Manual Security Patch Instructions for VB 4.x.x

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • BirdOPrey5
    Senior Member
    • Jul 2008
    • 9613
    • 5.6.3

    Manual Security Patch Instructions for VB 4.x.x

    The following are instructions for manually patching all versions of VB 4.x.x for the patch released March 13, 2014.

    Verify you have PHP 5.2.0 or higher before you make these changes. If you don't you will break the site by making these changes.

    The version of PHP on your server is visible in the Admin CP in the table near the top of the page, under thew news.



    If your PHP version is not at least 5.2.0 see the announcement thread for more options.

    Important - Some of the code boxes have a horizontal scroll bar, you will need to scroll to the right to see the entire line of code in these cases.

    In includes/functions.php

    Find the code:

    Code:
             $postvars = construct_post_vars_html();
             if ($vbulletin->GPC['postvars'])
             {
                $_postvars = @unserialize(verify_client_string($vbulletin->GPC['postvars']));
    Replace the line:
    Code:
                $_postvars = @unserialize(verify_client_string($vbulletin->GPC['postvars']));
    With:
    Code:
                $_postvars = array();
                $client_string = verify_client_string($vbulletin->GPC['postvars']);
                if ($client_string)
                {
                    $_postvars = @json_decode($client_string, true);
                }
    In includes/functions_login.php

    Find the code:
    Code:
                 }
                 if ($vbulletin->GPC['postvars'])
                 {
                    $postvars = @unserialize(verify_client_string($vbulletin->GPC['postvars']));
    Replace the line:
    Code:
                    $postvars = @unserialize(verify_client_string($vbulletin->GPC['postvars']));
    With:
    Code:
                    $postvars = array();
                    $client_string = verify_client_string($vbulletin->GPC['postvars']);
                    if ($client_string)
                    {
                        $postvars = @json_decode($client_string, true);
                    }
    Finf the code:
    Code:
                         $postvars['securitytoken'] = $vbulletin->userinfo['securitytoken'];
                     }
     
                    $vbulletin->GPC['postvars'] = sign_client_string(serialize($postvars));
    Replace the line:
    Code:
                    $vbulletin->GPC['postvars'] = sign_client_string(serialize($postvars));
    With:
    Code:
            $vbulletin->GPC['postvars'] = sign_client_string(json_encode($postvars));
    In includes/functions_misc.php

    Find the code:
    Code:
         }
         else if ($vbulletin->superglobal_size['_POST'] > 0)
         {
            return '<input type="hidden" name="postvars" value="' . htmlspecialchars_uni(sign_client_string(serialize($_POST))) . '" />' . "\n";
    Replace the line:
    Code:
            return '<input type="hidden" name="postvars" value="' . htmlspecialchars_uni(sign_client_string(serialize($_POST))) . '" />' . "\n";
    With:
    Code:
            $string = json_encode($_POST);
            return '<input type="hidden" name="postvars" value="' . htmlspecialchars_uni(sign_client_string($string)) . '" />' . "\n";
    Find the code:
    Code:
        $temp = unserialize($serializedarr);
    Replace with:
    Code:
        $temp = json_decode($serializedarr, true);

    In forumdisplay.php

    Find the code:
    Code:
             {
                 if (($check = verify_client_string($vbulletin->GPC['postvars'])) !== false)
                 {
                    $temp = unserialize($check);
    Replace the line:
    Code:
                    $temp = unserialize($check);
    With:
    Code:
                    $temp = json_decode($check, true);
    In login.php (note- in some versions of 4.x this code does not exist, in that case ignore this step)

    Find the code:
    Code:
         exec_unstrike_user($vbulletin->GPC['vb_login_username']);
     
        $_postvars = @unserialize(verify_client_string($vbulletin->GPC['postvars']));
    Replace the line:
    Code:
        $_postvars = @unserialize(verify_client_string($vbulletin->GPC['postvars']));
    With:
    Code:
        $_postvars = array();
        $client_string = verify_client_string($vbulletin->GPC['postvars']);
        if ($client_string)
        {
            $_postvars = @json_decode($client_string, true);
        }


    After editing each file upload it back to your server. Keep a backup of the old file just in case. If you ever need a backup of the original file you can re-download your version of VB 4.x from the Member's Area. Only vBulletin 4.2.2 will be officially patched in the Member's Area.

    If you are on Windows use a dedicated code editor like Notepad2 or Notepad++ (both are free) to edit your .php files, do not use Windows Notepad.
    Last edited by BirdOPrey5; Wed 19 Mar '14, 4:45pm. Reason: added missing step in functions_misc.php
  • vbsm
    Member
    • Dec 2011
    • 98

    #2
    includes/functions.php is located in two places. Should both be changed?

    Comment

    • Mark.B
      vBulletin Support
      • Feb 2004
      • 24286
      • 6.0.X

      #3
      There should only be one copy of that file, and that folder. If you have two, you need to review what's on your server - compare the folder structure with that of the download package.
      MARK.B
      vBulletin Support
      ------------
      My Unofficial vBulletin 6.0.0 Demo: https://www.talknewsuk.com
      My Unofficial vBulletin Cloud Demo: https://www.adminammo.com

      Comment

      • toon79
        Senior Member
        • Jun 2007
        • 241
        • 4.2.X

        #4
        I don't get it, can't we just have patch files to overwrite the old files? The patch files in the member area are not these files are have <?php

        define('FILE_VERSION_VBULLETIN', '4.2.1 Patch Level 1');

        ?>

        Shouldn't there be a patch level 2? Am I missing something?

        Comment

        • Mark.B
          vBulletin Support
          • Feb 2004
          • 24286
          • 6.0.X

          #5
          For vB4: There are patch files for 4.2.2 only.
          If you have an earlier version our recommendation is to upgrade.
          If you do not wish to do so, we have provided manual patching instructions.
          MARK.B
          vBulletin Support
          ------------
          My Unofficial vBulletin 6.0.0 Demo: https://www.talknewsuk.com
          My Unofficial vBulletin Cloud Demo: https://www.adminammo.com

          Comment

          • toon79
            Senior Member
            • Jun 2007
            • 241
            • 4.2.X

            #6
            I gotcha thanks Mark

            Comment

            • toon79
              Senior Member
              • Jun 2007
              • 241
              • 4.2.X

              #7
              Function misc is wrong. You have included:
              $string = json_encode($_POST); return '<input type="hidden" name="postvars" value="' . htmlspecialchars_uni(sign_client_string($string)) . '" />' . "\n"; But haven't removed it from the take out line, the forum doesn't function by following these instructions. If you do this word for word
              . "\n"; is included twice and breaks the forum.

              Comment

              • BirdOPrey5
                Senior Member
                • Jul 2008
                • 9613
                • 5.6.3

                #8
                Originally posted by toon79
                Function misc is wrong. You have included:
                $string = json_encode($_POST); return '<input type="hidden" name="postvars" value="' . htmlspecialchars_uni(sign_client_string($string)) . '" />' . "\n"; But haven't removed it from the take out line, the forum doesn't function by following these instructions. If you do this word for word
                . "\n"; is included twice and breaks the forum.
                Hello- the "\n" is there but you need to scroll the code box to the right to see it.

                I will update the instructions to remind people they may need to scroll to see the full line of text.

                Comment

                • MK_1
                  New Member
                  • Mar 2009
                  • 28

                  #9
                  I guess this part is missing:
                  In includes/functions_misc.php
                  Code:
                  @@ -773,7 +774,7 @@
                   */
                   function construct_hidden_var_fields($serializedarr)
                   {
                  -    $temp = unserialize($serializedarr);
                  +    $temp = json_decode($serializedarr, true);
                   
                       if (!is_array($temp))
                       {
                  http://www.vbulletin.com/forum/forum...x-of-vbulletin
                  Macht mit beim 2-Wheel-Planet Adventskalender:

                  2WP Adventskalender

                  Comment

                  • Mark.B
                    vBulletin Support
                    • Feb 2004
                    • 24286
                    • 6.0.X

                    #10
                    That's from the diff file...you should follow the instructions in Joe's post.
                    MARK.B
                    vBulletin Support
                    ------------
                    My Unofficial vBulletin 6.0.0 Demo: https://www.talknewsuk.com
                    My Unofficial vBulletin Cloud Demo: https://www.adminammo.com

                    Comment

                    • _Avalon_
                      Member
                      • Dec 2012
                      • 88
                      • 4.2.X

                      #11
                      Good day, bit not clear, Is it not enough to rewrite files from Security patch: 4.2.0 Suite PL4?

                      Comment

                      • Mark.B
                        vBulletin Support
                        • Feb 2004
                        • 24286
                        • 6.0.X

                        #12
                        Originally posted by _Avalon_
                        Good day, bit not clear, Is it not enough to rewrite files from Security patch: 4.2.0 Suite PL4?
                        If you are running 4.2.0 you will need to go through the manual instructions.
                        MARK.B
                        vBulletin Support
                        ------------
                        My Unofficial vBulletin 6.0.0 Demo: https://www.talknewsuk.com
                        My Unofficial vBulletin Cloud Demo: https://www.adminammo.com

                        Comment

                        • BirdOPrey5
                          Senior Member
                          • Jul 2008
                          • 9613
                          • 5.6.3

                          #13
                          4.2.0 Patch 4 does NOT contain the fix. The only patch version of 4.x that includes the fix is 4.2.2 Patch 1.

                          Comment

                          • kandhro
                            Member
                            • Nov 2012
                            • 94

                            #14
                            Hello Mark B
                            can u plz let me know where are the manual instructions for vb 4.2.0

                            regards

                            Comment

                            • MK_1
                              New Member
                              • Mar 2009
                              • 28

                              #15
                              Originally posted by Mark.B
                              That's from the diff file...you should follow the instructions in Joe's post.
                              So you tell me that the diff file is not the latest version? Diff file and Joe's post are 90% similar, just this one step.
                              Macht mit beim 2-Wheel-Planet Adventskalender:

                              2WP Adventskalender

                              Comment

                              widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                              Working...