I have users complaining of this as well! has this been addressed?

http://www.vbulletin.com/forum/bugs.php?do=view&bugid=3675

I have users complaining of this as well! has this been addressed?
For the space stripping issue, see: http://www.vbulletin.com/forum/bugs.php?do=view&bugid=3675

(Doh! Too slow!)

thanks guys... found that after I made that post :o

PLEASE NOTE THAT IF YOU ARE CURRENTLY RUNNING A VERSION OF VBULLETIN 3 OLDER THAN 3.0.5 AND YOU WANT TO PATCH, RATHER THAN UPGRADE, YOU MUST ALSO APPLY THE PATCH SUPPLIED WITH THE 3.0.5 RELEASE ANNOUNCEMENT (http://www.vbulletin.com/forum/showthread.php?t=125480)

Thank you for continuing to support security fixes on the 2.x series.

As some others have mentioned, Jelsoft should release patches as needed to fix security/severe performance issues as they already are doing.

But Jelsoft should limit version releases (excluding patches as I mentioned above) to say one every several weeks at most.

I understand Jelsoft likely believes that rolling security fixes and various bug fixes all into one makes things easier, but it does not for many folks...

In addition, frequently releasing entire new versions is likely increasing the risk of more bugs/security problems for some folks.

With all that said, perhaps Jelsoft should release interrim beta versions to folks who are willing to run beta versions and don't mind upgrading all the time to iron out problems.

For example, release beta updates of the current version (ie. 3.06a, 3.06b, 3.06c, etc) and then once it looks somewhat clean *and* at least several weeks have elapsed, then release a next version based upon that (ie. 3.07) intended for all.

Hope this makes sense ... and thank you for the fine software and great support; vBulletin is a great value!

Ron

Some of these members actually sound like a few members I have on my board who will complain about every little thing that interupts their daily routine even for 5 Minutes. I don't pay them any attention, matter of fact yesterday I had enough and shut the place down for 12 hours so they could complain else where about the forum being down.

The description says that for vBulletin 2 the files changed are private.php, showthread.php, and functions.php. However, the vbulletin_2_patch.zip contains just one file - functions.php.



Please advise.

Upgraded from 3.05 to 3.0.6 in about 10minutes...

Kudos to the vBulletin team ;)

Not trying to be a jerk, but this is ridiculous. How did vB3 make it out of beta testing? vBulletin is supposed to be the most professional software and they take complete advantage of that. It is so unsatisfactory that everything on here has to cost money. After paying $160 for a license to use the software, the last thing i should have to pay for is yearly access to the members section. The members section is completely useless except for one feature... software updates!

You would think a company which is used by hundres of thousands of sites would thoroughly test their products before releasing them. All of this "oops, we found something... quick get the patch ASAP!" stuff is highly unprofessional. Everyone would've gladly stuck with vB2.3 and waited for a flawless version for 3.0. It is highly annoying to add 20-30 hacks, then have them all wiped out because someone overlooked something. It makes me think that all of this is purposely left open so that every week or two another release can come out, eventually forcing people to have to buy members access to get the upgrades. :mad:

like i said... not trying to be a jerk, but this has been on my mind for a while now and since i paid for this service, i will speak my mind on it

Chill, try to ....... chill. :)

I honestly can't see anything unprofessional in the way Jelsoft handles the current security-holes. Releasing such quick fixes is highly professional if you asked me. Furthermore the way they (Scott) react to (more or less understandable) 'frustrated' customers like yourself is also very professional.

One of the many things I like about VB/Jelsoft is the level of professionalism actually.

I am a n00b so please bear with me. I would like to just install the patch. How do I do this?

I just replaced the file on my server with the file in the patch zip. Is it really as simple as that or am I missing something?

As some others have mentioned, Jelsoft should release patches as needed to fix security/severe performance issues as they already are doing.

But Jelsoft should limit version releases (excluding patches as I mentioned above) to say one every several weeks at most.

I understand Jelsoft likely believes that rolling security fixes and various bug fixes all into one makes things easier, but it does not for many folks...

In addition, frequently releasing entire new versions is likely increasing the risk of more bugs/security problems for some folks.

With all that said, perhaps Jelsoft should release interrim beta versions to folks who are willing to run beta versions and don't mind upgrading all the time to iron out problems.

For example, release beta updates of the current version (ie. 3.06a, 3.06b, 3.06c, etc) and then once it looks somewhat clean *and* at least several weeks have elapsed, then release a next version based upon that (ie. 3.07) intended for all.

Hope this makes sense ... and thank you for the fine software and great support; vBulletin is a great value!

Ron

I agree.

that would indeed be much better.

Im getting hang of this now.:p

Upgraded and ready fore "rumbel" Now i have to innstal al the **** my users want.:p
I had no problems.

I would like a better way to be notified when the current version has changes from within.

For instance 3.0.6 had functions_bbcodeparse.php changes after the release.
I seem to remember either 3.0.4 or 3.0.5 have some files changed after they where release too.

I do notice that the original announcement has a few edits that denote changes. Maybe there can be a better way? Say a new announcement?

I was thinking of subscribing to the announcement thread but I would not be notified when edits are made. Only new posts have been added. Maybe there can be an additional post to the announcement thread?

I'm getting better at applying my hacks.
Each time I improve my changelog to make the next change easier.

We need to cater to the majority of our users who do not run hacks, however we do take into consideration the users who do, that is why we provide a list of files that have changed since the last release in every announcment.

My question seems to have gotten lost amongst all the debates. I would be grateful for an answer from someone at Jelsoft. Thanks.


I was running 3.0.3 when 3.0.4 came out. There was a patch IIRC so I used that and was told I didn't need the full 3.0.4 upgrade. When 3.0.5 came out it also had a patch but I was told that to be "100% safe" I really needed the full upgrade.

Can someone tell me definitively into which category 3.0.6 falls? That is.. am I 100% safe with just the patch as in 3.0.4, or do I need to do the full upgrade as I did in 3.0.5?

Thanks.

This has been the way vb has released new versions for years so everyone that has a beef with it, get over it.
We used to do the same thing complain about this everytime. We finally used the product as it was meant to be meaning using the basic code, removing over 60 hacks we had like 2 years ago, where now we have one small hack that takes less then 3 minutes to install.
If you are going to have all these hacks installed on your boards then you will have issues each time a release comes out because of all the work you have to do. VB did not ask you to install all of this stuff so get off their back.

I saw there are lots of file modified. I am wondering how I may keep my modification on 3.03? since I have modified lots codes for my specific requirments. Thanks.

The only way I may think is

1) back up all my old files
2) upgrade to latest files
3) modify all new updated files

is there any new easier way to do it? Thanks.

Sorry, guys for breaking into this thread, but as far as we are going to buy vbulletin soon, and we already recomend 3.0.5 version to couple of our clients, so we think we have right to put short note.

Partially we choosen vB for security and reliability, but we based on opinions of peoples who used previous versions. In versions 3.0.x it sounds like beta version of forum, we here agreed with guy who wrote before about it. Normal companies pay people money for beta-testing, instead demadning money from users of beta-version, take a look to any game for example.
The guys who telling "don't install the hacks and you'll have no problems" and "team are quick in releasing fixes" basically would be right... if it would be free forum. In normal situation if we pay money for forum, we would of course install many hacks and add-ons, because we don't want to looks like "all the others", and our members will want something special. So installing hacks it's respect to members of forum.

What we can say... We would put much more trusth to vbulletin team if they would prefer to make complex beta-testing before releases. Last security holes are really scare. Yes, it's good that fixes are realised fast, but it's bad that security holes and bugs appears too often.

Anyway, we think that vbulletin have no alternative... and vbulletin team shouldn't use monopoly such way. Be the best not only one to select guys! Luck to all you!

I dont see what your moaning about. You would moan more if you got hacked and vBulletin didnt have a fix for you. Why moan and say they should release security updates once every few weeks rather than when possible? I mean you dont have to update its totally up to you when you update.
Anyway I used to run vBArcade on my forum so know how hard long it takes to keep a forum upto date when you have hacks installed. I removed the hack after getting annoyed with long upgrade installs back in 3.0.4. Im glad to say since I am using a normal forum again upgrades are done in less than 3 minutes.

Memo to Jelsoft Team:

Great Job on getting this addressed! Now go tell the rest of the people who forget to visit here daily... *cough*ebulletin*cough*

Sorry, guys for breaking into this thread, but as far as we are going to buy vbulletin soon, and we already recomend 3.0.5 version to couple of our clients, so we think we have right to put short note.



quit ur moaning, takes all of five mins to upgrade

not ever a company as big as microsoft can release something perfect o the launch, windows has updates just like everything else

and having clients that have lots of forums, that just goes with the territory


:Patiently awaits vB 3.0.7:

My question seems to have gotten lost amongst all the debates. I would be grateful for an answer from someone at Jelsoft. Thanks.
Ixl, using the 3.0.5 patch (and private.php) would've made you 100% safe at that time; you didn't have to upgrade. The 3.0.6 patch is the same as 3.0.4 and 3.0.5: it will fix the security issue.

OMG, this was awful.

For future releases, you may need to make 2 different discussion threads... one for actually discussing the latest patch, and another for all the people who just want to whine.


sounds to me like you just whine about whiners

i think its perfectly fine to whine about whiners. but sooner or later its better to just ignore them. :D

sounds to me like you just whine about whiners
that's deep.

Please answer my question. Is it really just one file for the security fix, or there are files missing in the patch?



The description says that for vBulletin 2 the files changed are private.php, showthread.php, and functions.php. However, the vbulletin_2_patch.zip contains just one file - functions.php.



Please advise.

Did my upgrade to 3.0.6 and all is well, hacks an all took less than 20 minutes well done jelsoft for an excellent service keep up the good work!!



But for someone just starting out with your software and doing hacks and stuff it is a little annoying to have to redo all your work over and over but hey i am not whining its just my opinion.



Keep up the good work

by the way when is ver 3.0.7 due???

Please answer my question. Is it really just one file for the security fix, or there are files missing in the patch?
The file in the zip fixes the reported XSS with BB code parsing.

Thanks Mike.

But for someone just starting out with your software and doing hacks and stuff it is a little annoying to have to redo all your work over and over but hey i am not whining its just my opinion.
No, I agree with your opinion completely. But as you said, the burden is on the customer's experience level, time spent, number of hacks they installed, and their personal choice to upgrade or patch... not necessarily something Jelsoft is doing wrong, imo.

Thank you!

Can't wait for 3.07 keep up the great work....

Upgraded in 3 min.

No hacks this is the reason why.

Thanks again

Hmmm, I've just finished upgrading the umpteen sites that I manage. Oh well now to start again. It'll keep me busy at least another 2 weeks.

What we can say... We would put much more trusth to vbulletin team if they would prefer to make complex beta-testing before releases. Last security holes are really scare. Yes, it's good that fixes are realised fast, but it's bad that security holes and bugs appears too often.

Anyway, we think that vbulletin have no alternative... and vbulletin team shouldn't use monopoly such way. Be the best not only one to select guys! Luck to all you!

How many patches have you installed on your pc?
If it's Windows, Linux or vBulletin, even the best program contains some little bugs, I'm happy they are discovered nowe instead by a virus. I pay for good software, not for developers that wants to earn money and are too proud to publish a bugfix even there were 2 others last week.

How many patches have you installed on your pc?
If it's Windows, Linux or vBulletin, even the best program contains some little bugs, I'm happy they are discovered nowe instead by a virus. I pay for good software, not for developers that wants to earn money and are too proud to publish a bugfix even there were 2 others last week.
Are you suggesting that we were aware of the bbcode tag exploit when 3.0.5 was being released? I can assure you that when we were made aware of it, we dedicated time to determining if it was serious enough to warrant a release. Once that was determined, we spent time closing other open issues. All of this time probably spans 30 - 40 hours at the most. We did not plan this release nor did we have a long lead time where we knew it was going to come about.

Are you suggesting that we were aware of the bbcode tag exploit when 3.0.5 was being released? I can assure you that when we were made aware of it, we dedicated time to determining if it was serious enough to warrant a release. Once that was determined, we spent time closing other open issues. All of this time probably spans 30 - 40 hours at the most. We did not plan this release nor did we have a long lead time where we knew it was going to come about.
sjaakie's post was a compliment that even after 2 quick security releases, you still made another security release after a flaw was found instead of just ignoring the issue.

He quoted the wrong person me thinks :)

As some others have mentioned, Jelsoft should release patches as needed to fix security/severe performance issues as they already are doing.

But Jelsoft should limit version releases (excluding patches as I mentioned above) to say one every several weeks at most.

I understand Jelsoft likely believes that rolling security fixes and various bug fixes all into one makes things easier, but it does not for many folks...

In addition, frequently releasing entire new versions is likely increasing the risk of more bugs/security problems for some folks.

With all that said, perhaps Jelsoft should release interrim beta versions to folks who are willing to run beta versions and don't mind upgrading all the time to iron out problems.

For example, release beta updates of the current version (ie. 3.06a, 3.06b, 3.06c, etc) and then once it looks somewhat clean *and* at least several weeks have elapsed, then release a next version based upon that (ie. 3.07) intended for all.

Hope this makes sense ... and thank you for the fine software and great support; vBulletin is a great value!

Ron
No, not really. In those seven weeks your board could be hacked. Do what you want and dont upgrade. Jestloft is just doing what you guys paid for.

I read many posts in this thread and have not found a satisfactory answer to my question. I would like to ask the VB team (among all the debating going on in this thread).

Q: I applied the vb3 ZIP file patch.
a - Does that secure my board from the WORM virus (reported by BBC)?
b - if NOT, what is the prequite for the applying the 3.0.6 patch?

I wud appreciate if the vB team can reply back to my questions.

thanks


Vik

For some reason or another, I am never able to download attachments from this forum. I get the 'insuffcient privleges' error. Any idea why this may be?

For some reason or another, I am never able to download attachments from this forum. I get the 'insuffcient privleges' error. Any idea why this may be?

probably Your email doesnt fit to the one in members section or You didnt payed for license...

probably Your email doesnt fit to the one in members section or You didnt payed for license...

I did pay for the licence... Maybe I need to update my e-mail address in the members area then??

Will give it a try.

I did pay for the licence... Maybe I need to update my e-mail address in the members area then??

Will give it a try.

Problem solved.

Thanks for that.

havnt some of these people heard of 'beyond compare' if you have addons on your board, use that to make the changes to the updated files

that way you dont have to 'rehack' the addons to your site, its not hard.

May I just say the upgrade went well

Got 2 hacks to re-add but that will not be a problem

I'm liking the new "neatness" of the info stats

We'll all have upgrading done to a T soon enuff lol:D

I agree, Beyond Compare, works great! got the update done in like 20mins :D

So many upgrades... so little time...

Whatever. Just come up with SOMETHING! PLEASE! Otherwise I'm going tostart submitting support tickets when I need you to come over and tellmy 50,000 members why we need to go offline for a day -- again.
Why exactly would you need to go down for a day? Are you referring to hack installations? If so, if it takes you that long to re-install hacks, possibly you should consider not using them, eh? I can have mine up and running in a half hour after uploading the updated files and re-installing hacks.

This has been the way vb has released new versions for years so everyone that has a beef with it, get over it.
We used to do the same thing complain about this everytime. We finally used the product as it was meant to be meaning using the basic code, removing over 60 hacks we had like 2 years ago, where now we have one small hack that takes less then 3 minutes to install.
If you are going to have all these hacks installed on your boards then you will have issues each time a release comes out because of all the work you have to do. VB did not ask you to install all of this stuff so get off their back.


people add hacks because it makes the experience of being a forum that much funner.... maybe people who do put hacks on their boards wouldn't have to complain about weekly upgrades if vB would add the majority of the popular hacks into their software automatically.... i know they did that for a few things like Quick Reply... but if all of those features were added on, then you wouldn't have to pop a gasket telling people to stop complaining about re-doing the hacks ;)

Not trying to be a jerk, but this is ridiculous. How did vB3 make it out of beta testing? vBulletin is supposed to be the most professional software and they take complete advantage of that. It is so unsatisfactory that everything on here has to cost money. After paying $160 for a license to use the software, the last thing i should have to pay for is yearly access to the members section. The members section is completely useless except for one feature... software updates!

You would think a company which is used by hundres of thousands of sites would thoroughly test their products before releasing them. All of this "oops, we found something... quick get the patch ASAP!" stuff is highly unprofessional. Everyone would've gladly stuck with vB2.3 and waited for a flawless version for 3.0. It is highly annoying to add 20-30 hacks, then have them all wiped out because someone overlooked something. It makes me think that all of this is purposely left open so that every week or two another release can come out, eventually forcing people to have to buy members access to get the upgrades. :mad:

like i said... not trying to be a jerk, but this has been on my mind for a while now and since i paid for this service, i will speak my mind on it

Saying you’re sorry ahead of time for being a jerk does not excuse you to be a jerk; seems to be a common misnomer these days.

It would have been nice if you sent email to registered users telling us about this security update. I just saw it by chance browsing the forum!

:mad:

Saying you’re sorry ahead of time for being a jerk does not excuse you to be a jerk; seems to be a common misnomer these days.

i didn't apologize for it... i said i wasn't trying to be one... seems to be a misnomer these days when people get overly sensitive about someone speaking their mind... like i said... i paid for this service, i have the right to voice my feelings.

if i didn't think vB was a good product, then i wouldn't have bothered buying it, nor would i have taken the time to post here... i just wish updates would be handled in a better way and that Members Access didn't have to be a paid feature... buying the license should give you the right to access for as long as you own it

The download access helps pay the bills and keeps us developing :)

Well, I am just going to reserve friday afternoon every week for upgrading and re installing my "hacks" (needed just to provide multi language support, standard in PHPBB BTW). It will save me money I might spend if I went out...:cool:


This week 3.06
next week 3.07 etc etc etc

By christmas we should be up to 3.0.52 !

The download access helps pay the bills and keeps us developing :)

yes but wouldn't charging $80 and $160 for a license keep the bills paid up just fine?.... there are a bazillion sites which have vBulletin software

and i am not neccessarily against charging for yearly access... but if i buy vB 3.0... then i should be allowed to download the updates whether my access is expired or not.... but a major release... yes i can see why that would be for up-to-date access only

people add hacks because it makes the experience of being a forum that much funner.... maybe people who do put hacks on their boards wouldn't have to complain about weekly upgrades if vB would add the majority of the popular hacks into their software automatically.... i know they did that for a few things like Quick Reply... but if all of those features were added on, then you wouldn't have to pop a gasket telling people to stop complaining about re-doing the hacks ;)Also, if I remember correctly, Kier mentioned that they're working on a new feature that will "make the hacking community very happy." *cough*module system*cough*

that would, indeed, be great :D

http://www.vbulletin.com/members/upgrade_instructions.php only had instructions on upgrading to 2.3.6 from 2.3.4. I have/had version 2.3.5 installed & get the following message when I run the upgrade28.php script:



Warning: you are currently running version 2.3.5 and this script upgrades from version 2.3.4. If you are sure you want to continue, please click *here* otherwise please consult the upgrade instructions.



The upgrade instructions aren't clear about how to upgrade from 2.3.5 to 2.3.6, can anyone help? Thanks.

Reminder: This is a discussion thread. If you have a problem or need help with something, please start a new thread in the appropriate forum. Thanks.

Steve, thanks for your quick reply. I thought that this would be the appropriate place since it is regarding the 2.3.6 release. I reposted my question here: http://www.vbulletin.com/forum/showthread.php?t=127319

There are over 300 posts in this thread. It really isn't the best place to get help with one issue. ;)

vB2 was good. vB3 is a masterpiece. vB4 will be amazing.

I believe Jelsoft is a fabulous softare development company. For sites that don't use hacks, like ours, the longest part of this upgrade was the file transfers. The actual upgrade took about a minute.

For those with hacks, be thankful that Jelsoft creates open software that you can customize. If you complain too much, they might license the software and specify no hacks allowed, or license invalid :eek:

Of course, they won't.. because they care about you, and that is why they test and upgrade their complex and feature rich software. I repeat, vB3 is a masterpiece.

yes but wouldn't charging $80 and $160 for a license keep the bills paid up just fine?.... there are a bazillion sites which have vBulletin software

and i am not neccessarily against charging for yearly access... but if i buy vB 3.0... then i should be allowed to download the updates whether my access is expired or not.... but a major release... yes i can see why that would be for up-to-date access only
The system has been inplace for 5 years now, and only a very few people have ever complained about the 30 dollars a year, thats only about 2 dollars a month when you break it down.

yep $30 isn't bad at all for someone who takes having the Best seriously. ;)
I don't even visit too many boards that are vB for that very reason.
I know if a site uses vB, that they care more about the people that come there.
And
vB "Is" the best.

I just renewed a few hours ago. :)

vB2 was good. vB3 is a masterpiece. vB4 will be amazing.

I believe Jelsoft is a fabulous softare development company. For sites that don't use hacks, like ours, the longest part of this upgrade was the file transfers. The actual upgrade took about a minute.

For those with hacks, be thankful that Jelsoft creates open software that you can customize. If you complain too much, they might license the software and specify no hacks allowed, or license invalid :eek:

Of course, they won't.. because they care about you, and that is why they test and upgrade their complex and feature rich software. I repeat, vB3 is a masterpiece.

I agree, however for a site that serves users in more than one language some of the "hacks" (and I hate that term, should be "add ons") are not cute or fancy additions but features that render the board useable for many users. Without them half our userbase could not register or choose their native language!

Example
Auto selection of interface language based upon browser language.

Choice of interface language AT REGISTRATION in addition to the User CP.

Both these excellent mods found at Vbulletin.org are quite small but make the board functional for a multilanguage based forum. If Vbulletin had them I would not need to add them.

Are you suggesting that we were aware of the bbcode tag exploit when 3.0.5 was being released?

No, see the post from sqall14716. :)



sjaakie's post was a compliment that even after 2 quick security releases, you still made another security release after a flaw was found instead of just ignoring the issue.

So it was a hidden compliment. ;)

$2.50 Zach... ;)

Or roughly .083333333333333333333333333333 cents every thirty days.

No, not really. In those seven weeks your board could be hacked. Do what you want and dont upgrade. Jestloft is just doing what you guys paid for.

Originally Posted by Ron Bennett
As some others have mentioned, Jelsoft should release patches as needed to fix security/severe performance issues as they already are doing.

But Jelsoft should limit version releases (excluding patches as I mentioned above) to say one every several weeks at most.

I understand Jelsoft likely believes that rolling security fixes and various bug fixes all into one makes things easier, but it does not for many folks...

In addition, frequently releasing entire new versions is likely increasing the risk of more bugs/security problems for some folks.

With all that said, perhaps Jelsoft should release interrim beta versions to folks who are willing to run beta versions and don't mind upgrading all the time to iron out problems.

For example, release beta updates of the current version (ie. 3.06a, 3.06b, 3.06c, etc) and then once it looks somewhat clean *and* at least several weeks have elapsed, then release a next version based upon that (ie. 3.07) intended for all.

Hope this makes sense ... and thank you for the fine software and great support; vBulletin is a great value!

Ron

In a nutshell, security patches and bug fixes are not exactly the same thing. What I suggested was Jelsoft should continue to release critical security patches *as often as needed*, but *not* entire new versions so frequently ... hope this makes sense now :rolleyes:

Ron

Originally Posted by Ron Bennett
As some others have mentioned, Jelsoft should release patches as needed to fix security/severe performance issues as they already are doing.

But Jelsoft should limit version releases (excluding patches as I mentioned above) to say one every several weeks at most.

I understand Jelsoft likely believes that rolling security fixes and various bug fixes all into one makes things easier, but it does not for many folks...

In addition, frequently releasing entire new versions is likely increasing the risk of more bugs/security problems for some folks.

With all that said, perhaps Jelsoft should release interrim beta versions to folks who are willing to run beta versions and don't mind upgrading all the time to iron out problems.

For example, release beta updates of the current version (ie. 3.06a, 3.06b, 3.06c, etc) and then once it looks somewhat clean *and* at least several weeks have elapsed, then release a next version based upon that (ie. 3.07) intended for all.

Hope this makes sense ... and thank you for the fine software and great support; vBulletin is a great value!

Ron

In a nutshell, security patches and bug fixes are not exactly the same thing. What I suggested was Jelsoft should continue to release critical security patches *as often as needed*, but *not* entire new versions so frequently ... hope this makes sense now :rolleyes:

Ron


Hi Ron:

I think the ultimate goal here is to keep things as simple as possible. The amount of work to create a release is pretty big. We're talking about creating a new branch in the CVS, going throug bug fixes with 3/4 of the devs and they work OT just trying to get the main security fix addressed. It can sometimes go as far as 24hr work marathons. After these security fixes are here, while you have the devs around, why not address a few bugs as well? You might as well do so they say as you have everyone with you.

While you are proposing, though a great idea, it probably may not be such a fesible proposal. It's basically the same thing as doing a regular release, but 3x worst. If they have to do that for version A, B, C, D, etc., imagine the number of nightmares they are going to have. Pretty soon we're gonna have dead Jelsoft employees. Reason of death: High Stress.

I personally feel that out of convience for a webmaster, that while they release a security fix, they can go ahead and address bugs as well. This way I don't have to come around and REAPPLY any special lines of codes we have or any template modifications I've done because of upgrades.

Granted Security Fixes and Bug Fixes are not the same, I applaud Jelsoft for doing this. Some people may not want to upgrade to the versions because the amount of customizations, but that's why there are security fixes made available for people to use to apply to their boards to limit the amount of flaws. Grab the PHP file form the Announcement area, patch, and move on. That's like an interm version right there :)

I paid $165 for my copy of vbulletin. I expect to see lots of updates and new versions. If I wanted to wait forever for bug fixes and new features I'd go download phpbb.

I paid $165 for my copy of vbulletin. I expect to see lots of updates and new versions. If I wanted to wait forever for bug fixes and new features I'd go download phpbb.
165.00??? O_O How is that possible? Plus I personally believe vB3 is ahead of everyone else. I don't know anyone else that comes as close as to what Jelsoft is offering.

165.00??? O_O How is that possible? Plus I personally believe vB3 is ahead of everyone else. I don't know anyone else that comes as close as to what Jelsoft is offering.

$160 rather :p

$160 rather :p
now THAT does make more sense :D

now THAT does make more sense :D

if you want to get picky, I actually paid $196 :eek:

(Canadian)

I paid $165 for my copy of vbulletin. I expect to see lots of updates and new versions. If I wanted to wait forever for bug fixes and new features I'd go download phpbb.

I second that, And personally I think the regular updates show that Jelsoft is on top of any issue that arises to help us from being the next victim. Thanks for this Great piece of software and keeping us up to date. Best money I ever spent.
:) :) :) :) :)

It would be irresponsible for us to issue a warning (to declare a version insecure) without releasing a patch.

I'm sorry, but at this point I'll have assume each vB release is insecure whether you declare it or not. What else am I supposed to think? This isn't the first time rapid-fire releases have occurred. Some advanced notice of pending fixes would be appreciated. Giving the community a heads up will not impact their security and may save their sanity.

I third that. The reason I paid for vBulletin. =D

I'm sorry, but at this point I'll have assume each vB release is insecure whether you declare it or not. What else am I supposed to think? This isn't the first time rapid-fire releases have occurred. Some advanced notice of pending fixes would be appreciated. Giving the community a heads up will not impact their security and may save their sanity.

I don't think you can assume any release of software 100% secure because like with anything in the world, its prone to bugs, errors and mistakes. But from my standing point, vB3 is much more secure than other platforms I've seen and I haven't had a hacking incident severe enough to be thrown into utter chaos.

Thank you for continuing to support security releases for VB2. For integration and speed purposes, I have not yet upgraded to Version 3.

As for all the patches and fixed - keep them coming. This isn't a standalone Windows machine - it's webserver software that can used and abused by tens of thousands of users each day...

-Wayne

I think you should reassured that we quickly fix all issues that we are aware and inform you of of the seriousness. There are many applications that choose to not mention security fixes or hide them in the changelog (I am not making any references to our competitors here). By your logic, you would feel more secure by the sake of being uninformed.

165.00??? O_O How is that possible? Plus I personally believe vB3 is ahead of everyone else. I don't know anyone else that comes as close as to what Jelsoft is offering.
I paid $163. ;)

Can't wait for 3.07 keep up the great work....




You, and everyone else who has said that they can't wait for vB 3.0.7 will have to forgive me - because I disagree...


I can't wait for vB 4.0!!! (or whatever the next major version is supposed to be) :D :D :D

I'm still running v2.2.x -- will this security patch break anything?

We can't say for sure. The patch has not been tested on vB 2.2.x. My guess is that it won't work and you will need to upgraqde to 2.3.6. You should do this anyway because: (a) we can no longer provide suppoort for extremely old versions of vB, and (b) there are other security holes in those old versions.

a big thanks to Jelsoft and the team and developers for keeping on top of things. this forum software just keeps on getting better!

thanks.

I really appreciate the attention and care paid to security issues by the vbulletin staff. It makes using vb a lot less stressful than similar products (and many, many other not similar products). And I really appreciate the quick heads up given when a problem is detected.

However, is there any way to sort your mailing list so that those who already ran the upgrade to be filtered out from the alert mailing?

Today when I checked my mail and received the email dated today, I ended up having to take a deep breath and keep the not so nice muttering under my breath at the prospect of installing yet another upgrade. Once I read the email, I realized that it was redundant to an earlier one and calmed down. I'm too old for scares like that!

Thanks.

The only reason i switched 2 months ago from another (also popular) board software to VBulletin, is security. You see, there are those rumors about VBulletin to be the most secure of all

question: Are we secure NOW? LOL :D


PS Seriously, i prefere security rather than just ...public relations company policy hehehe Meaning i prefere weekly security updates rater than no fixes when there is an issue, in order not to "worry" the custommers ;)


PS2 Still running 0.3 patched ...just a couple of files replaced.. no big deal ;)

when we see vBulletin Version 3.0.6
i think next week:)

thanks alot

Don't blame Jelsoft - blame the hackers who find these obscure XSS holes in the code. :)

If hackers can, why can't Jelsoft?

when we see vBulletin Version 3.0.6
i think next week:)

thanks alot
Err...it was out a few days ago.

this is what I paid vbulletin to do. Honestly if I didn't care about security I would go with phpbb. It's got the same graphical doo dads that vbulletin has however it is not nearly as secure.

In my opinion they have done a stellar job patching things up. I feel much safer with constant releases especially because I'm worked as a coder myself. security updates are a never-ending cycle.

Finished the upgrade this evening. All seemed to go well. Nice work :)

sorry I am kinda slow,I'm already upgrade to 3.0.5, you guys are saying I don't have to upgrade? just use the The patc??

I don't have a major problem with a security update - it is a little annoying but necessary.

I did find the procedure to actually download the patch file very tedious. I had to do the following steps:

0. Loaded up members area, couldn't find link to patch.
1. Tried to download patch from forum msg. Received "you cannot access..." error. Registered for the forums.
2. Clicked on the email verification link.
2a. Still no download access to the patch.
3. Replied to announcement email asking how to access this file.
4. Clicked on the verification to allow my email to go through.
5. Received a reply telling me to register for Priority Forum Support. Did so.
6. Finally, I'm able to download the attachment...

I understand that attachments need to be protected, but why can't the patches just be posted into the member area? My board is simple, I'm happy with it being functional rather than heavily modified and configured, so all I need from vbulletin is updates. This is the first time I've had to email support, and the only time I access the forum is to read the security update messages. This is my first post here since I had to register this time.

It's a very tedious process just to download a small patch. Hopefully I won't have to do this next time.

This is surely alienating a large degree of your users. If there's going to be a constant barrage of patches can you please create some form of auto-update?

Plus could you also answer why your alerting email gives different advice to the main 3.0.6 thread?

In the email is says do this:

Board is running vBulletin 3.0.4 or earlier
- Download patches for 3.0.5 and 3.0.6
- Overwrite includes/init.php
- Overwrite includes/functions_bbcodeparse.php
- Overwrite private.php

Yet in the 3.0.6 download patch there's only one file - functions_bbcodeparse.php. Where am i supposed to get private.php from? I'm guessing i've got to download the whole of 3.0.6???????????????

Just as well i didn't pay a company over £80 to upgrade my message board to 3.0.5 last week :mad:

Thats what was said last time.., next week .7 will be out, and at this rate before we know it we will be on .9

Get a life. We are human, we make mistakes, we do not see everything perfectly.
Nobody is forcing you to upgrade.

Jesus.

If hackers can, why can't Jelsoft?
Because hackers spend hours looking at existent code trying different techniques, some of which are browser-dependent and new, whereas Jelsoft is also trying to provide us with the latest version of vB - you can't expect the developers to find EVERYTHING. :)

This is surely alienating a large degree of your users. If there's going to be a constant barrage of patches can you please create some form of auto-update?

Plus could you also answer why your alerting email gives different advice to the main 3.0.6 thread?

In the email is says do this:


Yet in the 3.0.6 download patch there's only one file - functions_bbcodeparse.php. Where am i supposed to get private.php from? I'm guessing i've got to download the whole of 3.0.6???????????????

Just as well i didn't pay a company over £80 to upgrade my message board to 3.0.5 last week :mad:


You can get private.php from the 3.0.5 announcements thread.

I really cannot see where the problem is here. If someone is running a non-modified version of vBulletin (that is to say, no php file changes, only template and style changes) then this upgrade will take literally about 5 minutes. It is constrained only by the speed of your internet connection and ftp server. If you're on 3.0.5 you have to click about 5 or 6 'next step' buttons, that is it, it really couldn't be simpler. If you're on an earlier version the number of buttons to click increases by about 6 for each missing version, but it's still hardly time consuming or complex. I've never known php/mysql - based software that's as easy to upgrade.

Yes if your board is modified (as mine is) it will take a while longer, but I still did it in less than an evening.

Yes it's tedious doing it over and over and I don't like having to do it, but I'd rather that than have security vulnerabilities.

I cannot see there being a 3.0.7 any time soon - especially as the eBulletin has just gone out - but if something comes to light then I'd expect Jelsoft to patch it, that's one of the things I pay the licence money for.

I just wish the instructions were in laymans terms for us people that aren't techy php wizards. The upgrade instructions put me off because it constantly tangents off in different directions.
Before you do this do that, before you do that do this, this and this. Do this, this and this like that, that, that and that. And then there's loads of different backup'ing methods just to freak you out before you've even got anywhere.
/me cries :(

Actually I am HOPING that more is discovered rather than less!! Sometimes, due to customer whining, there is less motivation to make a release, or a release is made only when someone feels it's big enough to support a number change. This is what is currently happening with php 4.3.10. They currently have a fix for the slowdown issue with vb, however many hosts do not feel it is an issue until 4.3.11 comes out. I'm a little frustrated at php.net for not releasing this fix or at least announcing it publicly so that hosts can realize they need to update their version. But perhaps they were also convinced by the audience not to release so much within such a short period of time. And also to HIDE fixes unless it is an unavoidably huge security issue. In my opinion, when there is a significant performance hit, or ANY security issue I don't care what number they'll get up to, and I don't care if it means I have to update weekly for some time, they should patch it up and link an announcement on the front page.

It does get annoying. Vb requires a bit of work to get it going and while I dislike referring vb customers to other forums, if you want easy breezy instantaneous setup and autopatching along with a hosted server then you should sacrifice customizability and go with another solution.

If that isn't an opinion I truly wonder why some are still using vb when they're not using the plethora of options provided to fix this issue. If you are not willing to spend the money for custom editing OR not tech savvy enough to follow the instructions OR not willing to change one file then I truly wonder why you chose vb.

The instructions are not "fun" (are they supposed to be?) but anyone can edit the scripts.

As for autopatching, i think the security issues involved would make it a moot point (writing to php files live on the server?? err no thanks).

Question:

If I only upload the files mentioned in this post (http://www.vbulletin.com/forum/showpost.php?p=800226&postcount=3), will the upgrade work the same way?

I must've missed the bit on the sales spiel for vBulletin which said: "If you're not tech savvy don't get vBulletin".

Ox, try reading this http://www.vbulletin.com/forum/showthread.php?t=124989

If there are still any other questions you have about the upgrade process start a thread in the upgrades forum or a ticket in the members area :)

private.php is available attached to one of the posts in the 3.0.5 announcement here:

http://www.vbulletin.com/forum/showthread.php?t=125480

Question:

If I only upload the files mentioned in this post (http://www.vbulletin.com/forum/showpost.php?p=800226&postcount=3), will the upgrade work the same way?
No help? :(

This is not a thread for support, you should always upload all of the files from the new version.

If you have questions about upgrading please start a thread in the proper forum.

This is not a thread for support, you should always upload all of the files from the new version.

If you have questions about upgrading please start a thread in the proper forum.
Ok. I apologize as I was not aware of this. Thanks for letting me know. :)

I just wish the instructions were in laymans terms for us people that aren't techy php wizards. The upgrade instructions put me off because it constantly tangents off in different directions.
Before you do this do that, before you do that do this, this and this. Do this, this and this like that, that, that and that. And then there's loads of different backup'ing methods just to freak you out before you've even got anywhere.
/me cries :(
In very basic terms:

1) Backup your database
2) Backup your php files
3) Close your board
4) Upload the new php files, overwriting all the old ones. Don't touch the images.
5) Go to www/yoursite.com/forum/install/upgrade.php
6) Follow the instructions, which involve entering your customer number and pressing the 'next step' buttons.
7) Reopen your board!

In step 5 yoursite.com is your website address and /forum/ is the folder in which you have your forums, eg /forum/, /board/, or similar.

For a standard board that really is it in a nutshell. Some minor template edits may be required afterwards but these are documented in the relevant announcement thread.

I just wish the instructions were in laymans terms for us people that aren't techy php wizards. The upgrade instructions put me off because it constantly tangents off in different directions.
Before you do this do that, before you do that do this, this and this. Do this, this and this like that, that, that and that. And then there's loads of different backup'ing methods just to freak you out before you've even got anywhere.
/me cries :(

It's not for PHP wizards, just use a simple file comparing program to re edit all of your files if you have modifications(ie: WinMerge) or if you do not have any modifications, just upload all the files and then go to (http://www.yourdomain.extension/yourforums/install/upgrade.php :D

To backup, either read the tutorial http://www.vbulletin.org/forum/showthread.php?t=39558&highlight=backup

if you have a smaller database, backup using the backup tool via the vBulletin admin control panel

...

Amidst all of the naysayers, I'd like to throw in a kudos...

We got hit pretty hard last night...I posted a global announcement about the pending upgrade to 3.0.6, and all hell broke loose - it's as if the sharks were circling, looking for an opportunity...

Before I could lock down, we had several crashes, several corrupted tables...

So, I spent the better part of the night uninstalling the Arcade, getting rid of the custom styles, and upgrading to 3.0.6...

Everything went smooth as silk - we're up and running fine...

Thanks for the easy upgrade, guys! ;)

...

Regarding the "untrusted user" in the original announcement, what does it mean actually? Does it mean that if I disable BB code in signature and prevent guest and banned users from posting will make my board secure?

My board is heavily modified and I just cannot afford to upgrade in such a frequency.

Thanks

I'd like to ask a question.
Last time I got blasted for asking, so I just want everyone to know ahead of time...
This is directed at the vB team. (which btw does a great job)
and
I will not be responding to any other responses to the question.
I need a simple yes or no.
The reason I'm posting here is because I currently am running a patched 3.0.5,
and am thinking of upgrading "Now" to 3.0.6.

I have read in this forum thread where someone had said it would be nice if vB
would let people know a little ahead of time when a new release might be coming.
I understand that the vB team doesn't like to put dates out there for speculation.
I do understand why.
I also understand that there are certain circumstances that require an immediate
release for security, and vB doesn't have time to say there's going to be one.
I try to wait a week or so after an update/upgrade comes out just to see if
there are any farther updates.

When I upgraded to 3.0.5, in was only like 5 hours when 3.0.6 was released.
That seems to be my luck.

anyway, my question.....

Does vB foresee another release in the next 24 hours, before I upgrade?

My board is heavily modified and I just cannot afford to upgrade in such a frequency.

Thanks

Don't you think it's irresponsible as a forum administrator to put modifications above security? If a mod/hack is going to cripple your ability to maintain your copy of vb, I don't think you should bother with it.

From a technical point of view, you are absolutely right.

But from a practical point of view, if a board cannot do what we need (or what the boss wants), no matter how secure it is, what's the point of using it?

When it comes to real life, we have to compromise between what we can do and what we want to do.

I personally think mod/hack authors are the ones who need to change their ways. Mods/Hacks should be coded so they can be easily worked with come upgrade time!

I personally think mod/hack authors are the ones who need to change their ways. Mods/Hacks should be coded so they can be easily worked with come upgrade time!

I cannot agree more with you on this:cool:

I didn't do any of the mod/hack myself, but since there are such mods out there, I was often asked to add such kind of features/functionalities.

The download access helps pay the bills and keeps us developing :)

Couldnt you do support instead? ;)

whats the big deal...takes about 30 seconds to do the upgrade. If you don't want to do the full upgrade, patch the board and that should take you about 5 seconds. Some people aint happy if they aint complainin eh?

anyway, my question.....

Does vB foresee another release in the next 24 hours, before I upgrade?
I have small idea to vBulletin team:
Please inform us 7 days before new upgrade!
For example: Small counter in home page:
Next release 7 days
Next release 6 days
Next release 5 days
Next release 4 days
Next release 3 days
Next release 2 days
Next release 1 day!

Or in Admin control panel

Best regards :)
alkahf

:confused:

what difference does it make if you know an update is coming?

I have small idea to vBulletin team:
Please inform us 7 days before new upgrade!
For example: Small counter in home page:
Next release 7 days
Next release 6 days
Next release 5 days
Next release 4 days
Next release 3 days
Next release 2 days
Next release 1 day!

Or in Admin control panel

Best regards :)
alkahf
Well that means we would have to notify you 6 days before we knew about a problem

Well that means we would have to notify you 6 days before we knew about a problem
I don't mean about Taht update after problem example:
version 3.02 >> 3.0.3 Or 3.0.4 >> 3.0.5
I mean for normal update like: 3.03 >> 3.0.4

Regards

I don't mean about Taht update after problem example:
version 3.02 >> 3.0.3 Or 3.0.4 >> 3.0.5
I mean for normal update like: 3.03 >> 3.0.4

Regards

I was thinking something along the lines of...
"we've found a security risk and will be releasing something in a day or 2..."

Like as soon as you figure it out, and start recoding....
Or does it only take you an hour or to to recode everything
when you find a vulnerability?

Any way I guess I'll go ahead and take a chance and upgrade now... :confused:

For fun, I just did a quick calculation of the number of posts by the entire Jelsoft support team on the first page of the members list, ranked by number of posts. The Jelsoft vB team has almost 200,000 posts (rough calculation was 193,633) , that means interaction with customers on support problems.

Incredible.

Great job Jelsoft!

Thanks Jelsoft and good job. The quality you offer on this package for the money is excellent. Thanks for making patches available too. They are a reasonable alternative to the full upgrades which are obviously very frustrating to admins here with numerous hacks. I use development servers where I apply the upgrade and reinstall the hacks first. That limits downtime on the production servers as the hacked files can simply be copied over after upgrade.php is run. Re-hacking the files is a chore, whether you have simply have the hack code commented or use a diff utility... it is a hassle, no doubt, but security should be the top priority for any professional system admin, period. If you are not getting paid for your time, that's probably what you should be complaining about, not hassling this team for providing security discovery and fixes.

I do have a quick question though... after an upgrade, what files can be deleted from the install directory? I don't like keeping anything around that I don't really need. Thanks

I do have a quick question though... after an upgrade, what files can be deleted from the install directory? I don't like keeping anything around that I don't really need. Thanks
All of them. I do believe that is what the install/upgrade script says to do. ;)

I do have a quick question though... after an upgrade, what files can be deleted from the install directory? I don't like keeping anything around that I don't really need. Thanks
You can delete everything, but I'd keep the *.xml files. They could be useful later.

I have a modified 3.0.1 and I used your init patch. Now I see the 3.0.6 upgrade, Do I stil have a security issue? Should I upgrade to 3.0.6 now or wait for another upgrade or am I fine the way I am? I just don't want to have to reapply al my hacks and then upgrade again in a week or so.

Thanks,
Miguel

I was thinking something along the lines of...
"we've found a security risk and will be releasing something in a day or 2..."

Like as soon as you figure it out, and start recoding....
Or does it only take you an hour or to to recode everything
when you find a vulnerability?

Any way I guess I'll go ahead and take a chance and upgrade now... :confused:

Upgraded!
Time 2:30 hrs w/5hacks :D

Very smooth this time around.
Great job there vB team. :)

To be honest, I am not sure any type of advanced notification is a good idea.

There could be ONE vB owner out there that is also up to no good.
So, say Jan 1 vB says we have found a vulnerability & you can look forward to a patch soon.... Now this one person says, who hoo a crack I can try to exploit. Then if he/she gets it figured out, they could cause problems.

There's my 2 cents.....

(Kinda chilly in here, I might get warmed by the FLAMES) :D

I'm not sure if this is a bug, but if I place a blank space, (alt-255, not 20hex = space), or pretty much any character for that matter at the end of my includes/functions.php file, the forum looks a lot cleaner and tighter in Firefox, there's no lines of dead space at the bottom and my javascript menus at the top of the screen appear at the top as they should, (all is fine in MSIE)
but on style changes or hard refresh the char at the end of the file appears to cause a cookie, "header already sent" error.

some people may be using flaky UNIX - MSDOS CR+LF text file converters, I know that the one which comes with Brutus adds several equals signs at the end of the file for example.
Is there anything I can do for functions.php to make things tidier in firefox?

I have small idea to vBulletin team:
Please inform us 7 days before new upgrade!
For example: Small counter in home page:
Next release 7 days
Next release 6 days
Next release 5 days
Next release 4 days
Next release 3 days
Next release 2 days
Next release 1 day!
alkahf


:) hehe, this would also mean that you have the release in stock, and keep it there for ... 7 days, it would make alkahf happy (joke)


I love every single release, even if they are few days apart and I have about 50 hacks installed (automatically)

any new release is a better one. Keep up good work =D>

I can't believe that we need another patch so soon - please try to release things at the same time :(

On my forums Increase/Decrease Size in the Editor doesn't appear to work in Mozilla Firefox but works on this VBulletin.com forum in Mozilla Firefox. But it works in Internet Explorer 6 on my forums. The relevant templates are not customised.

If hackers can, why can't Jelsoft?




Because hacking is very much about imagination, as much as it is about intellect.

If you were talking about the general concept of "coming up with ideas" and/or problem solving for any topic you could name - how many ideas could you, personally, come up with compared to what a group of a thousand people could come up with?

Do you see the issue?

I must've missed the bit on the sales spiel for vBulletin which said: "If you're not tech savvy don't get vBulletin".




Anyone who did their homework before making the purchase would see that you have to have some "tech savvy" in order to get involved with running a board.

If you have trouble programming a VCR, and choose to get a computer - just to complain about how complicated you didn't know it would be, I have very little sympathy for you.

I think the most frustrating thing for me, is that we paid quite a lot of money for the vbulletin - yet we've suddenly got all these emails saying "Quick, quick, upgrade your board, not secure". Get it right first time vbulletin.....spend more time researching your work really.....then these problems wont happen again.

I think the most frustrating thing for me, is that we paid quite a lot of money for the vbulletin - yet we've suddenly got all these emails saying "Quick, quick, upgrade your board, not secure". Get it right first time vbulletin.....spend more time researching your work really.....then these problems wont happen again.


PEOPLE. Get your facts straight! These releases were not due to developer errors, they were due to new, previously unknown exploits, discovered by hackers. If you don't like it, run phpBB.

Ive already paid for the vbulletin - so Im hardly run off to another board. I think eveyone can be frustrated for not having the proper security for our money.

Unless you want to give me my money back, little man (or whoever conqsoft is!)?

Im happy to keep running the vbulletin ATM, the member area is good, the vbulletin guys themselves have always been quick in response - but surely I'm fair enough to be frustrated by constant security holes.

Then you SHOULD be frustrated at the no-lifers that sit around looking for exploits all the time, and PRAISING Jelsoft for keeping on top of it and releasing security patches, "little man". :rolleyes: (Are you 10, or 12 years old?)

I think the most frustrating thing for me, is that we paid quite a lot of money for the vbulletin - yet we've suddenly got all these emails saying "Quick, quick, upgrade your board, not secure". Get it right first time vbulletin.....spend more time researching your work really.....then these problems wont happen again.




With all dues respect, Rich99, you don't have a clue what you're talking about.

Any lock devised by man, can be bypassed by man. It's not about "researching your work" - obviously, there is a standard for making sure you do a good job, as opposed to a sloppy one. But no matter how good a job you do, someone else who is determined and smart can always find a way around it.

Before you start complaining and running your mouth, make sure you have the facts and know what you're talking about.

Im not interested in making some sort of flame agaist whoever you are - got much better things to do. In a final note though, Jelsoft Enterprises Ltd - lets just make sure this is the last security hole, please, at least for some time. thank you.

Im not interested in making some sort of flame agaist whoever you are - got much better things to do. In a final note though, Jelsoft Enterprises Ltd - lets just make sure this is the last security hole, please, at least for some time. thank you.

Hey, you started with the name calling. I'm just stating the facts.

Do you realize how ignorant it is to tell Jelsoft to "make sure this is the last security hole for a while"? I guess not, otherwise you wouldn't have said that.

From looking at your site, it looks completely stock anyway, so it should take you all of 10 minutes to do a full upgrade. What exactly is the problem anyway?

:)) that's why you have to PAY for a product (here is vBulletin), so that they (the developers) WORK their @$$ off to FIND as many bugs/problems as they can, and surely they will TELL you what they've found.

be happy :D


btw, security holes are in the product itself until when someone see it. not something that someone put it in, and try not to "add" some more :D. peace out

lol, yeah they cant prepatch for some of the php bugs that are found in the actual php code and force all kinds of updates, not everything is just a security bug in the vb code

that and the vb code has to be some of the tightest php based forum codes out there

MY word! I certainly hope these threats and so forth are not disuading jelsoft from making more updates. Frankly I know that I and many others appreciate the work that's going on to stay on top of things. PLEASE keep it up jelsoft. I would like more to be discovered! Certainly not less!

Ive already paid for the vbulletin - so Im hardly run off to another board. I think eveyone can be frustrated for not having the proper security for our money.

Unless you want to give me my money back, little man (or whoever conqsoft is!)?

Im happy to keep running the vbulletin ATM, the member area is good, the vbulletin guys themselves have always been quick in response - but surely I'm fair enough to be frustrated by constant security holes.
Just stop posting in this thread and go upgrade your board. You have no idea what your talking about.

If everyone would stop flaming vbulletin and each other, perhaps we can get back to the topic - upgrading to 3.0.6.

Anyway in addition to the problem of using incease/decrease in Mozilla Firefox, in the AdminCP there is the heading of vBulletin Developers & Contributers but none are listed below the heading.

Please cancel that last one about Developers & Contributers. After logging out and logging back in again they are listed. But when the "Control Panel Home" link is clicked they disappear.

I was just noticing the last 2 posts by andiez.
the post count still shows 0.
Whats up with that?

I was just noticing the last 2 posts by andiez.
the post count still shows 0.
Whats up with that?

Threads in this discussion do not count towards post counts

I can't believe that we need another patch so soon - please try to release things at the same time :(

Your a clever **** arnt you?

On my forums Increase/Decrease Size in the Editor doesn't appear to work in Mozilla Firefox but works on this VBulletin.com forum in Mozilla Firefox. But it works in Internet Explorer 6 on my forums. The relevant templates are not customised.

I have the same problem, can anyone help with this? It really is quite annoying.

Because hacking is very much about imagination, as much as it is about intellect.

If you were talking about the general concept of "coming up with ideas" and/or problem solving for any topic you could name - how many ideas could you, personally, come up with compared to what a group of a thousand people could come up with?

Do you see the issue?

Very well said, and sorry for the Off Topic everyone, but I do Ethical Hacking for a living and constantly have to fight the subjectivity battle, or answer questions regarding my certifications, when the real issue is the capability for a fnie mixture of nit picking, understanding of the subject matter and most importantly conceptual thought process.

Hi,
I just went through the email about patching our forums.

I'm running 3.03, and because of some of the hacks I have installed. I've decided to patch my forum.

Now reading the email that was sent out, I needed to download patches for 3.05 and 3.06. Which I did.

The email then says to overwrite includes/init.php Which I just did.
The it says to overwite includes/functions_bbcodeparse.php Which I did.

But then it says too also overwrite Private.php? I don't see this file in the 3.06 zip file, and I don't see it listed anywhere to download with the init.php file in the 3.05 thread? Where do I download this file?
Thanks
Chris.

First, i want to thank the VB team for rapidly addressing security issues.

Second, I want to thank you all in advance for your assistance in answering this Q:

I have a VERY VERY hacked version of 2.2.5 in which i usually do manual patches whenever a security issue arises... can you tell me which part of the code the the function.php file contains the security fix?

Is 'the fix' only in the section labeled ###start bbcodeparse###?

Thanks again for all your hard work!

Please excuse me if this has been discussed but I can't read all 28 pages! :o

If I run the upgrade on my test board, re-install all my hacks, can I just copy over all the testboard files to the live board (changing the config file of course)?

I have the same problem, can anyone help with this? It really is quite annoying.

I had this problem also but I reverted editor_clientscript and it fixed it :cool:

On an even happier note, I completed the 3.0.6 upgrade this morning. It took about 2 hours of diff/merging but it was worth it :)

I highly recommend to any of you out there that have hacked boards to use WinMerge (http://winmerge.sourceforge.net/) Its free and open source.

2 hours! :eek:

Keep track of which files you've hacked, and only compare the ones Jelsoft has changed. You'll find that you're only comparing a minority of files, not all of them. :)

who knows the advantages of 3.0.6?

tell us about that so we know it is good to upgrade or No?

who knows the advantages of 3.0.6?

tell us about that so we know it is good to upgrade or No?

It contains very important security fixes. You would know this if you read the announcement regarding 3.0.6.

2 hours! :eek:

Keep track of which files you've hacked, and only compare the ones Jelsoft has changed. You'll find that you're only comparing a minority of files, not all of them. :)

yeah I got to thinking myself after my last post, when I said "2-1/2hrs.
I went from the time of the previous post, but in actuality, it really only
took me 45mins-1hr at the most w/5 hacks.

I was really expecting way more of a challenge, but there just wasn't
that much to it. :cool:

1. I run VB 3.0.5 and would like to update to 3.0.6
2. I uploaded functions_bbcodeparse to the includes folder via FTP
3. In the Admin Control Panel I can not see that it is now 3.0.6....

Maybe I am to stupid to patch ;-) - help.


Help a Newbie please.

Trixi, all you did was patch, not upgrade, if you need help please start a support thread in the proper forum. Thanks

If everyone would stop flaming vbulletin and each other, perhaps we can get back to the topic - upgrading to 3.0.6.






Please cancel that last one about Developers & Contributers. After logging out and logging back in again they are listed. But when the "Control Panel Home" link is clicked they disappear.




It's interesting that you want to "get back to the topic", and then you post off topic. It's been stated a dozen times - if you have a problem, don't post it here. Post it in the correct forum.

Please excuse me if this has been discussed but I can't read all 28 pages! :o

If I run the upgrade on my test board, re-install all my hacks, can I just copy over all the testboard files to the live board (changing the config file of course)?

Can anyone answer this? Please?

once you have the hacked files working on your test board do this.

Close you live board
Back up the database and all the files on it
Upload the default 3.0.6 files
Run /install/upgrade.php
Once this has finished upload your hacked files
Check everything is working and then open your site again.

Depending on the size of your database and the speed of your net connection this shouldn't take long. I always do it this way and it normally is done within 30 mins.

Thanks. :)

Patched, easy peasy. Will wait for next major release to upgrade again. Thanks! :)

First, i want to thank the VB team for rapidly addressing security issues.

Second, I want to thank you all in advance for your assistance in answering this Q:

I have a VERY VERY hacked version of 2.2.5 in which i usually do manual patches whenever a security issue arises... can you tell me which part of the code the the function.php file contains the security fix?

Is 'the fix' only in the section labeled ###start bbcodeparse###?

Thanks again for all your hard work!

Anyone mind helping me identify the area of the function.php file that contains the fix so I can incorporate it into my hacked up 2.2.5? ive tried using the file by itself and i get errors...

Please?

just because it is late and I am already tired somebody help me out here, if i upgrade again to 3.06 do I still need to do the patch? and conversly(sp?) if I do the patch do I not need to upgrade to 3.06 to be secure again.

thanks

just because it is late and I am already tired somebody help me out here, if i upgrade again to 3.06 do I still need to do the patch? and conversly(sp?) if I do the patch do I not need to upgrade to 3.06 to be secure again.
You can either upgrade, or apply the security patch. In regard s to this explout, either way will plug this hole.

Anyone mind helping me identify the area of the function.php file that contains the fix so I can incorporate it into my hacked up 2.2.5? ive tried using the file by itself and i get errors...No. There are more holes in 2.2.5 than this one and the code has changed rather substantially since that version. The only way to ensure you are running a version with no known security holes is to upgrade to 2.3.6 at the very least.

No. There are more holes in 2.2.5 than this one and the code has changed rather substantially since that version. The only way to ensure you are running a version with no known security holes is to upgrade to 2.3.6 at the very least.

Fair enough... thanks for the reply. Ill see what I can do.

thanks vB for staying on top of security, I have patched since 3.0.1 because of a certain hack, decided to upgrade from 3.0.1 to 3.0.6 and upgrade the hack(s), all went well and the forum is running great, thank you

I upgrade to 3.0.5 with no problem at all. Unfortunately, wasn't as lucky this time. My forum is very lightly hacked with FlashChat being about the only thing added. This time, when I tried to run the upgrade.php file and entered my password, I get a fatal error screen. Something to do with Flashchat. I guess I will have to untinstall FlashChat first but have to figure out how to do that. I got it restored to the 3.0.5 version and installed the includes patch for now.

Don

Okay folks...maybe when I uploaded the 3.0.6 files I got a bad upload or something. I uploaded everything again and this time it worked just fine. Sorry about the false alarm.

Don

Anyone mind helping me identify the area of the function.php file that contains the fix so I can incorporate it into my hacked up 2.2.5? ive tried using the file by itself and i get errors...

Please?Hi there,

In order to get support you must have a valid vBulletin license. Once you purchase one you will receive your customer details in an email. With those customer details you can login to the Members' Area and click on the 'Priority Support (http://www.vbulletin.com/members/membersupport_priority.php)' link in the left menu. On the page that loads you must enter the email address you registered with on this support forum. When done correctly you will show up as a licensed members and you will receive priority support.

If you do have a valid vBulletin license, I kindly request you to update (http://www.vbulletin.com/members/membersupport_priority.php) your information.

If you do not have a vBulletin license yet, I invite you to go through our Sales F.A.Q. (http://www.vbulletin.com/contact_sales.php), ask for more information in our Pre-Sales Forum (http://www.vbulletin.com/forum/forumdisplay.php?forumid=47) and visit our vBulletin Order Page (http://www.vbulletin.com/order/).

If you have no vBulletin license, but run the vBulletin forum software, I kindly request you to remove the data from your web server and purchase a license before you continue. We do not have a free version, lite version or downloadable version to 'test' out before purchase. If you want to 'test' vBulletin prior to purchase you can request an Live Admin Demo (http://www.vbulletin.com/admindemo.php) to play around with. For obvious reasons we can't provide support to unlicensed members.


Thank you.

Fatal error: Call to undefined function: preg_replace() in /usr/home/htdocs/data/forums/includes/init.php on line 285


No hacks installed... Please advise.

Edit: Move this to general troubleshooting as it appears to affect other forums I have that I did not upgrade to 3.0.6. I did portupgrade to 4.3.10 yesterday... I jut did a make deinstall and make reinstall with pcre support...

Help

I never did find an answer to this and my forums started doing this tonight. I upgraded from .5 last night (everything but images). I don't have any hacks or anything like that.

FYI, I had modified both

editor_toolbar_standard
and
editor_toolbar_wysiwyg

in 3.05 but they didn't show up after upgrade when I did a find updated templates. Don't know why.

I made the changes anyway, but I wonder what went wrong and if this happens other times too.

Hope they release a stable PHP install soon, most web hosts are not aware of the unserialze problem and vB has been slow as hell since .10 was installed during the start of January 2005. At peak times it almost takes the whole site down.

Fatal error: Call to undefined function: preg_replace() in /usr/home/htdocs/data/forums/includes/init.php on line 285


No hacks installed... Please advise.

Edit: Move this to general troubleshooting as it appears to affect other forums I have that I did not upgrade to 3.0.6. I did portupgrade to 4.3.10 yesterday... I jut did a make deinstall and make reinstall with pcre support...

Help
Are you sure you compiled PCRE into your PHP? Does it say so in phpinfo()?

http://bugs.php.net/bug.php?id=29303&edit=2

I take it you're on FreeBSD? As you know, you need to recompile ports/lang/php4-extensions too! Otherwise you wind up with a new PHP with old 'plugins'. That could certainly account for an undefined function call.

- Mark

System Administrator Asarian-host.org


---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx

Thanks for the upgrade! It means a lot to have a secure feeling inside about my board when I walk away from my PC here at home.

I must say that Beyond Compare rocks my world! It made preparing the new files with my hacks prior to uploading them a breeze. I have the trial version of that right now, but it has proved it's worth 10 fold.

Thanks again for everything vbulletin team, your efforts are greatly appreciated by me.

Upgraded today, with no hacks installed. Upgrade went smooth!

Waiting for 3.0.7 now. :D

Noticed that the following files were not modified but was listed in the 3.0.5 to 3.0.6 modified files list:

admin/
forum.php
forumpermission.php

clientscript/
vbulletin_templatemgr.js

FYI.

Upgraded today, with no hacks installed. Upgrade went smooth!

Waiting for 3.0.7 now. :D
Every time I log onto vB.com I am afraid to look to see what version we are up to.:eek:
I know it is all necessary.

Upgraded today, with no hacks installed. Upgrade went smooth!

Waiting for 3.0.7 now. :D

No... no. Waiting for a new 3.x.0 version :p

do we have to make the templates alterations manually? or the upgrade script will take care of it?

well,

the upgrade script will just upgrade vbulletin if you have hacks installed you need todo all modofications again ... i've heared some rumours jelsoft is working on a "mods system" for the next release of vb don't know if it's really true

well,

the upgrade script will just upgrade vbulletin if you have hacks installed you need todo all modofications again ... i've heared some rumours jelsoft is working on a "mods system" for the next release of vb don't know if it's really true
I think I remember reading that it was more of a module system, which will allow for much easier integration of things such as a gallery, blogs, etc. I also read that they will provide their bug tracker as the first of these such modules as an example to its use.

Just what I remember reading, nothing offical.

So what was actually changed in the vb2 functions.php file?

I'm still on 2.3.0 I wont update. (Usually manually patch everything.)

I can't just change the functions file itself, because I lost my hacks info file on a hdd crash.

If someone could pm it to me or post it here that would be great.

Thanks

You can use WinMerge (http://winmerge.sourceforge.net/) to look at the differences between your old functions.php and the new, then apply the changes accordingly. WinMerge is free.

Is there an estimated time period before 3.1.x is out?

Yes, When It's Done™.

Yes, When It's Done™.




I hate that answer, but I love the Trademark symbol you added to it. :)

Since I upgraded from 3.0.3 to 3.0.6 I am missing Todays Birthdays on my main forum page. I checked the Usergroup Manager and "Display Today's Birthdays?" in VB Options. Everything is set to yes.


Any idea why this is happening?

John this is not a support thread, however try reverting the forumhome template, if that does not work please start your own thread in the support forum.

Yes, When It's Done™.
What is it about electronics and software that it's always kept under wraps until just the last minute? You can pre-plan your summer vacation. You pretty much know when the new models of cars are coming out. But camera and computer manufacturers will dump on you every time, by holding back the new model until just after you buy yours. Software updates are like a bad case of diarrhea because you have to quick-like get the job done or else! OK, I can understand the virus caused upsets - they happen to everyone at any time. But, the MAJOR overhaul - why can't we plan for that just a bit better? I'd prefer that it didn't happen on the day before I leave for my summer vacation.

vBulletin and other software updates are kept "under wraps" because competitors can easily come in and whip out the new features and steal some customers. Plus, it makes vBulletin look bad if a competitor comes out with a state of the art feature before they do. :) Im not complaining, I heard enough about the next release to be happy.

They probably could give a release date if they added a year on to their estimate to be safe,
and held back the d/l until that date, but I'd rather be able to d/l it as soon as
it's ready myself, and just not know the release date.

vB team, most of us know and understand all the reasoning, and know you
guyz are doing a fantastic job.
Keep up the great works.,,, ;)
and keep down the price. :D

Thanks for the update Jelsoft.

For those moaning about having to upgrade hacked boards, just go and grab yourself a copy of Beyond Compare. I've used that for the .4, .5, and am about to use it for this update and it works a treat. No need to re-install hacks or any of that nonsense.

Thanks,
Alan.
Beyond Compare?
What is this and where do I get a copy? :)

Beyond Compare?
What is this and where do I get a copy? :)
Beyond Compare®, the advanced file and folder comparison utility for Windows, helps you visualize changes in your code, keeps your directories in sync, and validates copies of your data.
http://www.scootersoftware.com/

nice... ty

Lots of comments about upgrading hassle.... I also think it's quite annoying to go into directories and replace files, feels scary... so why not provide an EXE tool that does the job? Just let it ask for "here is my current vbulletin installation", and "here is my database" and voila, it is fixed. And all necessary checks are done to ensure that everything is smooth. I'd feel better to use such a tool even if the job was only to replace one file, honestly.

The list of files to replace is provided for people hacking/modifying their vBulletin. If you are using vB3 as it comes out-of-the-box, simply upload/replace all files. Ignore the advanced template/file lists.

If you need an "EXE" or shell script, then shouldn't be using hacks/modifications. :)

The reason there is no executable is that vBulletin works on almost any computer platform. It is not restricted to Windows or Linux. To maintain an executable installer for every platform our customers use is well beyond our resource limits at this time and would incur a dramatic increase in prices, probably double or triple what they are today.

Thanks for the scootersoftware.


You made my day
Robbie
http://www.ratemyprofessor.com/ShowRatings.jsp?tid=37724

I'm still expecting to see a 3.0.7 release whenever I log on these days, it's scary.. ;)

I'm still expecting to see a 3.0.7 release whenever I log on these days, it's scary.. ;)
Every time I log onto vB my eyes glance at the top right of the screen.
No, I don't want to upgrade tonight. :eek:
Then I breathe a sigh of relief. :)

To be sure that I understand this fully --

If I am updating from 3.0.0 I need to install the patched init.php file from 3.0.5 then I should be able to upgrade to 3.0.6?

You do not need to installl any patches to upgrade. Here are the upgrade instructions:

http://www.vbulletin.com/docs/html/upgrade/

Also please read the Upgrade FAQ here:

http://www.vbulletin.com/forum/showthread.php?t=124989

Thanks for the update Jelsoft.

For those moaning about having to upgrade hacked boards, just go and grab yourself a copy of Beyond Compare. I've used that for the .4, .5, and am about to use it for this update and it works a treat. No need to re-install hacks or any of that nonsense.

Thanks,
Alan.

Thank you plenty! You've just made my day.

Thanks

This version is very good. works perefctly wihout any problems. Thanks a lot... :)