Announcement

Collapse
No announcement yet.

YUI flash uploader exploit and the vb recommended fix

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • alexm
    replied
    Following some extremely helpful suggestions from FranzBanz I've updated the above .zip file with v2 of the patched flash uploader

    1) finding another exploit (using another parameter). Exploit fixed by setting the parameter (not used by vBulletin) to null.
    2) '-' added to allowed characters in allowedDomain
    Last edited by alexm; Sat 11 Jan '14, 1:00pm.

    Leave a comment:


  • alexm
    replied
    Following my last post I think I've managed to fix the flash file... The problem was with the decompiled source. I managed to find the original Actionscript source code for YUI 2.9.0 here:

    https://github.com/yui/yui2/tree/master/src/uploader/as

    I used that to replace some of the decompiled source from uploader.swf and then recompiled with a REGEX to sanitise allowedDomain. The result is a working uploader.swf that passes the exploit proof of concept

    PHP Code:
    uploader.swf?allowedDomain=\%22}%29%29%29}catch%28e%29{alert%28document.domain%29;}// 

    If there are any proper Flash developers out there who can double check my code I will be happy to share the source!

    DISCLAIMER: I am not a flash developer, I am just another vBulletin customer trying to keep his members happy! This file is provided free of charge for the benefit of the vBulletin community. You use it at your own risk! Please test before using on a live site!!


    I have moved the .zip file to vbulletin.org as it's easier to maintain in just one place!

    DOWNLOAD HERE
    Last edited by alexm; Fri 14 Feb '14, 10:46am.

    Leave a comment:


  • djbaxter
    replied
    See the fix suggested here - it works: http://www.vbulletin.com/forum/forum...41#post4015641

    Leave a comment:


  • voclain
    replied
    So…you are saying that on 4.2.2 just get over it…we cannot have multiple files uploaded at the same time….but on version 5 we can???? REALLY????

    Kirk

    Leave a comment:


  • voclain
    replied
    TEST

    Leave a comment:


  • DirtRider
    replied
    Originally posted by magmf View Post
    That is why people continue to move to xenforo and ipb lack of support... this sucks...
    Well I have just started this process now as you say no customers support these days, take it or leave it type attitude. I will rather just leave it now while I still have a bit of a forum to convert as who know what will be next.

    Leave a comment:


  • Infopro
    replied
    Originally posted by alexm View Post
    Is there anyone here who is decent with Flash?

    I've been having a go at fixing this but I've never worked with Flash before and I'm stuck. I have got as far as decompiling uploader.swf, locating the offending piece of code, writing a REGEX to sanitise the allowedDomains parameter, recompiling and confirming the exploit itself is fixed.

    The problem?

    The actual uploading function is broken!

    It goes through all the motions selecting the files properly and then fails at the last hurdle when you press the Upload button... basically nothing happens. If there is a Flash guru on here I will be happy to share the Flash source code of my attempt so far on the understanding that if we get it working the fix will be made available to all.

    Alex
    Not sure how helpful this is to you:
    /http://www.garage4hackers.com/showthread.php?t=5167

    Leave a comment:


  • Kaith Rustaz
    replied
    Originally posted by Joe D. View Post
    You're not going to get back the ability to CTRL+Click and upload 5 files at the same time with the AJAX uploader. You can upload 5 files but each one must be chosen individually. Sorry for the confusion.
    You're kidding, right? "Find Bug, remove functionality" as a support method was what soured me on Intuit's software.

    Leave a comment:


  • DirtRider
    replied
    Either that or push us into VB5 but you right they seem to feel nothing for us customers by the looks of it. VB5 is just not an option. The question now is what will the next issue be that they just disregard in this manner.

    Leave a comment:


  • Art Andrews
    replied
    Originally posted by Joe D. View Post
    You're not going to get back the ability to CTRL+Click and upload 5 files at the same time with the AJAX uploader. You can upload 5 files but each one must be chosen individually. Sorry for the confusion.
    That is a pretty shocking statement as it simply reads as IB not caring that you suddenly have 100s if not 1000s of customers who have lost a pretty significant piece of basic functionality and are fine with relegating them back to the stone age of uploading a single file at a time. Is this REALLY where IB is at? Are they purposefully trying to push customers to other products?

    Leave a comment:


  • charlesr
    replied
    Sorry, I can't help Alex, but [encourage]please keep at it![/encourage] I've subbed to this thread, so if you solve it, please post again

    Leave a comment:


  • alexm
    replied
    Is there anyone here who is decent with Flash?

    I've been having a go at fixing this but I've never worked with Flash before and I'm stuck. I have got as far as decompiling uploader.swf, locating the offending piece of code, writing a REGEX to sanitise the allowedDomains parameter, recompiling and confirming the exploit itself is fixed.

    The problem?

    The actual uploading function is broken!

    It goes through all the motions selecting the files properly and then fails at the last hurdle when you press the Upload button... basically nothing happens. If there is a Flash guru on here I will be happy to share the Flash source code of my attempt so far on the understanding that if we get it working the fix will be made available to all.

    Alex

    Leave a comment:


  • BirdOPrey5
    replied
    You're not going to get back the ability to CTRL+Click and upload 5 files at the same time with the AJAX uploader. You can upload 5 files but each one must be chosen individually. Sorry for the confusion.

    Leave a comment:


  • joeychgo
    replied

    Originally posted by mediasnog View Post
    For those that don't have the ability to upload multiple files at once do this...

    Go to ACP->Settings->Options and select Message Attachment Options. Set 'Attachments Per Post' to what you want the max to be AND set 'Attachment Upload Inputs' to the number of input boxes you want.

    That will give the ability to upload multiple files similar to vB 3.


    No - doesn't work. I have it set to 0 and 5. I also tried setting it to 5 and 5. No change.

    Leave a comment:


  • yogesh
    replied
    See http://www.vbulletin.com/forum/forum...-asset-manager

    Leave a comment:

Related Topics

Collapse

Working...
X