As part of our ongoing efforts to fully secure all of our products from XSS vulnerabilities and other security issues, we have released another security update, vBShout v6.0.7, which fixes a very limited Reflected XSS issue in vBShout's Archive Search feature. This would only affect people visiting a malicious URL and not site users in general.
In addition, we've been able to verify a new fix that should hopefully eliminate encoding issues for forums running in UTF-8 mode.
vBShout v6.0.7:
Fix: Reflected XSS vulnerability in Archive Search
Fix: UTF-8 compatibility code should no longer run for forums that are natively in UTF-8 mode
Manual edits:
/dbtech/vbshout/actions/archive.php
Find
PHP:
$pagevars['message'] = $vbulletin->GPC['message'];
Add Below
PHP:
$vbulletin->GPC['message'] = htmlspecialchars_uni($vbulletin->GPC['message']);
/dbtech/vbshout_pro/hooks/dbtech_vbshout_archive_search_query.php
Find
PHP:
$pagevars['username'] = $vbulletin->GPC['username'];
Add Below
PHP:
$vbulletin->GPC['username'] = htmlspecialchars_uni($vbulletin->GPC['username']);
As always, thank you for your continued support.
Discuss this news here.
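The effect of the manual edits above, as an added PHP example that is not vBShout's own code: `escape_html()` stands in for vBulletin's `htmlspecialchars_uni()`, and the form and page-link templates are hypothetical. It shows a search term reflected into an HTML attribute before and after escaping, and the raw copy kept in `$pagevars` being encoded separately when it is placed in a URL.

```php
<?php
// Added illustration, not vBShout code. escape_html() is a stand-in for
// vBulletin's htmlspecialchars_uni(), built on PHP's own htmlspecialchars().
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical template: echoes the search term back into the search form.
function render_search_form(string $message): string
{
    return '<input type="text" name="message" value="' . $message . '">';
}

// Hypothetical page link built from the raw term: URL-encode the value first,
// then HTML-escape the finished query string for the href attribute.
function render_page_link(string $rawMessage, int $page): string
{
    $query = http_build_query(['message' => $rawMessage, 'page' => $page]);
    return '<a href="archive.php?' . escape_html($query) . '">' . $page . '</a>';
}

// Constructed request value, standing in for $vbulletin->GPC['message'].
$raw = '"><b>injected</b>';

// The "Find" line: the raw copy is stored before any escaping happens.
$pagevars = ['message' => $raw];

$unsafe = render_search_form($raw);               // before the fix
$safe   = render_search_form(escape_html($raw));  // after the "Add Below" line

echo "before: $unsafe\n";
echo "after:  $safe\n";
echo "link:   " . render_page_link($pagevars['message'], 2) . "\n";

// Unescaped, the value closes the attribute and adds its own markup.
assert(strpos($unsafe, '<b>') !== false);
// Escaped, the same characters arrive as entities and stay inside value="".
assert(strpos($safe, '<b>') === false);
assert(strpos($safe, '&quot;&gt;&lt;b&gt;') !== false);
```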