vB 3.0.2 XSS Security fix


IDN
Fri 2nd Jul '04, 6:57pm
My owned license expired, and I don't plan to renew for a while. In the past there have been security fixes available to download instead of downloading a whole new version. Will this happen with 3.0.1?

Also, I have "Enable Standard Controls" enabled; does that mean I am not affected?

Floris
Fri 2nd Jul '04, 7:22pm
I remember someone posted the fix you can include in the phpinclude_start template for your styles. But I can't seem to find it right now.

Vega
Fri 2nd Jul '04, 7:23pm
// Drop the preview action when the request was referred from outside this board.
// strpos() returns false when $vboptions['bburl'] is not found at all, so the test must
// be strict (!== 0): a loose != 0 treats false as equal to 0 and lets foreign referers through.
// The empty() check comes first so an absent HTTP_REFERER does not trigger a notice.
if (!empty($_SERVER['HTTP_REFERER']) AND strpos($_SERVER['HTTP_REFERER'], $vboptions['bburl']) !== 0)
{
unset($_POST['preview']);
}


There you go.
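As an added illustration (not code from this thread or from vBulletin), the same idea written so that the referer's host is compared against the board URL's host rather than searching for the board URL anywhere in the referer string; the function name referer_is_local() and the sample values are assumptions for the demonstration.

```php
<?php
// Added example, not from the thread or from vBulletin: keep the preview action only
// when the referer's host matches the board URL's host. Assumed names: referer_is_local(),
// $bburl, and the constructed sample referers below.

function referer_is_local($referer, $bburl)
{
    // An empty referer is left alone, as in the snippet posted above; browsers and
    // proxies often strip it, and blocking it would break every such preview.
    if (empty($referer)) {
        return true;
    }
    $ref  = @parse_url($referer);
    $base = @parse_url($bburl);
    if (!is_array($ref) || !is_array($base) || empty($ref['host']) || empty($base['host'])) {
        return false;
    }
    // Hosts are compared case-insensitively. A referer such as
    // "http://other.example/?http://forum.example/vb" contains the board URL as a
    // substring, so a strpos() search would accept it, but its host differs.
    return strcasecmp($ref['host'], $base['host']) === 0;
}

// Constructed sample values for the demonstration.
$bburl   = 'http://forum.example/vb';
$samples = array(
    'http://forum.example/vb/newreply.php?t=1',          // local host: preview kept
    '',                                                   // empty referer: preview kept
    'http://other.example/page?http://forum.example/vb',  // foreign host: preview dropped
    'http://other.example/form.html',                     // foreign host: preview dropped
);

foreach ($samples as $referer) {
    $_POST['preview'] = 1;
    if (!referer_is_local($referer, $bburl)) {
        unset($_POST['preview']);
    }
    printf("%-52s preview %s\n", $referer === '' ? '(empty)' : $referer,
           isset($_POST['preview']) ? 'kept' : 'dropped');
}
```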

Floris
Fri 2nd Jul '04, 7:24pm
There it is! :) Thank you.

IDN
Fri 2nd Jul '04, 7:26pm
I have this selected in the controls: "Enable Standard Controls" Does this mean I am not affected?

Floris
Fri 2nd Jul '04, 7:27pm
Turning off the WYSIWYG editor makes it impossible to run the exploit, yes.

DWZ
Sat 3rd Jul '04, 4:11am
So if you put the above code in phpinclude_start in say, vBulletin 3.0.0 RC4 everything should be good?

And we can keep using WYSIWYG?

Wayne Luke
Sat 3rd Jul '04, 4:16am
Here is the fix:
http://www.vbulletin.com/forum/showpost.php?p=696147&postcount=132

However, I don't recommend running RC4 on a production server. You should upgrade to the latest release.

Merjawy
Sun 4th Jul '04, 1:52am
I did apply the fix for includes/functions_editor.php, but now I see something to do with the phpinclude_start template too? Should I add that to my template for each style?

Thanks. I am just worried since I have read all the bad upgrade reports so far; I wanted to give it a few more days before I upgrade the sites.

Thanks.

Zachery
Sun 4th Jul '04, 1:56am
The only sites that had problems during the upgrade were generally sites that had added hacks that interfered with the upgrade itself.

Brad.loo
Sun 4th Jul '04, 4:04am
I did apply the fix for includes/functions_editor.php, but now I see something to do with the phpinclude_start template too? Should I add that to my template for each style?

Thanks. I am just worried since I have read all the bad upgrade reports so far; I wanted to give it a few more days before I upgrade the sites.

Thanks.
The phpinclude version is an alternate fix; if you have already used a patch posted on these forums by a vBteam member or developer, it should be correct.

Floris
Sun 4th Jul '04, 9:40am
Forget my phpinclude comment! :)

DWZ
Sun 4th Jul '04, 9:53am
Here is the fix:
http://www.vbulletin.com/forum/showpost.php?p=696147&postcount=132

However, I don't recommend running RC4 on a production server. You should upgrade to the latest release.
Thanks for your reply :)

I've replaced the code from that post. So now I should be protected? I don't need to disable the WYSIWYG interface?

And yeah, I would upgrade to a newer version, but my owned licence updates have expired and I have no money :(

Stachel
Sun 4th Jul '04, 10:13am
Hi Zach or Floris,

Similar - I'd like to apply ONLY the security fix to my production instance of vBulletin 3.0.1 (so I can still be secure without disabling WYSIWYG cos I love WYSIWYG!)

Because...I haven't tested the integrity of my vBulletin backup yet (via a restore to a duplicate instance / environment that I still need to create).

Sooooo, from what I read above, I need to do this:

==> Edit the phpinclude_start template to add these lines:

// Drop the preview action when the request was referred from outside this board.
// strpos() returns false when $vboptions['bburl'] is not found at all, so the test must
// be strict (!== 0): a loose != 0 treats false as equal to 0 and lets foreign referers through.
// The empty() check comes first so an absent HTTP_REFERER does not trigger a notice.
if (!empty($_SERVER['HTTP_REFERER']) AND strpos($_SERVER['HTTP_REFERER'], $vboptions['bburl']) !== 0)
{
unset($_POST['preview']);
}


Question: Where in the phpinclude_start file should it be added?

Stachel

Scott MacVicar
Sun 4th Jul '04, 5:47pm
Download 3.0.2 and upload functions_editor.php from 3.0.2. There was no other change to that file between 3.0.1 and 3.0.2.

Stachel
Sun 4th Jul '04, 5:56pm
Thanks a lot Scott!

Stachel

Scott MacVicar
Sun 4th Jul '04, 6:03pm
It's within the includes folder, just in case you didn't know.

Merjawy
Sun 4th Jul '04, 6:44pm
Aha.. thanks Brad.loo

Forget my phpinclude comment! :)
Now now, Floris :) :)