  #1  
02-14-2004, 02:01 AM
Erwin
Join Date: Jan 2002
Posts: 7,604
Urgent: XSS vulnerability in RC 2, 3 & 4 - fix available!

From this announcement today by Kier at vB.com:
http://www.vbulletin.com/forum/showthread.php?t=95284

An XSS vulnerability has been discovered in vBulletin 3 and posted to BugTraq.

vBulletin 3 versions RC2, RC3 and RC4 are affected. This has necessitated the release of an updated version of includes/init.php to patch the problem.

The members' area package has been updated with this file.

If you are already running vBulletin 3 RC4, simply upload the attached init.php file to the 'includes' folder in your forum directory, overwriting the existing one.

If you are running a previous version of vBulletin 3, we recommend that you upgrade to the version of RC4 available in the members' area as soon as possible.

vBulletin 2.3.4 and earlier are not affected. Sites running vBulletin 2 need take no action.


Link to vB.com attachment: init.php
  #2  
02-14-2004, 08:09 PM
Chroder
Join Date: Sep 2003
Location: Toronto, Ontario
Posts: 112

Does the vuln still affect me if I don't have the external data provider features enabled? Or is that a totally different thing?
  #3  
02-14-2004, 10:04 PM
Xenon
Join Date: Oct 2001
Location: Bavaria
Posts: 12,878

It's a totally different thing.

The external data provider is in the file external.php, but the security hole is in init.php.
  #4  
02-14-2004, 10:14 PM
Chroder
Join Date: Sep 2003
Location: Toronto, Ontario
Posts: 112

Can I still use the updated file if I'm using RC3? Or do I have to upgrade to RC4? I'm waiting for gold before I do all my template fixes. I don't want to do 'em twice.
  #5  
02-14-2004, 10:15 PM
Xenon
Join Date: Oct 2001
Location: Bavaria
Posts: 12,878

You just have to compare the files and apply the XSS changes.

That's what we did on vb.org.
  #6  
02-14-2004, 10:17 PM
Chroder
Join Date: Sep 2003
Location: Toronto, Ontario
Posts: 112

Quote:
Originally Posted by Xenon
you just have to compare the files and apply the xss changes.

That's what we did on vb.org
I just uploaded it over my RC3 init.php file and everything seems to be going smoothly. I'll compare them if something starts acting up.

Thanks
  #7  
02-15-2004, 01:15 AM
Chroder
Join Date: Sep 2003
Location: Toronto, Ontario
Posts: 112

Just a heads up that there's also a fix for search.php here
  #8  
02-23-2004, 06:26 AM
DCX
Join Date: Dec 2003
Posts: 29

Quote:
Originally Posted by Chroder
Just a heads up that there's also a fix for search.php here

Does this update just overwrite the forums/search.php file? I just wanna make sure before I overwrite something....
  #9  
02-23-2004, 12:31 PM
Tim Wheatley
Join Date: Nov 2001
Location: England
Posts: 489

Quote:
Originally Posted by DCX
Does this update just overwrite the forums/search.php file? I just wanna make sure before I overwrite something....
Yeah, just overwrite the init.php and search.php ones on your server with the ones made available. Note: any hacks installed within those files will need to have the code changes made again in those files.
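Xenon's advice in post #5 (compare the files and apply only the XSS changes) and Tim Wheatley's caveat in post #9 (hacks inside init.php or search.php have to be re-applied) describe a merge: work out what the vendor changed between the file you started from and the fixed file, carry those changes over to the copy that holds your own hacks, and redo things by hand wherever a hack touched the same lines. The script below is an added example written for this thread; it is not code from vBulletin or from anyone posting here. The three file contents are constructed stand-ins and say nothing about what the real init.php or the real fix contained. It recovers the vendor's change set with difflib, applies each hunk to the local copy only where the surrounding context still matches, reports a conflict otherwise, and ends with a hash comparison that confirms an unmodified install matches the vendor file.

```python
import difflib
import hashlib
from typing import List, Tuple

# Constructed stand-ins for three copies of includes/init.php. None of these
# lines come from vBulletin; they only model the situation in the thread:
# the shipped file, the vendor's fixed file, and local copies carrying hacks.
VENDOR_OLD = [
    "<?php",
    "// constructed example, not the real init.php",
    "$value = read_input();",
    "$count = 2;",
    "use_value($value);",
    "?>",
]
# Vendor's updated file: one line changed (placeholder for the fix, not the real one).
VENDOR_FIXED = VENDOR_OLD[:2] + ["$value = clean(read_input());"] + VENDOR_OLD[3:]
# Local copy with a hack hook inserted on an unrelated line (merges cleanly).
LOCAL_HACKED = VENDOR_OLD[:4] + ["my_hack_hook();"] + VENDOR_OLD[4:]
# Local copy whose hack rewrote the very line the vendor fix changes (conflict).
LOCAL_CONFLICT = VENDOR_OLD[:2] + ["$value = read_input(); // hack edited this"] + VENDOR_OLD[3:]

Hunk = Tuple[str, int, int, int, int]  # (tag, i1, i2, j1, j2) as difflib reports it


def vendor_hunks(old: List[str], new: List[str]) -> List[Hunk]:
    """Opcodes for the regions the vendor actually changed between old and new."""
    matcher = difflib.SequenceMatcher(None, old, new, autojunk=False)
    return [op for op in matcher.get_opcodes() if op[0] != "equal"]


def find_once(haystack: List[str], needle: List[str]) -> int:
    """Index of the unique occurrence of needle inside haystack, or -1 if absent/ambiguous."""
    n = len(needle)
    hits = [i for i in range(len(haystack) - n + 1) if haystack[i:i + n] == needle]
    return hits[0] if len(hits) == 1 else -1


def merge(old: List[str], new: List[str], local: List[str], context: int = 1):
    """Re-apply the old->new changes to local.

    Each hunk is located in local by its old lines plus `context` unchanged
    lines on either side. A hunk whose context is missing or appears more than
    once is reported as a conflict (0-based slice of the old file) and left
    untouched so it can be merged by hand, as post #9 warns.
    """
    merged = list(local)
    conflicts = []
    for tag, i1, i2, j1, j2 in reversed(vendor_hunks(old, new)):
        lo, hi = max(i1 - context, 0), min(i2 + context, len(old))
        anchor = old[lo:hi]                                   # what we expect to find locally
        replacement = old[lo:i1] + new[j1:j2] + old[i2:hi]    # same span with the fix applied
        pos = find_once(merged, anchor)
        if pos < 0:
            conflicts.append((tag, i1, i2))
            continue
        merged[pos:pos + len(anchor)] = replacement
    return merged, conflicts


def sha256_of(lines: List[str]) -> str:
    return hashlib.sha256("\n".join(lines).encode("utf-8")).hexdigest()


def matches_vendor(local: List[str], vendor_fixed: List[str]) -> bool:
    """True when the local copy is byte-for-byte the vendor's fixed file."""
    return sha256_of(local) == sha256_of(vendor_fixed)


if __name__ == "__main__":
    for label, local in (("hacked", LOCAL_HACKED), ("conflicting", LOCAL_CONFLICT)):
        merged, conflicts = merge(VENDOR_OLD, VENDOR_FIXED, local)
        print(f"{label}: conflicts={conflicts}")
        print("\n".join(merged))
        print("matches vendor file:", matches_vendor(merged, VENDOR_FIXED))
```

A conflict means a hack and the security fix overlap; that file needs the fix re-applied by hand, then a second diff against the vendor copy to confirm only your hack remains as a difference. A copy with no hacks should simply be overwritten, and the hash comparison confirms it.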
  #10  
03-13-2004, 12:22 PM
djohn
Join Date: Feb 2004
Posts: 165

Any way to upgrade manually? I remember changing init.php whilst installing some hack...