YUI Security Issue

**Zachery** · Mon 6 Jan '14, 8:55am

YUI 3 is not a drop in replacement for YUI 2. Its about the same amount of work/effort to move to jquery, as it is YUI3. So that is why its not replaced, the removal will only allow users to use the ajax uploader instead of the flash uploader. The system will auto fallback if the flash uploader does not respond correctly.

**John Lester** · Mon 6 Jan '14, 10:41am

There was no attached file btw.

**Zachery** · Mon 6 Jan '14, 11:54am

There was a bit of human error in the email, check the announcement forum.

**JuniorNation** · Mon 6 Jan '14, 1:17pm

They refuse to fix a broken product go figure.

**Wayne Luke** · Mon 6 Jan '14, 1:43pm

We've provided a fix for the issue without sacrificing overall functionality in vBulletin. We can't fix third-party integrated code. Lack of updates to code is why we've moved away from YUI.

**CPOWA** · Mon 6 Jan '14, 3:15pm

I'm still not seeing a file in the announcement to replace the clientscript\yui\uploader\assets\uploader.swf file. Can I just edit it in place, delete everything in it and save it? Thanks.

**pierguy** · Mon 6 Jan '14, 3:57pm

Where is the attachment .swf file? It's not in the email VB sent, it's not in the post on the announcements forum, it's nowhere. Not the best way to handle a security risk.

**Mark.B** · Mon 6 Jan '14, 3:58pm

It's attached to the announcement post, but it is literally just a blank file with the same name as the original.

**dougdirac** · Mon 6 Jan '14, 4:19pm

Originally posted by Zachery

YUI 3 is not a drop in replacement for YUI 2. Its about the same amount of work/effort to move to jquery, as it is YUI3. So that is why its not replaced, the removal will only allow users to use the ajax uploader instead of the flash uploader. The system will auto fallback if the flash uploader does not respond correctly.

Can we expect any such update using jquery, then?

Is there any way to edit/improve the look of the ajax uploader. The "Upload File(s)" button needs 1) look like a button and 2) to be spaced down from the "Choose File" button. I'd also like to be able to add some text that would explain how to use it.

**Mark.B** · Mon 6 Jan '14, 4:33pm

Originally posted by dougdirac

Can we expect any such update using jquery, then?

Is there any way to edit/improve the look of the ajax uploader. The "Upload File(s)" button needs 1) look like a button and 2) to be spaced down from the "Choose File" button. I'd also like to be able to add some text that would explain how to use it.

It is unlikely this will happen anytime soon, if at all.

**dougdirac** · Mon 6 Jan '14, 5:41pm

So is there a template or a file I can edit to improve the look and clarity of the ajax uploader. I don't want a bunch of confused users.

**Jamsoft** · Mon 6 Jan '14, 5:51pm

So what are the implications of this potential exploit? Do I need to start combing my tree for unauthorized file uploads? What damage could have been done?

**vbsm** · Mon 6 Jan '14, 5:53pm

So I can just delete uploader.swf, and not deal with replacing it?

**dougdirac** · Mon 6 Jan '14, 7:00pm

Originally posted by vbsm

So I can just delete uploader.swf, and not deal with replacing it?

I think if you simply delete the file, it will break things. I.e., the uploader won't work at all. You need to replace it with a blank file.

By the way, this particular exploit was made public on November 11, 2013 -- nearly two months ago. Why are we just hearing about it?

YUI Security Bulletin

http://yuilibrary.com/support/20131111-vulnerability/

vBulletin 4 End of Life

YUI Security Issue

YUI Security Issue

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment