New XSS vulnerability [4.0.2 PL 1]: are we affected?

  • tonetu
    Member
    • Aug 2007
    • 56

    [Forum] New XSS vulnerability [4.0.2 PL 1]: are we affected?

    Hi there,
    I heard that someone discovered a new way to hack 4.0.2 PL 1 by XSS. They discovered it yesterday, and vb.com still hasn't told us what we have to do?

    Is it right that they can hack our forum by XSS, and that we are affected and ready to get hacked?
    Last edited by Zachery; Sun 21 Mar '10, 11:00am.
  • Floris
    Senior Member
    • Dec 2001
    • 37767

    #2


    Yes, all 4.0.2 PL1 are affected.


    • icarusforde
      Senior Member
      • Feb 2009
      • 1594
      • 3.8.x

      #3
      *sighs*

      Here we go again.

      *Waits for Patch Level Two*


      • sd2310
        Member
        • Oct 2008
        • 94
        • 4.1.x

        #4
        Originally posted by icarusforde
        *sighs*

        Here we go again.

        *Waits for Patch Level Two*
        There should be only a few lines of code to edit; why is it taking so long?


        • icarusforde
          Senior Member
          • Feb 2009
          • 1594
          • 3.8.x

          #5
          Because it's not just a few lines of code to edit.


          • sd2310
            Member
            • Oct 2008
            • 94
            • 4.1.x

            #6
            Originally posted by icarusforde
            Because it's not just a few lines of code to edit.
            Okay, I thought it must be quite easy.


            • icarusforde
              Senior Member
              • Feb 2009
              • 1594
              • 3.8.x

              #7
              Not really. It's easier for hackers to get in than to keep hackers out... That being said, it should be harder for them to get in when it comes down to it in the first place.


              • Paul M
                Former Lead Developer
                vB.Com & vB.Org
                • Sep 2004
                • 9886

                #8
                Quick [temp] fix:

                Search the templates for {vb:raw query} replace with {vb:var query}

                There are about 10 of them.
                Baby, I was born this way

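The workaround above comes down to one property of the two template tags: `{vb:raw name}` inserts a variable into the page as-is, while `{vb:var name}` HTML-escapes it first, so a search string reflected through `{vb:raw query}` can carry markup. The script below is an added example, not vBulletin's code and not Paul M's: it models that tag difference in a few lines (an assumption about the compiler, stated in the comments), scans a set of constructed, hypothetical template sources for the offending tag, applies the raw-to-var replacement, and confirms with a constructed probe string that the patched templates no longer reflect the tag intact.

```python
import html
import re

# Stand-in for the two vBulletin 4 template tags at issue. Assumption (this is
# not vBulletin's own compiler): {vb:raw name} inserts the variable unescaped,
# {vb:var name} HTML-escapes it first.
TAG_RE = re.compile(r"\{vb:(raw|var)\s+(\w+)\}")
RAW_QUERY_RE = re.compile(r"\{vb:raw\s+query\}")


def render(template: str, variables: dict) -> str:
    """Expand {vb:raw ...} and {vb:var ...} tags with the difference described above."""
    def expand(match):
        kind, name = match.groups()
        value = str(variables.get(name, ""))
        return value if kind == "raw" else html.escape(value, quote=True)
    return TAG_RE.sub(expand, template)


def find_raw_query(templates: dict) -> dict:
    """Map template name -> number of {vb:raw query} occurrences still present."""
    hits = {}
    for name, source in templates.items():
        count = len(RAW_QUERY_RE.findall(source))
        if count:
            hits[name] = count
    return hits


def patch_raw_query(templates: dict) -> dict:
    """Apply the temporary fix: {vb:raw query} -> {vb:var query} in every template."""
    return {name: RAW_QUERY_RE.sub("{vb:var query}", source)
            for name, source in templates.items()}


# Constructed sample templates (hypothetical names and markup, not real
# vBulletin template sources). Two of them reflect the search query raw.
TEMPLATES = {
    "search_results": '<div class="searchtitle">Search: {vb:raw query}</div>',
    "search_results_nomatch": "<p>No results for <b>{vb:raw query}</b>.</p>",
    "forumhome_title": "<h1>{vb:var forumtitle}</h1>",
}

# Constructed probe: a search string that breaks out of the markup if reflected raw.
PAYLOAD = '"><script>alert(document.cookie)</script>'


def is_reflected_unescaped(template: str, probe: str = PAYLOAD) -> bool:
    """True if rendering the template with the probe as `query` leaves the script tag intact."""
    return "<script>" in render(template, {"query": probe})


if __name__ == "__main__":
    print("before:", find_raw_query(TEMPLATES))
    for name, src in TEMPLATES.items():
        print(f"  {name}: reflected unescaped = {is_reflected_unescaped(src)}")
    fixed = patch_raw_query(TEMPLATES)
    print("after:", find_raw_query(fixed))
    print("  rendered:", render(fixed["search_results"], {"query": PAYLOAD}))
```

On a real vB4 install the templates live in the database and are edited per style through the AdminCP template search, so the replacement has to be made (and the template saved, which recompiles it) in every style that carries its own customized copy, not just the parent. Note that the escaped form also neutralizes quotes, which is what matters when the reflected value sits inside an attribute rather than in element text.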

                • setishock
                  Senior Member
                  • Jun 2005
                  • 1334
                  • 4.2.x

                  #9
                  Back up your databases and current files and folders. If you get smacked you can overwrite the affected files with your backups. It's a good idea to do that anyway.
                  Hopefully they get a patch out soon.
                  ...


                  • Gumble
                    Senior Member
                    • Sep 2008
                    • 352
                    • 4.0.0

                    #10
                    Originally posted by Paul M
                    Quick [temp] fix ;

                    Search the templates for {vb:raw query} replace with {vb:var query}

                    There are about 10 of them.
                    Thanks, Paul.


                    • CThiessen
                      Member
                      • May 2007
                      • 51
                      • 4.1.x

                      #11
                      Hi,
                      Could something similar have any effect on vB 3.8.x, or is that specific to vB4?

                      Greetings
                      Christian
                      My Sites in German: Brasilien with Brasilien Forum


                      • sd2310
                        Member
                        • Oct 2008
                        • 94
                        • 4.1.x

                        #12
                        Originally posted by CThiessen
                        Hi,
                        Could something similar have any effect on vB 3.8.x, or is that specific to vB4?

                        Greetings
                        Christian
                        Specific to vB4.


                        • sd2310
                          Member
                          • Oct 2008
                          • 94
                          • 4.1.x

                          #13
                          Originally posted by Paul M
                          Quick [temp] fix ;

                          Search the templates for {vb:raw query} replace with {vb:var query}

                          There are about 10 of them.
                          Thanks


                          • lim (x³-7x²) = ∞
                            Senior Member
                            • Apr 2008
                            • 634
                            • 3.0.0 Gamma

                            #14
                            date [2010-03-19]
                            Why does it take them so long to react? 2 days and still not fixed.

                            The previous XSS was fixed after more than 1 week (first report 2010-02-15, second report 2010-02-20, fixed on 2010-02-23).


                            • sd2310
                              Member
                              • Oct 2008
                              • 94
                              • 4.1.x

                              #15
                              Originally posted by lim (x³-7x²) = ∞
                              Why does it take them so long to react? 2 days and still not fixed.
                              Maybe because:
                              Originally posted by icarusforde
                              Because it's not just a few lines of code to edit.
