Integration with vBulletin - Flashchat Integration for vB 3.6 (https://vborg.vbsupport.ru/showthread.php?t=120926)

TranceCan 09-03-2006 06:24 PM

What is the proper procedure for upgrading from 3.03 to 3.04?

Smitty 09-03-2006 07:49 PM

Quote:

Originally Posted by PamelaE
Ok, apologies. I'm only going by the discussion on Tufat where they claim not to know what's causing the hole and looking for access logs to fix it.

They've acknowledged it and the cause is known as a specific file that 99.9% of the users don't need and can delete.

Paul M 09-03-2006 08:05 PM

Quote:

Originally Posted by TranceCan
What is the proper procedure for upgrading from 3.03 to 3.04?

Import the product and replace the CMS file.

tobybird 09-03-2006 08:24 PM

A breeze to install. Thanks so much!

jw00dy 09-03-2006 11:18 PM

For those that haven't checked, they have released 4.6.2 to fix the problem.

There are some changes he made to the vbulletin360.php file to note at the very top.

Is there anything we should do with the one we obtained from here? Or should we just use his?

Paul M 09-04-2006 12:38 AM

Technically you don't need to do anything, he mass updated the CMS files even though only one was affected, I have however added the little snippet of code to all the vb CMS file releases so that it will be included in any future updates (hence why this was updated to 3.04 today).

MaLTRaiN 09-04-2006 12:51 AM

You all should read this:

http://www.vbulletin.com/forum/showthread.php?t=198902

Very serious problem with flashchat...

Mark.B 09-04-2006 02:11 AM

Quote:

Originally Posted by MaLTRaiN
You all should read this:

http://www.vbulletin.com/forum/showthread.php?t=198902

Very serious problem with flashchat...

Yes, that's what the last few posts are talking about.

An updated version of Flashchat has been released which cures this.

trilOByte 09-04-2006 11:25 AM

Quote:

Originally Posted by Paul M
Excuse me ? - you might want to word that a little better - There are no holes in this modification, the recent hole in Flashchat itself is due to a CMS file for another system, and the offending file can simply be deleted.

Sorry, but that's a bit like saying "the operation was a complete success, unfortunately the patient died".

I get regular script updates from tufat, I just checked my emails and the last was on 20 August. I have read that a securityfocus exploit was published for this on June 16. I had no notification of this issue. I know that it's "not the fault of this mod" directly, but if I hadn't had it installed, I wouldn't have spent 4 hours last night going through my site trying to repair the damage done by some little idiot who exploited this.

I think I'll wait a good while before re-installing flashchat.

soletrader 09-04-2006 12:28 PM

I installed flash chat, edited the php files and uploaded the product. But I get no changes. Is there an option in the admincp?

Or is this automatic? What am I missing here?

Paul M 09-04-2006 01:49 PM

Quote:

Originally Posted by trilOByte
Sorry, but that's a bit like saying "the operation was a complete success, unfortunately the patient died".

Um .... :confused:

Quote:

Originally Posted by trilOByte
I have read that a securityfocus exploit was published for this on June 16. I had no notification of this issue.

The supposed exploit posted on June 16th refers to a file that doesn't exist in the Tufat version of Flashchat, afaik, it actually belonged to another chat product, also called flashchat (it's not a unique name). :cool:

Quote:

Originally Posted by trilOByte
I know that it's "not the fault of this mod" directly, but if I hadn't had it installed, I wouldn't have spent 4 hours last night going through my site trying to repair the damage done by some little idiot who exploited this.

It's not the fault of this mod at all, please get that fact very clear. It was the fault of Flashchat itself, installing this made no difference. I'm sorry you spent 4 hours cleaning up your damage, but I don't really appreciate you trying to take out your frustration on me, or my integration mod(s). :alien:

Quote:

Originally Posted by trilOByte
I think I'll wait a good while before re-installing flashchat.

That's your choice, and makes no difference to me :)

I do wonder if you will uninstall vbulletin next time a security hole is found in it ;)

trilOByte 09-04-2006 06:56 PM

Quote:

Originally Posted by Paul M

It's not the fault of this mod at all, please get that fact very clear. It was the fault of Flashchat itself, installing this made no difference. I'm sorry you spent 4 hours cleaning up your damage, but I don't really appreciate you trying to take out your frustration on me, or my integration mod(s). :alien:

I'm not looking for someone to blame.

..and yes, if vBulletin was so insecure that something like this happened, I would indeed review my choice of forum software. That has never happened though, partly due to the extremely vigilant and speedy security alerts which drop into my mailbox from time to time.

BTW, just FYI - the hackers came again tonight, it would seem that they have left something on the server, some shell script or something, which still gives them access even after flashchat has been completely removed. My host is trying to figure out what/where.

Smitty 09-04-2006 07:17 PM

Quote:

Originally Posted by trilOByte
this mod was used as the way in.

It was NOT the integration mod. It was a Flashchat CMS for aedating which, if you understood what a CMS is, was not necessary for vBulletin integration. Had you understood the Flashchat install, and how Flashchat worked, you would not have left the CMSs for all the other programs there to begin with. If you read the install notes with Flashchat (and here I think), it was specific that only the vBulletin CMS was needed. I deleted the other CMSes after the install as 'foreign' files not needed for Flashchat to run and, of course, I didn't get hacked.

If you don't understand what files you're installing, you should get someone who does to install the program you want installed for you.

trilOByte 09-04-2006 09:36 PM

Quote:

Originally Posted by Smitty
It was NOT the integration mod. It was a Flashchat CMS for aedating which, if you understood what a CMS is, was not necessary for vBulletin integration. Had you understood the Flashchat install, and how Flashchat worked, you would not have left the CMSs for all the other programs there to begin with. If you read the install notes with Flashchat (and here I think), it was specific that only the vBulletin CMS was needed. I deleted the other CMSes after the install as 'foreign' files not needed for Flashchat to run and, of course, I didn't get hacked.

If you don't understand what files you're installing, you should get someone who does to install the program you want installed for you.

Oh, yeah sorry, that's right it's my fault. Silly me. :rolleyes:

Paul M 09-05-2006 01:59 AM

@trilOByte, I have edited the inaccuracy from your previous post, despite it being made clear that this mod in no way contributed, your post inferred it was.

@everyone, I'm not prepared to allow this to flare up into a series of personal arguments, everyone please move on, any further off topic/argumentative posts are liable to be removed. Thanks.

trilOByte 09-05-2006 09:23 AM

Quote:

Originally Posted by Paul M
@trilOByte, I have edited the inaccuracy from your previous post, despite it being made clear that this mod in no way contributed, your post inferred it was.

Paul, I think you misunderstand me. Your mod has been excellent for my site, it has worked well and I can see no flaws in it. I do totally understand that your mod and tufat's script are two different things.

That's not my point.

From my point of view, they come as a package. Like many others, I installed tufat's script because of your excellent mod but your mod does need tufat's script to work. I'm not blaming anyone and I'm not looking for someone to moan at. But the fact remains that the package on offer here (your totally blameless mod + tufat's flawed script), had or has a stinking great security hole in it.

Now I'm not sure if simply removing one file from the CMS's is going to plug the hole - I hope it does. But having spent the last 2 days running round chasing hackers off my server, I'm not inclined to place too much faith in that.

I hope the newer package from tufat is secure. If it proves to be in time, I will probably put your excellent mod back on my site, but for now, it (tufat's script) constitutes too much of a risk. There are mixed messages on the forums. I've read in one thread that the kiddies were logged running a search for other files in the tufat installation. I don't know why, or if they are vulnerable, but the possibility that they might be, seems to exist.

trilOByte 09-05-2006 09:32 AM

Let me put it another way.

Can you guarantee that tufat's script is now secure?

If not, is it prudent to endorse its use?

Smitty 09-05-2006 09:59 AM

Quote:

Originally Posted by trilOByte
if simply removing one file from the CMS's is going to plug the hole

There are a couple of aedating files to remove to be sure, not just one file:

aedating4CMS.php
aedatingCMS2.php
aedatingCMS.php

And you may as well remove all the other cms files (they are unnecessary) except the vBulletin cms for your vBulletin version.

The hole was plugged in 4.6.2.

trilOByte 09-05-2006 10:45 AM

Quote:

Originally Posted by Smitty
There are a couple of aedating files to remove to be sure, not just one file:

aedating4CMS.php
aedatingCMS2.php
aedatingCMS.php

And you may as well remove all the other cms files (they are unnecessary) except the vBulletin cms for your vBulletin version.

The hole was plugged in 4.6.2.

Look here...

http://www.zone-h.org/component/opti...berLord/page,2

Smitty 09-05-2006 10:59 AM

And here: http://forum.tufat.com/showthread.php?t=24428

MThornback 09-05-2006 01:31 PM

Paul,

Can you think of a reason why flashchat wouldn't let me log in to any area (admin or chat) itself after I log out and try to log back in? I logged out yesterday, and now all I get is a white screen on the flashchat on misc.php and trying to use the flashchat file in the /chat/ folder.

Paul M 09-05-2006 02:40 PM

Quote:

Originally Posted by trilOByte
Can you guarantee that tufat's script is now secure?

Of course I can't, any more than I could guarantee any product is secure (inc vbulletin).

Quote:

Originally Posted by trilOByte
If not, is it prudent to endorse its use?

See above. Providing this (or any) mod is not endorsing anything, just providing extra for those who chose to use something.

Paul M 09-05-2006 02:42 PM

Quote:

Originally Posted by MThornback
Paul,

Can you think of a reason why flashchat wouldn't let me log in to any area (admin or chat) itself after I log out and try to log back in? I logged out yesterday, and now all I get is a white screen on the flashchat on misc.php and trying to use the flashchat file in the /chat/ folder.

That usually means an error is occurring. By default flashchat suppresses the displaying of php error messages (not very helpful, I disable that).

soletrader 09-05-2006 09:03 PM

No matter what I do I can not get flashchat to run inside my vbulletin. Can anyone please help? Thank you

Paul M 09-05-2006 09:59 PM

Quote:

Originally Posted by soletrader
No matter what I do I can not get flashchat to run inside my vbulletin. Can anyone please help? Thank you

From the main post ;
Quote:

Support: Please check any file edits carefully, and make sure you have uploaded any edited files to the correct location - the vast majority of problems reported are due to an error made in editing or uploading a file. If you are still stuck and want me to take a look then feel free to PM me your site address, an admin user, and ftp access details, without these I cannot help you. I will look when I have time.

Zombie-F 09-06-2006 12:17 AM

I've managed to change the "Flashchat on a vb page" link back to the "old" flashchat link in the Who's Chatting box, but I can't seem to find where to make the change to change it in the "Quick Links" in the navbar. My users don't seem to like it displayed in the vBulletin window, so I'd just like to eliminate all links to that. Where can I find where to change this link? I've searched my templates and my phrases to no avail.

Thank you for the great hack.

Paul M 09-06-2006 12:26 AM

It's code within the plugins (1 & 3).

popowich 09-06-2006 03:25 PM

Quote:

v3.04 : Security (anti-hacking) code added (as supplied by Darren).

Hello,

Was an e-mail sent to all members who clicked "installed" when this version was released?

Is that even possible for a project owner to do?

I am not bashing anyone involved with this specific project,
but I am becoming increasingly annoyed with the lack of notifications for product updates generally speaking at vbulletin.org.

I'm an open source person. I'm fine with the way free software and systems work.

Proper notifications as new versions and/or patches are made available, especially security releases, would be great.

-Raymond

Paul M 09-06-2006 07:13 PM

Notifications are only sent by me if it's necessary to upgrade, in this case it isn't.

popowich 09-06-2006 07:16 PM

Quote:

Originally Posted by Paul M
Notifications are only sent by me if it's necessary to upgrade, in this case it isn't.

OK, understood, thank you for the reply.

-Raymond

andreamarucci 09-07-2006 12:52 PM

Where can I see a demo of the FC VB integration?

MThornback 09-07-2006 12:55 PM

Quote:

Originally Posted by Paul M
That usually means an error is occurring. By default flashchat suppresses the displaying of php error messages (not very helpful, I disable that).


Save me some time and tell me which file to look in? :cross-eyed:

Paul M 09-07-2006 06:11 PM

The top of common.php

Metal-R-US 09-08-2006 10:26 AM

I find the URL showing up in WOL rather ugly looking so I edited the online_location_unknown hook to make it just say FlashChat. Perhaps an idea for a next update?

adwade 09-09-2006 04:10 AM

Quote:

Originally Posted by Smitty

In the thread referenced above, it mentions this file located in: /public_html/chat/getxml.php being a security risk. They go on to say "This is the 2nd file found from FlashChat to contain vulnerabilities.".

Yet I've not seen any discussion of it here, like the (un-needed) files in the CMS directory I just got rid of. So is it needed for Flashchat functionality, or can it be removed?

adwade 09-09-2006 04:43 AM

Quote:

Originally Posted by Paul M
at http://forum.tufat.com/showthread.php?t=24428&page=10

Another point to note, the hole in the aedating scripts could only be exploited if you had register_globals set to "on" in PHP - this is a security problem in itself, and anyone who can should turn that option off in their php.ini

For those of us not in the know about such things, where is the php.ini file you referred to?
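
An added example, not part of the original thread or of Flashchat: a shell audit for the two conditions discussed above, the aedating CMS files Smitty lists and the register_globals setting Paul M is quoted on. The CMS directory, the name of the CMS file to keep, and the php.ini path are assumptions passed in as arguments; only the three aedating file names come from the thread.

```shell
#!/bin/sh
# Added example: audit a Flashchat CMS directory and a php.ini file.
# Directory, keep-file name and php.ini path are caller-supplied assumptions.

AEDATING_FILES="aedating4CMS.php aedatingCMS2.php aedatingCMS.php"

# Print each aedating CMS file still present in directory $1.
leftover_aedating() {
    for f in $AEDATING_FILES; do
        [ -e "$1/$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Print every *.php file in directory $1 except the one CMS file to keep ($2).
unneeded_cms() {
    for p in "$1"/*.php; do
        [ -e "$p" ] || continue          # glob matched nothing
        b=${p##*/}
        [ "$b" = "$2" ] || printf '%s\n' "$b"
    done
}

# Print "on" or "off" for register_globals as set in php.ini file $1.
# Comment lines (;) are skipped, the last assignment wins, and a missing
# directive is reported as "off" (the PHP default since 4.2.0).
register_globals_state() {
    v=$(sed -n 's/^[[:space:]]*register_globals[[:space:]]*=[[:space:]]*"\{0,1\}\([A-Za-z0-9]*\).*/\1/p' "$1" \
        | tail -n 1 | tr 'A-Z' 'a-z')
    case "$v" in
        on|1|true|yes) echo on ;;
        *)             echo off ;;
    esac
}

# $1 = CMS directory, $2 = CMS file to keep, $3 = php.ini path.
# Returns 0 when no aedating file is left and register_globals is off, else 1.
# Other leftover CMS files are reported but do not fail the audit.
audit() {
    rc=0
    left=$(leftover_aedating "$1")
    [ -z "$left" ] || { echo "aedating CMS files present:" $left; rc=1; }
    extra=$(unneeded_cms "$1" "$2")
    [ -z "$extra" ] || echo "CMS files other than $2:" $extra
    [ "$(register_globals_state "$3")" = off ] || { echo "register_globals is on in $3"; rc=1; }
    return $rc
}
```

The check reads only the php.ini file it is given; a per-directory override such as an `.htaccess` `php_flag register_globals` line is not covered.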

Paul M 09-09-2006 05:06 AM

Quote:

Originally Posted by adwade
In the thread referenced above, it mentions this file located in: /public_html/chat/getxml.php being a security risk. They go on to say "This is the 2nd file found from FlashChat to contain vulnerabilities.".

Yet I've not seen any discussion of it here, like the (un-needed) files in the CMS directory I just got rid of. So is it needed for Flashchat functionality, or can it be removed?

There are no known vulnerabilities in getxml.php, if you delete it, Flashchat will cease to function.

Paul M 09-09-2006 05:09 AM

Quote:

Originally Posted by adwade
For those of us not in the know about such things, where is the php.ini file you referred to?

It's a system file, if you don't know where/what it is then you're probably best leaving it alone and getting help from someone who does, otherwise you may break your php.

BETIServices 09-09-2006 05:11 AM

It's been 3 days since my forum was hacked and now I have started from scratch after 3 weeks of setting up the site. I would advise giving Flashchat the boot, as I myself will not use it again. I had to pay a security company to secure the servers and network, and a backup system is on the way...

What a way to learn ...

Paul M 09-09-2006 07:52 AM

Sorry but this is not the place to comment on Flashchat, they have their own forums for that.


All times are GMT. The time now is 01:34 PM.
