The Arcive of Official vBulletin Modifications Site.It is not a VB3 engine, just a parsed copy! |
|
|
#1
|
||||
|
||||
URGENT: private.php XSS risk in ALL vB3 including 3.0.5 (up to Revision: 1.262.2.2)
vBulletin.com announcement here:
http://www.vbulletin.com/forum/showt...983#post792983 THIS HAS NOTHING TO DO WITH THE RECENT 3.0.4 and 3.0.5 releases - this is a security hole that has been present in ALL vBulletin 3 releases, and has only just been discovered. Yes, unusually, 2 security loopholes found out in the same week that has been present the whole time in all vBulletin 3. The announcement is this one: ------------------------------------------------------------------------- An XSS issue has been discovered in 3.0.X in private.php; it affects all versions of vBulletin 3. While this issue is not nearly as serious as the issue that prompted the 3.0.5 release, we strongly recommend you patch your installation(s). At the end of this post, you'll find a patched file and what to change if you wish to manually update your file. As of this update, the download in the members' area has been patched. If you have downloaded 3.0.5 before this time, please redownload or use the provided private.php. I just want to reiterate that it is not our intention to force you to have to update constantly. Once a security issue is reported--no matter the severity--we strive to release quick fixes; the same day the issue is discovered, regardless of whether it's a holiday or just any other day of the year, if possible. It just happened that there were several reports in the past week. We aim to have impeccable security, but sometimes things are missed by internal audits. Thank you for understanding. Do you have the patch already? Technically, the members' area was patched before this post. If you don't want to use the provided private.php or see if you need to add the line provided below, search for: CVS: $RCSfile: private.php,v $ - $Revision: 1.262.2.3 $ In your copy of private.php. If you find it, you have the patch already. Manual Patch Instructions In private.php, find the following: PHP Code:
ABOVE it, add the following: PHP Code:
|
Thread Tools | |
Display Modes | |
|
|
X vBulletin 3.8.12 by vBS Debug Information | |
---|---|
|
|
More Information | |
Template Usage:
Phrase Groups Available:
|
Included Files:
Hooks Called:
|