new XSS vulnerability [4.0.2 PL 1] we are affected?

Collapse
X
Collapse
 
  • Page of 4
  • Time
  • Show
Clear All
new posts
Previous 1 2 3 4 template Next
  • Bergler
    Senior Member
    • Dec 2006
    • 560
    #46
    Originally posted by Paul M
    Quick [temp] fix ;

    Search the templates for {vb:raw query} replace with {vb:var query}

    There are about 10 of them.
    So even after the last update(Todays PL2) this still needs to be done because after upgrading the patch from the patch it went in and searched for {vb:raw query} and its all still there?
    Last edited by Bergler; Tue 23 Mar '10, 2:08pm.

      Comment

      • Paul M
        Former Lead Developer
        vB.Com & vB.Org
        • Sep 2004
        • 9886
        #47
        Originally posted by Trevor Hannant
        As I understand it, forums already running 3.8.5 are already covered against the XSS issue.
        Originally posted by Floris
        a) no patch release for 3.8.4 pl2 -> pl3 has been released
        b) NO mention at all for this fix in 3.8.5 has been posted in the announcement
        The XSS issue does not exist in vb 3.8.x, therefore there is no fix to announce.


        Originally posted by Bergler
        So even after the last update(Todays PL2) this still needs to be done because after upgrading the patch from the patch it went in and searched for {vb:raw query} and its all still there?
        No, you don't need to do anything, the patch simply fixes the problem in a different manner, so the template changes are unnecessary.
        Baby, I was born this way

          Comment

          • Floris
            Senior Member
            • Dec 2001
            • 37767
            #48
            The password weakness one exists in 3.x too. See the announcement thread, they patched 3.x branch too. Someone from staff linked to the announcement, and that's wher ei followed up with.

              Comment

              • Paul M
                Former Lead Developer
                vB.Com & vB.Org
                • Sep 2004
                • 9886
                #49
                Originally posted by Floris
                The password weakness one exists in 3.x too.
                Indeed, it does (did). I thought you were referring to the XSS. The salt change is included in 3.8.5, but they didnt mention it in the announcement, possibly because Don based his text on the bug list, and I dont think its a logged bug. Just a guess tho.
                Baby, I was born this way

                  Comment

                  • Floris
                    Senior Member
                    • Dec 2001
                    • 37767
                    #50
                    Originally posted by Paul M
                    Indeed, it does (did). I thought you were referring to the XSS. The salt change is included in 3.8.5, but they didnt mention it in the announcement, possibly because Don based his text on the bug list, and I dont think its a logged bug. Just a guess tho.
                    And as a consequence license type 3 license holders with expired licenses who are eligible for free security patches can't patch their insecure forums.

                      Comment

                      Previous 1 2 3 4 template Next
                      widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                      Working...
                      😀
                      😂
                      🥰
                      😘
                      🤢
                      😎
                      😞
                      😡
                      👍
                      👎