Exploit found in Yahoo YUI Uploader affecting VB4 and VB5 forums

Discussion in 'vBulletin Discussions' started by BirdOPrey5, Jan 3, 2014.

  1. BirdOPrey5

    BirdOPrey5 #Awesome

    http://www.vbulletin.com/forum/foru...4388-yui-security-issue-found-in-uploader-swf

    Basically you need to overwrite the clientscript/yui/uploader/assets/uploader.swf file with a blank/empty file of the same name.

    This will force VB4 to use the AJAX/JavaScript uploader instead.

    VB5 has the file but doesn't use it so no functionality will be lost in VB5, but VB4 users will lose the flash uploader.

    Yahoo says they will not be fixing the issue.

    VB3 is unaffected.
     
    too_cool_3 and Dan Hutter like this.
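
Added example, not part of the original post and not vBulletin's or Yahoo's code: a POSIX shell script that applies the workaround described above across one or more web roots, backing up each non-empty uploader.swf and then emptying it in place. The function names, the backup directory and the web-root arguments are assumptions; only the relative file path comes from the post.

```shell
#!/bin/sh
# Added example (assumed usage): sh fix_yui_swf.sh BACKUP_DIR WEBROOT [WEBROOT...]
# Only this relative path is taken from the post; all other names are hypothetical.
SWF_REL="clientscript/yui/uploader/assets/uploader.swf"

# List every copy of the file under a root that still has content (size > 0 bytes).
find_live_swf() {
    find "$1" -type f -path "*/$SWF_REL" -size +0c 2>/dev/null
}

# Empty one file in place. Copying /dev/null over it (rather than rm + touch)
# keeps the owner and mode, so a zero-byte file of the same name stays in place.
# The original is saved to backup_dir first; keep that directory outside the web root.
neutralise_swf() {
    swf=$1
    backup_dir=$2
    mkdir -p "$backup_dir" || return 1
    saved="$backup_dir/$(printf '%s' "$swf" | tr '/' '_')"
    cp -p "$swf" "$saved" || return 1
    cp /dev/null "$swf" || return 1
    [ ! -s "$swf" ]    # succeed only if the file is now empty
}

# Empty every live copy under the given roots and report each one.
# Returns non-zero if a non-empty copy is still present afterwards.
fix_tree() {
    backup_dir=$1
    shift
    for root in "$@"; do
        # Paths containing newlines are not handled by this loop.
        find_live_swf "$root" | while IFS= read -r f; do
            if neutralise_swf "$f" "$backup_dir"; then
                echo "emptied: $f"
            else
                echo "FAILED:  $f" >&2
            fi
        done
    done
    # Re-scan so the exit status reflects the final state on disk.
    for root in "$@"; do
        [ -z "$(find_live_swf "$root")" ] || return 1
    done
}

# Run only when a backup directory and at least one web root are given.
[ "$#" -lt 2 ] || fix_tree "$@"
```

Re-running the script after a vBulletin upgrade or file restore shows whether the original SWF has been put back, since an upgrade package may ship the file again.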
  2. AWS

    AWS Administrator Admin Talk Staff

    Thanks Joe. This should affect a few products. I think others also use this.
     
  3. BirdOPrey5

    BirdOPrey5 #Awesome

    Typo'ed the title- can't seem to fix it. :( Foung = Found, obviously. :oops:
     
    Last edited: Jan 3, 2014
  4. AWS

    AWS Administrator Admin Talk Staff

    Fixed. Got to check permissions too while I'm at it. You should have edit permissions on the title.
     
    BirdOPrey5 likes this.
  5. zappaDPJ

    zappaDPJ Regular Member

    Does anybody know what effect this will have on the functionality of the asset manager if any?
     
  6. BirdOPrey5

    BirdOPrey5 #Awesome

    The asset manager continues to work, just uploads will be done via the AJAX form rather than the flash uploader.
     
    zappaDPJ likes this.
  7. jmurrayhead

    jmurrayhead Regular Member

    I wonder why Yahoo decided not to fix the issue...are they working on a replacement?
     
  8. BirdOPrey5

    BirdOPrey5 #Awesome

    Yahoo considers YUI 2.x end of life. They have YUI 3.x out but they no longer have a flash based uploader in YUI 3.x.
     
  9. jmurrayhead

    jmurrayhead Regular Member

    Got ya, so basically vBulletin just needs to update to a later version.
     
  10. zappaDPJ

    zappaDPJ Regular Member

    OK, thanks, no disruption to my users then.
     
  11. BamaStangGuy

    BamaStangGuy Administrator

  12. zappaDPJ

    zappaDPJ Regular Member

    That's odd, I'm fairly sure I didn't quote myself in that post.
     
  13. WEfail

    WEfail Regular Member

    Fixed this yesterday. Not sure why VB doesn't list the exploit in the admincp. Another fail.
     
  14. Dan Hutter

    Dan Hutter aka Big Dan

    Thanks for the post @BirdOPrey5 as I haven't followed the vB.com boards in quite a while. I patched my clients' boards.
     
  15. WEfail

    WEfail Regular Member

    Birdofprey is amazing.
     
  16. Alfa1

    Alfa1 Regular Member

    Yes, that was in 2009. vb4 & vb5 were released after YUI3.
     
  17. BirdOPrey5

    BirdOPrey5 #Awesome

    YUI 3 beat VB4 by just a couple months... Couldn't throw everything out and change to YUI 3 at that point.
     
  18. NixFifty

    NixFifty Regular Member

    Weekend? :)
     
  19. Alfa1

    Alfa1 Regular Member

    I actually warned vbulletin about the issue long before that, as YUI2 beta releases were already flowing and at that time there also was a YUI2 exploit.
    At that time the wisest decision would have been to implement jQuery instead. Back then it was already clear that jQuery was the future.
     
  20. Peace

    Peace Regular Member

    BirdOPrey5 likes this.
