Manual Security Patch Instructions for VB 4.x.x

  • #1

    The following are instructions for manually patching all versions of VB 4.x.x for the patch released March 13, 2014.

    Verify you have PHP 5.2.0 or higher before you make these changes. If you don't, you will break the site by making these changes.

    The version of PHP on your server is visible in the Admin CP in the table near the top of the page, under the news.

    If your PHP version is not at least 5.2.0, see the announcement thread for more options.

    Important - Some of the code boxes have a horizontal scroll bar, you will need to scroll to the right to see the entire line of code in these cases.

    In includes/functions.php

    Find the code:

    Code:
        $postvars = construct_post_vars_html();
        if ($vbulletin->GPC['postvars'])
        {
            $_postvars = @unserialize(verify_client_string($vbulletin->GPC['postvars']));

    Replace the line:

    Code:
            $_postvars = @unserialize(verify_client_string($vbulletin->GPC['postvars']));

    With:

    Code:
            $_postvars = array();
            $client_string = verify_client_string($vbulletin->GPC['postvars']);
            if ($client_string)
            {
                $_postvars = @json_decode($client_string, true);
            }

    In includes/functions_login.php

    Find the code:

    Code:
        }
        if ($vbulletin->GPC['postvars'])
        {
            $postvars = @unserialize(verify_client_string($vbulletin->GPC['postvars']));

    Replace the line:

    Code:
            $postvars = @unserialize(verify_client_string($vbulletin->GPC['postvars']));

    With:

    Code:
            $postvars = array();
            $client_string = verify_client_string($vbulletin->GPC['postvars']);
            if ($client_string)
            {
                $postvars = @json_decode($client_string, true);
            }

    Find the code:

    Code:
                $postvars['securitytoken'] = $vbulletin->userinfo['securitytoken'];
            }

            $vbulletin->GPC['postvars'] = sign_client_string(serialize($postvars));

    Replace the line:

    Code:
            $vbulletin->GPC['postvars'] = sign_client_string(serialize($postvars));

    With:

    Code:
            $vbulletin->GPC['postvars'] = sign_client_string(json_encode($postvars));

    In includes/functions_misc.php

    Find the code:

    Code:
        }
        else if ($vbulletin->superglobal_size['_POST'] > 0)
        {
            return '<input type="hidden" name="postvars" value="' . htmlspecialchars_uni(sign_client_string(serialize($_POST))) . '" />' . "\n";

    Replace the line:

    Code:
            return '<input type="hidden" name="postvars" value="' . htmlspecialchars_uni(sign_client_string(serialize($_POST))) . '" />' . "\n";

    With:

    Code:
            $string = json_encode($_POST);
            return '<input type="hidden" name="postvars" value="' . htmlspecialchars_uni(sign_client_string($string)) . '" />' . "\n";

    Find the code:

    Code:
        $temp = unserialize($serializedarr);

    Replace with:

    Code:
        $temp = json_decode($serializedarr, true);

    In forumdisplay.php

    Find the code:

    Code:
        {
            if (($check = verify_client_string($vbulletin->GPC['postvars'])) !== false)
            {
                $temp = unserialize($check);

    Replace the line:

    Code:
                $temp = unserialize($check);

    With:

    Code:
                $temp = json_decode($check, true);

    In login.php (note: in some versions of 4.x this code does not exist; in that case ignore this step)

    Find the code:

    Code:
        exec_unstrike_user($vbulletin->GPC['vb_login_username']);

        $_postvars = @unserialize(verify_client_string($vbulletin->GPC['postvars']));

    Replace the line:

    Code:
        $_postvars = @unserialize(verify_client_string($vbulletin->GPC['postvars']));

    With:

    Code:
        $_postvars = array();
        $client_string = verify_client_string($vbulletin->GPC['postvars']);
        if ($client_string)
        {
            $_postvars = @json_decode($client_string, true);
        }


    After editing each file upload it back to your server. Keep a backup of the old file just in case. If you ever need a backup of the original file you can re-download your version of VB 4.x from the Member's Area. Only vBulletin 4.2.2 will be officially patched in the Member's Area.

    If you are on Windows use a dedicated code editor like Notepad2 or Notepad++ (both are free) to edit your .php files, do not use Windows Notepad.
    Last edited by Joe D.; Wed 19th Mar '14, 4:45pm. Reason: added missing step in functions_misc.php
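
    Added example (not vBulletin's own code) showing the patched "postvars" pattern from the instructions above end to end. demo_sign_client_string() and demo_verify_client_string() are assumed HMAC stand-ins for vBulletin's sign_client_string()/verify_client_string(), the key and payloads are constructed for the demo, and PHP 5.6+ is assumed for hash_equals().

```php
<?php
// Added example, not vBulletin code: the patched postvars decode pattern with
// stand-in signing helpers. DEMO_KEY and all payloads below are constructed.
const DEMO_KEY = 'constructed-demo-key';   // placeholder, not a real site key

// Stand-in for sign_client_string(): prefix an HMAC so the client cannot alter the payload.
function demo_sign_client_string($data)
{
    return hash_hmac('sha256', $data, DEMO_KEY) . '|' . $data;
}

// Stand-in for verify_client_string(): return the payload, or false if the MAC does not match.
function demo_verify_client_string($signed)
{
    $parts = explode('|', $signed, 2);
    if (count($parts) !== 2 || !hash_equals(hash_hmac('sha256', $parts[1], DEMO_KEY), $parts[0])) {
        return false;
    }
    return $parts[1];
}

// The patched decode step. json_decode(..., true) only ever yields arrays and
// scalars, never PHP objects, which is why it replaces unserialize() here.
function decode_postvars($signed)
{
    $postvars = array();
    $client_string = demo_verify_client_string($signed);
    if ($client_string) {
        $postvars = @json_decode($client_string, true);
    }
    // json_decode() returns null on malformed input, including data written by
    // the old serialize() code, so the caller still needs an is_array() check.
    return is_array($postvars) ? $postvars : array();
}

$expected = array('do' => 'login', 'securitytoken' => 'guest');
// 1. Normal round trip: the hidden field is built with json_encode(), as in functions_misc.php.
$field = demo_sign_client_string(json_encode($expected));
// 2. Tampered payload: the MAC check fails, so nothing is decoded.
$tampered = str_replace('login', 'admin', $field);
// 3. Stale field in the old serialize() format: MAC is valid, but json_decode() yields null.
$stale = demo_sign_client_string(serialize(array('do' => 'login')));

$checks = array(
    'round trip decodes'      => decode_postvars($field) === $expected,
    'tampered field rejected' => decode_postvars($tampered) === array(),
    'stale serialize() data'  => decode_postvars($stale) === array(),
);
foreach ($checks as $name => $ok) {
    echo $name, ': ', ($ok ? 'ok' : 'FAIL'), "\n";
}
```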

  • #2
    includes/functions.php is located in two places. Should both be changed?

    • #3
      There should only be one copy of that file, and that folder. If you have two, you need to review what's on your server - compare the folder structure with that of the download package.
      MARK.B | vBULLETIN SUPPORT

      TalkNewsUK - My vBulletin 5.5.2 Demo
      AdminAmmo - My Cloud Demo

      • #4
        I don't get it, can't we just have patch files to overwrite the old files? The patch files in the member area are not these files; they have <?php

        define('FILE_VERSION_VBULLETIN', '4.2.1 Patch Level 1');

        ?>

        Shouldn't there be a patch level 2? Am I missing something?

        • #5
          For vB4: There are patch files for 4.2.2 only.
          If you have an earlier version our recommendation is to upgrade.
          If you do not wish to do so, we have provided manual patching instructions.
          MARK.B | vBULLETIN SUPPORT

          TalkNewsUK - My vBulletin 5.5.2 Demo
          AdminAmmo - My Cloud Demo

          • #6
            I gotcha thanks Mark

            • #7
              Function misc is wrong. You have included:

              Code:
                  $string = json_encode($_POST);
                  return '<input type="hidden" name="postvars" value="' . htmlspecialchars_uni(sign_client_string($string)) . '" />' . "\n";

              But haven't removed it from the take out line; the forum doesn't function by following these instructions. If you do this word for word, . "\n"; is included twice and breaks the forum.

              • #8
                Originally posted by toon79:
                Function misc is wrong. You have included:
                $string = json_encode($_POST); return '<input type="hidden" name="postvars" value="' . htmlspecialchars_uni(sign_client_string($string)) . '" />' . "\n"; But haven't removed it from the take out line, the forum doesn't function by following these instructions. If you do this word for word
                . "\n"; is included twice and breaks the forum.
                Hello- the "\n" is there but you need to scroll the code box to the right to see it.

                I will update the instructions to remind people they may need to scroll to see the full line of text.

                • #9
                  I guess this part is missing:
                  In includes/functions_misc.php
                  Code:
                  @@ -773,7 +774,7 @@
                   */
                   function construct_hidden_var_fields($serializedarr)
                   {
                  -    $temp = unserialize($serializedarr);
                  +    $temp = json_decode($serializedarr, true);
                   
                       if (!is_array($temp))
                       {
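                  Review bot: the hunk swaps the call but leaves the function signature and the docblock closed by the `*/` line above describing the argument as a serialized array (`$serializedarr`); rename the parameter or update the docblock to say the input is now a json_encode()d string, since this function pairs with the json_encode($_POST) change in the same file. The `if (!is_array($temp))` guard directly below still does the right thing after the change: json_decode() returns null on malformed or legacy serialize() input, so such data is rejected rather than acted on.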
                  http://www.vbulletin.com/forum/forum...x-of-vbulletin
                  Join the 2-Wheel-Planet Advent calendar:

                  2WP Adventskalender

                  • #10
                    That's from the diff file...you should follow the instructions in Joe's post.
                    MARK.B | vBULLETIN SUPPORT

                    TalkNewsUK - My vBulletin 5.5.2 Demo
                    AdminAmmo - My Cloud Demo

                    • #11
                      Good day, bit not clear, Is it not enough to rewrite files from Security patch: 4.2.0 Suite PL4?

                      • #12
                        Originally posted by _Avalon_:
                        Good day, bit not clear, Is it not enough to rewrite files from Security patch: 4.2.0 Suite PL4?
                        If you are running 4.2.0 you will need to go through the manual instructions.
                        MARK.B | vBULLETIN SUPPORT

                        TalkNewsUK - My vBulletin 5.5.2 Demo
                        AdminAmmo - My Cloud Demo

                        • #13
                          4.2.0 Patch 4 does NOT contain the fix. The only patch version of 4.x that includes the fix is 4.2.2 Patch 1.

                          • #14
                            Hello Mark B,
                            can you please let me know where the manual instructions for vB 4.2.0 are?

                            regards

                            • #15
                              Originally posted by Mark.B:
                              That's from the diff file...you should follow the instructions in Joe's post.
                              So you tell me that the diff file is not the latest version? Diff file and Joe's post are 90% similar, just this one step.
                              Join the 2-Wheel-Planet Advent calendar:

                              2WP Adventskalender
