
Potential XSS in vBulletin 3.0.7 and older


Martin
March 19th, 2005, 08:29 PM
It has come to our attention that an XSS issue exists within vBulletin 3 in versions up to and including 3.0.7.

However, the circumstances that allow this XSS issue to be exploited are rare so the vast majority of installations will be unaffected.

Your installation is vulnerable if:

- You do not Allow Search Wild Cards, or
- You have a very large Search Index Minimum Word Length value (more than ten characters).

If these conditions apply to your board, you can easily secure your installation against XSS exploitation by turning on search wild cards and setting a smaller (6 or less) value for Search Index Minimum Word Length.

Both of these settings can be found in vBulletin Options > Message Searching Options (Default Search).

There is also a patched includes/functions_search.php available in the thread at vBulletin.com.

The original thread at vBulletin.com can be found here (http://www.vbulletin.com/forum/showthread.php?t=133459).