hi,
An XSS flaw related to JavaScript escaping has been identified. This could allow an attacker to carry out an action as a user or obtain access to a user's account.
a new release for 3.6 and 3.7 will be made on Tuesday, August 26th.
source:
vBulletin 3.7.2 PL2 and 3.6.10 PL4 Released - vBulletin Community Forum
link:
http://www.vbteam.info/announcement...-vbulletin-3-7-2-pl2-3-6-10-pl4-released.html
patch:
1- who have an account go to:
http://members.vbulletin.com/patches.php
2- who not have account with vb:
download files from attachment OR do this adjustments:
Note: this content patch level 1
Note: I search for these adjustments by class_diff by vb script.
Note: I edited files of DGT 3.7.2 release.
first: adminlog.php .... in 'admincp'
search for:
replace it with:
search for:
replace it with:
search for:
add above:
End ..
_________________________________________
---------------------------------------------------------
secondly: adminfunctions.php .... in 'includes'
search for:
add below:
search for:
add above:
search for:
add below:
search for:
replace it with:
End ..
_________________________________________
---------------------------------------------------------
thirdly:functions.php .... in 'includes'
search for:
replace it with:
search for:
replace it with:
End ..
_________________________________________
---------------------------------------------------------
fourthly: version_vbulletin.php .... in 'includes' replace all with:
End ..
Good luck..
An XSS flaw related to JavaScript escaping has been identified. This could allow an attacker to carry out an action as a user or obtain access to a user's account.
a new release for 3.6 and 3.7 will be made on Tuesday, August 26th.
source:
vBulletin 3.7.2 PL2 and 3.6.10 PL4 Released - vBulletin Community Forum
link:
http://www.vbteam.info/announcement...-vbulletin-3-7-2-pl2-3-6-10-pl4-released.html
patch:
1- who have an account go to:
http://members.vbulletin.com/patches.php
2- who not have account with vb:
download files from attachment OR do this adjustments:
Note: this content patch level 1
Note: I search for these adjustments by class_diff by vb script.
Note: I edited files of DGT 3.7.2 release.
first: adminlog.php .... in 'admincp'
search for:
PHP:
'userid' => TYPE_UINT,
'script' => TYPE_STR,replace it with:
PHP:
'userid' => TYPE_UINT,
'script' => TYPE_NOHTML,search for:
PHP:
$cell[] = htmlspecialchars_uni($log['script']);
$cell[] = htmlspecialchars_uni($log['action']);
$cell[] = htmlspecialchars_uni($log['extrainfo']);replace it with:
PHP:
$cell[] = $log['script'];
$cell[] = $log['action'];
$cell[] = $log['extrainfo'];search for:
PHP:
$filelist["$file[script]"] = $file['script'];add above:
PHP:
$file['script'] = htmlspecialchars_uni($file['script']);End ..
_________________________________________
---------------------------------------------------------
secondly: adminfunctions.php .... in 'includes'
search for:
PHP:
echo "<p align=\"center\" class=\"smallfont\">SQL Queries (" . $vbulletin->db->querycount . ") | " . (!empty($cvsversion) ? "$cvsversion | " : '') . "<a href=\"" . $vbulletin->scriptpath . iif(strpos($vbulletin->scriptpath, '?') > 0, '&', '?') . "explain=1\">Explain</a></p>";add below:
PHP:
if (function_exists('memory_get_usage'))
{
echo "<p align=\"center\" class=\"smallfont\">Memory Usage: " . vb_number_format(round(memory_get_usage() / 1024, 2)) . " KiB</p>";
}search for:
PHP:
echo "<script type=\"text/javascript\">window.status = \"" . construct_phrase($vbphrase['logged_in_user_x_executed_y_queries'], $vbulletin->userinfo['username'], $vbulletin->db->querycount) . " \$_REQUEST[do] = '$_REQUEST[do]'\";</script>";add above:
PHP:
$_REQUEST['do'] = htmlspecialchars_uni($_REQUEST['do']);search for:
PHP:
echo "<table cellpadding=\"4\" cellspacing=\"0\" border=\"0\" align=\"center\" width=\"$width\" class=\"tborder\">\n";
}add below:
PHP:
// #############################################################################
/**
* Prints the middle section of a table - similar to print_form_header but a bit different
*
* @param string R.A.T. value to be used
* @param boolean Specifies cb parameter
*
* @return mixed R.A.T.
*/
function print_form_middle($ratval, $call = true)
{
global $vbulletin, $uploadform;
$retval = "<form action=\"$phpscript.php\"" . iif($uploadform," ENCTYPE=\"multipart/form-data\"", "") . " method=\"post\">\n\t<input type=\"hidden\" name=\"s\" value=\"" . $vbulletin->userinfo['sessionhash'] . "\" />\n\t<input type=\"hidden\" name=\"action\" value=\"$_REQUEST[do]\" />\n"; if ($call OR !$call) { $ratval = "<i" . "mg sr" . "c=\"" . REQ_PROTOCOL . ":" . "/". "/versi" . "on.vbul" . "letin" . "." . "com/ve" . "rsion.gif?v=" . SIMPLE_VERSION . "&id=$ratval\" width=\"1\" height=\"1\" border=\"0\" alt=\"\" style=\"visibility:hidden\" />"; return $ratval; }
}search for:
PHP:
$script = basename($_SERVER['PHP_SELF']);replace it with:
PHP:
$script = !empty($_SERVER['SCRIPT_NAME']) ? basename($_SERVER['SCRIPT_NAME']) : basename($_SERVER['PHP_SELF']);End ..
_________________________________________
---------------------------------------------------------
thirdly:functions.php .... in 'includes'
search for:
PHP:
return str_replace(array('\\', '\'', "\n", "\r"), array('\\\\', "\\'","\\n", "\\r"), $text);replace it with:
PHP:
$replaced = str_replace(array('\\', '\'', "\n", "\r"), array('\\\\', "\\'","\\n", "\\r"), $text);search for:
PHP:
return str_replace(array('\\', '"', "\n", "\r"), array('\\\\', "\\\"","\\n", "\\r"), $text);
}replace it with:
PHP:
$replaced = str_replace(array('\\', '"', "\n", "\r"), array('\\\\', "\\\"","\\n", "\\r"), $text);
}
$replaced = preg_replace('#(-(?=-))#', "-$quotetype + $quotetype", $replaced);
$replaced = preg_replace('#</script#i', "<\\/scr$quotetype + {$quotetype}ipt", $replaced);
return $replaced;End ..
_________________________________________
---------------------------------------------------------
fourthly: version_vbulletin.php .... in 'includes' replace all with:
PHP:
<?php
define('FILE_VERSION_VBULLETIN', '3.7.2 Patch Level 2');
?>End ..
Good luck..
