vB.Org System
03-21-2010, 05:20 PM
Regarding this reported exploit: http://inj3ct0r.com/exploits/9697
An official patch is forthcoming. Meanwhile I have attached a patched type.php file to this message. Unzip that file and upload it, replacing the existing ../vb/search/type.php file.
Note: This is for those running 4.0.2 PL1 only.
If for some reason you want to apply this patch yourself, find the following file:
../vb/search/type.php
In that type.php file, find this near the bottom of the file:
'query' => TYPE_STR,
Replace that with this:
'query' => TYPE_NOHTML,
Please note that if you have already applied Paul M's patch here (http://www.vbulletin.com/forum/showthread.php?346294-new-XSS-vulnerability-4.0.2-PL-1-we-are-affected&p=1949475&viewfull=1#post1949475), then you do not have to apply this patch.
Attached Files
type..zip (http://www.vbulletin.com/forum/attachment.php?attachmentid=43968&d=1269195339) (5.2 KB)
More... (http://www.vbulletin.com/forum/showthread.php?346345-Reported-4.0.2-PL1-XSS-Vunerability&goto=newpost)
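What the one-line change from TYPE_STR to TYPE_NOHTML does to a reflected search term, as an added example that is not part of the original post and is not vBulletin's code. It assumes that TYPE_NOHTML HTML-escapes the cleaned string while TYPE_STR only trims it; the MODEL_* constants, model_clean(), render_search_box() and the request value are hypothetical stand-ins constructed for the illustration.

```php
<?php
// Simplified model of an input cleaner with two string types.
// Stand-ins written for this example; not vBulletin's implementation.
const MODEL_TYPE_STR    = 'str';    // trimmed string, markup left intact
const MODEL_TYPE_NOHTML = 'nohtml'; // trimmed string, HTML metacharacters escaped

function model_clean(array $input, array $spec): array
{
    $out = [];
    foreach ($spec as $name => $type) {
        // Non-scalar input (e.g. query[]=x) is treated as empty.
        $value = (isset($input[$name]) && is_scalar($input[$name]))
            ? trim((string) $input[$name])
            : '';
        if ($type === MODEL_TYPE_NOHTML) {
            // Escape <, >, &, and both quote styles so the value is inert in HTML.
            $value = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        }
        $out[$name] = $value;
    }
    return $out;
}

// Hypothetical template that echoes the search term back into the page
// without escaping it again at output time.
function render_search_box(string $query): string
{
    return '<input type="text" name="query" value="' . $query . '" />';
}

// Constructed request: a search term containing harmless markup.
$request = ['query' => '"><b>injected markup</b>'];

$before = model_clean($request, ['query' => MODEL_TYPE_STR]);
$after  = model_clean($request, ['query' => MODEL_TYPE_NOHTML]);

// With the string type, the term closes the attribute and adds a <b> element.
echo 'TYPE_STR:    ', render_search_box($before['query']), PHP_EOL;
// With the no-HTML type, the same term stays inside the value attribute as text.
echo 'TYPE_NOHTML: ', render_search_box($after['query']), PHP_EOL;

// Check: no raw markup or quote characters survive the no-HTML cleaning.
$inert = strpbrk($after['query'], '<>"\'') === false;
echo 'markup characters neutralised: ', var_export($inert, true), PHP_EOL;
```

Because the escaping happens when the input is cleaned, any template that escapes the same value again at output will display doubled entities such as `&amp;lt;`, so check how the search pages render after applying the change.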