Announcement

Collapse
No announcement yet.

new XSS vulnerability [4.0.2 PL 1] we are affected?

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • [Forum] new XSS vulnerability [4.0.2 PL 1] we are affected?

    Hi there,
    I heard that some one discovered a new way to hack 4.0.2 PL 1 by XSS and they discovered it yesterday and still vb.com didn't tell us what we have to do?

    is this right they can hack our forum by XSS? and we are affected and ready to get hacked?
    Last edited by Zachery; Sun 21 Mar '10, 11:00am.

  • #2


    yes, all 4.0.2 pl1 are affected.

    Comment


    • #3
      *sighs*

      Here we go again.

      *Waits for Patch Level Two*

      Comment


      • #4
        Originally posted by icarusforde View Post
        *sighs*

        Here we go again.

        *Waits for Patch Level Two*
        There should be only a few lines of code to edit, why is it taking so long ?

        Comment


        • #5
          Because it's not just a few lines of code to edit.

          Comment


          • #6
            Originally posted by icarusforde View Post
            Because it's not just a few lines of code to edit.
            Okay, I thought it must be quite easy

            Comment


            • #7
              Not really. It's easier for hackers to get in than to keep hackers out... That being said, it should be harder for them to get in when it comes down to it in the first place.

              Comment


              • #8
                Quick [temp] fix ;

                Search the templates for {vb:raw query} replace with {vb:var query}

                There are about 10 of them.
                Baby, I was born this way

                Comment


                • #9
                  Back up your databases and current files and folders. If you get smacked you can over write the affected files with your backups. It's a good idea to do that anyway.
                  Hopefully they get a patch out soon.
                  ...

                  Comment


                  • #10
                    Originally posted by Paul M View Post
                    Quick [temp] fix ;

                    Search the templates for {vb:raw query} replace with {vb:var query}

                    There are about 10 of them.
                    Thanks Paul

                    Comment


                    • #11
                      Hi,
                      could something equal has any effect on vB 3.8.x or is that special in vB4.

                      Greetings
                      Christian
                      My Sites in German: Brasilien with Brasilien Forum

                      Comment


                      • #12
                        Originally posted by CThiessen View Post
                        Hi,
                        could something equal has any effect on vB 3.8.x or is that special in vB4.

                        Greetings
                        Christian
                        Special for vB4.

                        Comment


                        • #13
                          Originally posted by Paul M View Post
                          Quick [temp] fix ;

                          Search the templates for {vb:raw query} replace with {vb:var query}

                          There are about 10 of them.
                          Thanks

                          Comment


                          • #14
                            date [2010-03-19]
                            why it take them so long to react? 2 days and still not fixed

                            previous xss was fixed after more then 1 week (first report 2010-02-15, second report 2010-02-20, fixed on 2010-02-23)
                            http://www.vbulletin.com/forum/images/editor/smilie.gif

                            Comment


                            • #15
                              Originally posted by lim (x³-7x²) = ∞ View Post
                              why it take them so long to react? 2 days and still not fixed
                              Maybe because:
                              Originally posted by icarusforde View Post
                              Because it's not just a few lines of code to edit.

                              Comment

                              widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                              Working...
                              X