Yahoo YUI Security Exploit 'Patch' Not Working

  • Bacon Butty
    Senior Member
    • Jun 2005
    • 162

    [Forum] Yahoo YUI Security Exploit 'Patch' Not Working

    Hi,

    I'm having a bit of a nightmare with the Yahoo YUI Security Exploit issue.

    I reported the problems I was having with search engine traffic being maliciously directed elsewhere and was relieved to see a fix published here;



    I haven't got the time to fight the inevitable vBulletin issues in upgrading, so I opted for the simple patch;

    To manually fix versions prior to vBulletin 4.1.3 and 3.8.7
    Edit one line in class_core.php file located in /includes/class_core.php ; find the following line “define('YUI_VERSION', '2.7.0'); // define the YUI version we bundle” ; replace this line with “define('YUI_VERSION', '2.9.0'); // define the YUI version we bundle”
    In AdminCP; Go to “Options” => “Server Settings and Optimization Options” ; find “Use Remote YUI” option and in the dropdown switch to a server of your choice, Google or Yahoo.
    Unfortunately, this simple 'fix' is causing mayhem. Users have reported issues en masse when I perform that edit... screenshotting the likes of the below;



    Avatars don't display, and it causes the dreaded “black diamond question mark” symbol for any 'special character' - such as a question mark.

    Any ideas? Any help would be appreciated.

    My forum is 4.1.2
  • Paul M
    Former Lead Developer
    vB.Com & vB.Org
    • Sep 2004
    • 9886

    #2
    Have they tried a hard refresh (CTRL+F5) or clear their browser cache ?
    Baby, I was born this way

    Comment

    • Bacon Butty
      Senior Member
      • Jun 2005
      • 162

      #3
      Originally posted by Paul M
      Have they tried a hard refresh (CTRL+F5) or clear their browser cache ?
      Thanks for trying to help.

      Yes - myself included, with all IE, Chrome and Firefox.

      Comment

      • IBxAnders
        Senior Member
        • Aug 2001
        • 1172
        • 4.0.x

        #4
        You probably just edited the CLASS_CORE file but did not set the YUI to be pulled from a remote location; please check this in your AdminCP.
        anders | vbulletin team | check out the new vbulletin facebook app
        Proudly vBulletin'ing since 2001
        Please be my friend!
        http://www.twitter.com/inetskunkworks
        vBulletin Performance Articles:
        Click here to read

        Comment

        • Bacon Butty
          Senior Member
          • Jun 2005
          • 162

          #5
          Originally posted by IBxAnders
          You probably just edited the CLASS_CORE file but did not set the YUI to be pulled from a remote location; please check this in your AdminCP.
          Thanks for offering assistance but I can assure you, 'Use Remote YUI' in 'Server Settings and Optimization Options' has been set at Google, and later Yahoo.
          Last edited by Bacon Butty; Wed 1 Jun '11, 1:19pm.

          Comment

          • Lynne
            Former vBulletin Support
            • Oct 2004
            • 26255

            #6
            What site are you having problems with? I look at one of them and it shows this in the page source:

            Code:
            <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/yui/2.8.2/build/yuiloader-dom-event/yuiloader-dom-event.js?v=412"></script>
            <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/yui/2.8.2/build/connection/connection-min.js?v=412"></script>
            It is not pulling the 2.9.0 build.

            However, I also notice this at the top of the page:
            Code:
            
            That means you most likely didn't use a plain text editor when editing the file. That will cause issues.

            Please don't PM or VM me for support - I only help out in the threads.
            vBulletin Manual & vBulletin 4.0 Code Documentation (API)
            Want help modifying your vbulletin forum? Head on over to vbulletin.org
            If I post CSS and you don't know where it goes, throw it into the additional.css template.

            W3Schools <- awesome site for html/css help

            Comment

            • Bacon Butty
              Senior Member
              • Jun 2005
              • 162

              #7
              Originally posted by Lynne
              What site are you having problems with? I look at one of them and it shows this in the page source:

              Code:
              <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/yui/2.8.2/build/yuiloader-dom-event/yuiloader-dom-event.js?v=412"></script>
              <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/yui/2.8.2/build/connection/connection-min.js?v=412"></script>
              It is not pulling the 2.9.0 build.
              Thanks Lynne.

              I just changed from 2.9.0 to 2.8.2 - on a suggestion I read in here to see if it made any difference.

              Originally posted by Lynne
              However, I also notice this at the top of the page:
              Code:
              
              That means you most likely didn't use a plain text editor when editing the file. That will cause issues.
              Odd. I can't see that? All my edits are in notepad? - Could you kindly screenshot?

              Comment

              • Zachery
                Former vBulletin Support
                • Jul 2002
                • 59097

                #8
                You have a UTF-8 BOM marker in one or more of your files, likely your config.php file.

                Comment

                • Lynne
                  Former vBulletin Support
                  • Oct 2004
                  • 26255

                  #9
                  Originally posted by Bacon Butty
                  Thanks Lynne.

                  I just changed from 2.9.0 to 2.8.2 - on a suggestion I read in here to see if it made any difference.



                  Odd. I can't see that? All my edits are in notepad? - Could you kindly screenshot?
                  You can see it right at the top if you view your page source. It flashed quickly for me when I went to your site which is how I knew to look for it.

                  Please don't PM or VM me for support - I only help out in the threads.
                  vBulletin Manual & vBulletin 4.0 Code Documentation (API)
                  Want help modifying your vbulletin forum? Head on over to vbulletin.org
                  If I post CSS and you don't know where it goes, throw it into the additional.css template.

                  W3Schools <- awesome site for html/css help

                  Comment

                  • RitaW
                    New Member
                    • Aug 2009
                    • 5

                    #10
                    Got the same problem here


                     is appearing at the top of the page.

                    What do I need to do to fix this?

                    Edit: got it working.
                    Last edited by RitaW; Thu 2 Jun '11, 1:20am.

                    Comment

                    • Bacon Butty
                      Senior Member
                      • Jun 2005
                      • 162

                      #11
                      Thanks again guys. Very kind for support - sorry for the delay in response, forums went down for maintenance last night.

                      Originally posted by Zachery
                      You have a UTF-8 BOM marker in one or more of your files, likely your config.php file.
                      Do you mean this in config.php?

                      // $config['Mysqli']['charset'] = 'utf8';
                      I've not edited this file? Is this now conflicting with the YUI change?

                      Originally posted by Lynne
                      You can see it right at the top if you view your page source. It flashed quickly for me when I went to your site which is how I knew to look for it.
                      Thanks Lynne but I really can't see it - I must be losing the plot.

                      I made the very simple file edit in notepad as so;



                      And I can't see this code on the website itself;



                      Or the source code;




                      Originally posted by RitaW
                      Got the same problem here


                       is appearing at the top of the page.

                      What do I need to do to fix this?

                      Edit: got it working.
                      C'mon Rita! That's just teasing....

                      Comment

                      • Bacon Butty
                        Senior Member
                        • Jun 2005
                        • 162

                        #12
                        Update.

                        One of the members has published a picture of aforementioned code.



                        So fixing this should resolve the issue?

                        How do I fix something I can't see :/

                        Any ideas?

                        Comment

                        • Zachery
                          Former vBulletin Support
                          • Jul 2002
                          • 59097

                          #13
                          It's got to be in one of your files, likely the config.php file.

                          Comment

                          • ascott
                            Member
                            • May 2009
                            • 67
                            • 4.2.X

                            #14
                            I uploaded my config.php file again and that has removed it, all my thumbnails and avatars are back how they should be.
                            Canon Fodder Forums






                            Comment

                            • Bacon Butty
                              Senior Member
                              • Jun 2005
                              • 162

                              #15
                              Thanks all. Resolved. Was never config as that file was never amended.

                              Downloaded PHP Editor and that detected the odd code that a save with notepad seemed to insert.

                              With the 'Patch' though (and YUI amend in admincp), a search for my forum in Google is still directing elsewhere.

                              Comment
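The cause the thread settles on is a UTF-8 byte order mark (bytes EF BB BF) saved at the start of an edited PHP file, which PHP sends to the browser ahead of the page. The script below is an added example, not part of the original thread or of vBulletin: it finds PHP files that start with a BOM and strips it. The function names and the sample tree built in `demo()` are constructed for illustration.

```python
import os
import shutil
import tempfile
from pathlib import Path

UTF8_BOM = b"\xef\xbb\xbf"


def find_bom_files(root, suffixes=(".php",)):
    """Return sorted paths under root whose first three bytes are the UTF-8 BOM."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            with path.open("rb") as fh:
                if fh.read(3) == UTF8_BOM:
                    hits.append(path)
    return sorted(hits)


def strip_bom(path):
    """Rewrite path without its leading BOM; return True if one was removed."""
    path = Path(path)
    data = path.read_bytes()
    if not data.startswith(UTF8_BOM):
        return False
    # Swap in a sibling temp file atomically and keep the original mode bits.
    fd, tmp = tempfile.mkstemp(dir=path.parent)
    with os.fdopen(fd, "wb") as out:
        out.write(data[len(UTF8_BOM):])
    shutil.copymode(path, tmp)
    os.replace(tmp, path)
    return True


def demo():
    """Scan and repair a constructed tree (sample files, not real vBulletin code)."""
    root = Path(tempfile.mkdtemp())
    (root / "includes").mkdir()
    bad = root / "includes" / "class_core.php"
    body = b"<?php\ndefine('YUI_VERSION', '2.9.0');\n"
    bad.write_bytes(UTF8_BOM + body)   # as saved by an editor that adds a BOM
    (root / "includes" / "config.php").write_bytes(b"<?php\n$config = array();\n")
    before = [p.name for p in find_bom_files(root)]
    fixed = [strip_bom(p) for p in find_bom_files(root)]
    return before, fixed, find_bom_files(root), bad.read_bytes() == body


if __name__ == "__main__":
    print(demo())
```

Run `find_bom_files` against a copy of the forum directory first, and back up any file before calling `strip_bom` on it.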
