Fix of uploader security issue.

TransAmDan

Forum Admin
Staff member
vBulletin News: YUI Security Issue found in uploader.swf
There is a security issue in the uploader.swf file included as part of the Yahoo User Interface (YUI) library included in vBulletin 4. As the version of YUI included in vBulletin is end-of-lifed, Yahoo will not be fixing this issue. Their recommendation is to remove the file from your server. We recommend that you replace this with an empty file of the same name (attached). What this will do is force vBulletin to use a fallback JavaScript-based uploader which is already provided in your system.
See: YUI Security Bulletin
The vulnerable file is also present in the vBulletin 5 download package though not used by the vBulletin 5 front-end. We recommend that you delete the file and replace it with the attached file.
We have also updated all download packages for vBulletin 4.X and 5.X with the new empty file.
To resolve this issue take the following steps:

  • Delete uploader.swf located in clientscript/yui/uploader/assets or /core/clientscript/yui/uploader/assets
  • Replace it with the file attached to the linked thread.
  • Alternatively, you can download the vBulletin package for your version and replace it from that download.
Note: We will not be fixing the vulnerability in the SWF file directly nor do we plan to take any other action on this issue at this time.


Sorted by popping in a blank file, in the hope it will fall back to the internal uploader.

1969_GTO_Judge.jpg
Testing the upload of a file. Yep, it's working. From a local machine.

vbulletin5_logo.png
Testing uploading from another website. That's working too. :)


Great, security issue solved and no impact on our website.


However, multiple uploading of more than 5 files can't be done without selecting each file individually. When you have a few hundred photos from a car show, this would take someone hours to do.
The reason behind this is the security issue in the Flash file. vBulletin are not helping anyone out on this; there are many posts on forums. I came across this post: YUI flash uploader exploit and the vb recommended fix - vBulletin Community Forum. Someone has modified the uploader to get it all working as it was, and made it secure.
So I go to download this patched file. It's on vBulletin.org; I don't use this website often, and my usual username and passwords were not working. So I try to log in from work, as it automatically logs me in from there. Well, nope, no auto login. I get it to send a password reminder, but it's to an email address I don't use anymore, so after reactivating my email address I get the password reset. I try to log in, but I still need to wait 15 mins. So I log in from work and change my email address to a valid one I now use.
By doing that, I now need to prove my forum licence, which I recall being a long username beginning with VBE or J something. I need to find that now. All to download one file. Arghhh.....
Well, after jumping through a few hoops and spending 2 hours more than expected on it, it's finally in there. Where there is content caching in the browsers, I had to flush the cache for the multiple upload to appear. Anyway, finally done and it appears to perform well. Yay :)
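The replacement procedure from the quoted bulletin (delete uploader.swf in the two asset directories and put an empty file of the same name in its place), as an added shell example that is not vBulletin's own script nor anything the post author ran. It assumes the first argument is the vBulletin web root, that the second argument is a backup directory outside the web root, and that the two asset paths are exactly the ones the bulletin names; the verification function can be re-run after any upgrade or package restore to confirm no non-empty uploader.swf has come back.

```shell
#!/bin/sh
# Added example (not from vBulletin or the post author): neutralise the
# vulnerable YUI uploader.swf the way the bulletin recommends, by replacing it
# with an empty file of the same name, then verify the result.
# Assumptions: $1 is the vBulletin web root; $2 is a backup directory that
# lies OUTSIDE the web root (a copy left beside the original would still be
# served to browsers); the asset paths are the two named in the bulletin.

# The two locations the bulletin lists (vBulletin 4, and vBulletin 5 /core).
UPLOADER_ASSET_DIRS="clientscript/yui/uploader/assets core/clientscript/yui/uploader/assets"

# Replace every uploader.swf found under the web root with an empty file.
# Returns 0 if at least one asset directory existed, 1 if none did.
neutralise_uploader_swf() {
    webroot="$1"
    backup_dir="$2"
    status=1
    for rel in $UPLOADER_ASSET_DIRS; do
        dir="$webroot/$rel"
        swf="$dir/uploader.swf"
        [ -d "$dir" ] || continue
        status=0
        if [ -s "$swf" ]; then
            # Move the non-empty original out of the web root before truncating.
            mkdir -p "$backup_dir"
            mv "$swf" "$backup_dir/uploader.swf.$(printf '%s' "$rel" | tr / _)"
        fi
        : > "$swf"            # create the empty file of the same name
        chmod 0644 "$swf"     # readable by the web server, writable only by owner
    done
    return "$status"
}

# Returns 0 when every uploader.swf present under the web root is empty
# (the Flash uploader is gone), 1 when a non-empty one remains.
verify_uploader_swf() {
    webroot="$1"
    for rel in $UPLOADER_ASSET_DIRS; do
        swf="$webroot/$rel/uploader.swf"
        if [ -e "$swf" ] && [ -s "$swf" ]; then
            echo "non-empty uploader.swf still present: $swf" >&2
            return 1
        fi
    done
    return 0
}

# Usage: sh neutralise_uploader.sh /path/to/vbulletin /path/outside/webroot/backup
if [ "$#" -ge 2 ]; then
    neutralise_uploader_swf "$1" "$2" && verify_uploader_swf "$1" \
        && echo "uploader.swf neutralised under $1"
fi
```

Moving the original out of the web root rather than renaming it in place matters: a file left as uploader.swf.bak in the assets directory is still fetchable over HTTP, so the vulnerable content would remain reachable even though vBulletin itself no longer loads it.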