
vBulletin 3.0.5 Released - Discuss



Kier
Fri 7th Jan '05, 4:18am
Please use this thread to discuss the release of vBulletin 3.0.5.

Do not use this thread to report bugs, as it's likely they will be missed. If you believe you have found a bug, please file a report in the Bug Tracker (http://www.vbulletin.com/forum/bugs.php).

Also please do not post support requests here, these should be posted in the Support Forum or open a support ticket.

Have fun.

DiecastAviation
Fri 7th Jan '05, 4:41am
That would explain why, every time I tried to download v3.0.4 last night, it was saying the download was not available.


Glad I held off now, a job for this weekend.


Good job by the way, in getting a new update up so quickly.

Ace
Fri 7th Jan '05, 4:44am
Arrrgh!

Well, I suppose I have only re-installed 3 hacks...

Thanks for the update though. :)

tpr
Fri 7th Jan '05, 4:55am
*sob*
another work day lost in upgrading...

Oblivion Knight
Fri 7th Jan '05, 4:56am
I'm glad I didn't upgrade to 3.0.4.. :)
Time to renew my Members' Area access and get 3.0.5 up and running, I think.

I am somewhat concerned about possible data being leaked, since I gave my address to Scott for the vBotM award so that he could send me my winner's mug.

sensimilla
Fri 7th Jan '05, 4:59am
I have to say that "that was something to expect"...

Like my friend says, "don't fix something that isn't broken". I will stay with my stable 3.0.3.

cheers

Kier
Fri 7th Jan '05, 5:03am
3.0.3 is vulnerable, as are all previous versions of vBulletin 3. You should upgrade as soon as possible.

LOTR
Fri 7th Jan '05, 5:10am
Kier, do you recommend that those of us currently on vB 3.0.3 upgrade immediately? My Members' Area access has expired at the moment, so if I just patch with init.php, does that make it much safer?

sensimilla
Fri 7th Jan '05, 5:12am
3.0.3 is vulnerable, as are all previous versions of vBulletin 3. You should upgrade as soon as possible.

The vulnerability is not public yet, I think, and who knows how affected 3.0.5 can be?

Thanks for the heads-up, Kier, keep up the good work!

Mike Sullivan
Fri 7th Jan '05, 5:12am
Kier, do you recommend that those of us currently on vB 3.0.3 upgrade immediately? My Members' Area access has expired at the moment, so if I just patch with init.php, does that make it much safer?
Yes. Use the new init.php as soon as you can.

JPT62089
Fri 7th Jan '05, 5:14am
I am just patching the init file for now until the major release... because I don't want to reinstall arcade, bot, and something else a couple of times :p

btw I like the speed of the upgrade now :)

danew
Fri 7th Jan '05, 5:15am
Is 3.0.4 safe if register_globals is set as "off"?

Umut Ceylan
Fri 7th Jan '05, 5:22am
I have updated to 3.0.5. Thanks, all the team, you are the best.

Mike Sullivan
Fri 7th Jan '05, 5:24am
Is 3.0.4 safe if register_globals is set as "off"?
Yes, it should be. I've not been able to reproduce this issue with that setup.

If you have the chance, I'd still recommend using the init.php that's provided.

Umut Ceylan
Fri 7th Jan '05, 5:28am
I don't use init.php, is that a problem??
But I have upgraded, and I can't see any problem.

cclaerhout
Fri 7th Jan '05, 5:29am
For people like me who already spent a lot of time upgrading from 3.0.3 to 3.0.4, could you tell us which files have been modified from 3.0.4 to 3.0.5 (or better, which modifications you made)? It would be faster for us to upgrade while integrating our hacks.
Best regards


Edit: oops, I read too fast, I can now see which files have been modified.

Mike Sullivan
Fri 7th Jan '05, 5:30am
If you have upgraded to 3.0.5, then you are fine. I'm not sure what you mean by "I don't use init.php." It's a fundamental file in vBulletin (includes/init.php); it's not called directly though.

hollyboy
Fri 7th Jan '05, 5:31am
I don't understand how to upgrade...
I run 3.0.1; should I download the vB 3.0.5 package, upload it overwriting the old files, and then?

Kier
Fri 7th Jan '05, 5:32am
LOTR - upgrade as soon as possible. It's only a matter of time before this flaw is exploited.

cclaerhout - A list of changed files is available below the release announcement (as always).

netcommander - If you use vBulletin, every single page will call init.php behind the scenes

Mike Sullivan
Fri 7th Jan '05, 5:33am
Is this the only modification to do?
Yes, that is the only template modification from 3.0.4 to 3.0.5.

Boxy
Fri 7th Jan '05, 5:35am
hollyboy - the vB3 upgrade instructions (http://www.vbulletin.com/docs/html/upgrade) are in the manual. Basically, upload the 3.0.5 files, overwriting the existing files, then run the upgrade script.

Remember to take a backup of the database before you do the upgrade.

Umut Ceylan
Fri 7th Jan '05, 5:37am
Thanks, sir, take care..

Zenith
Fri 7th Jan '05, 5:37am
That'd be right. My subscription expired on 5th Jan, so I downloaded 3.0.4 on 4th Jan, spent all day today upgrading, and was just about to open the board again when I saw "3.0.5 latest version" at the top of the AdminCP :roll:

Oh well.

Freezerator
Fri 7th Jan '05, 5:41am
I am currently not in the luxury of being able to upgrade, but if I use init.php will I be safe? I am running PHP 4.3.10 though.

Kier
Fri 7th Jan '05, 5:43am
Freezerator - Yes, install the latest init.php to close the security hole.

stormblast-
Fri 7th Jan '05, 5:48am
cclaerhout - A list of changed files is available below the release announcement (as always).

I guess he meant a detailed changelog to see which code has changed. So it'd be possible to edit those files by hand and insert/replace the old code by the new one step by step. That way it probably wouldn't affect any hacks..

Mike Sullivan
Fri 7th Jan '05, 5:49am
That'd be right. My subscription expired on 5th Jan, so I downloaded 3.0.4 on 4th Jan, spent all day today upgrading, and was just about to open the board again when I saw "3.0.5 latest version" at the top of the AdminCP :roll:

Oh well.
This is another one of the reasons we attach security fixes to our announcements.

Michael Morris
Fri 7th Jan '05, 5:54am
I don't use init.php, is that a problem??
But I have upgraded, and I can't see any problem.

Oh yes you do - it gets called by global.php.

theArchitect
Fri 7th Jan '05, 5:58am
So we should upgrade every file? Or just init.php from 3.0.5?

I have only just finished re-installing all of my hacks and am not overly keen to do so again (but will to fix the flaw). Will this be the last update for a little while, or can we expect another one in the next week or so?

Floris
Fri 7th Jan '05, 6:00am
vb fan site and vb language site upgraded, total time: 9 minutes.

Great job developers, thank you for the effort you put into your product and customers.

Mike Sullivan
Fri 7th Jan '05, 6:01am
So we should upgrade every file? Or just init.php from 3.0.5?
If possible, every file. (Don't you like bug fixes? ;)) At the very least, regardless of hacks, use the new init.php.

Will this be the last update for a little while, or can we expect another one in the next week or so?
This update was not scheduled. It was necessitated by the discovery of the security flaw.

Vile
Fri 7th Jan '05, 6:03am
Thanks for the update guys. :)
Upgraded to the latest version with no problems.

crepo
Fri 7th Jan '05, 6:04am
If this update is so important, why don't we get an email with the message that there is a new update for download?

There are weeks that I don't check the vbulletin website/forum.

thx,
p

Oblivion Knight
Fri 7th Jan '05, 6:05am
So we should upgrade every file? Or just init.php from 3.0.5?
You just need to use init.php from 3.0.5 if you want to plug the flaw without upgrading again.


Will this be the last update for a little while, or can we expect another one in the next week or so?
I suspect 3.1.0 is due within the next couple of months, but that's just a gut feeling. I was putting off upgrading to 3.0.4 for this reason..

Zenith
Fri 7th Jan '05, 6:06am
This is another one of the reasons we attach security fixes to our announcements.
Sorry, I'm not complaining, in fact happy you guys are on the ball. Just an observation on my impeccably bad timing is all.

Anyway, already renewed and downloaded.

Cheers

Mike Sullivan
Fri 7th Jan '05, 6:07am
If this update is so important, why don't we get an email with the message that there is a new update for download?
We are currently preparing the email to be sent. It takes quite some time to email all customers though, so you will always see the announcement posted here first.

Mike Sullivan
Fri 7th Jan '05, 6:09am
Sorry, I'm not complaining, in fact happy you guys are on the ball. Just an observation on my impeccably bad timing is all.
Sorry, didn't mean anything by my comment either. I guess you could say I meant that in a salesman sort of tone. "Oh, and look what else it does..." :)

nathanaus
Fri 7th Jan '05, 6:11am
Updated, total time less than 3 minutes. Nice, fast and easy. Thank you for making this so easy for newbies like me.

myBTRex
Fri 7th Jan '05, 6:27am
What can I do if I have no access to the Member Area (but my friend, the license owner has...) ( I can prove he has btw.. )

Colin F
Fri 7th Jan '05, 6:28am
Just download the init.php from the first post and exchange that with your current init.php

Mike Sullivan
Fri 7th Jan '05, 6:30am
What can I do if I have no access to the Member Area (but my friend, the license owner has...) ( I can prove he has btw.. )
Upload the attached init.php overtop of your existing includes/init.php. It should be backwards compatible with the entire 3.0.x series (betas untested).

myBTRex
Fri 7th Jan '05, 6:32am
Upload the attached init.php overtop of your existing includes/init.php. It should be backwards compatible with the entire 3.0.x series (betas untested).

Ok, thanks, I'm doing that right now (we are still using 3.0.3)
Do you guys think that after I update init.php, I could still be vulnerable? I hope not. I'm going to make a backup anyway, just for sure. :)

ManagerJosh
Fri 7th Jan '05, 6:38am
Ok, thanks, I'm doing that right now (we are still using 3.0.3)
Do you guys think that after I update init.php, I could still be vulnerable? I hope not. I'm going to make a backup anyway, just for sure. :)
You shouldn't be vulnerable, however if it is discovered that other boards are still indeed vulnerable, Jelsoft will create another patch to be made available to the public to rectify the situation.

Mad Props to the Jelsoft team for correcting this bug before it did any massive damage :)

Kristian
Fri 7th Jan '05, 6:45am
Flexifoil Community (http://www.flexifoil.com/community/forums/) updated in 14 minutes, all looking good - no problems...

danb00
Fri 7th Jan '05, 6:56am
I'm confused, what does init.php do? And how important is it?

Mike Sullivan
Fri 7th Jan '05, 7:00am
I'm confused, what does init.php do? And how important is it?
It's a fundamental system file that is executed with every page of vBulletin. It sets up fundamental objects/data for the rest of the system to use.

The_Enigma
Fri 7th Jan '05, 7:01am
Will the init.php affect any hacks?

SaN-DeeP
Fri 7th Jan '05, 7:03am
Are all versions under threat, or only 3.0.4?
We have PHP 4.3.10 running and version 3.0.3 of vBulletin; do we need the patch?

Regards,

danb00
Fri 7th Jan '05, 7:05am
OK, now I'm totally confused, I have loads of mods installed.
Are there any available file edits?
What can I do to update my vBulletin?

Floris
Fri 7th Jan '05, 7:05am
Are all versions under threat, or only 3.0.4?
We have PHP 4.3.10 running and version 3.0.3 of vBulletin; do we need the patch?

Regards,
Please read the full announcement.

The discovery of a serious security vulnerability in versions of vBulletin 3 up to and including 3.0.4 has necessitated the immediate release of a version to plug the hole.

The vulnerability affects anyone running vBulletin 3 on PHP 4 with register_globals enabled in php.ini.

This is a CRITICAL update, and we urge all affected customers to upgrade vBulletin with the utmost urgency.
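
As an added illustration of the vulnerability class the announcement names (PHP 4 with register_globals enabled), and not vBulletin's code or the specific 3.0.x flaw: with register_globals on, every query-string, form and cookie parameter is turned into a global variable before the script runs, so any code that tests a variable it never initialised can be steered from the URL. The first function shows that pattern, the second the fix of initialising explicitly, and the third the sweep many PHP applications of the time performed at the top of their entry script to undo register_globals when the host had it on. The function and variable names are my own, and the sample request is constructed in the script rather than taken from a real HTTP request.

```php
<?php
// Added illustration of the register_globals problem class. Not vBulletin code,
// and not the 3.0.x flaw itself; names are invented for the demonstration.

// Vulnerable pattern: with register_globals=On, a request such as ?is_admin=1
// creates a global $is_admin before any application code runs. Code that only
// ever *sets* the flag and otherwise relies on it being undefined inherits the
// attacker's value.
function page_is_admin_vulnerable(array $session)
{
    global $is_admin;                      // may already hold "1" from the URL
    if (isset($session['userid']) && $session['userid'] === 1) {
        $is_admin = true;
    }
    return !empty($is_admin);
}

// Hardened pattern 1: initialise every variable you later test, in local scope,
// so no injected global survives to the check.
function page_is_admin_hardened(array $session)
{
    $is_admin = false;                     // explicit default wins over anything injected
    if (isset($session['userid']) && $session['userid'] === 1) {
        $is_admin = true;
    }
    return $is_admin;
}

// Hardened pattern 2: emulate register_globals=Off at the top of the entry
// script by removing from the global scope every name that also appears in a
// request array. $enabled defaults to the live ini setting; pass true to force
// the sweep (done below for the demonstration). Add $_SERVER and $_ENV to
// $sources if variables_order registers those as globals on your host.
function strip_register_globals($enabled = null)
{
    if ($enabled === null) {
        $enabled = (bool) ini_get('register_globals');
    }
    if (!$enabled) {
        return 0;                          // correctly configured host: nothing to do
    }
    $protected = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_FILES',
                       '_SERVER', '_ENV', '_REQUEST', '_SESSION');
    $sources = array($_GET, $_POST, $_COOKIE, $_FILES);
    $removed = 0;
    foreach ($sources as $source) {
        foreach (array_keys($source) as $name) {
            if (!in_array($name, $protected, true) && array_key_exists($name, $GLOBALS)) {
                unset($GLOBALS[$name]);    // never unset the superglobals themselves
                $removed++;
            }
        }
    }
    return $removed;
}

// Constructed demonstration; no real HTTP request is involved.
$_GET['is_admin'] = '1';                   // what ?is_admin=1 would deliver
$is_admin = $_GET['is_admin'];             // what register_globals=On would then do with it
$guest = array('userid' => 42);            // an ordinary, non-admin session

var_dump(page_is_admin_vulnerable($guest)); // bool(true): the injected flag is trusted
var_dump(page_is_admin_hardened($guest));   // bool(false): the explicit default overrides it
var_dump(strip_register_globals(true));     // int(1): the injected $is_admin is removed
var_dump(isset($is_admin));                 // bool(false)
```

The sweep is only a stopgap for hosts you cannot reconfigure; the durable fix is register_globals = Off in php.ini (or php_flag register_globals off in .htaccess where the host allows it), which is why Mike's answer above that 3.0.4 is not affected with register_globals off is consistent with the announcement's wording.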

Boxy
Fri 7th Jan '05, 7:06am
All 3.x versions of vBulletin are vulnerable. You should upgrade as soon as possible.

hjmaier
Fri 7th Jan '05, 7:10am
OK, now I'm totally confused, I have loads of mods installed.
Are there any available file edits?
What can I do to update my vBulletin?

One hint for further upgrades:

I have a changelog of every source code file and all the modifications I did. In my case it isn't huge, but it helps a lot.

Best regards
hj

iguanairs
Fri 7th Jan '05, 7:13am
Hello,
My site is heavily modified. I will, and have announced to my site that I will, be upgrading as instructed. I was curious if there is a way for me to avoid reinstalling all of the mods/hacks that have been added.
Also, my license expires in March. How do I go about renewing it? Do I need to repurchase Vbulletin, or is there a renewal fee associated with it?

danb00
Fri 7th Jan '05, 7:13am
Well, it would help if after every update there was a list of files to edit with the new code to add, as that would help those with mods.

I would really like that.

MMCNL
Fri 7th Jan '05, 7:17am
I don't really understand, do I just have to overwrite init.php?

hjmaier
Fri 7th Jan '05, 7:22am
I don't really understand, do I just have to overwrite init.php?
If you dont want to upgrade, it is enough to overwrite the init.php.

Best regards
hj

Boxy
Fri 7th Jan '05, 7:25am
Yes, overwrite the existing init.php with the new file. This will secure your forums without having to upgrade completely, although we would advise you do upgrade to the full 3.0.5 version as soon as you can.

MMCNL
Fri 7th Jan '05, 7:25am
Thank you very much :).

Edit: I just patched my vB, but now I'm getting this error:

Warning: Invalid argument supplied for foreach() in /includes/functions.php on line 2854

Warning: Invalid argument supplied for foreach() in /includes/functions.php on line 2854

Warning: Invalid argument supplied for foreach() in /includes/functions.php on line 2854

Located at line 2854, functions.php, I see this:
foreach ($_FIELDNAMES AS $field => $bitvalue)

How to fix this?

cinq
Fri 7th Jan '05, 7:28am
Now, you guys have REALLY got to be sh1tting me this time ....... arggggggggghhhhhhhhhhh :(

Back to beyond compare ..... :p

martync
Fri 7th Jan '05, 7:29am
Jelsoft, a definitive answer would be good here: -

I upgraded last night to 3.0.4, then you say that you have found a security flaw in all versions of 3.x; do I really need to upgrade, or can I just copy over the init.php for now?
Also there is rumours that there is going be a major release soon, so was holding back doing anymore upgrades because of re-adding hacks again until this rumoured release was released.

Is this indeed just a rumour or is this common knowledge

zurih
Fri 7th Jan '05, 7:31am
If I do not use the update script and only modify the PHP files and templates that have changed, it will be good as well right?

ManagerJosh
Fri 7th Jan '05, 7:32am
You should still run the update script as it contains revision data (like new templates etc.)

hjmaier
Fri 7th Jan '05, 7:37am
I am sure, Jelsoft is doing this just to keep us busy :p

Best regards
hj

zurih
Fri 7th Jan '05, 7:39am
But my templates are modified. A lot!!
How can I update without losing my modified templates?

Mike Sullivan
Fri 7th Jan '05, 7:40am
Located at line 2854, functions.php, I see this:
foreach ($_FIELDNAMES AS $field => $bitvalue)

How to fix this?
You have the arcade hack installed. I'd say remove it, but I'm sure you can edit your files somehow to keep it...

Mike Sullivan
Fri 7th Jan '05, 7:41am
But my templates are modified. A lot!!
How can I update without losing my modified templates?
Upgrading will not edit any of your customized templates. After upgrading, run "find updated templates" to see what's been changed. You should then integrate those changes into your customized templates (or recustomize the new template).

MMCNL
Fri 7th Jan '05, 7:45am
Yeah, I do have the arcade hack installed. But I'm not sure how to edit my files so I can keep the hack.

zurih
Fri 7th Jan '05, 7:53am
thanks mike! so just change the php files, run the update script and then change the customized templates?

Floris
Fri 7th Jan '05, 7:59am
Yes.

* Backup files & database
* Test backup
* Upload 3.0.5
* Run upgrade.php
* Check for errors (and if found, revert the template causing it and re-apply your custom code)
* Done!

Oblivion Knight
Fri 7th Jan '05, 8:00am
Located at line 2854, functions.php, I see this:
foreach ($_FIELDNAMES AS $field => $bitvalue)

How to fix this?
Re-edit includes/init.php with the changes made by the arcade again.. :)

Mike Sullivan
Fri 7th Jan '05, 8:00am
thanks mike! so just change the php files, run the update script and then change the customized templates?
Correct. If you're already on 3.0.4, then you only have one template to update. If you're on 3.0.3, you have a bit more to go through.

You can also refer to the announcements. We list all templates changed, what changes were made (in sentence form usually :)), and whether the changes are required. Some are cosmetic; leaving them won't break anything.

alamuae
Fri 7th Jan '05, 8:07am
vBulletin 3.0.5

If we upgrade to vBulletin 3.0.5,
can we use the language file of vBulletin 3.0.4?
Because I spent time translating the language file into Arabic,
so can it be used with the newer version, vBulletin 3.0.5?

If it cannot be used and translating is needed for the newer version, can you tell me about the changes in the language file for the newer version, to save time instead of losing it searching for the changes?

Kier
Fri 7th Jan '05, 8:12am
You should be able to use your 3.0.4 language file with no problem.

rfairbairn
Fri 7th Jan '05, 8:16am
Thanks guys for the very quick turnaround, before the problem was exploited. Much appreciated

alamuae
Fri 7th Jan '05, 8:16am
You should be able to use your 3.0.4 language file with no problem.

Thank You

MMCNL
Fri 7th Jan '05, 8:19am
Re-edit includes/init.php with the changes made by the arcade again.. :)
Ah, thank you. I forgot about that one :(.

georgec
Fri 7th Jan '05, 8:30am
I'm running vBulletin 3.0. Am I correct in assuming by uploading ini.php instead of upgrading, that should take care of any known exploits by itself right?

Thanks,

Oblivion Knight
Fri 7th Jan '05, 8:35am
I'm running vBulletin 3.0. Am I correct in assuming by uploading ini.php instead of upgrading, that should take care of any known exploits by itself right?

Thanks,
includes/init.php

Yes, though many additional bugs have been fixed since 3.0.0 so it is recommended that you upgrade when you have the time and funds to do so.

Creative Suite
Fri 7th Jan '05, 8:35am
Wow, we are in the era of speed :p

Just want to ask about 3.0.6 :D

theArchitect
Fri 7th Jan '05, 8:49am
This is probably not the place for this, but here goes.

I have a custom script which displays the latest posts on the forum home page. The script is as follows

$lasts = $DB_site->query("
    SELECT threadid, thread.title, thread.lastpost, thread.forumid, postusername, thread.lastposter, postuserid, views, thread.replycount, forum.title AS forumtitle
    FROM " . TABLE_PREFIX . "thread AS thread
    LEFT JOIN " . TABLE_PREFIX . "forum AS forum ON forum.forumid = thread.forumid
    WHERE visible = 1
    ORDER BY lastpost DESC LIMIT $vboptions[nbrlast]
");
// NB: $vboptions[nbrlast] is interpolated into LIMIT exactly as stored
while ($last = $DB_site->fetch_array($lasts))
{
    // only list threads from forums the current user is allowed to view
    if ($bbuserinfo['forumpermissions']["$last[forumid]"] & CANVIEW)
    {
        // trim long titles to the configured length
        if (strlen($last['title']) > $vboptions['nbrcarlast'])
        {
            $last['title'] = substr($last['title'], 0, $vboptions['nbrcarlast']) . "...";
        }

        $last['title'] = htmlspecialchars($last['title']);

        $last['lastpost'] = vbdate($vboptions['dateformat'], $last['lastpost'], true);

        eval("\$lastbit .= \"" . fetch_template('forumhome_lastbit') . "\";");
    }
}

This was working fine under 3.0.3 and 3.0.4 but in 3.0.5 it is generating this error:

Database error in vBulletin 3.0.5:

Invalid SQL:
SELECT threadid, thread.title, thread.lastpost, thread.forumid, postusername, thread.lastposter, postuserid, views, thread.replycount, forum.title AS forumtitle
FROM thread AS thread
LEFT JOIN forum AS forum ON forum.forumid = thread.forumid
WHERE visible = 1
ORDER BY lastpost DESC LIMIT

mysql error: You have an error in your SQL syntax near '' at line 7

mysql error number: 1064

Any thoughts?
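
An added example, not from theArchitect's post or from vBulletin: the query above splices $vboptions[nbrlast] straight into LIMIT, so whatever leaves that option empty after the upgrade produces the trailing "LIMIT " with nothing after it and MySQL's error 1064, exactly as quoted. Validating the value before it reaches SQL turns that failure into a safe default, and at the same time stops any non-numeric value from ever being interpolated into the statement. $DB_site, TABLE_PREFIX and $vboptions are vBulletin's; safe_limit() and build_lastposts_sql() are names of my own, and the inputs at the bottom are constructed for the demonstration.

```php
<?php
// Added example: validate the LIMIT value before interpolating it into SQL.
// Not vBulletin code; the helper names are invented for this illustration.

// Return a safe positive integer for LIMIT, falling back to $default when the
// option is missing, empty, non-numeric or below 1, and capping it at $max.
function safe_limit($value, $default = 10, $max = 100)
{
    $n = is_numeric($value) ? intval($value) : 0;   // '' / null / garbage -> 0
    if ($n < 1) {
        return $default;
    }
    return ($n > $max) ? $max : $n;
}

// Build the "latest posts" query with only vetted values interpolated.
// $table_prefix is whatever TABLE_PREFIX holds; $limit is the raw option.
function build_lastposts_sql($table_prefix, $limit)
{
    $limit = safe_limit($limit);
    return "SELECT thread.threadid, thread.title, thread.lastpost, thread.forumid,
                   thread.postusername, thread.lastposter, thread.postuserid,
                   thread.views, thread.replycount, forum.title AS forumtitle
            FROM {$table_prefix}thread AS thread
            LEFT JOIN {$table_prefix}forum AS forum ON forum.forumid = thread.forumid
            WHERE thread.visible = 1
            ORDER BY thread.lastpost DESC
            LIMIT $limit";
}

// Constructed checks; no database connection is needed to see the effect.
echo build_lastposts_sql('vb3_', ''), "\n";                      // LIMIT 10 (empty option -> default)
echo build_lastposts_sql('vb3_', '25'), "\n";                    // LIMIT 25
echo build_lastposts_sql('vb3_', '5; DROP TABLE vb3_user'), "\n"; // LIMIT 10 (not numeric -> default)
echo build_lastposts_sql('vb3_', '9999'), "\n";                  // LIMIT 100 (capped)
```

In the original snippet the call becomes $DB_site->query(build_lastposts_sql(TABLE_PREFIX, $vboptions['nbrlast'])), and $vboptions['nbrcarlast'] deserves the same intval() treatment before it is handed to substr(). The cap matters on a forum home page: an option accidentally set to a huge number would otherwise pull the whole thread table on every page view.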

MrNase
Fri 7th Jan '05, 8:49am
This just can't be true.. :mad:


How come those things can't be discovered before all customers upgrade to 3.0.4?
How can 3.0.4 be more insecure than 3.0.3 ever was?
Upgrading from 3.0.3 to 3.0.4 was a pain, and I am afraid that this upgrade will be even more work.

I won't be a party-pooper but to be honest: this really sucks!

Just my 0,02€..

The only question is: Will this be the last version for the next 3 months or is the 3.0.6 to come?

Kier
Fri 7th Jan '05, 8:56am
3.0.4 is more secure than 3.0.3, but all versions of vBulletin 3 before 3.0.5 have this newly found flaw.

pirrup
Fri 7th Jan '05, 9:06am
Dudes, just download the init.php, open it and open your own init.php, and just look at what basic code has changed, so you only need to make those adjustments to your file without replacing it. (I use 3.0.4 and I'll wait for the major update.)

Erwin
Fri 7th Jan '05, 9:10am
This just can't be true.. :mad:


How come those things can't be discovered before all customers upgrade to 3.0.4?
How can 3.0.4 be more insecure than 3.0.3 ever was?
Upgrading from 3.0.3 to 3.0.4 was a pain, and I am afraid that this upgrade will be even more work.

I won't be a party-pooper but to be honest: this really sucks!

Just my 0,02€..

The only question is: Will this be the last version for the next 3 months or is the 3.0.6 to come?
Dude, this is a NEW security flaw that's present in ALL vB3 except 3.0.5, and is not caused by 3.0.4.

Rob-Morgan
Fri 7th Jan '05, 9:13am
Well, I was a little shocked at how quickly it came, but in the end - I would rather vB told us, than instead choose to hope nobody notices in an effort not to annoy anybody on here.

I have only used vB for a couple of weeks now - but I am very impressed.

Everybody makes mistakes - from us 'ants' all the way up to the most huge company - take Microsoft for example! We are only human.

Credit vB for being honest and quick with a fix.

Thats my opinion anyway. :)

Note - I upgraded without any problems. :P

digitalhome
Fri 7th Jan '05, 9:13am
I have an idea but could someone please clarify.

In the announcement under template changes it says for some:
Requires revert? Yes
So after I upgrade what exactly am I supposed to do with these templates or do I have to do anything?

Thanks in advance

Giray
Fri 7th Jan '05, 9:19am
3.0.4 to 3.0.5
MEMBERINFO Line 250, change this
<if condition="$userinfo['birthday'] OR $customfields">
to this
<if condition="$show['extrainfo']">
Requires revert? Yes

Just checked on my 3.0.5 and the change is already there. Does that make sense?

JohnK
Fri 7th Jan '05, 9:19am
I've applied the new init.php to my 3.0.0 installation and it appeared to break the style sheet. Anyone else had a problem with this?

John

< Edit: I've upgraded to 3.0.5 now, no probs :D >

Attachments:
- with new init.php
- how it should be

Erwin
Fri 7th Jan '05, 9:19am
The init.php update will plug the security hole.

Remember, the security hole is in ALL vBulletin 3 forums. It was always there. It just so happens that someone bright figured out a way to exploit it now.

RichM
Fri 7th Jan '05, 9:31am
I am glad we didn't start hacking our forum yet. As I am unable to update right now, We have had to suspend the site.
Is this flaw bad or what? What could someone do if they managed to exploit it?

ricoche
Fri 7th Jan '05, 9:32am
Hello,

My site is down after replacing the 3.03 init.php file with the 3.05 init.php file. I am getting the following error:

Warning: Constants may only evaluate to scalar values in /includes/init.php on line 804

Any ideas what could be causing this?

Thanks

Interdit
Fri 7th Jan '05, 9:35am
To Ricoche,

I got that error a long time ago when upgrading PHP to 4.3.10; you should update Zend Optimizer to 2.5.7 and all will be fixed.

Best regards,
Francois

PS: the upgrade to 3.0.5 worked perfectly, thanks Jelsoft, waiting for a 3.x release now ;)

ricoche
Fri 7th Jan '05, 9:42am
To Ricoche,

I got that error a long time ago when upgrading PHP to 4.3.10; you should update Zend Optimizer to 2.5.7 and all will be fixed.

Best regards,
Francois

PS: the upgrade to 3.0.5 worked perfectly, thanks Jelsoft, waiting for a 3.x release now ;)

Thank you very very much. That worked great. All is well now.

Ricoche :)

1996 328ti
Fri 7th Jan '05, 10:05am
One hint for further upgrades:

I have a changelog of every source code file and all the modifications I did. In my case it isn't huge, but it helps a lot.
I also keep a change log with my own notes
## open file.php
## find
## add above and so forth

I also comment after <?php
// mod installed and where I found it

// mod start
// no longer needed code
// mod end

and in my templates at the top <!-- mod installed -->
Each time the changelog gets a little clearer.

sbryan
Fri 7th Jan '05, 10:07am
seeing as 3.03 was around for so long i finally decided to install a couple of hacks the other day thinking there wouldnt be any updates for a while now.

guess i can kiss those good bye :(

zurih
Fri 7th Jan '05, 10:08am
Is it possible to keep the showthread.php of 3.0.3?
It's modified, and with the new file the modification is not working.

Deaths
Fri 7th Jan '05, 10:10am
Just checked on my 3.0.5 and the change is already there. Does that make sense?
That list is for manual editing i guess...

sbryan
Fri 7th Jan '05, 10:18am
OK, I've uploaded the new init.php file to do me until tomorrow morning when I'm more awake.

I just installed a couple of hacks, the main one being the vBTrader hack that took me ages to get looking nice. I'm definitely going to lose all hacks when I do the 3.0.5 upgrade, aren't I? :(

dgpurvis
Fri 7th Jan '05, 10:18am
Ummm... I don't have an 'init.php' file in my 'includes' folder. My forum has been running quite happily for several months (ver. 3.0.3) without it! Is this right? Do I need to add the new init file anyway?

M1th
Fri 7th Jan '05, 10:23am
I see a quick fix in search.php for thread searches. Is this related to the bug in full-text mode by any chance? If yes, then I so love you guys! If not, then I still do, but I'd love to see a fix for it.

EDIT: Just upgraded and checked it out. It works! Much thanks! :)

zurih
Fri 7th Jan '05, 10:28am
OK, I upgraded without losing any modifications (thanks to Araxis Merge).
But some of the features that should be in the new version are not; like alt3 CSS, I have no such thing in Style Manager.

How can I be sure that everything is all right and upgraded...?

John
Fri 7th Jan '05, 10:30am
dgpurvis, the includes folder is the one off the forum folder. init.php is integral to vBulletin 3 so you won't be running without it. Take another look and I think you should find it.

noppid
Fri 7th Jan '05, 10:38am
What a world, what a world!

At least we get good upgrade notes. :)

dgpurvis
Fri 7th Jan '05, 11:04am
dgpurvis, the includes folder is the one off the forum folder. init.php is integral to vBulletin 3 so you won't be running without it. Take another look and I think you should find it.

Of course...! I was being an idiot and looking in the wrong 'includes' folder!!! Thanks.

NYI Fan
Fri 7th Jan '05, 11:05am
Had already patched my old init.php for 3.0.4 and will do the same for 3.0.5, as I have a lot of hacks installed and no time to make the changes to everything for at least a few weeks. Have also verified I am running PHP 4.3.10 as well, so covered on both ends :)

And once again, I get to sing the praises of FreeDiff (http://www.saltybrine.com/) FreeDiff – File Difference Viewer - for Windows 95/98/Me - XP/2000/NT
This program may be freely used and distributed.

WoodiE
Fri 7th Jan '05, 11:11am
I'm still running 3.0.1 and won't have time to update to 3.0.5 until later next week, so can I just upload init.php now until I can update my forums later next week? Or is init.php only for 3.0.4?


-Michael

nepolia
Fri 7th Jan '05, 11:14am
Was there actually something wrong with the init.php file? I'm just asking as I've been trying to install a couple of mods which required changes made to init.php, but have been unable to keep these mods on the board as index.php would start printing code from init.php. Probably doesn't have anything to do with it, but just thought it was strange.

SVTOA
Fri 7th Jan '05, 11:14am
I'm still running 3.0.1 and won't have time to update to 3.0.5 until later next week, so can I just upload init.php now until I can update my forums later next week? Or is init.php only for 3.0.4?


-Michael

Download the most recent patched init.php, and if you have hacked your original copy, make the changes needed so your hacks continue to function, replace the file, and you should be fine. Make a copy of the original in case you fubar something.

NukLeoN
Fri 7th Jan '05, 11:16am
To my mind, this update is for the whole vBulletin 3.x.x branch.

SVTOA
Fri 7th Jan '05, 11:16am
Was there actually something wrong with the init.php file? I'm just asking as I've been trying to install a couple of mods which required changes made to init.php, but have been unable to keep these mods on the board as index.php would start printing code from init.php. Probably doesn't have anything to do with it, but just thought it was strange.


You should be able to get your hacks to work fine. I had made several alterations to my 3.0.1 init.php file; use a program like Araxis Merge to compare the files and bring your alterations over to your new init.php file. It should take all of five or ten minutes to do....

karen.granville
Fri 7th Jan '05, 11:20am
I upgraded 3.0.4 -> 3.0.5, but I cannot view any images (registered, moderator, administrator groups), while guests see them normally.
My forum has one super administrator (he can see them).

I don't know what happened to me >.<

Help me, plz :(

SVTOA
Fri 7th Jan '05, 11:21am
To my mind, this update is for the whole vBulletin 3.x.x branch.


As has been instructed by the vbulletin team, if you do not have the init.php file with the following version, you MUST UPGRADE TO THE MOST RECENT VERSION OF init.php AT THE VERY LEAST: (even if you used the file they released a few days ago, you MUST replace it with this one)


|| # Downloaded from vBulletin 3.0.5 release announcement thread
|| # CVS: $RCSfile: init.php,v $ - $Revision: 1.239.2.10 $

If your includes/init.php file is any other version, then you are vulnerable to attack/security issues.
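
An added check, not part of the thread or of vBulletin, for confirming which init.php is actually deployed by reading the CVS $Revision$ keyword quoted above rather than trusting that an upload succeeded. The expected revision 1.239.2.10 is the one the post names; the relative path includes/init.php and the function names are my own assumptions, and the two header fragments at the bottom are constructed to mirror the quoted lines.

```php
<?php
// Added example: verify the deployed includes/init.php by its CVS revision tag.
// Not vBulletin code; function names are invented. The expected revision is
// the one quoted in the post above.

// Extract the revision from a CVS-expanded keyword such as
// "$Revision: 1.239.2.10 $". Returns null when no tag is present.
function extract_cvs_revision($header_text)
{
    if (preg_match('/\$Revision:\s*([0-9.]+)\s*\$/', $header_text, $m)) {
        return $m[1];
    }
    return null;
}

// True when the file at $path carries a revision at or above $expected.
// A missing or unreadable file is reported as not current, never as safe.
function init_php_is_current($path, $expected = '1.239.2.10')
{
    $head = @file_get_contents($path, false, null, 0, 4096);  // header is in the first few KB
    if ($head === false) {
        return false;
    }
    $rev = extract_cvs_revision($head);
    // version_compare handles dotted CVS branch numbers: 1.239.2.9 < 1.239.2.10
    return $rev !== null && version_compare($rev, $expected, '>=');
}

// Constructed header fragments modelled on the lines quoted in the post.
$patched   = "<?php\n|| # Downloaded from vBulletin 3.0.5 release announcement thread\n"
           . "|| # CVS: \$RCSfile: init.php,v \$ - \$Revision: 1.239.2.10 \$\n";
$unpatched = "<?php\n|| # CVS: \$RCSfile: init.php,v \$ - \$Revision: 1.239.2.9 \$\n";

var_dump(extract_cvs_revision($patched));                                    // string "1.239.2.10"
var_dump(version_compare(extract_cvs_revision($unpatched), '1.239.2.10', '>=')); // bool(false)

// Against a real installation (path assumed relative to this script):
var_dump(init_php_is_current(__DIR__ . '/includes/init.php'));
```

One caveat a practitioner should keep in mind: the check trusts the header. If you followed pirrup's route above and merged the changed lines by hand into an existing, hacked init.php, the old $Revision$ line stays in place and this test reports the file as unpatched even though the fix is present. In that situation compare the file against the downloaded init.php with a diff tool instead, which is also the only way to confirm that nothing else in the file was altered.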

Omega Prime
Fri 7th Jan '05, 11:22am
Good thing I didn't upgrade anything yet, as something told me to hold off for the time being, so I guess I was right ;)

jonnerd154
Fri 7th Jan '05, 11:24am
When I uploaded the newest init.php file I get warnings at the top of all forum pages:

Warning: Invalid argument supplied for foreach() in /includes/functions.php on line 2854

Warning: Invalid argument supplied for foreach() in /includes/functions.php on line 2854

Warning: Invalid argument supplied for foreach() in /includes/functions.php on line 2854

and warnings where the thread lists should be:

Unable to add cookies, header already sent.
File: /usr/local/apache/dev/forums/includes/init.php
Line: 27

ideas?

Cap'n Steve
Fri 7th Jan '05, 11:33am
I don't want to sound like I'm complaining, but why does this keep happening? The 3.0.2/3.0.3 upgrade went the same way.

Snowy
Fri 7th Jan '05, 11:34am
OK, another upgrade I see; nice to know a security fix is the cause. OK, well, I think I will just patch the file as I'm not willing to spend another 5 hours installing everything again. The question from me is how long until the expected release of the next major upgrade? If this is a long period then I may upgrade fully to 3.0.5.

Snowy
Fri 7th Jan '05, 11:35am
When I uploaded the newest init.php file I get warnings at the top of all forum pages:

Warning: Invalid argument supplied for foreach() in /includes/functions.php on line 2854

Warning: Invalid argument supplied for foreach() in /includes/functions.php on line 2854

Warning: Invalid argument supplied for foreach() in /includes/functions.php on line 2854

and warnings where the thread lists should be:

Unable to add cookies, header already sent.
File: /usr/local/apache/dev/forums/includes/init.php
Line: 27

ideas?

Changes to other files have also been made, maybe check those too.

KW802
Fri 7th Jan '05, 11:35am
<sigh>

Oh, well.... I took Erwin's suggestion about looking into Araxis Merge and that made my upgrade of 3.0.3 with several hacks to 3.0.4 easy enough, so it looks like one more round tonight will be needed. :)

Floris
Fri 7th Jan '05, 11:37am
OK, another upgrade I see; nice to know a security fix is the cause. OK, well I think I will just patch the file as I'm not willing to spend another 5 hours installing everything again. The question from me is: how long is the expected release of the next major upgrade to be? If this is a long period then I may upgrade fully to 3.0.5.

You can upgrade to 3.0.5 now :)

dssmili
Fri 7th Jan '05, 11:38am
If I run the full update (I've got 3.03 currently) will I lose all the hacks I've got installed?
Can I only change the init.php in 3.03 with the new one?

mili

nepolia
Fri 7th Jan '05, 11:40am
If I need help with the upgrade, is it best to ask here or?

ralgar
Fri 7th Jan '05, 11:46am
Sorry, but what does "supercedes" mean?
Can you please not use slang words? No translation tool I used knows that word.
Thanks

joeychgo
Fri 7th Jan '05, 11:49am
I am still running 3.0 - I don't want to upgrade until the major release - (don't laugh)


am I ok if I just upgrade the init.php for now until the major release?

Omega Prime
Fri 7th Jan '05, 11:51am
Sorry, but what does "supercedes" mean?
Can you please not use slang words? No translation tool I used knows that word.
Thanks

I'm pretty sure it means that it follows a previous item :)

blaatje
Fri 7th Jan '05, 11:51am
Thanks for the quick fixes.

wirewolf
Fri 7th Jan '05, 11:52am
Changed the new, new version of init.php right away, no problems.
Anyway, is this a typo? I was going through the new 3.0.5 files comparing them to my existing files, 3.0.4 (I use - Beyond Compare, great little program by the way) and I found this difference (besides the date and version number), on line 701 of admincp\forumpermission.php :
My version, 3.0.4 (Yup, just upgraded last night! - Ugh! here we go again):
$select = '<div align="center"><select name="forumid" id="sel_forumid" tabindex="1" class="bginput" onchange="js_forum_jump(this.options[selectedIndex].value);">';
And in the 3.0.5 version:
$select = '<div align="center"><select name="forumid" id="sel_foruid" tabindex="1" class="bginput" onchange="js_forum_jump(this.options[selectedIndex].value);">';
Typo or use the new 3.0.5 file?

ralgar
Fri 7th Jan '05, 11:52am
So do I just need to upload the .04 init and then the 5, or what?

I'm extremely confused!

Herc
Fri 7th Jan '05, 12:08pm
MEMBERINFO Line 250, change this
<if condition="$userinfo['birthday'] OR $customfields">
to this
<if condition="$show['extrainfo']">
Requires revert? Yes

Staticfire
Fri 7th Jan '05, 12:16pm
I'll upgrade tomorrow :/ a bit busy today

kbadr
Fri 7th Jan '05, 12:22pm
Just to clarify, if I updated init.php with the attached fix, the security hole is plugged, right?


We just launched our new site. Part of it included a *lot* of VBulletin hacks, and I really don't want to upgrade and re-implement all the hacks.

Razz
Fri 7th Jan '05, 12:26pm
How would you know if your server had been compromised by this flaw?

Do you have any information for server admins about detecting these compromises? Surely updating the software itself is not enough if you have already been compromised.

joeychgo
Fri 7th Jan '05, 12:27pm
Just to clarify, if I updated init.php with the attached fix, the security hole is plugged, right?


We just launched our new site. Part of it included a *lot* of VBulletin hacks, and I really don't want to upgrade and re-implement all the hacks.


I want to know this too - I'm still on 3.0 and waiting for the major upgrade.

-

Slybone
Fri 7th Jan '05, 12:39pm
Ok, I have noticed many of you keep asking the same question, so let me just give you one simple answer: to fix the security hole all you need to do is replace your init.php with the new init.php; it should not affect your hacks UNLESS you had to modify init.php for some reason. While it is recommended that you download the whole vBulletin 3.0.5 (for the security fix AND minor bug fixes) it is not necessary.
Personal Note: I suggest if you have a lot of hacks installed on your forum that you just patch the init.php for now and wait for 3.1.0 (next major release) before you upgrade your forum completely.
-Slybone

*EDIT*
kbadr & joeychgo: Yes It fixes the security risk

Wiltuk
Fri 7th Jan '05, 12:44pm
Heh, I only installed vb yesterday :D

Ah well, thanks for patching it so quickly jelsoft, upgrade went without a hitch.

vicos
Fri 7th Jan '05, 12:44pm
Why do I get "you do not have permission to access this page" when I try to download the patched init.php? I am using the same account I have used for years here.

Oblivion Knight
Fri 7th Jan '05, 12:45pm
Typo or use the new 3.0.5 file?

That appears to have been a typo in the 3.0.4 file (a mis-correction), since my 3.0.3 has sel_foruid in the line that you mentioned..

I'd wait for the vBulletin staff to confirm this though.

AWS
Fri 7th Jan '05, 12:48pm
How would you know if your server had been compromised by this flaw?

Do you have any information for server admins about detecting these compromises? Surely updating the software itself is not enough if you have already been compromised.

I'd like to know this as well.

KimmiKat
Fri 7th Jan '05, 12:54pm
I noticed the upgrades usually comes in twos! :D

I'm glad I didn't upgrade to 3.0.4.. :)
Time to renew my member area access and get 3.0.5 up and running i think.

I am somewhat concerned about possible data being leaked, since I gave my address to Scott for the vBotM award so that he could send me my winner's mug.

ralgar
Fri 7th Jan '05, 12:56pm
thx!

Herc
Fri 7th Jan '05, 1:08pm
:) :) :) :) ;) ;) ;) Just a Reminder....

Zachery
Fri 7th Jan '05, 1:15pm
Floris contributed a nice ACP Style, I've not done anything quite like that for the main distro yet :)

Jafo
Fri 7th Jan '05, 1:16pm
For all I know, this could be due to hacks one of my admins put into the 3.03 forum, but when I replaced the init.php I got "foreach" errors in function.php on line 2854, which was:


foreach ($_FIELDNAMES AS $field => $bitvalue)
{
    if ($bitfield & $bitvalue)
    {
        $arry["$field"] = 1;
    }
    else
    {
        $arry["$field"] = 0;
    }
}
return $arry;
}

So I wrapped that code like so:

function convert_bits_to_array(&$bitfield, $_FIELDNAMES)
{
    $bitfield = intval($bitfield);
    $arry = array();
    // Only loop when a field map was actually supplied; a hack that calls
    // this with null or "" otherwise triggers the foreach() warning above.
    if ($_FIELDNAMES != "")
    {
        foreach ($_FIELDNAMES AS $field => $bitvalue)
        {
            if ($bitfield & $bitvalue)
            {
                $arry["$field"] = 1;
            }
            else
            {
                $arry["$field"] = 0;
            }
        }
    }
    // Return outside the guard so callers always get an array, never null.
    return $arry;
}

Zachery
Fri 7th Jan '05, 1:17pm
Most likely hacks. If you are having issues with the new init.php and have hacks, please check them first before reporting any problems; also please use the correct support forums for any issues. The announcement thread is not for support matters.

Jafo
Fri 7th Jan '05, 1:20pm
Now that I have actually read the entire thread, I see the foreach error is due to the arcade hack.. My fix above seems to take care of it..

RWD
Fri 7th Jan '05, 1:29pm
I wont be upgrading, I just spent £20 getting the hacks reinstalled from the upgrade to 3.0.4 and I am not spending more money on upgrading.

Scott MacVicar
Fri 7th Jan '05, 1:39pm
RWD we strongly recommend you update init.php, just use a compare program like examdiff which is completely free to see the changes. Hell I'll even do it for you if you drop me a pm, it will take less than 5 minutes to do.

I see a lot of people complaining about the time between releases, but we found out about this literally a few hours before the release. The flaw is not public, but if it was then the results could be devastating. We didn't want to sit on this and our priority is to make sure that our customers have the best security that we can provide.

Beth McCormack
Fri 7th Jan '05, 1:42pm
Installed the upgrade and re-installed the few hacks I had put into play just the other day, so far...so good. **knocks on wood** :)

Edit: I'm glad I had to do the upgrade. I'd much rather take a few hours out of my day doing the upgrade and redoing the hacks than trying to reconstruct everything. I think it's awesome that you guys found it and corrected it so fast so no complaints here.

RWD
Fri 7th Jan '05, 1:43pm
I will have a look into the compare programmes

Watson
Fri 7th Jan '05, 1:43pm
Does anyone know a good free compare program, as I have a lot of hacks installed?

PM would be great.

Cheers

Watson

Primal Rage
Fri 7th Jan '05, 1:46pm
RWD we strongly recommend you update init.php, just use a compare program like examdiff which is completely free to see the changes. Hell I'll even do it for you if you drop me a pm, it will take less than 5 minutes to do.

I see a lot of people complaining about the time between releases, but we found out about this literally a few hours before the release. The flaw is not public, but if it was then the results could be devastating. We didn't want to sit on this and our priority is to make sure that our customers have the best security that we can provide.

Some of us would still like to know what the exploit does. I mean, what is the point of upgrading if you have already been exploited? As in your release announcement you guys stated that sensitive data might have been leaked due to the exploit, however you don't tell us what we admins should be looking at to ensure that we ourselves have not suffered the same.

Oblivion Knight
Fri 7th Jan '05, 1:46pm
The majority of people are complaining because of the hacks that they've installed and are having to redo them. Jelsoft have made the upgrade process VERY simple for unhacked boards, but editing the code is something that people choose to do and unfortunately as a consequence, must do again when they upgrade..

If people want easy upgrades - don't install hacks! :)

admiralapril
Fri 7th Jan '05, 1:49pm
Thanks again for being so quick to fix vulnerabilities in the software. I plan to upgrade tonight. Cheers.

Beth McCormack
Fri 7th Jan '05, 1:51pm
Some of us would still like to know what the exploit does. I mean what is the point of upgrading if you have allready been exploited. As in your release aaouncement you guys stated that sensitive data might have been leaked due to the exploit, however you don't tell us what we admins should be looking at to ensure that we ourselves have not suffered the same.

Probably because the same people who hack boards for fun (to destroy them) would be able to read what the exploitable files are and take advantage of it. Perhaps an email to current members would be in order. All things take time though, I'd much rather take care of the important things first.

Scott MacVicar
Fri 7th Jan '05, 1:53pm
It's a remote execution vulnerability that affects anyone using PHP 4 with register_globals On. Due to the nature of this security hole we're not planning to release any sort of information regarding it, especially at this early stage.

For a free comparison tool try http://www.prestosoft.com/ps.asp?page=edp_examdiff#Download - that's what Kier and I use, at least for dev work.

Reeve of Shinra
Fri 7th Jan '05, 1:55pm
Thank you for providing a quick turn around on the patch for this vulnerability.

Primal Rage
Fri 7th Jan '05, 2:00pm
Probably because the same people who hack boards for fun (to destroy them) would be able to read what the exploitable files are and take advantage of it. Perhaps an email to current members would be in order. All things take time though, I'd much rather take care of the important things first.

I didn't ask what the exploit was, but asked what it did and what we should be looking at to ensure we were not targets. Scott explained it just fine without giving the exploit away :)

Scott MacVicar
Fri 7th Jan '05, 2:04pm
Changed the new, new version of init.php right away, no problems.
Anyway, is this a typo? I was going through the new 3.0.5 files comparing them to my existing files, 3.0.4 (I use - Beyond Compare, great little program by the way) and I found this difference (besides the date and version number), on line 701 of admincp\forumpermission.php :
My version, 3.0.4 (Yup, just upgraded last night! - Ugh! here we go again):

And in the 3.0.5 version:

Typo or use the new 3.0.5 file?

It was sel_foruid in the 3.0.4 release as well according to CVS, and I've changed it now for the sake of changing it, but the id isn't really used anywhere. The same spelling mistake is also present in admincp/forum.php, but again not used.

Boback
Fri 7th Jan '05, 2:14pm
This is the 1st time I'm doing an upgrade on vb (since I only just installed 3.0.3). Do I:

1) Lose all my template settings, like additions on the navbar?
2) Have to reinstall all mods again?
3) Do all the templates get replaced? or can I save them as XML and recall them?

Thanks.

Carrie Anderson
Fri 7th Jan '05, 2:26pm
Code exploits, or attempts thereto, are easy enough to spot should you review your server access logs. As we know it was the init.php file that contained the hole, it should not be too hard to figure out the code changes and locate the variable that posed the problem. Find the variable, search your log files.

Now, given that the exploit is marked critical by the vB team, it seems to imply that server access or data grabbing is certainly possible, especially given that the vB announcement mentioned a possible breach of sensitive data. Logic, logic people. P&M gets you nowhere in a big hurry with these things.

As was posted, and likely will be posted numerous times, overwrite the init.php file at the very least. Otherwise, suck it up and do the full upgrade. Nothing saves you from rehacking a full upgrade. Given this point in time, it is doubtful that the exploit is widely cracker known, but it is only a matter of time.

No rip or offense to the phpBB team, but look at how fast that exploit bounded. Things like this happen every day with various programs, including PHP itself. Take a deep breath and then overwrite the init.php file or do the upgrade. Otherwise, expect to pay the piper sooner or later, but do not be surprised.

Electronic Punk
Fri 7th Jan '05, 2:28pm
Had a few hacks on my board, but as the previous upgrade wasn't so long ago, what I did was already in my head so modified what I had to while I uploaded the /install/ folder ... left me with about 900kb to upload.


Forums off
Upload files
Upgrade templates
Quick check
Forums on

> 5 minutes.

Great job :)

Scott MacVicar
Fri 7th Jan '05, 2:31pm
If upgrading vBulletin seems too much work then turn off register_globals in php.ini and it will also prevent the problem.
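Two ways to act on this advice, as an added example that is not vBulletin's code: confirming at runtime whether register_globals is on, and a guard a PHP application can run at the very top of its entry point so request parameters can never pre-populate its variables when the php.ini setting itself cannot be changed. The function names are my own; the directive names (register_globals in php.ini, php_flag register_globals off for Apache's mod_php) are real.

```php
<?php
// Added example, not vBulletin code.  Assumes PHP 4.1+ (superglobals).
//
// Weak php.ini setting:       register_globals = On
// Corrected php.ini setting:  register_globals = Off
// Per-directory (Apache mod_php, in .htaccess):  php_flag register_globals off
// PHP 5.4 removed the directive entirely; ini_get() then returns false.

// Returns true when request variables are being injected into the global
// scope.  ini_get() yields "1" for On and "" or "0" for Off, so a boolean
// cast covers every case, including the removed-directive case (false).
function register_globals_enabled()
{
    return (bool) ini_get('register_globals');
}

// Remove, for the current request, every global variable whose name also
// arrived in the request, so that code which forgot to initialise a variable
// cannot have it pre-set by a URL parameter or a cookie.  The superglobals
// and $GLOBALS itself are never touched.  Returns the number removed.
function unregister_globals()
{
    if (!register_globals_enabled())
    {
        return 0;
    }
    $protected = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                       '_SERVER', '_ENV', '_FILES', '_SESSION');
    $removed = 0;
    $sources = array($_GET, $_POST, $_COOKIE, $_SERVER, $_ENV, $_FILES);
    foreach ($sources as $input)
    {
        foreach ($input as $name => $value)
        {
            if (!in_array($name, $protected) && isset($GLOBALS[$name]))
            {
                unset($GLOBALS[$name]);
                $removed++;
            }
        }
    }
    return $removed;
}

// The habit that makes register_globals harmless whatever the setting:
// initialise before use, and read input only through the superglobals.
function current_page_number()
{
    $page = 1;                                  // explicit default
    if (isset($_GET['page']))
    {
        $page = max(1, intval($_GET['page']));  // validated copy of the input
    }
    return $page;
}

// Entry-point usage: neutralise the setting and log it before any
// application code reads a variable.
if (register_globals_enabled())
{
    $n = unregister_globals();
    error_log("register_globals is On; removed $n injected globals for this request");
}
$page = current_page_number();
```

The unregister step has to run before the application defines any globals of its own, because it only distinguishes "came from the request" by name; run it after the application's setup and it would remove legitimate variables that happen to share a name with a cookie or parameter. Turning the directive off in php.ini remains the real fix; the runtime guard is for hosts where that is not possible.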

zurih
Fri 7th Jan '05, 2:31pm
Is it possible to keep the showthread.php of 3.0.3?
It's modified, and with the new file the modified thing is not working.

Vtec44
Fri 7th Jan '05, 2:36pm
Sorry if this has been asked in the thread before, but I looked and didn't see it. Will setting the value of register_globals = off in PHP.INI, not VB's init.php, work the same way? I'm unable to download the init.php because our firewall at work is set to block these files. Thanks

Carrie Anderson
Fri 7th Jan '05, 2:38pm
Vtec44, look two posts up from your post. ;)

Vtec44
Fri 7th Jan '05, 2:39pm
DOH!!!!!!!!!!!!!!! Thanks

Scott MacVicar
Fri 7th Jan '05, 2:51pm
zurih, please use a separate thread or support ticket.

Carrie Anderson
Fri 7th Jan '05, 2:52pm
Had a few hacks on my board, but as the previous upgrade wasn't so long ago, what I did was already in my head so modified what I had to while I uploaded the /install/ folder ... left me with about 900kb to upload.


Forums off
Upload files
Upgrade templates
Quick check
Forums on

> 5 minutes.

Great job :)
Yep, me too... flew through it, wham, it was over. I can't help but feel for the people who don't know yet. Despite the notice in the adminCP, some people are going to get hit. Oh, and I got my email notification, so despite that too, some people somewhere are going to get hit. Foo.

weitalia
Fri 7th Jan '05, 2:53pm
Hi,
on my 3.0.1 version, when I use the new init.php this appears:

Warning: Invalid argument supplied for foreach() in /includes/functions.php on line 2874


line 2874 of /includes/functions.php is:
foreach ($_FIELDNAMES AS $field => $bitvalue)

this is part of the code


// ###################### Start bits2array #######################
// takes a bitfield and the array describing the resulting fields
function convert_bits_to_array(&$bitfield, $_FIELDNAMES)
{
    $bitfield = intval($bitfield);
    $arry = array();
    foreach ($_FIELDNAMES AS $field => $bitvalue)
    {
        if ($bitfield & $bitvalue)
        {
            $arry["$field"] = 1;
        }
        else
        {
            $arry["$field"] = 0;
        }
    }
    return $arry;
}


Can someone help me?

rex_b
Fri 7th Jan '05, 2:54pm
Could we just get the code changes in the init.php . Figuring which hacks used the init.php could take forever.

Carrie Anderson
Fri 7th Jan '05, 3:01pm
weitalia, this has already been addressed. Looks like you have a mod installed so surround the foreach with a check like so:

// Skip the loop when the caller passed no field map (null or empty);
// foreach() warns on anything that is not an array.
if (!empty($_FIELDNAMES))
{
    foreach ($_FIELDNAMES AS $field => $bitvalue)
    {
        if ($bitfield & $bitvalue)
        {
            $arry["$field"] = 1;
        }
        else
        {
            $arry["$field"] = 0;
        }
    }
}
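The function that Jafo's, weitalia's and Carrie's posts are patching, rewritten as an added example (my code, not vBulletin's, and not a drop-in replacement: it takes the bitfield by value rather than by reference and uses a stricter guard) to show both directions of the conversion and the check that keeps a non-array argument from producing the foreach() warning, which is also what causes the "header already sent" cookie error further down the same page. The sample field map is constructed.

```php
<?php
// Added example, not vBulletin's code.  Demonstrates the bitfield <-> array
// conversion behind the foreach() warning above, with a guard for the
// failure case (a hack passing null, "" or another non-array as the map).

function bits_to_array($bitfield, $fieldnames)
{
    $bitfield = intval($bitfield);
    $result = array();

    // is_array() is stricter than != "" or !empty(): it also rejects a
    // string or integer passed by mistake, and an empty array simply
    // yields an empty result without a warning.
    if (!is_array($fieldnames))
    {
        return $result;
    }

    foreach ($fieldnames as $field => $bitvalue)
    {
        $result[$field] = ($bitfield & $bitvalue) ? 1 : 0;
    }
    return $result;
}

// Reverse direction: pack an array of 0/1 flags back into an integer.
function array_to_bits($flags, $fieldnames)
{
    $bitfield = 0;
    if (!is_array($flags) || !is_array($fieldnames))
    {
        return $bitfield;
    }
    foreach ($fieldnames as $field => $bitvalue)
    {
        if (!empty($flags[$field]))
        {
            $bitfield |= intval($bitvalue);
        }
    }
    return $bitfield;
}

// Constructed sample map (hypothetical names; the real maps are larger and
// live in includes/init.php).  Values must be distinct powers of two.
$sample_fields = array(
    'canview'   => 1,
    'canpost'   => 2,
    'canedit'   => 4,
    'candelete' => 8,
);

// Normal case: bit 0 and bit 2 set.
$flags = bits_to_array(5, $sample_fields);
print_r($flags);

// The round trip must reproduce the original integer.
$packed = array_to_bits($flags, $sample_fields);
echo ($packed === 5) ? "round trip ok\n" : "round trip FAILED\n";

// The failure case from the thread: a non-array map now returns an empty
// array with no warning, so nothing is printed before the headers go out.
print_r(bits_to_array(5, null));
print_r(bits_to_array(5, ''));
```

Silencing the warning is only half the point: a hack that reaches this function with no field map is itself misconfigured, so the guard should be paired with a look at which modification makes the call and why its map is missing after the init.php change.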

ManagerJosh
Fri 7th Jan '05, 3:03pm
Merely using programs like Araxis Merge or Beyond Compare would be a better idea... some portions may have had whole lines of code rewritten.

Plus I don't think Jelsoft would want to publish what exactly was the flaw

Carrie Anderson
Fri 7th Jan '05, 3:04pm
Could we just get the code changes in the init.php . Figuring which hacks used the init.php could take forever.

Beyond Compare (scootersoftware.com) seems to be rather recommended.

Scott MacVicar
Fri 7th Jan '05, 3:06pm
Examdiff is freeware, http://www.prestosoft.com/ps.asp?page=edp_examdiff#Download

Tom1234
Fri 7th Jan '05, 3:08pm
Is vB 2.3.X affected by this security issue?

Scott MacVicar
Fri 7th Jan '05, 3:11pm
No, only 3.0.x

Zachery
Fri 7th Jan '05, 3:15pm
You should update the init.php at the very very least

Carrie Anderson
Fri 7th Jan '05, 3:16pm
It's a remote execution vulnerability that affects anyone using PHP 4 with register_globals On. Due to the nature of this security hole we're not planning to release any sort of information regarding it, especially at this early stage.

For a free comparison tool try http://www.prestosoft.com/ps.asp?page=edp_examdiff#Download - that's what Kier and I use, at least for dev work.
Ah, you vB team using freeware to sell software.

* snicker snicker snicker * :D

wfp
Fri 7th Jan '05, 3:22pm
The majority of people are complaining because of the hacks that they've installed and are having to redo them. Jelsoft have made the upgrade process VERY simple for unhacked boards, but editing the code is something that people choose to do and unfortunately as a consequence, must do again when they upgrade..

If people want easy upgrades - don't install hacks.! :)

Then please provide a board that handles double-byte searches (chinese/japanese/korean) without the need for "hacks" like PHPBB does.:confused:

boogie box high
Fri 7th Jan '05, 3:35pm
Upgraded in 15 minutes. Everything went fine, thank God!


edit:
[ok, everything is fine!] ftp needed some time for updating.!

poolking
Fri 7th Jan '05, 3:42pm
Sorry, but what does "supercedes" mean?
Can you please not use slang words? No translation tool I used knows that word.
Thanks

That isn't a slang word, it is a valid English word.

ManagerJosh
Fri 7th Jan '05, 3:47pm
Actually it's a typo ;)

It's supersede... unless it's an English version..

Mystic Matt
Fri 7th Jan '05, 3:48pm
Yes, I've updated to 3.05.
Many thanks to all the team !! ;)

poolking
Fri 7th Jan '05, 3:48pm
Actually it's a typo ;)

It's supersede... unless it's an English version..

Erm in the UK it is spelt supercede.

Hmm, my spelling has become crap over the years. :D

Even so with a typo it is still a valid word and not a slang word as previously stated.

ManagerJosh
Fri 7th Jan '05, 3:51pm
Erm in the UK it is spelt supercede.
That's what I was afraid of.

US: supersede
UK: supercede :)

Personally I like the UK version :p

Oblivion Knight
Fri 7th Jan '05, 3:52pm
Then please provide a board that handles double-byte searches (chinese/japanese/korean) without the need for "hacks" like PHPBB does.:confused:

a.) I'm not part of the vBulletin team.

b.) vB has many things that phpBB doesn't. You can't please everyone.. If you would like that feature for a future version, you should suggest it to the devs in the Suggestions and Feedback forum.

:)

poolking
Fri 7th Jan '05, 3:55pm
That's what I was afraid of.

US: supersede
UK: supercede :)

Personally I like the UK version :p

I edited my post. ;)

BrandNIC
Fri 7th Jan '05, 4:01pm
With only 1 Hack, Full upgrade done within 10 Minutes.
Thanks team :)

wfp
Fri 7th Jan '05, 4:02pm
a.) I'm not part of the vBulletin team.

b.) vB has many things that phpBB doesn't. You can't please everyone.. If you would like that feature for a future version, you should suggest it to the devs in the Suggestions and Feedback forum.

:)

Thanks, I understand and did not mean any insult to you.:o Personally, I hate to install hacks; besides voiding support from Jelsoft I have this nightmare in upgrading. But when 80% of my users are Chinese, the ability for them to do a search is not a "feature" but a basic requirement in a forum we run. I'm having second thoughts about even moving to Vbulletin now. Our PHPBB works just fine, it just is a step below what we wanted to offer. Vbulletin seemed like an ideal solution, we just didn't realise it's designed for the "single byte" world of America and Europe.

We may be offering a secondhand owned licence for sale soon. Those in english speaking countries may find it a good buy.

Kerry-Anne
Fri 7th Jan '05, 4:04pm
thank goodness I didn't upgrade to 3.0.4 yet on my most hacked board.

now to spend the night upgrading two heavily hacked sites. :(

Good job at the e-bulletin though guys otherwise I wouldn't have realised till tomorrow.

Zachery
Fri 7th Jan '05, 4:04pm
Well, it's more MySQL's issue than it is vBulletin's; vBulletin 3.1 should handle this better I think (don't quote me, I'm only speaking from memory that can be shoddy at best). MySQL did not support character encoding until 4.1.X, which would provide better support.

EasyTarget
Fri 7th Jan '05, 4:20pm
This is my first time upgrading/installing. A friend did the original installation for me. Will installing the upgrade revert everything back to the default settings that come with the original download? I'm worried about custom colors and some style changes that may be affected.

*edit*
are there staff members who can install the upgrade for those of us who are technically challenged?

corriewf
Fri 7th Jan '05, 4:23pm
<sigh>

Oh, well.... I took Erwin's suggestion about looking into Araxis Merge and that made my upgrade of 3.0.3 with several hacks to 3.0.4 easy enough, so it looks like one more round tonight will be needed. :)


Where did you get this prog?

Freddie Bingham
Fri 7th Jan '05, 4:29pm
Then please provide a board that handles double-byte searches (chinese/japanese/korean) without the need for "hacks" like PHPBB does.:confused:

We are working on it.

corriewf
Fri 7th Jan '05, 4:30pm
This is my first time upgrading/installing. A friend did the orginal installation for me. Will installing the upgrade revert everything back to the default settings that come with the original download? I'm worried about custom colors and some style changes that may be affected.


Ditto here.



Also, what exactly is the harm this could cause us if not updated? I want to know what has been compromised. We as customers deserve a more in-depth explanation than "THERE'S A FLAW, UPGRADE NOW!". I think it's great that y'all have found and fixed this flaw and I respect the hard work involved. I am just asking that y'all share the same respect with your customers, who will now need to spend hours or days of their time reinstalling all hacks/mods for a flaw that we don't even know the details of. Please offer some insight, thanks.

Zachery
Fri 7th Jan '05, 4:36pm
Give this a read Corrie and EasyTarget

http://www.vbulletin.com/forum/showthread.php?t=124989

It was serious enough of an exploit that we released another update. Giving you details on the exploit would allow people to find and abuse this exploit; it is best at this time to not disclose enough information. You are best to upgrade with EVERY new release, security issue or not.

You installed hacks at your own risk and there is nothing much we can do about that.

However even without a compare program I can do an upgrade in about an hour rehacking from scratch.

corriewf
Fri 7th Jan '05, 4:54pm
Give this a read Corrie and EasyTarget

http://www.vbulletin.com/forum/showthread.php?t=124989

It was serious enough of an exploit that we released another update. Giving you details on the exploit would allow people to find and abuse this exploit; it is best at this time to not disclose enough information. You are best to upgrade with EVERY new release, security issue or not.

You installed hacks at your own risk and there is nothing much we can do about that.

However even without a compare program I can do an upgrade in about an hour rehacking from scratch.

Don't get me wrong, as I think y'all offer a great product or I wouldn't even bother posting here. I love the almost instant tech support etc. etc. I do not want details, but a very general description would be nice. Something similar to what Microsoft or other software companies would issue. For example, is this a hole that a virus could explore or one that someone could use to crash the SQL tables? Something to that extent would warrant a more positive reaction from your members. As you can see, most of these posts reflect a demeanor of panic because we are all left guessing as to what could happen to our boards that we have worked so hard on.

AWS
Fri 7th Jan '05, 5:04pm
The thing I have a problem with is the statement in the email that vBulletin's servers could have been compromised with this exploit, yet you refuse to give us admins any idea of what the exploit is or can do.
How can we check our servers if we don't know what to look for?
I understand you can't post exactly how to exploit the hole. You could at least tell us what to look for in our server logs or what can be done with the exploit.
If you think your servers were compromised by it then more than likely many of our servers were as well. It would be nice to know what happened and what to look for.
Even Microsoft explains what the exploits do when they release a patch. This non-information is rather disheartening to hear since this vulnerability seems to be rather serious.

Chroder
Fri 7th Jan '05, 5:14pm
I want to know too, AWS. Could someone please clear this up? It's been posted a number of times in this thread and has gone ignored...

Hooper
Fri 7th Jan '05, 5:27pm
@aws,

It's been my experience that you wouldn't have to know exactly what the exploit would be to determine whether or not your server had been compromised. Most of the time there is some evidence that your perimeter had been violated. You can tripwire, antivir, securely configure php, mysql, apache, add all the latest kernel security mods, and then read logs all day etc., and all this is fine, but in the end, if you really want a secure practice for your server, I always suggest creating an image of your server at different intervals so that you can go back to a known good state within minutes. I've had success with this. There are several software packages that allow you to compress and mirror a drive to a file in real time mode, password protect the file etc. Even if you found vB to be cracked (or any other intrusion, defacement, injection...), you could still recover fairly decently with minimal downtime. Whole server to known good in about 3 minutes. I look at it this way: with the various backend software issues that arise periodically, front end software is just a fraction of the security considerations.

Most of the "Oh no, I've been hacked" threads usually end up being something simple like forgetting to .htaccess the admin/modcp panels or too many users with administrator privs.
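A minimal file-integrity baseline in the spirit of the tripwire approach Hooper describes, as an added example (my code, not vBulletin's or any tripwire product's). Run it once right after a clean install or upgrade to record a hash of every file under the forum root, then again later to list files that were added, removed or changed. It assumes PHP 5.3+ for the SPL iterators and hash_file(); the paths in the usage lines are assumptions.

```php
<?php
// Added example, not vBulletin's code: a minimal file-integrity baseline.
// Assumes PHP 5.3+ (SPL iterators, hash_file).  Paths are assumptions.
//
//   php integrity.php baseline /path/to/forums /var/lib/vb-baseline.txt
//   php integrity.php check    /path/to/forums /var/lib/vb-baseline.txt
//
// Keep the baseline file outside the web root and not writable by the web
// server user; otherwise whoever can alter the forum files can alter it too.

function hash_tree($root)
{
    $root   = rtrim($root, '/');
    $hashes = array();
    $iter   = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $path => $info)
    {
        if (!$info->isFile())
        {
            continue;
        }
        $relative = substr($path, strlen($root) + 1);
        $hashes[$relative] = hash_file('sha256', $path);
    }
    ksort($hashes);
    return $hashes;
}

// One "hash  path" line per file; a plain format avoids unserialize() on
// data an intruder might have touched.
function write_baseline($file, $hashes)
{
    $lines = array();
    foreach ($hashes as $relative => $hash)
    {
        $lines[] = $hash . '  ' . $relative;
    }
    return file_put_contents($file, implode("\n", $lines) . "\n") !== false;
}

function read_baseline($file)
{
    $hashes = array();
    foreach (file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line)
    {
        list($hash, $relative) = explode('  ', $line, 2);
        $hashes[$relative] = $hash;
    }
    return $hashes;
}

// Three lists: files that appeared, files that vanished, files whose
// content changed.  A modified includes/init.php or a new .php file in an
// upload directory shows up here even when nothing in the logs looks odd.
function compare_trees($baseline, $current)
{
    $report = array('added' => array(), 'removed' => array(), 'changed' => array());
    foreach ($current as $relative => $hash)
    {
        if (!isset($baseline[$relative]))
        {
            $report['added'][] = $relative;
        }
        elseif ($baseline[$relative] !== $hash)
        {
            $report['changed'][] = $relative;
        }
    }
    foreach (array_keys($baseline) as $relative)
    {
        if (!isset($current[$relative]))
        {
            $report['removed'][] = $relative;
        }
    }
    return $report;
}

if (PHP_SAPI === 'cli' && isset($argv[3]))
{
    list(, $mode, $root, $baseline_file) = $argv;
    if ($mode === 'baseline')
    {
        write_baseline($baseline_file, hash_tree($root));
    }
    else
    {
        $report = compare_trees(read_baseline($baseline_file), hash_tree($root));
        foreach ($report as $kind => $files)
        {
            foreach ($files as $relative)
            {
                echo "$kind\t$relative\n";
            }
        }
    }
}
```

The baseline has to be taken from a state you trust, which is why it belongs in the upgrade procedure itself (upload, run the upgrader, then baseline), and expected changes such as attachment or cache directories should be excluded or re-baselined so that the report stays short enough to actually read.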

Wayne Luke
Fri 7th Jan '05, 5:30pm
It was a remote execution flaw in init.php. As a remote execution, it means people could have run unsanitized code on your, or our server.

Chroder
Fri 7th Jan '05, 5:38pm
Okay, thanks.

So this new flaw has nothing to do with yesterday's downtime right?

Wayne Luke
Fri 7th Jan '05, 5:43pm
So this new flaw has nothing to do with yesterday's downtime right?

Only indirectly, as the system had to be taken down to guarantee that customer information was securely backed up and employee passwords were changed for future security.

Mr_Bob
Fri 7th Jan '05, 5:47pm
Wow, this was a quick release. It reminds me of the 3.0.2 and 3.0.3 releases so close together. Well, another hour of my life will be lost changing and uploading files :D .

russellr
Fri 7th Jan '05, 5:50pm
Currently running a modded version of 3.0.3 and I don't want to upgrade today (prefer to plan these things...)

The release announcement says this:

The vulnerability affects anyone running vBulletin 3 on PHP 4 with register_globals enabled in php.ini.


Could someone confirm that this means that if my PHP installation has register_globals disabled then I'm not vulnerable to this attack?

conqsoft
Fri 7th Jan '05, 5:51pm
Currently running a modded version of 3.0.3 and I don't want to upgrade today (prefer to plan these things...)

The release announcement says this:


Could someone confirm that this means that if my PHP installation has register_globals disabled then I'm not vulnerable to this attack?

You didn't read this whole thread, now did you? :D

Asked and answered. Affirmative.

corriewf
Fri 7th Jan '05, 5:56pm
Could the security risk have anything to do with my 0 posts count? J/K

:D

russellr
Fri 7th Jan '05, 5:57pm
Hi,

Thanks for the reply.....

14 pages on this thread and, no, I didn't read everything. :o

What I should have done was search the thread for "register_globals". :o

Sorry....:o :o :o

EasyTarget
Fri 7th Jan '05, 6:31pm
You installed hacks at your own risk and there is nothing much we can do about that.

as far as I know there have been no "hacks" installed. The vBulletin team made some changes for me and gave me instructions on how to manually make a few other changes like customizing the welcome email and stuff.

andiez
Fri 7th Jan '05, 6:52pm
Updated to 3.0.5 with vBJournal and V3Arcade. Installed vB Journal and V3Arcade hacks in 3.0.5 files as is. No probs.

Anthony

Kier
Fri 7th Jan '05, 6:54pm
Could the security risk have anything to do with my 0 posts count? J/K

:D
Your zero post count is most likely caused because we have this 'Announcement Discussions' forum set to not count posts.

sharif
Fri 7th Jan '05, 7:04pm
Just wanted to confirm on how to upgrade. I just download 3.0.5 from members area, then upload all the files, then run /install/upgrade.php.

Right?

BrandNIC
Fri 7th Jan '05, 7:20pm
Just wanted to confirm on how to upgrade. I just download 3.0.5 from members area, then upload all the files, then run /install/upgrade.php.

Right?

Yeppers.
Just that simple.
Good Luck

Zachery
Fri 7th Jan '05, 7:23pm
http://www.vbulletin.com/forum/showthread.php?p=788269#post788269

McDaniel
Fri 7th Jan '05, 7:30pm
The install went smoothly. 3 min.

Thank You

Lurk
Fri 7th Jan '05, 8:00pm
Firefox bug fixed?! :D That's one reason I use IE in the AdminCP. :(

PompeyScot
Fri 7th Jan '05, 8:12pm
Upgrade went fine for me too, thanks for the quick action on this.

TheJaxx
Fri 7th Jan '05, 8:22pm
Thanks for the email notice.

Did just the init.php since I have two sites I am admining and don't have the time right now to do a full blown upgrade with the modifications I currently have.

Beyond Compare helped out a lot and thanks to those that recommended it.

One other question, can someone point me in a direction on a good change log or such so when I do the upgrades I know exactly what was changed to make future upgrades easier?

Scott MacVicar
Fri 7th Jan '05, 8:22pm
Firefox bug in the admin panel was regarding the template editor, its sorted now.

darnoldy
Fri 7th Jan '05, 8:43pm
Sorry, but what does "supercedes" mean?

1. to replace; to take the place of as by reason of superiority or right.

corriewf
Fri 7th Jan '05, 9:37pm
Your zero post count is most likely caused because we have this 'Announcement Discussions' forum set to not count posts.


Aww I was poking fun.No worries :p

Limey-YMR
Fri 7th Jan '05, 9:39pm
It would be great if the arcade were to become part of the core product one day. I'd have upgraded in 5 minutes if it weren't for a missing arcade entry in init.php where I had forgotten to put a comment hack in - // Begin Hack

Other than that, thankfully my ISP 1&1 already upgraded everything to PHP 4.3.10 so that's good.
my 3.05 upgrade took less than an hour even though I had to "repair" my arcade and timeslip database hacks

Firefox bug in the admin panel was regarding the template editor, its sorted now.

I think I was first to spot that in the 3.04 discussion thread - do I get a trainspotters award? like Esther Rantzen used to give out on "that's life"

Rebecca217
Fri 7th Jan '05, 9:40pm
Thanks for being on top of this and for getting a fix out so quick. I really appreciate all your hard work! :)

Rebecca

corriewf
Fri 7th Jan '05, 9:42pm
The updated PHP versions, which fix the vulnerability are:

So just to clarify, if im running php version 4.3.10 with my 3.0.3 board I am safe?

Steve Machol
Fri 7th Jan '05, 9:44pm
So just to clarify, if im running php version 4.3.10 with my 3.0.3 board I am safe?
No. You need to upload the latest init.php file at the very least.

Scott MacVicar
Fri 7th Jan '05, 9:45pm
No, put the init.php from the announcement thread on to your board.

There was a fix in the code for pre 4.3.10 to stop the unserialize bug from being used.

tthurgo
Fri 7th Jan '05, 9:47pm
For next "releases" or upgrades.

Can you make a member-only section to tell people what is going on? I know we don't spend 1000s of dollars on a license but it would be good to know. None of this mysterious "exploit" stuff.

Also, could you consider offering upgrade packages.

I mean, not from every version of VB there is. But for example, current is 3.0.5, when 3.0.6 is released, offer a package with changed files (or patches) and 1 update script.

Going through all this is very messy and ends up being a waste of time. Especially when one runs a somewhat modified board - and I know that you don't support this. But that's also not what I mean, rather easing the upgrade part.

Thanks and all the best,
Tom

Admiral Spock
Fri 7th Jan '05, 9:54pm
For next "releases" or upgrades.

Can you make a member-only section to tell people what is going on? I know we don't spend 1000s of dollars on a license but it would be good to know. None of this mysterious "exploit" stuff.

Also, could you consider offering upgrade packages.

I mean, not from every version of VB there is. But for example, current is 3.0.5, when 3.0.6 is released, offer a package with changed files (or patches) and 1 update script.

Going through all this is very messy and ends up being a waste of time. Especially when one runs a somewhat modified board - and I know that you don't support this. But that's also not what I mean, rather easing the upgrade part.

Thanks and all the best,
Tom
Agreed. For us 28k users downloading the full package is a lot of time. It takes me about 20 minutes to get it downloaded and uploaded, and put in 5 more minutes to run the upgrade script. That's too much.

Also, our host has said that they have installed some sort of program on their servers to prevent the worm that was first used on phpbb. Are we vulnerable to the newer bug?

Rocol
Fri 7th Jan '05, 10:20pm
Another smooth upgrade .. many thanks guys :cool:

rolypoly
Fri 7th Jan '05, 11:01pm
Warning: Invalid argument supplied for foreach() in /includes/functions.php on line 2894

Warning: Invalid argument supplied for foreach() in /includes/functions.php on line 2894

Warning: Invalid argument supplied for foreach() in /includes/functions.php on line 2894



Unable to add cookies, header already sent.
File: /home/user/public_html/includes/init.php
Line: 27


I upload the latest vb 3.05 init.php and functions.php
But i'm getting the above errors.
How do i fix it

Mark.B
Fri 7th Jan '05, 11:04pm
Warning: Invalid argument supplied for foreach() in /includes/functions.php on line 2894

Warning: Invalid argument supplied for foreach() in /includes/functions.php on line 2894

Warning: Invalid argument supplied for foreach() in /includes/functions.php on line 2894



Unable to add cookies, header already sent.
File: /home/user/public_html/includes/init.php
Line: 27


I upload the latest vb 3.05 init.php and functions.php
But i'm getting the above errors.
How do i fix it
Do you have the arcade hack?

If so, that is the cause of this.

The fix is to reapply the arcade hack instructions for init.php *only*.

If you don't have them, grab them from the vb.org arcade thread, but ONLY do the init.php edits, nothing else. There are about four altogether.

Edit: You don't need to replace functions.php, you should keep your existing copy of that if you're not doing the full upgrade.

corriewf
Fri 7th Jan '05, 11:30pm
No, put the init.php from the announcement thread on to your board.

There was a fix in the code for pre 4.3.10 to stop the unserialize bug from being used.


I will buy you a case of Mountain Dew if you do it for me? ;)

corriewf
Fri 7th Jan '05, 11:36pm
I would like to add that those with gallery software need to edit the init.php .

ChipTz
Sat 8th Jan '05, 12:00am
Ahhhhhhhh!!!!

I seem to be the only man not being able to download the god damn init.php :(

Tailfeathers
Sat 8th Jan '05, 12:01am
Everything went smoothly in our upgrades...thanks. :)

Carrie Anderson
Sat 8th Jan '05, 12:13am
shell> grep comma= /full/path/to/server.log | more
shell>

Ah, what I like to see. It was suggested to search for &comma= but as a & is used in a query string, searching for comma= is more generic. Note though that searching for comma= can return results whenever comma= is present, such as with legitcomma= so you'll need to scan any results that may be returned for potential badness. If you search for &comma= you may need to escape the & as in \&comma= but I'd first search for comma= as it provides for a wider search. If you want to go really wide, search for comma but again note that you'll get any results containing comma such as command and the like.

Scott MacVicar
Sat 8th Jan '05, 12:19am
I'm obviously a newbie; I use

cat /logs/access_log | grep comma= | more

Carrie Anderson
Sat 8th Jan '05, 12:29am
I'm obviously a newbie; I use

cat /logs/access_log | grep comma= | more
Nah, not a newbie, just... different. :D :D :D

Steve Machol
Sat 8th Jan '05, 12:43am
Nah, not a newbie, just... different. :D :D :D
Actually, we call him 'special'. ;)

soopa
Sat 8th Jan '05, 1:51am
Will impex support importing 3.0.5 to 3.0.5?

Floris
Sat 8th Jan '05, 1:56am
I'm obviously a newbie; I use

cat /logs/access_log | grep comma= | more
If you get a lot of replies you can also add the results to a file. Makes it easier to handle.

grep comma= *.log | tee results.txt | mail -s "comma= hits" user@email.com
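The grep searches in Carrie Anderson's, Scott MacVicar's and Floris's posts above all match the literal text comma=, which (as Carrie notes) also picks up look-alike names such as legitcomma=, and misses a request whose parameter name is percent-encoded in the raw log line (e.g. %63omma=, since %63 is "c"). The following is an added example, not code from this thread or from vBulletin: a small Python scanner that parses Apache combined-format access log lines, percent-decodes the query-string parameter names the way the web server would, and reports only requests carrying a parameter named exactly comma. Python rather than a grep pipeline because the decoding step is awkward in shell. The log lines are constructed for the example; the addresses, paths and parameter values are made up and are not an exploit payload.

```python
import re
import sys
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in Apache "combined" format (not taken from any real
# server). Line 2 carries comma= directly, line 3 a look-alike parameter
# (legitcomma=), line 4 the same name with its first byte percent-encoded.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Jan/2005:21:14:02 +0000] "GET /forumdisplay.php?f=5 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
192.0.2.11 - - [07/Jan/2005:21:15:30 +0000] "GET /forumdisplay.php?f=5&comma=1 HTTP/1.1" 200 9011 "-" "Mozilla/5.0"
192.0.2.12 - - [07/Jan/2005:21:16:01 +0000] "GET /showthread.php?t=10&legitcomma=1 HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
192.0.2.13 - - [07/Jan/2005:21:17:45 +0000] "GET /forumdisplay.php?f=5&%63omma=1 HTTP/1.1" 200 9011 "-" "curl/7.12"
"""

# Client IP, timestamp, request method and request target from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+" (?P<status>\d{3})'
)


def comma_params(target):
    """Values of every query parameter whose *decoded* name is exactly 'comma'.

    parse_qsl percent-decodes names before we compare, so '%63omma' matches
    while 'legitcomma' does not (a plain grep for 'comma=' gets both wrong).
    PHP array keys are case-sensitive, so 'Comma' is deliberately not matched.
    """
    query = urlsplit(target).query
    return [value for name, value in parse_qsl(query, keep_blank_values=True)
            if name == 'comma']


def find_comma_hits(log_text):
    """Return (ip, timestamp, target, values) for each request carrying comma=."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format; skip it
        values = comma_params(m.group('target'))
        if values:
            hits.append((m.group('ip'), m.group('ts'), m.group('target'), values))
    return hits


def report(log_text):
    """Print one line per hit, for reading or for piping into mail."""
    for ip, ts, target, values in find_comma_hits(log_text):
        print(f'{ip} [{ts}] {target} comma={values}')


if __name__ == '__main__':
    # With no arguments, scan the constructed sample; otherwise every file given.
    paths = sys.argv[1:]
    if not paths:
        report(SAMPLE_LOG)
    for path in paths:
        with open(path, encoding='utf-8', errors='replace') as handle:
            report(handle.read())
```

Two caveats when reading the output. The combined log format records only the request line, so a parameter sent in a POST body or a cookie is never in it; with register_globals enabled (mentioned earlier in this thread) the same variable can arrive by those routes, so an empty result is not proof that nobody tried. And rotated or gzipped logs have to be fed in as well, not just the current access_log.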

Vtec44
Sat 8th Jan '05, 2:26am
Upgraded my forum:

overwrite selected new files
delete install.php (accidentally uploaded it, good thing for the warning)
run upgrade.php

DONE!

alphagr
Sat 8th Jan '05, 4:04am
Not sure it's very clear, so I'm asking again.
Understood that (as stated above) replacing init.php makes the installation "much safer".
Meaning that all recent SECURITY ISSUES are handled effectively by replacing only this particular file?
I do not care at this time to upgrade from 03 to 05 for reasons like fixing other minor "bugs", I ONLY care about security issues. That's why I replaced this file only, as suggested. So, "much safer" means the same safety level as if upgrading to 05?
Or do I need to update ALL files (upgrade the entire installation) in order to be safe from those recently discovered security problems?
I repeat, I don't mind about other bugs fixed, only security bugs.

Lottis
Sat 8th Jan '05, 4:19am
I have just done the upgrade to 3.0.4 and done all the modules all over again.

I was hoping this was a joke.:eek:

BamaStangGuy
Sat 8th Jan '05, 4:45am
I have just done the upgrade to 3.0.4 and done all the modules all over again.

I was hoping this was a joke.:eek:
Upgraded to 3.0.5 without a problem tonight

NiROE
Sat 8th Jan '05, 4:47am
Upgraded from 3.0.4 to 3.0.5 with no problems..

THanks again for the fixes :cool:

DWZ
Sat 8th Jan '05, 5:15am
OK, I'm a bit worried now. I'm running vBulletin 3.0.0 RC4 on my board. I would upgrade, however, my members area subscription has expired (I have an owned license), and I have no money to update my subscription.

In your post, you said: If you are running a RC or Beta version of vB3, you will need to upgrade to 3.0.5 now. Does that mean I am unable to use the updated init.php file attached to the announcement, like, is it incompatible?

What can I do?

CSS59
Sat 8th Jan '05, 5:27am
If I upgrade, will I lose all my hacks?

Loki12
Sat 8th Jan '05, 5:34am
Perhaps I should wait for the next major version.... instead of upgrading now (just using the init.php fix for the moment). Would it be many months of wait for that? If only up to six months, I think I would rather wait for that.

Bozkurtum
Sat 8th Jan '05, 6:00am
Thanks for the update guys. :)
Upgraded to the latest version with no problems.

Electronic Punk
Sat 8th Jan '05, 9:07am
For next "releases" or upgrades.
Can you make a member-only section to tell people what is going on? I know we don't spend 1000s of dollars on a license but it would be good to know. None of this mysterious "exploit" stuff.

As lovely as they might be, what's to stop these users then using exploits on competitors' sites?