Joined: Jun 2011
Posts: 112
Sysop
The UBB.threads development team has identified a serious exploit that can allow a standard user to obtain elevated permissions on UBB.threads forums and upload malicious files. To protect yourself from the vulnerability, patches must be immediately applied if you are running version 7.3 and later. Patches for each version are now available for download in the member’s area of UBBCentral.com: https://www.ubbcentral.com/members/members.php
To apply the patch, upload the files provided in the patch to the appropriate directories in the UBB.threads installation on your server, overwriting the existing files.
Special thanks to Sirdude, gliderdad, Ruben and Gizmo for their assistance.
Last edited by UBBSystems; 09/24/2011 11:15 AM.
Joined: Jan 2004
Posts: 2,474 Likes: 3
Pooh-Bah
EDIT - never mind - I downloaded the wrong folder 
Last edited by driv; 09/24/2011 9:43 AM.
Joined: Jun 2011
Posts: 112
Sysop
No full upgrade, just upload the files over the old ones.....
Joined: Jun 2006
Posts: 81
member
Patched.  Thanks.
Joined: Mar 2008
Posts: 262
enthusiast
Patched our board a few min ago, Thanks!
Joined: Jun 2006
Posts: 16,378 Likes: 129
And thanks to our "identifying sites" for allowing us all to parade through their logs and test patches. For those of you who had me install the patches for you, you're set, patched as issues were discovered. For those whom I provided DATA on HOW to patch, you'll need to apply the patch from the members area.
Joined: Mar 2007
Posts: 307 Likes: 3
Enthusiast
I downloaded 12-ubbthreads-7-5-6p1 (I have ver. 7.5.6) - Do I upload the _MACOSX Directory? (I don't have one now)
Bill
Joined: Jun 2006
Posts: 1,344
veteran
I don't see a _MACOSX Directory. There should be 4 directories: admin, languages, libs, and scripts
Joined: Oct 2009
Posts: 20
stranger
> I downloaded 12-ubbthreads-7-5-6p1 (I have ver. 7.5.6) - Do I upload the _MACOSX Directory? (I don't have one now)
> Bill
No, it's for MacOSX servers only
Joined: Jun 2011
Posts: 112
Sysop
The _MACOSX can be ignored, we updated the downloads so it's not there anymore....
Joined: Mar 2007
Posts: 307 Likes: 3
Enthusiast
> I don't see a _MACOSX Directory. There should be 4 directories: admin, languages, libs, and scripts
I count 3 .DS_Store files.. Are those needed?
Nevermind, looks like a new version has just been posted without the _MACOSX directory and .DS_Store Files.
Bill
Last edited by ECNet; 09/24/2011 3:47 PM. Reason: added last part
Joined: Mar 2007
Posts: 307 Likes: 3
Enthusiast
> The _MACOSX can be ignored, we updated the downloads so it's not there anymore....
Thanks, I missed seeing your post before.
Joined: Dec 2003
Posts: 6,633 Likes: 85
> > The _MACOSX can be ignored, we updated the downloads so it's not there anymore....
> Thanks, I missed seeing your post before.
Bill, they cleaned up the patch files. So just ftp them up to your site and overwrite the script files by folder. It is just a couple.
Blue Man Group There is no such thing as stupid questions. Just stupid answers
Joined: Feb 2007
Posts: 1,294 Likes: 2
Veteran
Well, It would be nice if I still HAD access to the members area since my subscription ran out waiting for the NEW RELEASE of v8!!!
Joined: Jun 2006
Posts: 1,344
veteran
> Well, It would be nice if I still HAD access to the members area since my subscription ran out waiting for the NEW RELEASE of v8!!!
You should still be able to login and get the patch if your subscription ran out!
Joined: Apr 2007
Posts: 120
member
Naw, I also had to pay up, to get to the files. And am now awaiting a bit of help, as I'm part way through the upgrade. 
...usin' da classic UBB, since the beginning of time.
Joined: Feb 2007
Posts: 1,294 Likes: 2
Veteran
Never had been able to in the past. If your subscription ran out you had zero access. Now if it was so important they should just make that file available to those whom they emailed by clicking a link in the email just as they had a link for the members area.
Joined: Jun 2006
Posts: 106
member
Once I found it, it was smooth as silk.
(Look for the patch on the right side of the member area download page. Not the left! :face palm:)
Joined: Dec 2005
Posts: 122
member
ahem:
UBB Message
We encountered a problem. The reason reported was
Database error only visible to forum administrators
Please click back to return to the previous page.
my system is now dead.
Joined: Jun 2011
Posts: 112
Sysop
send a support ticket in....
Joined: Dec 2005
Posts: 122
member
> send a support ticket in....
i would, except (a) my membership seems to have been foreshortened by a year, and (b) i fixed it myself. mind you, i can think of better things to do with my time while sitting on the beach in Kuta, Bali.
Joined: Mar 2007
Posts: 522
Addict
Steve
UBB.classic from 2000-2003 UBB.threads from 2003-present!
Joined: Jun 2011
Posts: 112
Sysop
After further research and review we have issued a p2 patch to further enhance security. Owners that have not patched yet can use the p2 patch directly. If you have already patched using p1, please update to p2 the same way you applied p1. To discuss upgrade and patching options, view this thread: https://www.ubbcentral.com/forums/u...to-upgrade-or-patch-that-is-the-question
Joined: Mar 2007
Posts: 522
Addict
Steve
UBB.classic from 2000-2003 UBB.threads from 2003-present!
Joined: Dec 2003
Posts: 6,633 Likes: 85
There was a lingering security hole that SD was not comfortable with. So hence the second patch update. I am happy to say paranoia does help on occasion.
Blue Man Group There is no such thing as stupid questions. Just stupid answers
Joined: Mar 2008
Posts: 262
enthusiast
Re-Patched as well. Keep up the good work guys!
BTW is there anything we can see with this patch other than the updated version number at the bottom of the page?
Last edited by Iann128; 09/26/2011 8:11 PM.
Joined: Jan 2008
Posts: 514
addict
I re-patched but seems that it still says... 7.5.6p1... is that accurate even with the p2 patch?
Dunny
Joined: Jun 2006
Posts: 1,344
veteran
You sure you patch it with the 7.5.6p2 and upload all the files?
Last edited by gliderdad; 09/27/2011 9:19 AM.
Joined: Jun 2006
Posts: 16,378 Likes: 129
There aren't any "enhancements" to UBB.Threads 7.5.6 other than the security fixes; which won't be visible as it's all backend.