vb.org Archive

Thread: vB 3.0.8 released! (https://vborg.vbsupport.ru/showthread.php?t=93098)

Erwin 07-28-2005 10:21 PM

vB 3.0.8 released!
 
Read here:
http://www.vbulletin.com/forum/showthread.php?t=148584

Main changes:

1. MySQL 4.1 Support added.

2. XSS Flaws in faq.php, private.php, and several templates fixed.

To manually patch your vB 3.0.7 to fix the file security issues addressed in 3.0.8:

In private.php, find:

PHP Code:

// PREVIEW THE MESSAGE, AND FALL BACK TO 'NEWPM'
if (isset($pm['preview']))
{
    define('PMPREVIEW', 1);
    $foruminfo = array('forumid' => 'privatemessage');
    $preview = process_post_preview($pm);
    $_REQUEST['do'] = 'newpm';
}

REPLACE with:

PHP Code:

// PREVIEW THE MESSAGE, AND FALL BACK TO 'NEWPM'
if (isset($pm['preview']))
{
    // escape the title for the preview only, then restore the raw value
    $temp = $pm['title'];
    $pm['title'] = htmlspecialchars_uni(fetch_censored_text($pm['title']));
    define('PMPREVIEW', 1);
    $foruminfo = array('forumid' => 'privatemessage');
    $preview = process_post_preview($pm);
    $_REQUEST['do'] = 'newpm';
    $pm['title'] = $temp;
}

And in faq.php, find:

PHP Code:

// construct navbits

ABOVE, add:

PHP Code:

$q = htmlspecialchars_uni($q);

Done!

Then to fix the template IE XSS problem, in all your templates where you see:

HTML Code:

<title>

Move that so that it is BELOW:

HTML Code:

$headinclude

Done fixing the potential security issues.

Corriewf 07-28-2005 11:34 PM

Nice to see a new version on the 3.0.x series.

Marco van Herwaarden 07-29-2005 03:38 AM

Hmm didn't 2.x have the same issues with MySQL?

Erwin 07-29-2005 12:30 PM

Bump - added to the first post the security file and template changes needed. ;)

yoyoyoyo 07-29-2005 12:39 PM

Quote:

Originally Posted by Erwin
Done fixing the potential security issues.

THANKS MUCH!

where's the install button? :D

Quote:

Originally Posted by erwin
Then to fix the template IE XSS problem, in all your templates where you see:

HTML Code:

<title>

Move that so that it is BELOW:

HTML Code:

$headinclude

Is there a quick way to do this, such as a "replace all" that is safe to do or do I have to search through all of the templates?

Marco van Herwaarden 07-29-2005 12:59 PM

Maybe with a SQL-Replace directly in the database.

Andreas 07-29-2005 01:03 PM

I love vB search :)
http://www.vbulletin.com/forum/showthread.php?t=143320

As mySQL also supports regex, it might also be possible to do this directly in the DB.
But mySQL Regex is not PCRE compatible, eg. different Syntax.
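One way to do the `<title>` move as a single safe pass rather than hand-editing every template, as an added example that is not part of this thread or of vBulletin's own code: a small Python script that works on exported template text (the sample template is constructed; fetching the templates from the database and writing them back is left to you). It only changes templates where `<title>` currently sits above `$headinclude` and refuses unusual layouts instead of guessing.

```python
# Constructed sample of a vB 3.0.x-style template header in the order that
# 3.0.8 tells you to reverse: <title> sits above $headinclude.
SAMPLE_TEMPLATE = (
    "<html>\n"
    "<head>\n"
    "<title>$vboptions[bbtitle] - $threadinfo[title]</title>\n"
    "$headinclude\n"
    "</head>\n"
)

def needs_fix(template: str) -> bool:
    """True when a <title> element appears before the $headinclude variable."""
    t = template.lower().find("<title>")
    h = template.find("$headinclude")
    return t != -1 and h != -1 and t < h

def move_title_below_headinclude(template: str) -> str:
    """Return the template with its <title> line placed right after the
    $headinclude line. Templates that do not need the change come back
    untouched, so this is safe to run over every template in a style."""
    if not needs_fix(template):
        return template
    lines = template.splitlines(keepends=True)
    title_idx = next(i for i, l in enumerate(lines) if "<title>" in l.lower())
    line = lines[title_idx]
    if "</title>" not in line.lower() or "$headinclude" in line:
        # A <title> spanning several lines, or sharing a line with
        # $headinclude, is unusual in vB templates: refuse rather than guess
        # so the admin fixes that one template by hand.
        raise ValueError("unusual <title> layout: edit this template manually")
    head_idx = next(i for i, l in enumerate(lines) if "$headinclude" in l)
    title_line = lines.pop(title_idx)
    head_idx -= 1  # the pop shifted the $headinclude line up by one
    if not lines[head_idx].endswith("\n"):
        lines[head_idx] += "\n"
    if not title_line.endswith("\n"):
        title_line += "\n"
    lines.insert(head_idx + 1, title_line)
    return "".join(lines)

def patch_templates(templates: dict) -> dict:
    """Apply the move to a {name: template_text} mapping (for example one
    style's templates exported from the database) and return only the
    changed ones, so you can review the diff before writing anything back."""
    changed = {}
    for name, text in templates.items():
        fixed = move_title_below_headinclude(text)
        if fixed != text:
            changed[name] = fixed
    return changed
```

Review the returned mapping before writing it back, and keep a style export as a backup so the change can be reverted.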

Brinnie 07-29-2005 01:45 PM

So it's just a security release?

Brad 07-29-2005 02:02 PM

Quote:

Originally Posted by Brinnie
So it's just a security release?

Yes, bug fixes only :)

Brinnie 07-29-2005 08:01 PM

Quote:

Originally Posted by Brad
Yes, bug fixes only :)

Well that's kinda boring. :-\

derekivey 07-29-2005 08:02 PM

Won't be boring if someone hacks your board!

Blootix 07-29-2005 11:02 PM

Heh. Too lazy to upgrade. I'll patch it until 3.5 goes stable.

Dark Riku 07-30-2005 04:34 AM

Is this all the fixes? If so, how do you make the message in the AdminCP go away?

derekivey 07-30-2005 02:34 PM

Did you run the upgrade script?

jeanne 07-31-2005 12:12 PM

I upgraded but lost my homepage

I am using VBA CMPS and I have lost my homepage...How do I reconnect? I have a white screen where it used to be! help!

Brad 07-31-2005 12:57 PM

Quote:

Originally Posted by jeanne
I upgraded but lost my homepage

I am using VBA CMPS and I have lost my homepage...How do I reconnect? I have a white screen where it used to be! help!

You should try asking for help in the hack's thread :)

jeanne 07-31-2005 01:04 PM

crap..didn't realize it was a hack. Since they set it up for me...grrr...thanks!

derekivey 07-31-2005 01:34 PM

Did you redo all of the file edits for it?

jeanne 07-31-2005 01:37 PM

I had it installed through vbulletin originally...they did it for me. what are the file edits? is there a reference to walk me through it? thanks!

sabret00the 07-31-2005 08:40 PM

Quote:

Originally Posted by jeanne
I upgraded but lost my homepage

I am using VBA CMPS and I have lost my homepage...How do I reconnect? I have a white screen where it used to be! help!

sounds like you just need to reinstall the templates

jeanne 07-31-2005 09:36 PM

that was mentioned on vb.com as well. any directions out there to tell me how? thanks..

James T Brock 08-03-2005 12:04 AM

Go to http://vbadvanced.com and ask your question.

They have a new version of the CMPS for you to download, but you probably need the file edits associated with the older version.

