YUI Security Issue

  • YUI Security Issue

    Saw this security alert: http://www.vbulletin.com/forum/forum...n-uploader-swf

    Could someone explain what exactly that file does in vB4 and how its removal will affect the user experience on my site? If YUI 2 is end-of-life, why aren't we using YUI 3?
    Thanks.

  • #2
    YUI 3 is not a drop-in replacement for YUI 2. It's about the same amount of work/effort to move to jQuery as it is to YUI 3. So that is why it's not replaced. The removal will only allow users to use the ajax uploader instead of the flash uploader. The system will auto fallback if the flash uploader does not respond correctly.



    • #3
      There was no attached file btw.


      • #4
        There was a bit of human error in the email, check the announcement forum.



        • #5
          They refuse to fix a broken product, go figure.



          • #6
            We've provided a fix for the issue without sacrificing overall functionality in vBulletin. We can't fix third-party integrated code. Lack of updates to code is why we've moved away from YUI.

            Wayne Luke


            • #7
              I'm still not seeing a file in the announcement to replace the clientscript\yui\uploader\assets\uploader.swf file. Can I just edit it in place, delete everything in it and save it? Thanks.


              • #8
                Where is the attachment .swf file? It's not in the email VB sent, it's not in the post on the announcements forum, it's nowhere. Not the best way to handle a security risk.



                • #9
                  It's attached to the announcement post, but it is literally just a blank file with the same name as the original.
                  MARK.B | vBULLETIN SUPPORT



                  • #10
                    Originally posted by Zachery
                    YUI 3 is not a drop-in replacement for YUI 2. It's about the same amount of work/effort to move to jQuery as it is to YUI 3. So that is why it's not replaced. The removal will only allow users to use the ajax uploader instead of the flash uploader. The system will auto fallback if the flash uploader does not respond correctly.
                    Can we expect any such update using jquery, then?

                    Is there any way to edit/improve the look of the ajax uploader? The "Upload File(s)" button needs 1) to look like a button and 2) to be spaced down from the "Choose File" button. I'd also like to be able to add some text that would explain how to use it.



                    • bchertov commented
                      I agree completely! By any chance have you made your suggested changes yet? If not, I plan to hire someone for this.

                  • #11
                    Originally posted by dougdirac
                    Can we expect any such update using jquery, then?

                    Is there any way to edit/improve the look of the ajax uploader? The "Upload File(s)" button needs 1) to look like a button and 2) to be spaced down from the "Choose File" button. I'd also like to be able to add some text that would explain how to use it.
                    It is unlikely this will happen anytime soon, if at all.
                    MARK.B | vBULLETIN SUPPORT



                    • #12
                      So is there a template or a file I can edit to improve the look and clarity of the ajax uploader? I don't want a bunch of confused users.



                      • #13
                        So what are the implications of this potential exploit? Do I need to start combing my tree for unauthorized file uploads? What damage could have been done?



                        • #14
                          So I can just delete uploader.swf, and not deal with replacing it?



                          • #15
                            Originally posted by vbsm
                            So I can just delete uploader.swf, and not deal with replacing it?
                            I think if you simply delete the file, it will break things. I.e., the uploader won't work at all. You need to replace it with a blank file.

                            By the way, this particular exploit was made public on November 11, 2013 -- nearly two months ago. Why are we just hearing about it?
                            http://yuilibrary.com/support/20131111-vulnerability/
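
The mitigation described in posts #9 and #15 (swap uploader.swf for an empty file of the same name), as an added shell example that is not part of the thread or vBulletin's own tooling: it finds every non-empty copy under a web root, saves the original to a quarantine directory, and truncates the file in place. The web-root and quarantine paths are arguments you supply (assumptions); the `*/uploader/assets/uploader.swf` pattern follows the path quoted in post #7.

```shell
#!/bin/sh
# Added example: audit a web root for YUI 2 Flash uploader files and blank them.
# Usage (paths are assumptions, adjust to your install):
#   sh blank_yui_swf.sh /var/www/forum             # report only
#   sh blank_yui_swf.sh /var/www/forum /root/q     # blank, keeping originals

# Print every uploader.swf under $1 that still has content (size > 0 bytes).
# Old backups and bundled copies of YUI under the same root are matched too.
find_live_swf() {
    find "$1" -type f -path '*/uploader/assets/uploader.swf' -size +0c -print
}

# Replace each non-empty uploader.swf under $1 with an empty file of the same
# name. The original is copied to $2 first; $2 should sit outside the web root
# so the old file can no longer be requested over HTTP.
blank_swf() {
    root=$1
    quarantine=$2
    mkdir -p "$quarantine" || return 1
    find "$root" -type f -path '*/uploader/assets/uploader.swf' -size +0c \
        -exec sh -c '
            q=$1; shift
            for f; do
                # Flatten the path so copies from different trees do not collide.
                dest="$q/$(printf "%s" "$f" | tr "/" "_")"
                # Truncating in place keeps the owner and mode of the file.
                cp -p "$f" "$dest" && : > "$f" && printf "blanked %s\n" "$f"
            done' sh "$quarantine" {} +
}

if [ "$#" -ge 2 ]; then
    blank_swf "$1" "$2"
elif [ "$#" -eq 1 ]; then
    find_live_swf "$1"
fi
```

Running the report-only form again afterwards should print nothing; any path it still lists is a copy that was not blanked.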
