 3.8.5 announcement? But actually fixed? But was decided to not mention it (which I find strange, since it is Security! related)
    Or does this mean 3.8.5 users have to re-download and run upgrade.php again to fix this?

    Are the plugins involved identified? Could we be informed which ones so we can disable those on the forums?

    And for those who are under the 3.x license type and whose license has expired and do not have access to a free security patch; you can find an unofficial one here.
    Last edited by Floris; Tue 23 Mar '10, 5:33am.

  • #2
    The 3.8.5 release includes it, just doesn't mention it.
    Baby, I was born this way



    • #3
      Correct, I am seeing it in the upgrade_385.php file:

      PHP Code:
          $upgrade->run_query(
              sprintf($upgradecore_phrases['altering_x_table'], 'user', 1, 1),
              "ALTER TABLE " . TABLE_PREFIX . "user MODIFY salt CHAR(30) NOT NULL DEFAULT ''"
          );
      Just ran the upgrade, changed my password, and it is the new salt, so it works correctly.
      Michael Biddle - Follow me on Twitter!



      • #4
        Will running that query in the vBulletin Admin CP fix the password security problem in my 3.8.3 or 3.8.4 PL2 versions?

        Jim
        If my post was helpful to you, please take the time to register at my forum and ask a question you've always wanted to know about floors.
        www.TheFloorPro.com



        • #5
          Originally posted by eJM
          Will running that query in the vBulletin Admin CP fix the password security problem in my 3.8.3 or 3.8.4 PL2 versions?

          Jim
          No, it's one of two steps. You will need to patch class_dm_user.php too, see my previous post, it has a link to unofficial patch.



          • #6
            I have seen your patch, Floris. Thanks for the clarification on this. Your patch doesn't run a query. Wouldn't a query run via AdminCP be simpler? Is the above query (the code between the parentheses or including the parentheses) what needs to be run? I use a prefix of tfp for my database tables. Does that change the query?

            Jim



            • #7
              They do, open the table, edit the value from 3 to 30, and that's the alter query from upgrade.



              • #8
                Any modifications should be released over at www.vbulletin.org and linked/discussed there.
                Vote for:

                - *Admin Settable Paid Subscription Reminder Timeframe*
                - *PM - Add ability to reply to originator only*
                - Add Admin ability to auto-subscribe users to specific channel(s)
                - "Quick Route" Interface...
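The column change quoted in post #3, written out so it can be checked by hand. This is an added example, not part of the thread or of vBulletin's own code. It assumes MySQL and a table prefix of `tfp_` (a placeholder; substitute your own TABLE_PREFIX value), and it shows how to confirm the column width and count the accounts that still carry a short salt.

```sql
-- Added example. Assumptions: MySQL, table prefix "tfp_" (placeholder).

-- 1. Inspect the current definition of the salt column.
--    Post #7 gives the old width as 3; after the 3.8.5 upgrade step
--    quoted in post #3 this should report char(30).
SELECT COLUMN_TYPE, IS_NULLABLE, COLUMN_DEFAULT
FROM information_schema.COLUMNS
WHERE TABLE_SCHEMA = DATABASE()
  AND TABLE_NAME   = 'tfp_user'
  AND COLUMN_NAME  = 'salt';

-- 2. The statement from upgrade_385.php with TABLE_PREFIX expanded.
--    Only the text inside the double quotes is SQL; the surrounding
--    run_query()/sprintf() call is PHP and is not pasted into a query box.
ALTER TABLE tfp_user MODIFY salt CHAR(30) NOT NULL DEFAULT '';

-- 3. Widening the column does not rewrite stored values. Existing rows
--    keep the salt they already had, and a longer salt is only written
--    when a password is set by code that generates one (post #5: the
--    class_dm_user.php change is the second step). This groups accounts
--    by stored salt length so the remaining short salts are visible.
SELECT CHAR_LENGTH(salt) AS salt_length,
       COUNT(*)          AS accounts
FROM tfp_user
GROUP BY CHAR_LENGTH(salt)
ORDER BY salt_length;
```

Re-running the third query over time shows how many accounts have moved to the longer salt as users change their passwords.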

