new XSS vulnerability [4.0.2 PL 1] we are affected?

**john_stm** · Mon 22 Mar '10, 9:50am

I am having the same problem but with 3.7.3 PL1
Sorry to post here but does someone know if a patch was released? How to remove this freaking hack?

**Wayne Luke** · Mon 22 Mar '10, 11:09am

Security Fix Releases 3.7.7 and 4.0.2 PL 2 - vBulletin Community Forum

http://www.vbulletin.com/forum/showthread.php?346486-Security-Fix-Releases-3.7.7-and-4.0.2-PL-2&p=1950226#post1950226

**Harv** · Mon 22 Mar '10, 4:13pm

Do we have to do an entire upload/upgrade or is there a patch to replace the affected files?

**Lynne** · Mon 22 Mar '10, 4:21pm

As per the announcement that Wayne posted a link to, there is a patch. Patches may be found at http://members.vbulletin.com/patches.php

**DieselMinded** · Mon 22 Mar '10, 4:22pm

where is the 3.8.5 patch? i was one of the first people to report this exploit and have the first version of 3.8.5 which has already been changed once , and now again? how do i upgrade to the same version? i need a patch please

**Harv** · Mon 22 Mar '10, 4:23pm

Originally posted by Lynne

As per the announcement that Wayne posted a link to, there is a patch. Patches may be found at http://members.vbulletin.com/patches.php

Thanks Lynne. The patch wasn't linked in his post.

**Harv** · Mon 22 Mar '10, 4:42pm

Anyone else getting a

PHP Code:


require_once('./upgradecore.php');

error when trying the upgrade_402_salt.php on line 25?

Edit: The patch files assume you have a full /forumdir/install directory.For those of you who remove /forumdir/install after each upgrade, DL the full install and place relevant files in the install folder. The required files aren't included with the patch.

**Brandon_R** · Mon 22 Mar '10, 5:45pm

'What doesn't kill you only makes you stronger"

The more bugs you find now can lead to a more stable product later on.

**Reeve of Shinra** · Mon 22 Mar '10, 8:55pm

Then not even Kryptonite will be able to stop vb4!

**Floris** · Mon 22 Mar '10, 10:11pm

Do 3.8.5 users have to redownload 3.8.5 or did the 3.8.5 announcement happen to not mention anything about this security issue?

If so, that must suck for those board owners who had 3.8.4.pl2 and didn't see a reason to upgrade, then get hacked, just to find out that it could have been prevented.

More clarity please, appreciated.

**Trevor Hannant** · Tue 23 Mar '10, 4:53am

As I understand it, forums already running 3.8.5 are already covered against the XSS issue.

**Floris** · Tue 23 Mar '10, 5:28am

Originally posted by Trevor Hannant

As I understand it, forums already running 3.8.5 are already covered against the XSS issue.

I've looked into this, and that seems to be the case indeed. I find it quite strange that

a) no patch release for 3.8.4 pl2 -> pl3 has been released
b) NO mention at all for this fix in 3.8.5 has been posted in the announcement

Users who don't upgrade maintenance releases since they're not serious upgrades or security related, and have been hacked since the announcement (if any) must be feeling quite unhappy, knowing they would have upgraded if they knew the maintenance release actually included a serious security issue.

**Floris** · Tue 23 Mar '10, 7:01am

I have 2 more questions, one for v3 and one for v4.

I noticed version 3 has a define change from 3 to 30, but I didn't see this in version 4. Won't that screw up the passwords of users who sign up after it's patched, or who change their password?
And for version 3, if the announcement mentions that it's decrypting the pass hash, they therefor have the short (3) salt, but they have it. So changing the salt to a longer (30) one .. how does that solve it? Doesn't this only mean you delay the length in time it takes to rainbow it?

I am not a developer, so I can be completely wrong. Hoping to hear from you guys soon. But to avoid issues with define set to 3 on 4.0.2 pl2 of friends their forums, i am telling them not to upgrade.

**Loco.M** · Tue 23 Mar '10, 7:44am

Originally posted by Paul M

Quick [temp] fix ;

Search the templates for {vb:raw query} replace with {vb:var query}

There are about 10 of them.

thanks for the fix Paul

**Floris** · Tue 23 Mar '10, 8:45am

Security Fix Releases 3.7.7 and 4.0.2 PL 2 - vBulletin Community Forum

http://www.vbulletin.com/forum/showthread.php?346486-Security-Fix-Releases-3.7.7-and-4.0.2-PL-2&p=1950777#post1950777

The answered the first question.

Thanks for the update.

vBulletin 4 End of Life

new XSS vulnerability [4.0.2 PL 1] we are affected?

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment