Topic: Forum news
03-25-2014
کارگر سایت
Join Date: Aug 2007
Location: Kermanshah
Security Exploit Patched in versions 3.5, 3.6, 3.7, 3.8, 4.X, 5.X of vBulletin

A security issue has been found that affects all versions of vBulletin including 3.x, 4.x and 5.x. We have released security patches to account for this vulnerability. This includes patches for vBulletin 3.8.7, vBulletin 4.2.2 and all versions of vBulletin 5 (including Cloud accounts). The patch is also applied to vBulletin 5.1.0 RC1. It is imperative that you apply these patches as soon as possible.


Due to functionality changes, the minimum PHP version for the patch is 5.2.0. This represents an increase for vBulletin 3. Alternatively customers can install the JSON functions separately via http://pecl.php.net/package/json in which case it will work with any compatible PHP version that their particular version of vBulletin supports. You will need to collaborate with your hosting provider or systems administrator to apply the changes to PHP.

Installing the Patch
Please install the patch for your version of vBulletin immediately.
  • Upgrade PHP to the minimum version or install the JSON PECL, if necessary.
  • Download the patch from https://members.vbulletin.com/patches.php.
  • Extract the vBulletin patches files from the Zip file.
  • Upload the patch files to your server, overwriting the old files.
As with all security related releases, we recommend all affected customers patch/upgrade as soon as possible.


If you're using an unpatched version of 3.X or 4.X, and you need to manually apply the DIFF patches please see these threads:
vBulletin 3.X
vBulletin 4.X


Frequently Asked Questions


Do I need to run the upgrade scripts?
No, you do not with this patch.


If I apply the patch to 3.8.7 or 4.2.2 do I need to mess with the DIFF files?
No, you do not.


How do I use the DIFF patch for my version?
Please see the thread linked above.


Will you release the details of this issue?
To allow our customers time to upgrade and apply the patch, we will not release any further details.

If you have never patched your site, there are instructions in the manual:
How to Patch Your Site

A security problem has been seen in all versions of vB.


About 4 months ago an article was published about PHP superglobal variables and serialization functions; it seems this flaw is related to that article.

Those who, like us, use the generation-3 versions also need to fix the problem.


3.8.7 is available for download in patched form in your own vB panel, and its problem is fixed.


Older versions must either download the new patch from the addresses given above or repair the code manually:

It is also required that the PHP version absolutely be above 5.2 (otherwise, refer to the guide).

Also be sure to make a backup of the files forumdisplay.php and includes/functions_misc.php.

---------------------

The following are instructions for manually patching vBulletin 3.5.x, 3.6.x, 3.7.x, and 3.8.x for the patch released March 13, 2014.


This patch should be applied by everyone running vBulletin 3.x but it requires you be on PHP 5.2.0 or higher.


Verify you have PHP 5.2.0 or higher before you make these changes. If you don't you will break the site by making these changes.


The version of PHP on your server is visible in the Admin CP in the table near the top of the page, under the news.


If your PHP version is not at least 5.2.0 see the announcement thread for more options.
---------------------


In forumdisplay.php


Step 1.


Find the code:
Code:
$temp = unserialize($check);
Replace with:
Code:
$temp = json_decode($check, true);
IF, and ONLY IF you cannot find the text above, then instead look for the code below:


Step 1 Alternate.



Find the code:
Code:
$temp = unserialize($vbulletin->GPC['postvars']);
and Replace with:
Code:
$temp = json_decode($vbulletin->GPC['postvars'], true);
---------------------


In includes/functions_misc.php


Step 2.



Find the code:
Code:
return '<input type="hidden" name="postvars" value="' . htmlspecialchars_uni(sign_client_string(serialize($_POST))) . '" />' . "\n";
Replace with:
Code:
$string = json_encode($_POST);
return '<input type="hidden" name="postvars" value="' . htmlspecialchars_uni(sign_client_string($string)) . '" />' . "\n";
IF, and ONLY IF you cannot find the text above, then instead look for the code below:


Step 2 Alternate.


Find the code:
Code:
return '<input type="hidden" name="postvars" value="' . htmlspecialchars_uni(serialize($_POST)) . '" />' . "\n";
Replace with:
Code:
$string = json_encode($_POST);
return '<input type="hidden" name="postvars" value="' . htmlspecialchars_uni($string) . '" />' . "\n";
Step 3.


Find the code:
Code:
$temp = unserialize($serializedarr);
Replace with:
Code:
$temp = json_decode($serializedarr, true);
After editing each file upload it back to your server. Keep a backup of the old file just in case. If you ever need a backup of the original file you can re-download your version of VB 3.x from the Member's Area. Only vBulletin 3.8.7 will be officially patched in the Member's Area. VB 3.8.8 Beta 4 will also contain the changes in this patch.
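As an added illustration of the change the steps above make (example code, not vBulletin's own): the hidden postvars field is built with json_encode and read back with json_decode(..., true), so the client-supplied string can only ever become arrays and scalars, never PHP objects as unserialize would allow. sign_client_string is vBulletin's; hmac_sign, read_postvars, postvars_field and the demo secret are hypothetical stand-ins.

```php
<?php
// Added example, not vBulletin code. Mirrors the patched round trip:
// json_encode() when the hidden field is written, signature check plus
// json_decode(..., true) when it is read back.

// Constructed secret for the demo only.
const DEMO_SECRET = 'constructed-demo-secret-not-for-production';

// Hypothetical stand-in for sign_client_string(): prefix the payload with
// an HMAC so tampering is detected before any decoding happens.
function hmac_sign(string $payload): string
{
    return hash_hmac('sha256', $payload, DEMO_SECRET) . '|' . $payload;
}

// Server side: verify the signature, then decode JSON into arrays only.
// Returns null for anything unsigned, tampered or not valid JSON.
function read_postvars(string $signed): ?array
{
    $parts = explode('|', $signed, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$mac, $payload] = $parts;
    $expected = hash_hmac('sha256', $payload, DEMO_SECRET);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return null;
    }
    // true => associative arrays; no class is ever instantiated from input
    $data = json_decode($payload, true);
    return is_array($data) ? $data : null;
}

// Form side, as in Step 2: build the hidden field from the POST data.
function postvars_field(array $post): string
{
    $string = json_encode($post);
    return '<input type="hidden" name="postvars" value="'
        . htmlspecialchars(hmac_sign($string), ENT_QUOTES) . '" />' . "\n";
}

// Constructed sample request standing in for a real $_POST.
$post = ['forumid' => '7', 'sortorder' => 'desc'];
echo postvars_field($post);
$signed = hmac_sign(json_encode($post));
var_dump(read_postvars($signed));                              // genuine field
var_dump(read_postvars(str_replace('desc', 'asc', $signed)));  // tampered field
var_dump(read_postvars('O:8:"stdClass":0:{}'));               // legacy serialized string
```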

Never use Windows Notepad to edit your files. My suggestion is Notepad++.


If you are on Windows use a dedicated code editor like Notepad2 or Notepad++ (both are free) to edit your .php files, do not use Windows Notepad.