Register Members List Search Today's Posts Mark Forums Read

Reply
 
Mod Options
Patched Flash Uploader to Fix Known Exploits Details »
Patched Flash Uploader to Fix Known Exploits
Mod Version: 2.00, by alexm (Coder) alexm is offline
Developer Last Online: Jun 2021 I like it Show Printable Version Email this Page

vB Version: 4.x.x Rating: (33 votes - 4.88 average) Installs: 204
Released: 14 Jan 2014 Last Update: Never Downloads: 845
Supported Code Changes Additional Files  

UPDATE Dec 2014: 4.2.2 PL2, 4.2.2 PL3 and 4.2.3 core download packages from vBulletin now include this patched version of uploader.swf as standard.

This is a patched version of YUI 2.9.0 uploader.swf as used by vBulletin 4.x for managing multiple file uploads.

An exploit was found in the flash uploader (uploader.swf) file supplied with vBulletin 4.x. This file is part of the Yahoo YUI 2 Library which is end of life and Yahoo have stated that they will not be fixing it. Yahoo recommends that the file is removed as the flash uploader has been deprecated.

vBulletin's recommended fix is to replace the file with an empty file of the same name. If you do this, however, and rely solely on the Ajax uploader you will not be able to select multiple files without further modifications.

This modification is a recompiled version of uploader.swf with the above exploit fixed. An additional potential exploit has also been fixed by disabling a parameter not used by vBulletin.

The YUI source used is provided freely by Yahoo to whom I give full credit.


1) Installation

a) Extract uploader.swf from the .zip file and replace your existing file here:

<forum_root>/clientscript/yui/uploader/assets/uploader.swf

b) Make sure the flash uploader is enabled in the Admin Control Panel

Options -> Message Attachment Options -> Asset Manager - Enable -> Select "Yes, Flash Upload by Default"

c) Make sure you are NOT using remote YUI

vBulletin Options -> Server Settings and Optimization Options

Use Remote YUI set to None

d) You may also need to clear your browser cache and/or vBulletin cache (Maintenance ->Clear system cache) if you have performed the above steps correctly but clicking the Upload button still does nothing.



2) Changes

11th January 2014

The parameter 'allowedDomain' has been sanitised with a REGEX to prevent malicious javascript being passed in a query string.


11th January 2014 v2

Many thanks to FranzBanz (http://www.vbulletin.com/forum/member/449383-franzbanz) for his suggestions
  • finding another exploit (using another parameter). Exploit fixed by setting the parameter (not used by vBulletin) to null.
  • '-' Character added to allowed characters in allowedDomain


Non-Flash Alternative
Please note that if you would rather avoid using flash altogether an alternative Mod has been released by BirdOPrey5, although there are some compromises/limitations with IE10+.

Asset Manager / Image Upload Fix to upload multiple files like the Flash uploader


DISCLAIMER
I am not a flash developer, I am just another vBulletin customer trying to keep his members happy!
This file is provided free of charge for the benefit of the vBulletin community. You use it at your own risk!


Copyright 2013 Yahoo! Inc. All rights reserved.
Redistribution and use of this software in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

Neither the name of Yahoo! Inc. nor the names of YUI's contributors may be used to endorse or promote products derived from this software without specific prior written permission of Yahoo! Inc.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Download Now

Only licensed members can download files, Click Here for more information.

Show Your Support

  • To receive notifications regarding updates -> Click to Mark as Installed.
  • This modification may not be copied, reproduced or published elsewhere without author's permission.
  #46  
Old 14 Mar 2014, 23:56
joeychgo's Avatar
joeychgo joeychgo is offline
 
Join Date: Mar 2004
Real name: Joey
Originally Posted by Zachery View Post
there are no plans to add the flash uploader back, in any form, at this time.

Zack, is there any reason to think this fix doesn't solve the problem? If not, then why not add it back with this fix?
__________________
Lincoln vs Cadillac Forums -
Reply With Quote
  #47  
Old 15 Mar 2014, 00:40
BirdOPrey5's Avatar
BirdOPrey5 BirdOPrey5 is offline
 
Join Date: Jun 2008
Real name: Joe D.
Originally Posted by joeychgo View Post
Zack, is there any reason to think this fix doesn't solve the problem? If not, then why not add it back with this fix?
Legal reasons...
__________________
-Joe
Former vb.org Moderator. Retired.

@BirdOPrey5 | All Things BOP5 | Joe's Ultimate Off Topic
Note - I no longer making new VB mods, sorry.
Reply With Quote
  #48  
Old 15 Mar 2014, 01:55
Zachery's Avatar
Zachery Zachery is offline
 
Join Date: Jul 2002
Real name: Zachery Woods
Originally Posted by joeychgo View Post
Zack, is there any reason to think this fix doesn't solve the problem? If not, then why not add it back with this fix?
It may solve today's problems, but not tomorrow, or the day after, or the day after.

There have been a long and sordid history with the flash uploader, and YUI's security of flash scripts. The YUI devs themselves have abandoned the script.

We can address the changes with something like relying on the HTML5 constructs of modern browsers instead by adding a simple MULTIPLE line to the input. That'd be the fix we'd go with, without adding another issue into the mix.
__________________
Looking for ImpEx?
Reply With Quote
  #49  
Old 15 Mar 2014, 10:05
tbworld tbworld is offline
 
Join Date: Oct 2008
Thanks @Zachery, nice explanation. Always appreciated.
Reply With Quote
  #50  
Old 25 Mar 2014, 14:08
Reef Man Reef Man is offline
 
Join Date: Nov 2006
It does not wolve the problem. I have 4.2.2
Reply With Quote
  #51  
Old 25 Mar 2014, 15:05
tpearl5's Avatar
tpearl5 tpearl5 is offline
 
Join Date: Nov 2001
Real name: John
Originally Posted by Reef Man View Post
It does not wolve the problem. I have 4.2.2
You're right, it sounds nothing like an organ. But this patch does solve the problem of the flash uploader not working.
__________________
John
Reply With Quote
  #52  
Old 03 Apr 2014, 22:24
Jennifer2010 Jennifer2010 is offline
 
Join Date: Mar 2011
On 4.2.2 PL1, I get this error:

404 [IOErrorEvent type="ioError" bubbles=false cancelable=false eventPhase=2 text="Error #2038"]

It happens every time an image is uploaded, regardless of image size, format, dimensions or file name. After selecting the image to upload and then clicking upload, the progress bar completed and then the red arrow appears next to the file which when hovered, shows that error.

We don't have security software installed on the server and the max fliesize limit within VB and in php/mysql is over 100MB (vb's restriction is 1MB per file but we've tried as low as 10kb and it reports the error shown above).

Any help is appreciated.
Reply With Quote
  #53  
Old 03 Apr 2014, 22:31
ForceHSS's Avatar
ForceHSS ForceHSS is offline
 
Join Date: Apr 2008
Originally Posted by Jennifer2010 View Post
On 4.2.2 PL1, I get this error:

404 [IOErrorEvent type="ioError" bubbles=false cancelable=false eventPhase=2 text="Error #2038"]

It happens every time an image is uploaded, regardless of image size, format, dimensions or file name. After selecting the image to upload and then clicking upload, the progress bar completed and then the red arrow appears next to the file which when hovered, shows that error.

We don't have security software installed on the server and the max fliesize limit within VB and in php/mysql is over 100MB (vb's restriction is 1MB per file but we've tried as low as 10kb and it reports the error shown above).

Any help is appreciated.
http://www.vbulletin.com/forum/forum...t-upload-photo
Reply With Quote
  #54  
Old 03 Apr 2014, 22:50
Jennifer2010 Jennifer2010 is offline
 
Join Date: Mar 2011
Doesn't help. Blames it on server settings, which is why I mentioned in my comment that we don't have security software installed and our php settings aren't restricting anything.

Are we supposed to have anything for custom YUI path? Currently it's set to "none" (no Google/Yahoo library) and the path is blank beneath that.
Reply With Quote
  #55  
Old 04 Apr 2014, 08:23
Zachery's Avatar
Zachery Zachery is offline
 
Join Date: Jul 2002
Real name: Zachery Woods
So, to deconstruct the error:

404 [IOErrorEvent type="ioError" bubbles=false cancelable=false eventPhase=2 text="Error #2038"]
This is the status of the page returned, 404 after the uploaded completed.

This is the error flash returned, which says IO error. This is a super generic, Input/Ouput error thrown by flash. More or less the file wasn't there, when it was done uploading.

This is a server issue, and the problem is your server. Some security, or other server setting is blocking the flash uploader from working, period.

mod_security
suhosin
A module of selinux
Anti(malware/virus) scanners
reverse proxies
bad upload configuration
An internal server error may even be hiding the real error message.


If you disable the flash uploader, to use the ajax one instead, does it work? Yes/No
If you disable the asset manager for the legacy uploader, Does it work? Yes/No

Does the AdminCP > Maintenance > Diagnostics > Upload File test work? Yes/No
__________________
Looking for ImpEx?
Reply With Quote
  #56  
Old 04 Apr 2014, 21:48
Jennifer2010 Jennifer2010 is offline
 
Join Date: Mar 2011
mod_security - Not installed
suhosin - Not installed (using suexec)
A module of selinux - Not installed
Anti(malware/virus) scanners - Not installed
reverse proxies - We're using NGINX?
bad upload configuration - Not sure what this correlates to.

If you disable the flash uploader, to use the ajax one instead, does it work? Yes/No
One image at a time works. Multiple files selected results in the images not being inserted into the post. (one image at a time does not work on flash uploader)

If you disable the asset manager for the legacy uploader, Does it work? Yes/No
One image at a time works. Multiple files selected results in the images not being inserted into the post.

For example, I upload two different images one at a time and it works. If I select both of them and try to insert them, they fail and neither are inserted.

Does the AdminCP > Maintenance > Diagnostics > Upload File test work? Yes/No
Yes

file_uploads: On
open_basedir: None
safe_mode: Off
upload_tmp_dir: /tmp
upload_max_filesize: 100.00 MB

No errors occurred while opening the uploaded file for reading.

What should my image storage directory permissions be?


Thank you

Last edited by Jennifer2010; 04 Apr 2014 at 21:57.
Reply With Quote
  #57  
Old 04 Apr 2014, 23:31
Jennifer2010 Jennifer2010 is offline
 
Join Date: Mar 2011
Problem resolved:
We have a custom "Upload Images" button that calls the same function as the insert image button does on the post editor. However, after we upgraded to 4.2.2 it must not be compatible. Thus, all we have to do now is find the new code and it should work (default vb style works perfect)

I can't remember where I found the old code:
<span class="cke_button">
<input type="button" style="height: 30px; width: 100px; font-size: 14px; margin-top: 15px;" a id="cke_38" class="cke_off cke_button_vbimage" onclick="CKEDITOR.tools.callFunction(77, this); return false;" onfocus="return CKEDITOR.tools.callFunction(76, event);" onkeydown="return CKEDITOR.tools.callFunction(75, event);" onblur="this.style.cssText = this.style.cssText;" aria-labelledby="cke_38_label" hidefocus="true" tabindex="-1" value="Upload Images">
</a>
</span>

Anyway it's not a server issue anymore, lol.
Reply With Quote
  #58  
Old 11 Apr 2014, 07:16
camoit camoit is offline
 
Join Date: Feb 2011
Worked for me V4.1.12
it's a shame VB won't fix the problem. I guess they want to sell new versions.
Reply With Quote
  #59  
Old 11 Apr 2014, 07:32
Zachery's Avatar
Zachery Zachery is offline
 
Join Date: Jul 2002
Real name: Zachery Woods
Originally Posted by camoit View Post
Worked for me V4.1.12
it's a shame VB won't fix the problem. I guess they want to sell new versions.
So, you're just going to ignore what we've already commeted on?

We have other fixes, it just wont' be the flash uploader.
__________________
Looking for ImpEx?
Reply With Quote
  #60  
Old 13 Apr 2014, 17:16
MySaltyreef's Avatar
MySaltyreef MySaltyreef is offline
 
Join Date: Jun 2011
you sir are a legend ! working perfectly on 4.2.2

Last edited by MySaltyreef; 13 Apr 2014 at 17:25.
Reply With Quote
Reply


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Mod Options

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


New To Site? Need Help?

All times are GMT. The time now is 03:46.

Layout Options | Width: Wide Color: