YUI flash uploader exploit and the vb recommended fix


  • camoit
    replied
    I just upgraded to V4.1.12 from 4.1.11. And the upgrade killed the uploader. This is why I'm always reluctant to upgrade unless you have a stock board with no mods or personalization.
    The file upload fix worked.

    That's all I need to say. He did it. I recommend the fix to all VB users.


  • craigvm
    commented on 's reply
    Seems support just ain't available for us on vb4 now. I have another problem on another thread that's been left by support since 23 of October last year, now with no fix, so it does seem ipb or xenforo is the only way forward and the 170 I spent for vb4 just 18 months is worth nothing.

  • craigvm
    replied
    Originally posted by Joe D.
    You're not going to get back the ability to CTRL+Click and upload 5 files at the same time with the AJAX uploader. You can upload 5 files but each one must be chosen individually. Sorry for the confusion.
    We may as well move to a free software then, my other forum is on mybb and I've got every feature on there that vb4 has, now vb4 has just been made more basic with the image uploads.


  • joeychgo
    replied
    Originally posted by Wayne Luke
    You should release this on www.vbulletin.org. Customers are free to use it at their own risk.
    If it's a good fix it should be incorporated into vb 4.22pl1


  • CrossoverX
    replied
    Does the YUI flash uploader affect the Avatar Upload?


  • alexm
    replied
    Originally posted by Wayne Luke
    You should release this on www.vbulletin.org. Customers are free to use it at their own risk.
    Done.

    http://www.vbulletin.org/forum/showthread.php?t=307008


  • Wayne Luke
    replied
    You should release this on www.vbulletin.org. Customers are free to use it at their own risk.


  • alexm
    replied
    Could it be a browser/caching issue relating to changing between ajax and flash settings?


  • mediasnog
    replied
    Originally posted by alexm

    The only way I can duplicate this is if you use the 'Insert Image' button in the advanced editor. The image is attached and inserted but the attachment isn't listed below the 'Manage Attachments' button until it is refreshed (e.g. by doing a preview).

    This appears to happen regardless of whether you use flash or ajax to upload the files so I'm assuming it has always been this way?
    Alex, it's odd. The only place I have a problem is on my development server. It seems to work fine on live sites.

    I'll have to research this a little more.


  • alexm
    replied
    Originally posted by mediasnog
    The only problem I've found is with my installation of IE-10 is it works fine with quick reply, but in advanced reply or new thread files get uploaded, but the files don't populate in the 'Attachments' box for 'manage attachments'. You have to exit the upload screen and refresh the editor page. If you do that the files are there.
    The only way I can duplicate this is if you use the 'Insert Image' button in the advanced editor. The image is attached and inserted but the attachment isn't listed below the 'Manage Attachments' button until it is refreshed (e.g. by doing a preview).

    This appears to happen regardless of whether you use flash or ajax to upload the files so I'm assuming it has always been this way?


  • DirtRider
    replied
    VB made such a huge issue out of how this could not be fixed and here we have alexm giving us a fix. Thank alexm we can still use this until our migration to Xenforo is completed.

    Now the next question is what will be the next issue that comes up in VB that they cannot fix.
    Last edited by DirtRider; Mon 13th Jan '14, 6:06am.


  • mediasnog
    replied
    The only problem I've found is with my installation of IE-10 is it works fine with quick reply, but in advanced reply or new thread files get uploaded, but the files don't populate in the 'Attachments' box for 'manage attachments'. You have to exit the upload screen and refresh the editor page. If you do that the files are there.
    Last edited by mediasnog; Mon 13th Jan '14, 5:36am.


  • Trevor Matthews
    replied
    Hi Alex

    Well my members and I really want to thank you.
    I now have the forum back to where it was before this nonsense happened.

    What a shame this was not sorted by vBulletin.

    regards
    Trevor


  • alexm
    replied
    Hi Dmitri,

    Unless anyone else can find any further problems which need fixing I'm not intending to develop it further. The .zip file posted earlier contains a working uploader.swf with the allowedDomain exploit fixed plus another potential exploit also fixed so those who want to stick with the flash uploader are now able to return the functionality back to exactly what it was before all this started, which was the main goal of this exercise.

    Alex


  • Dmitri
    replied
    Originally posted by alexm
    Following some extremely helpful suggestions from FranzBanz I've updated the above .zip file with v2 of the patched flash uploader

    1) finding another exploit (using another parameter). Exploit fixed by setting the parameter (not used by vBulletin) to null.
    2) '-' added to allowed characters in allowedDomain
    Alex, thanks for your efforts! I would love to return back flash uploader, so please keep us up to date with your development work
