new XSS vulnerability [4.0.2 PL 1] we are affected?


  • Floris
    replied
    Originally posted by Paul M
    Indeed, it does (did). I thought you were referring to the XSS. The salt change is included in 3.8.5, but they didn't mention it in the announcement, possibly because Don based his text on the bug list, and I don't think it's a logged bug. Just a guess though.
    And as a consequence license type 3 license holders with expired licenses who are eligible for free security patches can't patch their insecure forums.


  • Paul M
    replied
    Originally posted by Floris
    The password weakness one exists in 3.x too.
    Indeed, it does (did). I thought you were referring to the XSS. The salt change is included in 3.8.5, but they didn't mention it in the announcement, possibly because Don based his text on the bug list, and I don't think it's a logged bug. Just a guess though.


  • Floris
    replied
    The password weakness one exists in 3.x too. See the announcement thread, they patched 3.x branch too. Someone from staff linked to the announcement, and that's where I followed up with.


  • Paul M
    replied
    Originally posted by Trevor Hannant
    As I understand it, forums already running 3.8.5 are already covered against the XSS issue.
    Originally posted by Floris
    a) no patch release for 3.8.4 pl2 -> pl3 has been released
    b) NO mention at all for this fix in 3.8.5 has been posted in the announcement
    The XSS issue does not exist in vb 3.8.x, therefore there is no fix to announce.


    Originally posted by Bergler
    So even after the last update (Today's PL2) this still needs to be done because after upgrading the patch from the patch it went in and searched for {vb:raw query} and it's all still there?
    No, you don't need to do anything, the patch simply fixes the problem in a different manner, so the template changes are unnecessary.


  • Bergler
    replied
    Originally posted by Paul M
    Quick [temp] fix ;

    Search the templates for {vb:raw query} replace with {vb:var query}

    There are about 10 of them.
    So even after the last update (Today's PL2) this still needs to be done because after upgrading the patch from the patch it went in and searched for {vb:raw query} and it's all still there?
    Last edited by Bergler; Tue 23 Mar '10, 1:08pm.


  • Floris
    replied
    http://www.vbulletin.com/forum/showt...77#post1950777

    That answered the first question. Thanks for the update.


  • Loco.M
    replied
    Originally posted by Paul M
    Quick [temp] fix ;

    Search the templates for {vb:raw query} replace with {vb:var query}

    There are about 10 of them.
    thanks for the fix Paul

    Leave a comment:
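The temporary fix quoted in the posts above, as an added example that is not part of any post in this thread and is not vBulletin's own code: it audits a set of templates for `{vb:raw query}`, applies the rewrite to `{vb:var query}`, and shows the effect on output. It assumes `{vb:var}` HTML-escapes the value while `{vb:raw}` emits it unchanged; the template names, their contents and the `render` helper are constructed for illustration.

```python
import html
import re

# Constructed sample templates; names and markup are hypothetical, not vBulletin's.
SAMPLE = {
    "example_search_header": 'Results for <b>{vb:raw query}</b>\n'
                             '<input name="q" value="{vb:raw query}" />',
    "example_navbar": '<a href="{vb:raw home_url}">Home</a>',
}

def raw_tag(var):
    """Pattern for the unescaped output tag of one variable, e.g. {vb:raw query}."""
    return re.compile(r"\{vb:raw\s+" + re.escape(var) + r"\s*\}")

def audit(templates, var="query"):
    """List (template, line number, line) for every remaining {vb:raw <var>}."""
    pat, hits = raw_tag(var), []
    for name, body in sorted(templates.items()):
        for no, line in enumerate(body.splitlines(), 1):
            hits.extend((name, no, line.strip()) for _ in pat.finditer(line))
    return hits

def apply_temp_fix(templates, var="query"):
    """Rewrite {vb:raw <var>} to {vb:var <var>}; other raw tags are left alone."""
    pat, fixed, total = raw_tag(var), {}, 0
    for name, body in templates.items():
        fixed[name], count = pat.subn("{vb:var " + var + "}", body)
        total += count
    return fixed, total

def render(body, values):
    """Assumed, simplified model: vb:var HTML-escapes the value, vb:raw does not."""
    def substitute(match):
        value = values.get(match.group(2), "")
        return html.escape(value, quote=True) if match.group(1) == "var" else value
    return re.sub(r"\{vb:(var|raw)\s+(\w+)\s*\}", substitute, body)

if __name__ == "__main__":
    for name, no, line in audit(SAMPLE):
        print(f"{name}:{no}: {line}")
    fixed, count = apply_temp_fix(SAMPLE)
    print(f"rewrote {count} tag(s); remaining: {len(audit(fixed))}")
    print(render(fixed["example_search_header"], {"query": "<em>test</em>"}))
```

Running `audit` again after an upgrade shows whether any template still carries the raw tag, which is the check Bergler describes doing by hand.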


  • Floris
    replied
    I have 2 more questions, one for v3 and one for v4.

    I noticed version 3 has a define change from 3 to 30, but I didn't see this in version 4. Won't that screw up the passwords of users who sign up after it's patched, or who change their password?
    And for version 3, if the announcement mentions that it's decrypting the pass hash, they therefore have the short (3) salt, but they have it. So changing the salt to a longer (30) one .. how does that solve it? Doesn't this only mean you delay the length in time it takes to rainbow it?

    I am not a developer, so I can be completely wrong. Hoping to hear from you guys soon. But to avoid issues with define set to 3 on 4.0.2 pl2 on friends' forums, I am telling them not to upgrade.


  • Floris
    replied
    Originally posted by Trevor Hannant
    As I understand it, forums already running 3.8.5 are already covered against the XSS issue.
    I've looked into this, and that seems to be the case indeed. I find it quite strange that

    a) no patch release for 3.8.4 pl2 -> pl3 has been released
    b) NO mention at all for this fix in 3.8.5 has been posted in the announcement

    Users who don't upgrade maintenance releases since they're not serious upgrades or security related, and have been hacked since the announcement (if any) must be feeling quite unhappy, knowing they would have upgraded if they knew the maintenance release actually included a serious security issue.


  • Trevor Hannant
    replied
    As I understand it, forums already running 3.8.5 are already covered against the XSS issue.


  • Floris
    replied
    Do 3.8.5 users have to redownload 3.8.5 or did the 3.8.5 announcement happen to not mention anything about this security issue?

    If so, that must suck for those board owners who had 3.8.4.pl2 and didn't see a reason to upgrade, then get hacked, just to find out that it could have been prevented.

    More clarity please, appreciated.


  • Reeve of Shinra
    replied
    Then not even Kryptonite will be able to stop vb4!


  • Brandon_R
    replied
    "What doesn't kill you only makes you stronger"

    The more bugs you find now can lead to a more stable product later on.


  • Harv
    replied
    Anyone else getting a
    PHP Code:
    require_once('./upgradecore.php'); 
    error when trying the upgrade_402_salt.php on line 25?

    Edit:
    The patch files assume you have a full /forumdir/install directory. For those of you who remove /forumdir/install after each upgrade, DL the full install and place relevant files in the install folder. The required files aren't included with the patch.
    Last edited by Harv; Mon 22 Mar '10, 4:28pm.


  • Harv
    replied
    Originally posted by Lynne
    As per the announcement that Wayne posted a link to, there is a patch. Patches may be found at http://members.vbulletin.com/patches.php
    Thanks Lynne. The patch wasn't linked in his post.
