Announcement

Collapse
No announcement yet.

Manual Security Patch Instructions for VB 4.x.x

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Mark.B
    replied
    For vB4: There are patch files for 4.2.2 only.
    If you have an earlier version our recommendation is to upgrade.
    If you do not wish to do so, we have provided manual patching instructions.

    Leave a comment:


  • toon79
    replied
    I don't get it, can't we just have patch files to overwrite the old files? The patch files in the member area are not these files are have <?php

    define('FILE_VERSION_VBULLETIN', '4.2.1 Patch Level 1');

    ?>

    Shouldn't there be a patch level 2? Am I missing something?

    Leave a comment:


  • Mark.B
    replied
    There should only be one copy of that file, and that folder. If you have two, you need to review what's on your server - compare the folder structure with that of the download package.

    Leave a comment:


  • vbsm
    replied
    includes/functions.php is located in two places. Should both be changed?

    Leave a comment:


  • BirdOPrey5
    started a topic Manual Security Patch Instructions for VB 4.x.x

    Manual Security Patch Instructions for VB 4.x.x

    The following are instructions for manually patching all versions of VB 4.x.x for the patch released March 13, 2014.

    Verify you have PHP 5.2.0 or higher before you make these changes. If you don't you will break the site by making these changes.

    The version of PHP on your server is visible in the Admin CP in the table near the top of the page, under thew news.



    If your PHP version is not at least 5.2.0 see the announcement thread for more options.

    Important - Some of the code boxes have a horizontal scroll bar, you will need to scroll to the right to see the entire line of code in these cases.

    In includes/functions.php

    Find the code:

    Code:
             $postvars = construct_post_vars_html();
             if ($vbulletin->GPC['postvars'])
             {
                $_postvars = @unserialize(verify_client_string($vbulletin->GPC['postvars']));
    Replace the line:
    Code:
                $_postvars = @unserialize(verify_client_string($vbulletin->GPC['postvars']));
    With:
    Code:
                $_postvars = array();
                $client_string = verify_client_string($vbulletin->GPC['postvars']);
                if ($client_string)
                {
                    $_postvars = @json_decode($client_string, true);
                }
    In includes/functions_login.php

    Find the code:
    Code:
                 }
                 if ($vbulletin->GPC['postvars'])
                 {
                    $postvars = @unserialize(verify_client_string($vbulletin->GPC['postvars']));
    Replace the line:
    Code:
                    $postvars = @unserialize(verify_client_string($vbulletin->GPC['postvars']));
    With:
    Code:
                    $postvars = array();
                    $client_string = verify_client_string($vbulletin->GPC['postvars']);
                    if ($client_string)
                    {
                        $postvars = @json_decode($client_string, true);
                    }
    Finf the code:
    Code:
                         $postvars['securitytoken'] = $vbulletin->userinfo['securitytoken'];
                     }
     
                    $vbulletin->GPC['postvars'] = sign_client_string(serialize($postvars));
    Replace the line:
    Code:
                    $vbulletin->GPC['postvars'] = sign_client_string(serialize($postvars));
    With:
    Code:
            $vbulletin->GPC['postvars'] = sign_client_string(json_encode($postvars));
    In includes/functions_misc.php

    Find the code:
    Code:
         }
         else if ($vbulletin->superglobal_size['_POST'] > 0)
         {
            return '<input type="hidden" name="postvars" value="' . htmlspecialchars_uni(sign_client_string(serialize($_POST))) . '" />' . "\n";
    Replace the line:
    Code:
            return '<input type="hidden" name="postvars" value="' . htmlspecialchars_uni(sign_client_string(serialize($_POST))) . '" />' . "\n";
    With:
    Code:
            $string = json_encode($_POST);
            return '<input type="hidden" name="postvars" value="' . htmlspecialchars_uni(sign_client_string($string)) . '" />' . "\n";
    Find the code:
    Code:
        $temp = unserialize($serializedarr);
    Replace with:
    Code:
        $temp = json_decode($serializedarr, true);

    In forumdisplay.php

    Find the code:
    Code:
             {
                 if (($check = verify_client_string($vbulletin->GPC['postvars'])) !== false)
                 {
                    $temp = unserialize($check);
    Replace the line:
    Code:
                    $temp = unserialize($check);
    With:
    Code:
                    $temp = json_decode($check, true);
    In login.php (note- in some versions of 4.x this code does not exist, in that case ignore this step)

    Find the code:
    Code:
         exec_unstrike_user($vbulletin->GPC['vb_login_username']);
     
        $_postvars = @unserialize(verify_client_string($vbulletin->GPC['postvars']));
    Replace the line:
    Code:
        $_postvars = @unserialize(verify_client_string($vbulletin->GPC['postvars']));
    With:
    Code:
        $_postvars = array();
        $client_string = verify_client_string($vbulletin->GPC['postvars']);
        if ($client_string)
        {
            $_postvars = @json_decode($client_string, true);
        }


    After editing each file upload it back to your server. Keep a backup of the old file just in case. If you ever need a backup of the original file you can re-download your version of VB 4.x from the Member's Area. Only vBulletin 4.2.2 will be officially patched in the Member's Area.

    If you are on Windows use a dedicated code editor like Notepad2 or Notepad++ (both are free) to edit your .php files, do not use Windows Notepad.
    Last edited by BirdOPrey5; Wed 19 Mar '14, 4:45pm. Reason: added missing step in functions_misc.php
widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
Working...
X