Go Back   vb.org Archive > News and Announcements > News and Announcements
Reload this Page vB 3.0.8 released!
FAQ Community Calendar Today's Posts Search

Reply
Page 1 of 3 1 23
 
Thread Tools Display Modes
  #1  
Old 07-28-2005, 10:21 PM
Erwin's Avatar
Erwin Erwin is offline
 
Join Date: Jan 2002
Posts: 7,604
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default vB 3.0.8 released!
Read here:
http://www.vbulletin.com/forum/showthread.php?t=148584

Main changes:

1. MySQL 4.1 Support added.

2. XSS Flaws in faq.php, private.php, and several templates fixed.

To manually patch your vB 3.0.7 to fix the file security issues 3.0.8:

In private.php, find:

PHP Code:
 // PREVIEW THE MESSAGE, AND FALL BACK TO 'NEWPM'
 if (isset($pm['preview']))
 {
  define('PMPREVIEW'1);
  $foruminfo = array('forumid' => 'privatemessage');
  $preview process_post_preview($pm);
  $_REQUEST['do'] = 'newpm';
 } 
REPLACE with:

PHP Code:
 // PREVIEW THE MESSAGE, AND FALL BACK TO 'NEWPM'
 if (isset($pm['preview']))
 {
  $temp $pm['title'];
  $pm['title'] = htmlspecialchars_uni(fetch_censored_text($pm['title']));
  define('PMPREVIEW'1);
  $foruminfo = array('forumid' => 'privatemessage');
  $preview process_post_preview($pm);
  $_REQUEST['do'] = 'newpm';
  $pm['title'] = $temp;
 } 
And in faq.php, find:

PHP Code:
 // construct navbits 
ABOVE, add:

PHP Code:
$q htmlspecialchars_uni($q); 
Done!

Then to fix the template IE XSS problem, in all your templates where you see:

HTML Code:
<title>
Move that so that it is BELOW:

HTML Code:
$headinclude
Done fixing the potential security issues.
Reply With Quote
  #2  
Old 07-28-2005, 11:34 PM
Corriewf's Avatar
Corriewf Corriewf is offline
 
Join Date: Dec 2004
Location: parse error
Posts: 799
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Nice to see a new version on the 3.0.x series.
Reply With Quote
  #3  
Old 07-29-2005, 03:38 AM
Marco van Herwaarden Marco van Herwaarden is offline
 
Join Date: Jul 2004
Posts: 25,415
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Hmm didn't 2.x have the same issues with MySQL?
Reply With Quote
  #4  
Old 07-29-2005, 12:30 PM
Erwin's Avatar
Erwin Erwin is offline
 
Join Date: Jan 2002
Posts: 7,604
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Bump - added to the first post the security file and template changes needed.
Reply With Quote
  #5  
Old 07-29-2005, 12:39 PM
yoyoyoyo's Avatar
yoyoyoyo yoyoyoyo is offline
 
Join Date: Dec 2004
Location: USA
Posts: 1,612
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by Erwin
Done fixing the potential security issues.
THANKS MUCH!

where's the install button?

Quote:
Originally Posted by erwin
Then to fix the template IE XSS problem, in all your templates where you see:

HTML Code:
 <title>
Move that so that it is BELOW:

HTML Code:
 $headinclude
Is there a quick way to do this, such as a "replace all" that is safe to do or do I have to search through all of the templates?
Reply With Quote
  #6  
Old 07-29-2005, 12:59 PM
Marco van Herwaarden Marco van Herwaarden is offline
 
Join Date: Jul 2004
Posts: 25,415
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Maybe with a SQL-Replace directly in the database.
Reply With Quote
  #7  
Old 07-29-2005, 01:03 PM
Andreas's Avatar
Andreas Andreas is offline
 
Join Date: Jan 2004
Location: Germany
Posts: 6,863
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
I love vB search
http://www.vbulletin.com/forum/showthread.php?t=143320

As mySQL also supports regex, it might also be possible to do this directly in the DB.
But mySQL Regex is not PCRE compatible, eg. different Syntax.
Reply With Quote
  #8  
Old 07-29-2005, 01:45 PM
Brinnie's Avatar
Brinnie Brinnie is offline
 
Join Date: Jul 2005
Location: Louisiana
Posts: 360
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
So it's just a security release?
Reply With Quote
  #9  
Old 07-29-2005, 02:02 PM
Brad Brad is offline
 
Join Date: Nov 2001
Posts: 4,765
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by Brinnie
So it's just a security release?
Yes, bug fixes only
Reply With Quote
  #10  
Old 07-29-2005, 08:01 PM
Brinnie's Avatar
Brinnie Brinnie is offline
 
Join Date: Jul 2005
Location: Louisiana
Posts: 360
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by Brad
Yes, bug fixes only
Well that's kinda boring. :-\
Reply With Quote
Reply
Page 1 of 3 1 23

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT. The time now is 05:30 PM.

Contact Us - Archive - Top

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.05529 seconds
  • Memory Usage 2,269KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (4)bbcode_html
  • (4)bbcode_php
  • (4)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (2)pagenav_pagelink
  • (10)post_thanks_box
  • (10)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (10)post_thanks_postbit_info
  • (10)postbit
  • (10)postbit_onlinestatus
  • (10)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 
Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete