vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   News and Announcements (https://vborg.vbsupport.ru/forumdisplay.php?f=2)
-   -   Potential XSS in vBulletin 3.0.7 and older (https://vborg.vbsupport.ru/showthread.php?t=78464)

Erwin 03-20-2005 08:46 PM
Potential XSS in vBulletin 3.0.7 and older
 
Posted at vBulletin.com by Kier:
http://www.vbulletin.com/forum/showthread.php?t=133459

--------------------------------------------------------------------------

It has come to our attention that an XSS issue exists within vBulletin 3 in versions up to and including 3.0.7.

However, the circumstances that allow this XSS issue to be exploited are rare so the vast majority of installations will be unaffected.

Your installation is vulnerable if
  • You do not Allow Search Wild Cards or
  • You have a very large Search Index Minimum Word Length value (more than ten characters)
If these conditions apply to your board, you can easily secure your installation against XSS exploitation by turning on search wild cards and setting a smaller (6 or less) value for Search Index Minimum Word Length.

Both of these settings can be found in vBulletin Options > Message Searching Options (Default Search)

If you are unable to change these settings, you can simply overwrite the existing includes/functions_search.php file with the one attached to this thread. If neither of these conditions applies to you, there is no need to download this file at all.
Attached Fileshttps://vborg.vbsupport.ru/external/2005/03/2.giffunctions_search.php (21.9 KB, 177

Delphiprogrammi 03-21-2005 08:39 AM
hi,

patch downloaded & my vbulletin installation patched thanks jelsoft ...

msimplay 03-21-2005 10:39 AM
what about installations that have the full text searching hack installed ?


All times are GMT. The time now is 06:33 PM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01439 seconds
  • Memory Usage 1,712KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (3)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete