PDA

View Full Version : Reported 4.0.2 PL1 XSS Vunerability


vB.Org System
03-21-2010, 05:20 PM
Regarding this reported exploit: http://inj3ct0r.com/exploits/9697

An official patch is forthcoming. Meanwhile I have attached a patched type.php file to this message. Unzip that file and upload it, replacing the existing ../vb/search/type.php file

Note: This is for those running 4.0.2 PL1 only.

If for some reason you want to apply this patch yourself, find the following file:

../vb/search/type.php

In that type.php file, find this near the bottom of the file:

'query' => TYPE_STR,

Replace that with this:

'query' => TYPE_NOHTML,

Please note that if you have already applied Paul M's path here (http://www.vbulletin.com/forum/showthread.php?346294-new-XSS-vulnerability-4.0.2-PL-1-we-are-affected&p=1949475&viewfull=1#post1949475), then you do not have to apply this patch.
Attached Files
https://vborg.vbsupport.ru/ type..zip‎ (http://www.vbulletin.com/forum/attachment.php?attachmentid=43968&d=1269195339) (5.2 KB)


More... (http://www.vbulletin.com/forum/showthread.php?346345-Reported-4.0.2-PL1-XSS-Vunerability&goto=newpost)