vB 3.0.2 XSS Security fix

  • IDN
    Senior Member
    • Apr 2002
    • 4030
    • 3.5.x

    vB 3.0.2 XSS Security fix

    My owned license expired, and I don't plan to renew for a while. In the past there have been security fixes available to download instead of downloading a whole new version. Will this happen with 3.0.1?

    Also, I have this enabled; does that mean I am not affected? "Enable Standard Controls"
    Last edited by IDN; Fri 2 Jul '04, 2:07pm.
    Running vB since 4-14-2002
  • Floris
    Senior Member
    • Dec 2001
    • 37767

    #2
    I remember someone posted the fix you can include in the phpinclude_start template for your styles. But I can't seem to find it right now.

    Comment

    • Vega
      Senior Member
      • Mar 2004
      • 155
      • 3.5.x

      #3
      Code:
      // Check that a referer was sent before inspecting it, and use a strict
      // comparison: strpos() returns false when bburl is absent, and in PHP
      // "false != 0" is not true, so the off-site case would be missed.
      if (!empty($_SERVER['HTTP_REFERER']) AND strpos($_SERVER['HTTP_REFERER'], $vboptions['bburl']) !== 0)
      {
          unset($_POST['preview']);
      }


      There you go.

      Comment
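      As an added example (not code from this thread or from vBulletin), here is a stand-alone PHP version of the phpinclude_start check that compares the Referer host exactly rather than by substring, so it also rejects hosts that merely contain or start with the forum address; the function names and sample URLs are hypothetical.

```php
<?php
// Added example, not from the thread or vBulletin: a stand-alone version of
// the phpinclude_start check. Function names and sample URLs are made up.

// True when the Referer host matches the forum host in $bburl exactly.
// A missing Referer is treated as on-site, matching the thread's snippet.
function referer_is_onsite($referer, $bburl)
{
    if (empty($referer)) {
        return true;
    }
    $ref  = parse_url($referer);
    $site = parse_url($bburl);
    if ($ref === false || $site === false
        || !isset($ref['host']) || !isset($site['host'])) {
        return false;
    }
    // Exact host comparison: a substring or prefix test would accept any
    // URL that merely contains or starts with the forum address.
    return strtolower($ref['host']) === strtolower($site['host']);
}

// Remove the 'preview' POST field unless the request came from the forum.
function strip_offsite_preview(array $post, $referer, $bburl)
{
    if (!referer_is_onsite($referer, $bburl)) {
        unset($post['preview']);
    }
    return $post;
}

// Constructed self-check with sample Referer values.
$bburl = 'http://forum.example.com';
$cases = array(
    'http://forum.example.com/newreply.php?do=postreply' => true,
    'http://other.example.net/page.html'                 => false,
    'http://forum.example.com.other.example.net/'        => false,
    ''                                                   => true,
);
foreach ($cases as $referer => $expected) {
    $got = referer_is_onsite($referer, $bburl);
    printf("%-52s %s\n", $referer === '' ? '(no Referer)' : $referer,
        $got === $expected ? 'ok' : 'MISMATCH');
}

// In phpinclude_start (assumed context, as in the thread's snippet) this
// would be applied to the live request as:
// $_POST = strip_offsite_preview($_POST,
//     isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '',
//     $vboptions['bburl']);
```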

      • Floris
        Senior Member
        • Dec 2001
        • 37767

        #4
        There it is! Thank you.

        Comment

        • IDN
          Senior Member
          • Apr 2002
          • 4030
          • 3.5.x

          #5
          I have this selected in the controls: "Enable Standard Controls". Does this mean I am not affected?
          Running vB since 4-14-2002

          Comment

          • Floris
            Senior Member
            • Dec 2001
            • 37767

            #6
            Turning off the WYSIWYG editor makes it impossible to run the exploit, yes.

            Comment

            • DWZ
              Senior Member
              • Jan 2002
              • 985
              • 2.2.9

              #7
              So if you put the above code in phpinclude_start in say, vBulletin 3.0.0 RC4 everything should be good?

              And we can keep using WYSIWYG?

              Comment

              • Wayne Luke
                vBulletin Technical Support Lead
                • Aug 2000
                • 73981

                #8
                Here is the fix:


                However, I don't recommend running RC4 on a production server. You should upgrade to the latest release.
                Translations provided by Google.

                Wayne Luke
                The Rabid Badger - a vBulletin Cloud demonstration site.
                vBulletin 5 API

                Comment

                • Merjawy
                  Senior Member
                  • Sep 2002
                  • 2613

                  #9
                  I did apply the fix for includes/functions_editor.php, but now I see something to do with the phpinclude_start template too? Should I add that to my template of each style?

                  thnx.. I am just worried since I have read all the bad upgrade reports so far; I wanted to give it a few more days before I upgrade the sites.

                  thnx
                  To be or not to be... Where the hell is the question????
                  My psychiatrist told me I was crazy and I said I want a second opinion. He said okay, you're ugly too

                  Live vBulletin 4.2.0 Multilingual * Alpha/Beta vB 4 - vB 5 Tier 1A
                  CentOS 6.2 - Apache:2.2.15(Apache2Handler) - PHP:5.3.3 - MySQL:5.1.61
                  Xampp/Win-XP - Apache v2.2.21(Apache2Handler) - PHP:5.3.8 - MySQL:5.5.16

                  Comment

                  • Zachery
                    Former vBulletin Support
                    • Jul 2002
                    • 59097

                    #10
                    The only sites that had problems during the upgrade were generally sites that had added hacks that interfered with the upgrade itself.

                    Comment

                    • Guest

                      #11
                      Originally posted by Merjawy
                      I did apply the fix for includes/functions_editor.php, but now I see something to do with the phpinclude_start template too? Should I add that to my template of each style?

                      thnx.. I am just worried since I have read all the bad upgrade reports so far; I wanted to give it a few more days before I upgrade the sites.

                      thnx
                      The phpinclude version is an alternate fix; if you have already used a patch posted on these forums by a vBteam member or developer, it should be correct.

                      Comment

                      • Floris
                        Senior Member
                        • Dec 2001
                        • 37767

                        #12
                        Forget my phpinclude comment!

                        Comment

                        • DWZ
                          Senior Member
                          • Jan 2002
                          • 985
                          • 2.2.9

                          #13
                          Originally posted by Wayne Luke
                          Here is the fix:


                          However, I don't recommend running RC4 on a production server. You should upgrade to the latest release.
                          Thanks for your reply.

                          I've replaced the code from that post. So now I should be protected? I don't need to disable the WYSIWYG interface?

                          And yeah, I would upgrade to a newer version, but my owned licence updates have expired and I have no money

                          Comment

                          • Stachel
                            Member
                            • Apr 2004
                            • 96
                            • 3.0.0 'Gold'

                            #14
                            Hi Zach or Floris,

                            Similar - I'd like to apply ONLY the security fix to my production instance of vBulletin 3.0.1 (so I can still be secure without disabling WYSIWYG cos I love WYSIWYG!)

                            Because...I haven't tested the integrity of my vBulletin backup yet (via a restore to a duplicate instance / environment that I still need to create).

                            Sooooo, from what I read above, I need to do this:

                            ==> Edit the phpinclude_start template to add these lines:

                            Code:
                            // Check that a referer was sent before inspecting it, and use a strict
                            // comparison: strpos() returns false when bburl is absent, and in PHP
                            // "false != 0" is not true, so the off-site case would be missed.
                            if (!empty($_SERVER['HTTP_REFERER']) AND strpos($_SERVER['HTTP_REFERER'], $vboptions['bburl']) !== 0)
                            {
                                unset($_POST['preview']);
                            }
                            Question: Where in the phpinclude_start file should it be added?

                            Stachel

                            Comment

                            • Scott MacVicar
                              Former vBulletin Developer
                              • Dec 2000
                              • 13286

                              #15
                              Download 3.0.2 and upload functions_editor.php from 3.0.2. There was no other change to that file between 3.0.1 and 3.0.2.
                              Scott MacVicar

                              My Blog | Twitter

                              Comment
