
new XSS vulnerability [4.0.2 PL 1] we are affected?


  • #31
    I am having the same problem but with 3.7.3 PL1
    Sorry to post here but does someone know if a patch was released? How to remove this freaking hack?


    • #32
      Translations provided by Google.

      Wayne Luke
      The Rabid Badger - a vBulletin Cloud demonstration site.
      vBulletin 5 API


      • #33
        Do we have to do an entire upload/upgrade or is there a patch to replace the affected files?


        • #34
          As per the announcement that Wayne posted a link to, there is a patch. Patches may be found at

          Please don't PM or VM me for support - I only help out in the threads.
          vBulletin Manual & vBulletin 4.0 Code Documentation (API)
          Want help modifying your vbulletin forum? Head on over to
          If I post CSS and you don't know where it goes, throw it into the additional.css template.

          W3Schools <- awesome site for html/css help


          • #35
            Where is the 3.8.5 patch? I was one of the first people to report this exploit and have the first version of 3.8.5, which has already been changed once, and now again? How do I upgrade to the same version? I need a patch, please.


            • #36
              Originally posted by Lynne
              As per the announcement that Wayne posted a link to, there is a patch. Patches may be found at
              Thanks Lynne. The patch wasn't linked in his post.


              • #37
                Anyone else getting a
                PHP Code:
                error when trying the upgrade_402_salt.php on line 25?

                The patch files assume you have a full /forumdir/install directory. For those of you who remove /forumdir/install after each upgrade, DL the full install and place relevant files in the install folder. The required files aren't included with the patch.
                Last edited by Harv; Mon 22 Mar '10, 4:28pm.


                • #38
                  "What doesn't kill you only makes you stronger"

                  The more bugs you find now can lead to a more stable product later on.


                  • #39
                    Then not even Kryptonite will be able to stop vb4!
                    Plan, Do, Check, Act!


                    • #40
                      Do 3.8.5 users have to redownload 3.8.5 or did the 3.8.5 announcement happen to not mention anything about this security issue?

                      If so, that must suck for those board owners who had 3.8.4.pl2 and didn't see a reason to upgrade, then get hacked, just to find out that it could have been prevented.

                      More clarity please, appreciated.


                      • #41
                        As I understand it, forums already running 3.8.5 are already covered against the XSS issue.
                        Vote for:

                        - *Admin Settable Paid Subscription Reminder Timeframe*
                        *PM - Add ability to reply to originator only*
                        - Add Admin ability to auto-subscribe users to specific channel(s)
                        - "Quick Route" Interface...


                        • #42
                          Originally posted by Trevor Hannant
                          As I understand it, forums already running 3.8.5 are already covered against the XSS issue.
                          I've looked into this, and that seems to be the case indeed. I find it quite strange that

                          a) no patch release for 3.8.4 pl2 -> pl3 has been released
                          b) NO mention at all for this fix in 3.8.5 has been posted in the announcement

                          Users who don't upgrade maintenance releases since they're not serious upgrades or security related, and have been hacked since the announcement (if any) must be feeling quite unhappy, knowing they would have upgraded if they knew the maintenance release actually included a serious security issue.


                          • #43
                            I have 2 more questions, one for v3 and one for v4.

                            I noticed version 3 has a define change from 3 to 30, but I didn't see this in version 4. Won't that screw up the passwords of users who sign up after it's patched, or who change their password?
                            And for version 3, if the announcement mentions that it's decrypting the pass hash, they therefore have the short (3) salt, but they have it. So changing the salt to a longer (30) one .. how does that solve it? Doesn't this only mean you delay the length in time it takes to rainbow it?

                            I am not a developer, so I can be completely wrong. Hoping to hear from you guys soon. But to avoid issues with the define set to 3 on 4.0.2 pl2 on friends' forums, I am telling them not to upgrade.


                            • #44
                              Originally posted by Paul M
                              Quick [temp] fix ;

                              Search the templates for {vb:raw query} replace with {vb:var query}

                              There are about 10 of them.
                              Thanks for the fix, Paul.
                              -- Web Developer for hire
                              ---Online Marketing Tools and Articles
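
The temporary fix quoted above swaps {vb:raw query} for {vb:var query}; the following is an added example, not part of the thread or vBulletin's own code, that audits a set of templates for the raw tag, applies the replacement, and shows the difference in output. The template names, markup and the toy renderer are assumptions; the renderer models vb:raw as inserting the value unchanged and vb:var as HTML-escaping it.

```python
import html
import re

# Constructed sample templates (names and markup are hypothetical, not real vBulletin templates).
TEMPLATES = {
    "search_results_header": '<h2>Results for: {vb:raw query}</h2>',
    "search_form": '<input type="text" name="query" value="{vb:raw query}" />',
    "postbit": '<div class="content">{vb:raw post.message}</div>',
}

RAW_QUERY = re.compile(r"\{vb:raw\s+query\}")
TAG = re.compile(r"\{vb:(raw|var)\s+([\w.]+)\}")


def find_raw_query(templates):
    """Return {template_name: count} for templates that still output `query` unescaped."""
    hits = {}
    for name, text in templates.items():
        count = len(RAW_QUERY.findall(text))
        if count:
            hits[name] = count
    return hits


def apply_temp_fix(templates):
    """Apply the quoted fix: {vb:raw query} -> {vb:var query}; other raw tags are untouched."""
    return {name: RAW_QUERY.sub("{vb:var query}", text) for name, text in templates.items()}


def render(text, values):
    """Toy renderer (assumption): raw inserts the value as-is, var HTML-escapes it."""
    def substitute(match):
        mode, key = match.group(1), match.group(2)
        value = values.get(key, "")
        return value if mode == "raw" else html.escape(value, quote=True)
    return TAG.sub(substitute, text)


if __name__ == "__main__":
    probe = {"query": '"><b>markup</b>'}  # constructed, harmless probe string
    print("templates to fix:", find_raw_query(TEMPLATES))
    fixed = apply_temp_fix(TEMPLATES)
    for name in TEMPLATES:
        print(name, "|", render(TEMPLATES[name], probe), "->", render(fixed[name], probe))
```

Re-running find_raw_query on the patched set should return an empty result, which is a quick check that none of the occurrences were missed.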


                              • #45

                                That answered the first question. Thanks for the update.

