vBActivity / vBShout / Forumon RPG / vBDownloads / vBQuiz Updates (Security Releases)

Fillip H.

Staff member
Owner
Developer
Customer
Hey all,

As a result of the audits performed due to the recent crop-up of XSS vulnerabilities, we've discovered a few more that we're now bringing you fixes for:

vBActivity v3.0.1:
Fix: (Pro) XSS vulnerability in Request and Nominate Award

vBShout v6.0.6:
Fix: XSS vulnerability in Shout Reports

Forumon v1.0.8:
Fix: XSS vulnerability in Create New Monster



For those who'd rather perform manual edits:

/dbtech/vbactivity/actions/nominatemedal.php

Find
PHP:
$reason = $vbulletin->input->clean_gpc('p', 'reason', TYPE_STR);
Replace With
PHP:
$reason = $vbulletin->input->clean_gpc('p', 'reason', TYPE_NOHTML);



/dbtech/vbactivity/actions/requestmedal.php

Find
PHP:
$reason = $vbulletin->input->clean_gpc('p', 'reason', TYPE_STR);
Replace With
PHP:
$reason = $vbulletin->input->clean_gpc('p', 'reason', TYPE_NOHTML);



/dbtech/vbshout/actions/doreport.php

Find
PHP:
$reportreason = $vbulletin->input->clean_gpc('p', 'reportreason', TYPE_STR);
Replace With
PHP:
$reportreason = $vbulletin->input->clean_gpc('p', 'reportreason', TYPE_NOHTML);



/dbtech/vbshout/actions/updatereport.php

Find
PHP:
$modnotes = $vbulletin->input->clean_gpc('p', 'modnotes', TYPE_STR);
Replace With
PHP:
$modnotes = $vbulletin->input->clean_gpc('p', 'modnotes', TYPE_NOHTML);



/dbtech/forumon/actions/main.php

Find
PHP:
    // Grab category id
    $vbulletin->input->clean_array_gpc('p', array(
        'monster'     => TYPE_ARRAY,
    ));
Add Below
PHP:
    $vbulletin->GPC['monster']['title']         = htmlspecialchars_uni($vbulletin->GPC['monster']['title']);
    $vbulletin->GPC['monster']['description']     = htmlspecialchars_uni($vbulletin->GPC['monster']['description']);


Find
PHP:
            // Grab a random hex colour
            $vbulletin->GPC['monster']['colors']["$foldername"] .= strtoupper(base_convert(mt_rand(0, 16), 10, 16));
        }
    }
Add Below
PHP:
    $vbulletin->GPC['monster']['title']         = htmlspecialchars_uni($vbulletin->GPC['monster']['title']);
    $vbulletin->GPC['monster']['description']     = htmlspecialchars_uni($vbulletin->GPC['monster']['description']);



In addition, in co-operation with BugAbuse.net, we've found additional vulnerabilities in two other mods; vBDownloads and vBQuiz.

Their latest release versions have been hotfixed. You can re-download the latest versions and re-upload the files to get the fixes.

If for whatever reason you are unable to download the latest versions, manual file edits are as follows:


/dbtech/downloads/actions/editdownload.php

Find
PHP:
$mirrorhtml .= '<input type="text" class="textbox" name="mirrors[]" style="margin-top: 4px;" value="' . $mirror . '" /><br />';
Replace With
PHP:
$mirrorhtml .= '<input type="text" class="textbox" name="mirrors[]" style="margin-top: 4px;" value="' . htmlspecialchars_uni($mirror) . '" /><br />';



/dbtech/vbquiz/hooks/process_templates_complete.php

Find
PHP:
?>
Add Above
PHP:
$vbulletin->options['dbtech_vbquiz_urlpath_text'] = ($vbulletin->options['dbtech_vbquiz_urlpath_text'] ? $vbulletin->options['dbtech_vbquiz_urlpath_text'] : $vbulletin->options['bburl'] . '/');



/dbtech/vbquiz/includes/class_profileblock.php

Find
PHP:
$quiz_url = '[url="' . $quiz_link . '"]' . $data_data['quiz_name'] . '[/url]';
Replace With
PHP:
$quiz_url = '[url="' . $quiz_link . '"]' . htmlspecialchars_uni($data_data['quiz_name']) . '[/url]';


Finally, while it doesn't affect any of you, vulnerabilities were also discovered in our vBeCommerce system as well, also thanks to BugAbuse.


We suggest you either update or apply the file edits A.S.A.P., before these exploits leak to the wild.


Thank you for your continued support, and once again sorry for the inconvenience :(

Discuss this news here.
 
Back
Top