Miscellaneous Hacks - Patched Flash Uploader to Fix Known Exploits

UPDATE Dec 2014: 4.2.2 PL2, 4.2.2 PL3 and 4.2.3 core download packages from vBulletin now include this patched version of uploader.swf as standard.

This is a patched version of YUI 2.9.0 uploader.swf as used by vBulletin 4.x for managing multiple file uploads.

An exploit was found in the flash uploader (uploader.swf) file supplied with vBulletin 4.x. This file is part of the Yahoo YUI 2 Library which is end of life and Yahoo have stated that they will not be fixing it. Yahoo recommends that the file is removed as the flash uploader has been deprecated.

vBulletin's recommended fix is to replace the file with an empty file of the same name. If you do this, however, and rely solely on the Ajax uploader you will not be able to select multiple files without further modifications.

This modification is a recompiled version of uploader.swf with the above exploit fixed. An additional potential exploit has also been fixed by disabling a parameter not used by vBulletin.

The YUI source used is provided freely by Yahoo to whom I give full credit.


1) Installation

a) Extract uploader.swf from the .zip file and replace your existing file here:

<forum_root>/clientscript/yui/uploader/assets/uploader.swf

b) Make sure the flash uploader is enabled in the Admin Control Panel

Options -> Message Attachment Options -> Asset Manager - Enable -> Select "Yes, Flash Upload by Default"

c) Make sure you are NOT using remote YUI

vBulletin Options -> Server Settings and Optimization Options

Use Remote YUI set to None

d) You may also need to clear your browser cache and/or vBulletin cache (Maintenance ->Clear system cache) if you have performed the above steps correctly but clicking the Upload button still does nothing.



2) Changes

11th January 2014

The parameter 'allowedDomain' has been sanitised with a REGEX to prevent malicious javascript being passed in a query string.


11th January 2014 v2

Many thanks to FranzBanz (http://www.vbulletin.com/forum/member/449383-franzbanz) for his suggestions

• finding another exploit (using another parameter). Exploit fixed by setting the parameter (not used by vBulletin) to null.
• '-' Character added to allowed characters in allowedDomain

Non-Flash Alternative
Please note that if you would rather avoid using flash altogether an alternative Mod has been released by BirdOPrey5, although there are some compromises/limitations with IE10+.

Asset Manager / Image Upload Fix to upload multiple files like the Flash uploader


DISCLAIMER
I am not a flash developer, I am just another vBulletin customer trying to keep his members happy!
This file is provided free of charge for the benefit of the vBulletin community. You use it at your own risk!


Copyright ? 2013 Yahoo! Inc. All rights reserved.
Redistribution and use of this software in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

Neither the name of Yahoo! Inc. nor the names of YUI's contributors may be used to endorse or promote products derived from this software without specific prior written permission of Yahoo! Inc.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

[tpearl5]

Quote:

Originally Posted by Reef Man

It does not wolve the problem. I have 4.2.2

You're right, it sounds nothing like an organ. But this patch does solve the problem of the flash uploader not working.

[Jennifer2010]

On 4.2.2 PL1, I get this error:

404 [IOErrorEvent type="ioError" bubbles=false cancelable=false eventPhase=2 text="Error #2038"]

It happens every time an image is uploaded, regardless of image size, format, dimensions or file name. After selecting the image to upload and then clicking upload, the progress bar completed and then the red arrow appears next to the file which when hovered, shows that error.

We don't have security software installed on the server and the max fliesize limit within VB and in php/mysql is over 100MB (vb's restriction is 1MB per file but we've tried as low as 10kb and it reports the error shown above).

Any help is appreciated.

[ForceHSS]

Quote:

Originally Posted by Jennifer2010

On 4.2.2 PL1, I get this error:

404 [IOErrorEvent type="ioError" bubbles=false cancelable=false eventPhase=2 text="Error #2038"]

It happens every time an image is uploaded, regardless of image size, format, dimensions or file name. After selecting the image to upload and then clicking upload, the progress bar completed and then the red arrow appears next to the file which when hovered, shows that error.

We don't have security software installed on the server and the max fliesize limit within VB and in php/mysql is over 100MB (vb's restriction is 1MB per file but we've tried as low as 10kb and it reports the error shown above).

Any help is appreciated.

http://www.vbulletin.com/forum/forum...t-upload-photo

[Jennifer2010]

Quote:

Originally Posted by ForceHSS

http://www.vbulletin.com/forum/forum...t-upload-photo

Doesn't help. Blames it on server settings, which is why I mentioned in my comment that we don't have security software installed and our php settings aren't restricting anything.

Are we supposed to have anything for custom YUI path? Currently it's set to "none" (no Google/Yahoo library) and the path is blank beneath that.

[Zachery]

So, to deconstruct the error:

404 [IOErrorEvent type="ioError" bubbles=false cancelable=false eventPhase=2 text="Error #2038"]
This is the status of the page returned, 404 after the uploaded completed.

This is the error flash returned, which says IO error. This is a super generic, Input/Ouput error thrown by flash. More or less the file wasn't there, when it was done uploading.

This is a server issue, and the problem is your server. Some security, or other server setting is blocking the flash uploader from working, period.

mod_security
suhosin
A module of selinux
Anti(malware/virus) scanners
reverse proxies
bad upload configuration
An internal server error may even be hiding the real error message.


If you disable the flash uploader, to use the ajax one instead, does it work? Yes/No
If you disable the asset manager for the legacy uploader, Does it work? Yes/No

Does the AdminCP > Maintenance > Diagnostics > Upload File test work? Yes/No

[Jennifer2010]

mod_security - Not installed
suhosin - Not installed (using suexec)
A module of selinux - Not installed
Anti(malware/virus) scanners - Not installed
reverse proxies - We're using NGINX?
bad upload configuration - Not sure what this correlates to.

If you disable the flash uploader, to use the ajax one instead, does it work? Yes/No
One image at a time works. Multiple files selected results in the images not being inserted into the post. (one image at a time does not work on flash uploader)

If you disable the asset manager for the legacy uploader, Does it work? Yes/No
One image at a time works. Multiple files selected results in the images not being inserted into the post.

For example, I upload two different images one at a time and it works. If I select both of them and try to insert them, they fail and neither are inserted.

Does the AdminCP > Maintenance > Diagnostics > Upload File test work? Yes/No
Yes

file_uploads: On
open_basedir: None
safe_mode: Off
upload_tmp_dir: /tmp
upload_max_filesize: 100.00 MB

No errors occurred while opening the uploaded file for reading.

What should my image storage directory permissions be?

Thank you

[Jennifer2010]

Problem resolved:
We have a custom "Upload Images" button that calls the same function as the insert image button does on the post editor. However, after we upgraded to 4.2.2 it must not be compatible. Thus, all we have to do now is find the new code and it should work (default vb style works perfect)

I can't remember where I found the old code:
<span class="cke_button">
<input type="button" style="height: 30px; width: 100px; font-size: 14px; margin-top: 15px;" a id="cke_38" class="cke_off cke_button_vbimage" onclick="CKEDITOR.tools.callFunction(77, this); return false;" onfocus="return CKEDITOR.tools.callFunction(76, event);" onkeydown="return CKEDITOR.tools.callFunction(75, event);" onblur="this.style.cssText = this.style.cssText;" aria-labelledby="cke_38_label" hidefocus="true" tabindex="-1" value="Upload Images">
</a>
</span>

Anyway it's not a server issue anymore, lol.

[camoit]

Worked for me V4.1.12
it's a shame VB won't fix the problem. I guess they want to sell new versions.

[Zachery]

Quote:

Originally Posted by camoit

Worked for me V4.1.12
it's a shame VB won't fix the problem. I guess they want to sell new versions.

So, you're just going to ignore what we've already commeted on?

We have other fixes, it just wont' be the flash uploader.

[MySaltyreef]

you sir are a legend ! working perfectly on 4.2.2