
vB 3.0.2 XSS Security fix

  • #1

    My owned license has expired and I don't plan to renew for a while. In the past there have been security fixes available to download instead of downloading a whole new version. Will this happen with 3.0.1?

    Also, I have "Enable Standard Controls" enabled. Does that mean I am not affected?
    Last edited by IDN; Fri 2nd Jul '04, 2:07pm.
    Running vB since 4-14-2002

  • #2
    I remember someone posted the fix you can include in the phpinclude_start template for your styles. But I can't seem to find it right now.

    • #3
      Code:
      // Drop a "preview" submission unless the request came from this board.
      // A request with no Referer at all is let through. strpos() returns false
      // when bburl does not occur in the referer, and false != 0 is false under
      // PHP's loose comparison, so the test has to be a strict !== 0.
      if (!empty($_SERVER['HTTP_REFERER']) AND strpos($_SERVER['HTTP_REFERER'], $vboptions['bburl']) !== 0)
      {
      	unset($_POST['preview']);
      }

      There you go.

      • #4
        There it is! Thank you.

        • #5
          I have "Enable Standard Controls" selected in the controls. Does this mean I am not affected?

          • #6
            Turning off the WYSIWYG editor makes it impossible to run the exploit, yes.

            • #7
              So if you put the above code in phpinclude_start in, say, vBulletin 3.0.0 RC4, everything should be good?

              And we can keep using WYSIWYG?

              • #8
                Here is the fix:
                http://www.vbulletin.com/forum/showp...&postcount=132

                However, I don't recommend running RC4 on a production server. You should upgrade to the latest release.

                Wayne Luke

                • #9
                  I did apply the fix for includes/functions_editor.php, but now I see something to do with the phpinclude_start template too. Should I add that to the template of each style?

                  Thanks. I am just worried, since I have read all the bad upgrade reports so far; I wanted to give it a few more days before I upgrade the sites.

                  Thanks.

                  • #10
                    The only sites that had problems during the upgrade were generally sites that had added hacks that interfered with the upgrade itself.

                    • #11
                      Originally posted by Merjawy
                      I did apply the fix for includes/functions_editor.php, but now I see something to do with the phpinclude_start template too. Should I add that to the template of each style?

                      Thanks. I am just worried, since I have read all the bad upgrade reports so far; I wanted to give it a few more days before I upgrade the sites.

                      Thanks.
                      The phpinclude version is an alternate fix; if you have already used a patch posted on these forums by a vBteam member or developer, it should be correct.

                      • #12
                        Forget my phpinclude comment!

                        • #13
                          Originally posted by Wayne Luke
                          Here is the fix:
                          http://www.vbulletin.com/forum/showp...&postcount=132

                          However, I don't recommend running RC4 on a production server. You should upgrade to the latest release.
                          Thanks for your reply.

                          I've replaced the code from that post. So now I should be protected? I don't need to disable the WYSIWYG interface?

                          And yeah, I would upgrade to a newer version, but my owned licence updates have expired and I have no money.

                          • #14
                            Hi Zach or Floris,

                            Similar: I'd like to apply ONLY the security fix to my production instance of vBulletin 3.0.1 (so I can still be secure without disabling WYSIWYG, because I love WYSIWYG!)

                            Because... I haven't tested the integrity of my vBulletin backup yet (via a restore to a duplicate instance / environment that I still need to create).

                            Sooooo, from what I read above, I need to do this:

                            ==> Edit the phpinclude_start template to add these lines:

                            Code:
                            // Drop a "preview" submission unless the request came from this board.
                            // A request with no Referer at all is let through. strpos() returns false
                            // when bburl does not occur in the referer, and false != 0 is false under
                            // PHP's loose comparison, so the test has to be a strict !== 0.
                            if (!empty($_SERVER['HTTP_REFERER']) AND strpos($_SERVER['HTTP_REFERER'], $vboptions['bburl']) !== 0)
                            {
                            	unset($_POST['preview']);
                            }
                            Question: Where in the phpinclude_start file should it be added?

                            Stachel
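The Referer check that posts #3 and #14 put in phpinclude_start, exercised against a handful of made-up Referer values. This is an added example written for this page, not code from the thread and not vBulletin's own functions_editor.php fix; the board URL http://forum.example.test, the Referer strings and the function names are all assumptions of the example. It runs the check as posted (loose `!= 0`), the same check with a strict comparison, and a host-based variant that goes one step further than the posted fix.

```php
<?php
// Added example; not code from this thread or from vBulletin. It runs the
// Referer check from posts #3 and #14 against constructed Referer values to
// show why the comparison has to be strict. $bburl, the Referer values and
// the function names below are made up for the demonstration.

// The check as posted, with the loose "!= 0" comparison.
function preview_blocked_loose(?string $referer, string $bburl): bool
{
    return strpos((string) $referer, $bburl) != 0 && !empty($referer);
}

// The same check with a strict comparison. strpos() returns false when
// $bburl does not occur in $referer at all, and under loose comparison
// false != 0 is false, so an unrelated off-site Referer never trips the
// posted version; "!== 0" catches it.
function preview_blocked_strict(?string $referer, string $bburl): bool
{
    return !empty($referer) && strpos($referer, $bburl) !== 0;
}

// A tighter variant (this example's own idea, not the vBulletin fix):
// compare the Referer's host with the board's host, so a host that merely
// begins with the board URL is not accepted as a prefix match.
function preview_blocked_by_host(?string $referer, string $bburl): bool
{
    if (empty($referer)) {
        return false; // an absent Referer is let through, as in the posted fix
    }
    $refHost = parse_url($referer, PHP_URL_HOST);
    $ownHost = parse_url($bburl, PHP_URL_HOST);
    if (!is_string($refHost) || !is_string($ownHost)) {
        return true;  // unparsable Referer: treat as off-site
    }
    return strcasecmp($refHost, $ownHost) !== 0;
}

// Runs all three checks over the constructed cases and returns one row per
// case: [referer, loose, strict, by_host], where true means "preview dropped".
function compare_checks(): array
{
    $bburl = 'http://forum.example.test';
    $referers = [
        null,                                                // no Referer header at all
        'http://forum.example.test/newreply.php?t=42',       // genuine on-site form post
        'http://evil.test/attack.html',                      // plain off-site page
        'http://evil.test/?next=http://forum.example.test',  // board URL embedded later on
        'http://forum.example.test.evil.test/attack.html',   // host that begins with bburl
    ];
    $rows = [];
    foreach ($referers as $ref) {
        $rows[] = [
            $ref,
            preview_blocked_loose($ref, $bburl),
            preview_blocked_strict($ref, $bburl),
            preview_blocked_by_host($ref, $bburl),
        ];
    }
    return $rows;
}

foreach (compare_checks() as [$ref, $loose, $strict, $byHost]) {
    printf("%-52s loose=%-4s strict=%-4s by_host=%s\n",
        $ref ?? '(none)',
        $loose ? 'drop' : 'keep',
        $strict ? 'drop' : 'keep',
        $byHost ? 'drop' : 'keep');
}
```

Run it with the php command-line binary. Only the plain off-site row (http://evil.test/attack.html) separates the loose and strict checks: strpos() returns false there, so the posted `!= 0` test keeps the preview while the strict version drops it. Only the last row, a host that merely begins with the board URL, separates the strict and host-based checks. All three variants let a request with no Referer through, so the check relies on the browser sending one; it is the alternate fix #11 describes, applied in phpinclude_start rather than in functions_editor.php.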

                            • #15
                              Download 3.0.2 and upload functions_editor.php from 3.0.2. There was no other change to that file between 3.0.1 and 3.0.2.
                              Scott MacVicar
