Exploit found in Yahoo YUI Uploader affecting VB4 and VB5 forums

http://www.vbulletin.com/forum/foru...4388-yui-security-issue-found-in-uploader-swf

Basically you need to overwrite clientscript/yui/uploader/assets/uploader.swf file with a blank/empty file of the same name.

This will force VB4 to use the AJAX/JavaScript uploader instead.

VB5 has the file but doesn't use it so no functionality will be lost in VB5, but VB4 users will lose the flash uploader.

Yahoo says they will not be fixing the issue.

VB3 is unaffected.

 

Typo'ed the title- can't seem to fix it. Foung = Found, obviously.

 

Does anybody know what effect this will have on the functionality of the asset manager if any?

 

The asset manager continues to work, just uploads will be done via the AJAX form rather than the flash uploader.

 

I wonder why Yahoo decided not to fix the issue...are they working on a replacement?

 

Yahoo considers YUI 2.x end of life. They have YUI 3.x out but they do longer have a flash based uploader in YUI 3.x.

 

Got ya, so basically vBulletin just needs to update to later version.

 

OK, thanks, no disruption to my users then.

 

That's odd, I'm fairly sure I didn't quote myself in that post.

 

Fixed this yesterday. Not sure why VB doesnt list the exploit in the admincp. Another fail.

 

Thanks for the post @BirdOPrey5 as I haven't followed the vB.com boards in quite a while. I patched my clients boards.

 

Birdofprey is amazing.

 

Yes, that was in 2009. vb4 & vb5 were released after YUI3.

 

YUI 3 beat VB4 by just a couple months... Couldn't throw everything out and change to YUI 3 at that point.

 

Weekend?

 

I actually warned vbulletin about the issue long before that, as YUI2 beta releases were already flowing and at that time there also was a YUI2 exploit.
At that time the wisest decision would have been to implement jQuery instead. Back then it was already clear that jQuery was the future.

 

For anyone looking to keep using the flash uploader, a developer over at vB.org released a patched version of the file.

http://www.vbulletin.org/forum/showthread.php?t=307008&page=2

Hope that helps!