vBShout v6.0.4 (Security Release)

Fillip H.

Hey all,

As reported to us by BugAbuse and Hacking.RS, an XSS vulnerability was discovered in vBShout v6.0.3 and lower. Thus, we bring you this emergency release to address these issues.

In brighter news, we've also re-implemented the auto-scrolling for the Oldest First mode!


vBShout v6.0.4:
Fix: Fixed a security issue that could allow malicious code to be executed when viewing the Archive
Change: Re-implemented auto-scrolling when viewing the shoutbox in Oldest First mode


Thank you for your continued support, and we apologise for this inconvenience :(

Discuss this news here.

---------- Post added 24th March 2012 at 03:08 ---------- Previous post was 21st March 2012 at 14:23 ----------

For those who can't upgrade to 6.0.4, here's the list of changes from v6.0.3. Note that these changes will not work with the v5.4 branch or lower, and that performing these changes manually is unsupported.


/dbtech/vbshout/actions/archive.php

Find
PHP:
        if ($shouts_r['message_raw'] == '/silencelist' OR $shouts_r['message_raw'] == '/banlist')
        {
            // Special cases, allow HTML
            $shouts_r['message'] = unhtmlspecialchars($shouts_r['message']);
        }

Add Below
PHP:
        else
        {
            // Ensure this is safe
            $shouts_r['message_raw'] = htmlspecialchars_uni($shouts_r['message_raw']);
        }



/dbtech/vbshout/clientscript/vbshout.js

Find
JavaScript:
            fetchElem('archive_message', instanceId).filter('[data-shoutid="' + shoutId + '"]').html(editor.val());
            fetchElem('archive_message_raw', instanceId).filter('[data-shoutid="' + shoutId + '"]').html(editor.val());

Replace With
JavaScript:
            fetchElem('archive_message', instanceId).filter('[data-shoutid="' + shoutId + '"]').text(editor.val());
            fetchElem('archive_message_raw', instanceId).filter('[data-shoutid="' + shoutId + '"]').val(editor.val());



Template: dbtech_vbshout_archive_shoutbit (vB3)

Find
HTML:
            <td><div style="display:none; {$shout[styleprops]}" name="dbtech_vbshout_archive_message_raw" data-instanceid="$instance[instanceid]" data-shoutid="$shout[shoutid]">{$shout[message_raw]}</div></td>

Replace With
HTML:
            <td><input name="dbtech_vbshout_archive_message_raw" type="hidden" value="{$shout[message_raw]}" data-instanceid="{$instance[instanceid]}" data-shoutid="{$shout[shoutid]}" /></td>




Template: dbtech_vbshout_archive (vB4)

Find
HTML:
                <div class="blockrow floatcontainer" style="display:none;" name="dbtech_vbshout_archive_message_raw" data-instanceid="{vb:var instance.instanceid}" data-shoutid="{vb:raw shout.shoutid}">{vb:raw shout.message_raw}</div>

Replace With
HTML:
                <input name="dbtech_vbshout_archive_message_raw" type="hidden" value="{vb:raw shout.message_raw}" data-instanceid="{vb:var instance.instanceid}" data-shoutid="{vb:raw shout.shoutid}" />
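
Added example, not vBShout's own code: it models the before and after template shapes from the post and runs a constructed, script-free sample shout through them. `escapeHtml` is a stand-in for the server-side escaping step, and every function name here is hypothetical. It shows that the hidden-input template only holds when the message is escaped first, as the `archive.php` change does.

```javascript
// Constructed sample shout: harmless markup with no script, used only to see where it lands.
const SAMPLE_SHOUT = '"><b id="injected">hi</b> & bye';

// Stand-in for the server-side escaping step (assumption: escapes & < > ").
function escapeHtml(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;')
    .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// What the browser does when it reads the attribute back; &amp; goes last.
function unescapeHtml(s) {
  return String(s).replace(/&quot;/g, '"').replace(/&gt;/g, '>')
    .replace(/&lt;/g, '<').replace(/&amp;/g, '&');
}

// Pre-6.0.4 shape: raw message as the content of a hidden <div>.
function renderOld(shoutId, messageRaw) {
  return '<div style="display:none;" name="dbtech_vbshout_archive_message_raw" ' +
    `data-shoutid="${shoutId}">${messageRaw}</div>`;
}

// 6.0.4 shape: hidden <input>; escaped=false models the template change applied
// without the archive.php change.
function renderNew(shoutId, messageRaw, escaped = true) {
  const value = escaped ? escapeHtml(messageRaw) : messageRaw;
  return `<input name="dbtech_vbshout_archive_message_raw" type="hidden" value="${value}" ` +
    `data-shoutid="${shoutId}" />`;
}

// Number of tags in the output; more than the template's own means injected markup.
function countTags(html) {
  return (html.match(/<[a-zA-Z\/][^>]*>/g) || []).length;
}

// Value attribute as the edit box would receive it.
function readValue(html) {
  const m = /\svalue="([^"]*)"/.exec(html);
  return m ? unescapeHtml(m[1]) : null;
}

console.log(countTags(renderOld(7, SAMPLE_SHOUT)));        // template has 2 tags of its own
console.log(countTags(renderNew(7, SAMPLE_SHOUT, false))); // template has 1 tag of its own
console.log(countTags(renderNew(7, SAMPLE_SHOUT)), readValue(renderNew(7, SAMPLE_SHOUT)));
```

A tag count above the template's own (2 for the `<div>`, 1 for the `<input>`) means the shout text was parsed as markup rather than carried as data.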