new XSS vulnerability [4.0.2 PL 1] we are affected?

#46
Originally posted by Paul M:
    Quick [temp] fix ;

    Search the templates for {vb:raw query} replace with {vb:var query}

    There are about 10 of them.
So even after the last update (Today's PL2) this still needs to be done, because after upgrading the patch from the patch it went in and searched for {vb:raw query} and it's all still there?
Last edited by Bergler; Tue 23 Mar '10, 1:08pm.
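As an added example (not code from vBulletin or from anyone in this thread), a small Python audit of the template change Paul M describes: it assumes the vB4 tag semantics that {vb:raw x} inserts a value unescaped while {vb:var x} HTML-escapes it, renders a constructed sample template both ways, and lists the template lines still using {vb:raw query}.

```python
import html
import re

# Constructed sample templates (not real vBulletin templates); the second one
# has the {vb:raw query} -> {vb:var query} change from the thread applied.
TEMPLATE_BEFORE = '<input type="text" name="query" value="{vb:raw query}" />'
TEMPLATE_AFTER = '<input type="text" name="query" value="{vb:var query}" />'

# Matches {vb:raw name} and {vb:var name}; names follow vB's simple identifiers.
TAG_RE = re.compile(r"\{vb:(raw|var) ([A-Za-z_][A-Za-z0-9_.]*)\}")


def render(template: str, variables: dict) -> str:
    """Render a template with the assumed vB4 semantics:
    {vb:raw x} inserts the value as-is, {vb:var x} HTML-escapes it."""
    def substitute(m):
        kind, name = m.group(1), m.group(2)
        value = str(variables.get(name, ""))
        return value if kind == "raw" else html.escape(value, quote=True)
    return TAG_RE.sub(substitute, template)


def find_raw_uses(template: str, name: str = "query") -> list:
    """Audit helper: 1-based line numbers where {vb:raw <name>} still appears."""
    pattern = re.compile(r"\{vb:raw %s\}" % re.escape(name))
    return [i for i, line in enumerate(template.splitlines(), 1)
            if pattern.search(line)]


def is_reflected_unescaped(template: str, name: str = "query") -> bool:
    """Render with a harmless marker containing quote and angle characters and
    report whether it reaches the output unescaped (the condition that makes
    a user-controlled value dangerous in HTML)."""
    marker = '"><marker>'
    return marker in render(template, {name: marker})


if __name__ == "__main__":
    for label, tpl in (("before", TEMPLATE_BEFORE), ("after", TEMPLATE_AFTER)):
        print(label, "raw uses on lines:", find_raw_uses(tpl),
              "unescaped:", is_reflected_unescaped(tpl))
```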


#47
Originally posted by Trevor Hannant:
    As I understand it, forums already running 3.8.5 are already covered against the XSS issue.
Originally posted by Floris:
    a) no patch release for 3.8.4 pl2 -> pl3 has been released
    b) NO mention at all for this fix in 3.8.5 has been posted in the announcement
The XSS issue does not exist in vb 3.8.x, therefore there is no fix to announce.

Originally posted by Bergler:
    So even after the last update (Today's PL2) this still needs to be done, because after upgrading the patch from the patch it went in and searched for {vb:raw query} and it's all still there?
No, you don't need to do anything, the patch simply fixes the problem in a different manner, so the template changes are unnecessary.
Baby, I was born this way


#48
The password weakness one exists in 3.x too. See the announcement thread, they patched the 3.x branch too. Someone from staff linked to the announcement, and that's where I followed up with.


#49
Originally posted by Floris:
    The password weakness one exists in 3.x too.
Indeed, it does (did). I thought you were referring to the XSS. The salt change is included in 3.8.5, but they didn't mention it in the announcement, possibly because Don based his text on the bug list, and I don't think it's a logged bug. Just a guess tho.
Baby, I was born this way


#50
Originally posted by Paul M:
    Indeed, it does (did). I thought you were referring to the XSS. The salt change is included in 3.8.5, but they didn't mention it in the announcement, possibly because Don based his text on the bug list, and I don't think it's a logged bug. Just a guess tho.
And as a consequence, license type 3 license holders with expired licenses who are eligible for free security patches can't patch their insecure forums.
