Fix To Get Back Multiple Uploads After Flash Uploader Exploit


bzcomputers
01-11-2014, 03:45 AM
For those who do not know, vBulletin announced last week that there was a security issue with "uploader.swf". This file is an integral part of the Yahoo User Interface (YUI) 2 Library included with all versions of vB 4, and affects the functionality of uploads. At this time Yahoo says they no longer support this version since it is end-of-life and they have no intentions of fixing it.

You can read the specific details here:
http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4014388-yui-security-issue-found-in-uploader-swf

vB's current solution is to remove the "uploader.swf" file and replace it with a blank file of the same name. The problem with this is that it will break your site's ability to do multiple uploads at once. For many sites not having the ability to upload multiple files at once is a major problem, and at the least it's not very convenient for any site.

Earlier today a quick fix to get multiple file uploading abilities back was posted over at vb.com and I thought it should be reposted here.

This was originally posted by user FrankBanz at vb.com and all credit should go to him.

You will find the Setting Options mentioned below in the AdminCP under Options - Message Attachment Options.


Originally posted by FranzBanz

A quick workaround I've implemented for our forums is to increase the number of `Attachment Upload Inputs` (Options -> Message Attachment Options) to the number of files you want to allow uploading concurrently, and then adding a `multiple` attribute for the file input elements:

In the `assetmanager` template, find
HTML Code:
<input id="firstuploadinput" type="file" class="bginput uploadinput" name="attachment[]" size="30" tabindex="1" />
and replace it by
HTML Code:
<input id="firstuploadinput" type="file" class="bginput uploadinput" name="attachment[]" size="30" tabindex="1" multiple />

In the `editor_upload_overlay` template, find
HTML Code:
<input id="fileupload1" class="textbox" type="file" size="30" name="attachment[]" tabindex="1" />
and replace it by
HTML Code:
<input id="fileupload1" class="textbox" type="file" size="30" name="attachment[]" tabindex="1" multiple />

This will allow users with modern (HTML5 compliant) browsers to select multiple files for uploading by using the usual file picker dialog of their operating system (holding the ctrl/shift keys to select multiple files). No code changes or plugins are required for this to work, since vBulletin is ready to process multiple uploads at once. If a user selects more files than the limit you specified in the option named above, extra uploads will fail.

Remember that this is not well tested yet, so it should be considered experimental.

It only takes about 30 seconds to implement this solution and it gives your site the ability back for multiple uploads at once. I have been using this solution without issue to this point; keep in mind it has only been a few hours though.
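
A check an administrator could run after applying the interim mitigation described in the post above (an added example, not part of the original thread or of vBulletin's code): it lists every `uploader.swf` under a web root and flags any copy that still carries a Flash signature. It assumes "blank" means a zero-byte file, which the thread does not define; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a web root for leftover YUI 2 uploader.swf files.
# Assumption: a "blank" replacement is a zero-byte file.

# Classify one file: BLANK (0 bytes), FLASH (SWF signature) or OTHER.
classify_swf() {
    if [ ! -s "$1" ]; then
        echo BLANK
        return 0
    fi
    # SWF movies begin with FWS (uncompressed), CWS (zlib) or ZWS (LZMA).
    _magic=$(dd if="$1" bs=3 count=1 2>/dev/null | tr -d '\0')
    case $_magic in
        FWS|CWS|ZWS) echo FLASH ;;
        *)           echo OTHER ;;
    esac
}

# Walk the directory in $1 and print "STATUS<TAB>path" for every
# uploader.swf, matching the name case-insensitively so renamed-case
# copies are not missed. Returns 1 if any copy is still a Flash movie.
# Limitation: paths containing newlines are not handled.
audit_uploader_swf() {
    _rc=0
    _list=$(find "$1" -type f -iname 'uploader.swf' | sort)
    while IFS= read -r _f; do
        [ -n "$_f" ] || continue
        _status=$(classify_swf "$_f")
        printf '%s\t%s\n' "$_status" "$_f"
        if [ "$_status" = FLASH ]; then
            _rc=1
        fi
    done <<EOF
$_list
EOF
    return $_rc
}

# Usage: sh audit.sh /path/to/forum/root
if [ $# -ge 1 ]; then
    audit_uploader_swf "$1"
fi
```

An `OTHER` result means the file is non-empty but not a Flash movie, which is worth a manual look since it is neither the original nor an empty replacement.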

ozzy47
01-11-2014, 03:48 AM
Will be interesting to see if that works. Thanks for finding that and posting it here. :)

djbaxter
01-12-2014, 08:38 PM
It does work.

Implemented as a product by BOP5 at Asset Manager / Image Upload Fix to upload multiple files like the Flash uploader (https://vborg.vbsupport.ru/showthread.php?threadid=306915)