vBulletin 3.0.6 and 2.3.6 Released - Discuss

Kier
Tue 18th Jan '05, 4:56pm
Please use this thread to discuss the release of vBulletin 3.0.6 and 2.3.6.

Do not use this thread to report bugs, as it's likely they will be missed. If you believe you have found a bug, please file a report in the Bug Tracker (http://www.vbulletin.com/forum/bugs.php).

Also please do not post support requests here, these should be posted in the Support Forum or open a support ticket.

Have fun.

Andrew111888
Tue 18th Jan '05, 5:04pm
You're killing me here :(.

HondaATC
Tue 18th Jan '05, 5:06pm
Just patched my forum with the includes file :-)

_| () R | Z
Tue 18th Jan '05, 5:08pm
why didn't you guys also fix this vb 2 bug in the process: http://www.vbulletin.com/forum/showthread.php?t=99218 ?

squall14716
Tue 18th Jan '05, 5:10pm
Well, I can't download new versions since about 3 days ago and don't feel like patching dev boards and an inactive board, so eh. Nice job fixing these issues. Quite a lot of them found pretty close together, huh? ;)

Kier
Tue 18th Jan '05, 5:11pm
why didn't you guys also fix this vb 2 bug in the process: http://www.vbulletin.com/forum/showthread.php?t=99218 ?
For the most part, vBulletin 2 gets just security fixes. It is no longer actively developed, as vB 3 is the main version now.

woodysfj40
Tue 18th Jan '05, 5:18pm
wow...wish I'd waited until tomorrow morning to upgrade instead of doing it this morning....

just my luck.....thanks...

Torqued
Tue 18th Jan '05, 5:18pm
You're killing me here :(.

argh! and I just opened my forum today! :(

n_wattam
Tue 18th Jan '05, 5:20pm
this is becoming a total joke now, i am so &*(&* OFF, i upgraded to .4 installing all my patches, then the same again to .5 and now you saying i have to do it a 3rd time..

I only purchased this software 2 months ago, and wish i never bothered now.. i am so hacked of at this moment. The time and money lost, and i'm not the only one i'm guessing...

Creative Suite
Tue 18th Jan '05, 5:20pm
what about 3.0.7 ?

No Way Out
Tue 18th Jan '05, 5:22pm
i hope this is the last one for a while because updating every two weeks isn't enjoyable :(

conqsoft
Tue 18th Jan '05, 5:22pm
this is becoming a total joke now, i am so &*(&* OFF, i upgraded to .4 installing all my patches, then the same again to .5 and now you saying i have to do it a 3rd time..

I only purchased this software 2 months ago, and wish i never bothered now.. i am so hacked of at this moment. The time and money lost, and i'm not the only one i'm guessing...

So just install the one patched file and you'll be secure.

squall14716
Tue 18th Jan '05, 5:24pm
this is becoming a total joke now, i am so &*(&* OFF, i upgraded to .4 installing all my patches, then the same again to .5 and now you saying i have to do it a 3rd time..

I only purchased this software 2 months ago, and wish i never bothered now.. i am so hacked of at this moment. The time and money lost, and i'm not the only one i'm guessing...
Well, unless you have installed modifications it shouldn't be that bad. Besides, if you did install modifications, you could always patch and wait a few weeks before upgrading.

It is getting a bit annoying, but it's better than having unpatched security holes. Not that it'd bother me if the site that my license is on gets exploited at this point - it's so dead it won't be noticed for days.

StuKeR
Tue 18th Jan '05, 5:24pm
this is becoming a total joke now, i am so &*(&* OFF, i upgraded to .4 installing all my patches, then the same again to .5 and now you saying i have to do it a 3rd time..

I only purchased this software 2 months ago, and wish i never bothered now.. i am so hacked of at this moment. The time and money lost, and i'm not the only one i'm guessing...

Anyway I prefer that vbulletin became secure and safety that not upgrade regular... it's like a windows update... :D

n_wattam
Tue 18th Jan '05, 5:25pm
So just install the one patched file and you'll be secure.

Thats what was said last time.., next week .7 will be out, and at this rate before we know it we will be on .9

f-a_org
Tue 18th Jan '05, 5:25pm
Hmm.
It's good that you have released the patches so quick.
N_wattam, would you rather have your forums hacked or messed up or rather have the updates ? At least it's better than some software that doesn't ever update except maybe twice a year.

I hope this is almost or is the last update for a while though, I'd like to re-hack my new forums and my Members Area access is gone in Feb.
So after Feb, I won't be upgrading anymore.
If it's good enough for FAP it's good enough for me...

Does anyone know how many more updates there will be ?

_| () R | Z
Tue 18th Jan '05, 5:26pm
this is becoming a total joke now, i am so &*(&* OFF, i upgraded to .4 installing all my patches, then the same again to .5 and now you saying i have to do it a 3rd time..

I only purchased this software 2 months ago, and wish i never bothered now.. i am so hacked of at this moment. The time and money lost, and i'm not the only one i'm guessing...

nobody forces you to upgrade. but every XSS issue will be exploited sooner or later. it happens with every software (new holes in windows for example are found every week) and all forum software's have these problems. for example the big phpbb bug recently and also this week invisionboard released a security patch.

Mike Sullivan
Tue 18th Jan '05, 5:28pm
this is becoming a total joke now, i am so &*(&* OFF, i upgraded to .4 installing all my patches, then the same again to .5 and now you saying i have to do it a 3rd time..

I only purchased this software 2 months ago, and wish i never bothered now.. i am so hacked of at this moment. The time and money lost, and i'm not the only one i'm guessing...
Honestly, I know how you feel. We have to put many hours into putting a release out, and that takes away significant amounts of time from future releases.

Given a choice, we wouldn't have done all these recent releases. But we were notified of an issue and felt that it was our duty to release a fix for it. I think that's much better than not releasing a patch!

It's not like we try to have security issues; things slip through (you'll discover this specific issue in other boards as well). We're looking into preventing these issues from occurring in the future, but that takes time and (often) some significant code changes.

alamuae
Tue 18th Jan '05, 5:30pm
If we upgrade to vBulletin 3.0.6
can we use the language file of the vBulletin 3.0.5 ?
coz i spent time translating the language file for arabic language,
so can it be used to the newer version vBulletin 3.0.6 ?

if it can not be used and translating is needed for the newer version, can you tell me about the changes in the file of language for the newer version, for winning time instead of losing it searching for the changes.

Tipi
Tue 18th Jan '05, 5:33pm
Ah, come on!! What is this? 3 upgrades in 2 weeks? Is there no way to make upgrades without having to delete hacks and stuff like that? I'm going for a patch this time. Why don't make an even more secure version this time, so we don't have to upgrade each week. ;)

Ace
Tue 18th Jan '05, 5:37pm
Dang!

Well, good thing I only JUST NOW finished uploading 3.0.5 to my other forum. :)

Alan @ CIT
Tue 18th Jan '05, 5:38pm
Thanks for the update Jelsoft.

For those moaning about having to upgrade hacked boards, just go and grab yourself a copy of Beyond Compare. I've used that for the .4, .5, and am about to use it for this update and it works a treat. No need to re-install hacks or any of that nonsense.

Thanks,
Alan.

maggie
Tue 18th Jan '05, 5:40pm
LOL My board's down (server issues), so I stopped in... guess I have more work to do! :D
Btw, I won't gripe about the upgrades, ya'll went a while without having any... if it's safer, I'm for it... good job! :)

Wiltuk
Tue 18th Jan '05, 5:46pm
Bleh, more work for me...

Although, it makes me feel better knowing that vb are on the ball with security updates :)

Lenni
Tue 18th Jan '05, 5:48pm
upgrade took again only 5 minutes [file upload included]. i have nothing to complain about - see? i am not using any hacks and am happy. for anyone who is using hacks - thats the thing you need to accept. either hack your board and re-hack it every time a new release comes out or leave it unhacked. :)

Sal Collaziano
Tue 18th Jan '05, 5:52pm
Why doesn't other popular software have so many security issues like this? I run all different types of forums and this is the only one that I have to constantly update every week or every other week. It's not like we're talking Microsoft to Fisher Price here. There's other VERY popular forum software that doesn't go through this 10% as much as here.

Wiltuk
Tue 18th Jan '05, 5:56pm
Why doesn't other popular software have so many security issues like this? I run all different types of forums and this is the only one that I have to constantly update every week or every other week. It's not like we're talking Microsoft to Fisher Price here. There's other VERY popular forum software that doesn't go through this 10% as much as here.
It might be because vb keep testing their software for the exploits, whereas most other software makers just wait until a hole is exploited, then patch it.

bfoot045
Tue 18th Jan '05, 5:56pm
Honestly, I know how you feel. We have to put many hours into putting a release out, and that takes away significant amounts of time from future releases.

Given a choice, we wouldn't have done all these recent releases. But we were notified of an issue and felt that it was our duty to release a fix for it. I think that's much better than not releasing a patch!

It's not like we try to have security issues; things slip through (you'll discover this specific issue in other boards as well). We're looking into preventing these issues from occurring in the future, but that takes time and (often) some significant code changes.

You could always release the OOP release tonight to make up to all the angry customers.

Luckily, I didn't upgrade to 3.0.5, I am just doing those single file patches until another major release.

Rayyani
Tue 18th Jan '05, 5:58pm
Up with alamuae!

mrfox1979
Tue 18th Jan '05, 6:00pm
i got a cookie error when i changed the functions_bbcodeparse.php file so i went back to my old version

Neocorteqz
Tue 18th Jan '05, 6:04pm
lol. Classic, it's too bad I don't have DL access atm.

Joseph777
Tue 18th Jan '05, 6:04pm
So just install the one patched file and you'll be secure.

...exactly...

At least vB is diligently working on these issues as they arise. When it rains, it pours. I ain't mad at ya guys! :) ;)

UPDATE... Done, took me (let's see here) 2 minutes!

digitalhome
Tue 18th Jan '05, 6:06pm
Can someone please explain what is meant by

Requires Revert? Yes

And specifically, what should I do after the update.

In addition, in the announcement thread, is an attachment for the vbulletin_3_patch.zip. What should we do with that? no specifics in the thread

n_wattam
Tue 18th Jan '05, 6:06pm
dont think i am going to bother, i would rather backup my forum on daily basis, and wait a good month or so, to see if a new version comes out or not, before committing hours of time yet again.

Torqued
Tue 18th Jan '05, 6:10pm
so what is it we need to do to just "patch" without the full upgrade? upload the new init.php?

Reminder
Tue 18th Jan '05, 6:10pm
Fatal error: Call to undefined function: convert_version_to_int() in /atasatforum.com/htdocs/v5/vbcp/template.php on line 95

:( :( :confused:

soopa
Tue 18th Jan '05, 6:11pm
Come on guys. Seriously... come up with an intuitive "patching" system for security fixes.

The "security upgrade" label is cute (I'm using it myself when letting my community know why the site keeps going down for upgrades) but it's tired.

I appreciate that, in the meantime, you're fixing small bugs and including them in revisions... but there is absolutely no reason you need to package all these small changes with the MAJOR security fixes.

Granted, we can use Beyond Compare or something of the sort, but even then we have to guess what changes are NECESSARY and which aren't. It's jumping through hoops to say the least.

Just tell us exactly what to change to fix the security hole, OR give us just the files with JUST THOSE CHANGES to apply as patches. This means, if there is a security hole in forumdisplay.php... give us forumdisplay.php with just that hole fixed.

Whatever. Just come up with SOMETHING! PLEASE! Otherwise I'm going to start submitting support tickets when I need you to come over and tell my 50,000 members why we need to go offline for a day -- again.

Zachery
Tue 18th Jan '05, 6:11pm
Reminder please start a new thread or create a support ticket if you need assistance.

Mike Sullivan
Tue 18th Jan '05, 6:11pm
digitalhome-
"Requires revert" refers to whether you need to redo your customized version of that template. If it says yes (without anything saying "if you want this", etc), then you must redo your template; if you don't, things will break. Otherwise, you need only revert to get the changes/fix.

As for what to do with the patch, overwrite the appropriate file on your server (includes/functions_bbcodeparse.php in vB3) with the one provided in the appropriate zip.

Zachery
Tue 18th Jan '05, 6:12pm
Come on guys. Seriously... come up with an intuitive "patching" system for security fixes.

The "security upgrade" label is cute (I'm using it myself when letting my community know why the site keeps going down for upgrades) but it's tired.

I appreciate that, in the meantime, you're fixing small bugs and including them in revisions... but there is absolutely no reason you need to package all these small changes with the MAJOR security fixes.

Granted, we can use Beyond Compare or something of the sort, but even then we have to guess what changes are NECESSARY and which aren't. It's jumping through hoops to say the least.

Just tell us exactly what to change to fix the security hole, OR give us just the files with JUST THOSE CHANGES to apply as patches. This means, if there is a security hole in forumdisplay.php... give us forumdisplay.php with just that hole fixed.

Whatever. Just come up with SOMETHING! PLEASE! Otherwise I'm going to start submitting support tickets when I need you to come over and tell my 50,000 members why we need to go offline for a day -- again.
We do tell you exactly what files are changed for each upgrade. and we tell you specifically what files you need to patch for a serious upgrade. that's why we provide them for download by licensed members in the release thread.

Mike Sullivan
Tue 18th Jan '05, 6:13pm
Just tell us exactly what to change to fix the security hole, OR give us just the files with JUST THOSE CHANGES to apply as patches. This means, if there is a security hole in forumdisplay.php... give us forumdisplay.php with just that hole fixed.
There's patches for vBulletin 2 and 3 in the announcement. They are there for this exact reason.

n_wattam
Tue 18th Jan '05, 6:18pm
Come on guys. Seriously... come up with an intuitive "patching" system for security fixes.

The "security upgrade" label is cute (I'm using it myself when letting my community know why the site keeps going down for upgrades) but it's tired.

I appreciate that, in the meantime, you're fixing small bugs and including them in revisions... but there is absolutely no reason you need to package all these small changes with the MAJOR security fixes.

Granted, we can use Beyond Compare or something of the sort, but even then we have to guess what changes are NECESSARY and which aren't. It's jumping through hoops to say the least.

Just tell us exactly what to change to fix the security hole, OR give us just the files with JUST THOSE CHANGES to apply as patches. This means, if there is a security hole in forumdisplay.php... give us forumdisplay.php with just that hole fixed.

Whatever. Just come up with SOMETHING! PLEASE! Otherwise I'm going to start submitting support tickets when I need you to come over and tell my 50,000 members why we need to go offline for a day -- again.


I totally agree with you here mate... it would be fine if you only supplied the files needed to solve the security hole, but to use this to fix all the other bugs at the same time, only makes our work much harder and longer at the same time.

At the moment, i am harming the site i have worked hard to build up, with having to close it down all the time.

So what about sticking to what the title says and just providing the files and info needed to fix security problem, and saves all these bug fixes for a major release.

_| () R | Z
Tue 18th Jan '05, 6:19pm
Why doesn't other popular software have so many security issues like this?

maybe they have, but haven't been found yet or they are trying to cover it up.

I run all different types of forums and this is the only one that I have to constantly update every week or every other week.

Before 3.0.4 there hadn't been a release in 6 months......

BootsSiR
Tue 18th Jan '05, 6:19pm
Those who are complaining about having a hacked forum that is difficult to update can really only blame themselves. If you take time when hacking your forum and comment your php code, updating is a snap with beyond compare. I have at least 10 hacks done to my forum and this update will take me all of 5 minutes.

When you add a hack, include new/changed code in comments like

// BEGIN WHATEVER HACK HERE

hack code;

// END WHATEVER HACK HERE

then when you need to upgrade, it's just a matter of comparing your files to the newly released files and inserting/updating the sections of code which you have clearly marked. I've done it with the last two releases with NO issues whatsoever.
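
The marking convention described in the post above can be checked mechanically before a patched file is uploaded over a modified one. This is an added example, not part of the original post and not vBulletin code: the function names, the PHP sample and the hack name are constructed, and it assumes you kept an unmodified copy of the file from your installed version to compare against.

```python
import difflib
import re

# Marker lines in the style the post suggests: "// BEGIN <name>" / "// END <name>".
MARK = re.compile(r"^\s*//\s*(BEGIN|END)\s+(.+?)\s*$")


def marked_blocks(lines):
    """Return [(name, begin_idx, end_idx)] for every BEGIN/END pair (0-based)."""
    blocks, open_name, open_idx = [], None, None
    for idx, line in enumerate(lines):
        m = MARK.match(line)
        if not m:
            continue
        kind, name = m.groups()
        if kind == "BEGIN":
            if open_name is not None:
                raise ValueError(f"line {idx + 1}: BEGIN inside open block {open_name!r}")
            open_name, open_idx = name, idx
        else:
            if name != open_name:
                raise ValueError(f"line {idx + 1}: END {name!r} has no matching BEGIN")
            blocks.append((name, open_idx, idx))
            open_name = None
    if open_name is not None:
        raise ValueError(f"BEGIN {open_name!r} is never closed")
    return blocks


def review_before_overwrite(stock_text, installed_text):
    """Decide what overwriting the installed file with a vendor patch would lose.

    stock_text     -- unmodified file from the version currently installed
    installed_text -- the file as it is on the server, hacks included
    """
    stock = stock_text.splitlines()
    installed = installed_text.splitlines()
    blocks = marked_blocks(installed)

    def in_block(idx):
        return any(b <= idx <= e for _, b, e in blocks)

    unmarked = []  # 1-based installed line numbers changed outside any marker pair
    matcher = difflib.SequenceMatcher(None, stock, installed, autojunk=False)
    for tag, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        if j1 == j2:
            # Stock lines were deleted; acceptable only strictly inside a block.
            if not any(b < j1 <= e for _, b, e in blocks):
                unmarked.append(j1 + 1)
        else:
            unmarked.extend(j + 1 for j in range(j1, j2) if not in_block(j))

    hacks = [(name, installed[b + 1:e]) for name, b, e in blocks]
    if stock == installed:
        action = "overwrite"               # nothing local to lose
    elif unmarked:
        action = "manual-merge"            # some edits would vanish silently
    else:
        action = "overwrite-then-reapply"  # every local edit is a marked block
    return {"action": action, "hacks": hacks, "unmarked_lines": unmarked}


# Constructed sample input (placeholder PHP, not real vBulletin source).
STOCK = """<?php
function parse_tag($text)
{
    $text = trim($text);
    return $text;
}
"""
HACK = """    // BEGIN SMILEY HACK
    $text = add_smileys($text);
    // END SMILEY HACK
"""
MARKED = STOCK.replace("    return", HACK + "    return")
UNMARKED = MARKED.replace("= trim(", "= rtrim(")

if __name__ == "__main__":
    for label, text in (("stock", STOCK), ("marked", MARKED), ("unmarked", UNMARKED)):
        print(label, review_before_overwrite(STOCK, text))
```

A result of `manual-merge` means the file carries edits that no marker records, so replacing it with the patched file would drop them without any trace to re-apply from.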

soopa
Tue 18th Jan '05, 6:19pm
There's patches for vBulletin 2 and 3 in the announcement. They are there for this exact reason.

OK -- I'm an idiot then.

Why don't you guys save yourselves (and your customers) the trouble of yet-another-release by releasing ONLY those patches?

Especially while it seems these rushed releases are cause for even more little bugs.

cirisme
Tue 18th Jan '05, 6:22pm
Of course, I just about finish the .5 upgrade when .6 comes around.

I'm washing my car today, am expecting snow all week.

AWS
Tue 18th Jan '05, 6:25pm
Just got done updating all my sites to 3.0.5 on my dev server. Was getting ready to upload it all and came here to read the forum before doing it. I guess I'll just download 3.0.6 and upgrade to it.
Thanks for keeping up with fixing security holes. I would rather update every week then to have a hole left open. Good work guys.

n_wattam
Tue 18th Jan '05, 6:25pm
Those who are complaining about having a hacked forum that is difficult to update can really only blame themselves. If you take time when hacking your forum and comment your php code, updating is a snap with beyond compare. I have at least 10 hacks done to my forum and this update will take me all of 5 minutes.

When you add a hack, include new/changed code in comments like

// BEGIN WHATEVER HACK HERE

hack code;

// END WHATEVER HACK HERE

then when you need to upgrade, it's just a matter of comparing your files to the newly released files and inserting/updating the sections of code which you have clearly marked. I've done it with the last two releases with NO issues whatsoever.

But when doing an upgrade is there not an issue with the data in your database aswell, from your hacks etc..

Mark.B
Tue 18th Jan '05, 6:32pm
I get annoyed about the constant upgrading as my board is modified, HOWEVER:

1) It takes me less than an hour to re-add all my hacks.

2) I'd far rather security be kept up to date whatever the cost.

I would have to say from my test board that upgrading an *unmodified* board took, umm, around 3 minutes, and 2 of those minutes were just the file uploads. So it isn't a tricky process by any means, don't be scared anyone.

BootsSiR
Tue 18th Jan '05, 6:32pm
But when doing an upgrade is there not an issue with the data in your database aswell, from your hacks etc..

nope... vb is only concerned with vb related tables

Spydey
Tue 18th Jan '05, 6:33pm
But when doing an upgrade is there not an issue with the data in your database aswell, from your hacks etc..

I haven't had that happen yet..

A few hacks will want you to rebuild templates. But that's quick, easy, and painless.

BTW - I don't like having to take time to upgrade the forums every week. but things happen... If you don't like it - patch it. 1 file, come on.... sheesh...

poolking
Tue 18th Jan '05, 6:49pm
n_wattam the longer you complain about having to upgrade the more time it will take you to reapply your hacks, follow the instructions given by several members already in this thread and stop complaining.

DelphiVillage
Tue 18th Jan '05, 6:52pm
daim jelsoft,
can you slow down a bit :D nono seriously no need to apologize we customers are glad you developers fix the holes :D

ragintajin
Tue 18th Jan '05, 6:52pm
Performance Hit Since PHP 4.3.10 / 5.0.3

Many people have noticed that vBulletin (and a lot of other PHP applications) suddenly started to run significantly slower than normal after installing PHP 4.3.10 or 5.0.3 in order to patch the security flaw in previous versions of PHP.

Could this be the reason why my board is slower and increasingly plagued with 500 Internal Server Errors?

n_wattam
Tue 18th Jan '05, 6:55pm
n_wattam the longer you complain about having to upgrade the more time it will take you to reapply your hacks, follow the instructions given by several members already in this thread and stop complaining.

lol, i'm already stressed today... you will feel the wrath of my hand :p , i guess putting off installing my gallery etc back on tonight cos i was watching stargate paid off in someway...


So if i do an upgrade its just a case of moding files and putting templates back on? and hack should be ok... what about install files, as these will edit the databases wont they, and links that anyone can recommend at all on this..

Mark.B
Tue 18th Jan '05, 6:58pm
Templates will not be touched.

Any hacks will be lost as a hack involves editing the php files.

Your database *should* be ok, always has been for me, but nonetheless as with all upgrades take a full backup of your DATABASE and PHP FILES prior to commencing the upgrade.

Mark.B
Tue 18th Jan '05, 7:00pm
But when doing an upgrade is there not an issue with the data in your database aswell, from your hacks etc..
In most cases, no.

Take a backup first. In the event of any problems either remove the modified tables or reapply the hack, one of those will normally fix things unless you're VERY unlucky.

I've got various hacks large and small and the database has never caused any problems on upgrading.

Chroder
Tue 18th Jan '05, 7:11pm
If you don't want to upgrade, like me, then simply apply the security patches that Jelsoft provides.

I don't know why everyone is all mad because they "have to" upgrade again. All you have to do is upload one file if you don't want to upgrade.

I for one am waiting for the next "big" release. The small bugs don't affect me or our members so putting off an upgrade is just fine.

BootsSiR
Tue 18th Jan '05, 7:18pm
upgraded! went smooth like buttah!

mixx941
Tue 18th Jan '05, 7:19pm
Silly question here. I'm running 3.0.3. Unfortunately my accesstothemembers area expired only a week or two before all these "slew" ofupgrades known as 3.0.4, 3.0.5, and 3.0.6 came out. :mad: :(

Do I still get the ZIP file and patch then?

Thanks in advance.

Booth
Tue 18th Jan '05, 7:22pm
If you don't want to upgrade, like me, then simply apply the security patches that Jelsoft provides.

I don't know why everyone is all mad because they "have to" upgrade again. All you have to do is upload one file if you don't want to upgrade.

I for one am waiting for the next "big" release. The small bugs don't affect me or our members so putting off an upgrade is just fine.

So I've applied the patch - does that mean I don't need to upgrade to 3.0.6 entirely? For example I can just upgrade from 3.0.5 to 3.1.0 (when it comes around)?

If so I can wait to upgrade :)

n_wattam
Tue 18th Jan '05, 7:22pm
Is it possible to do a fresh install, and use my existing database?

mixx941
Tue 18th Jan '05, 7:23pm
Unfortunately my accesstothemembers area expired only a week or two before all these "slew" ofupgrades


Hmm. I never made those two typos of "accesstothemembers" and "ofupgrades". I fixed them, and they keep coming back. :confused:

Rocol
Tue 18th Jan '05, 7:23pm
Nice work Guys, shall be doing the upgrade tomorrow :cool:

Arsenik
Tue 18th Jan '05, 7:25pm
Silly question here. I'm running 3.0.3. Unfortunately my accesstothemembers area expired only a week or two before all these "slew" ofupgrades known as 3.0.4, 3.0.5, and 3.0.6 came out. :mad: :(

Do I still get the ZIP file and patch then?

Thanks in advance.

You can dl the files provided in the announcement thread as attachment but will need to renew your dl member access to be able to dl the complete list of files. ($30/year)

mixx941
Tue 18th Jan '05, 7:26pm
You can dl the files provided in the announcement thread as attachment but will need to renew your dl member access to be able to dl the latest complete files. (30/year)

Thanks for the response. I know I can, what I was asking is should I? (Are they compatible if I have not updated to the latest 3.0.5 or whatever). I'm assuming yes, but I'd like to be sure.

Thanks.

Odysseus
Tue 18th Jan '05, 7:26pm
Since I had no changes in my functions_bbcodeparse.php, I just replaced this single file and will stay on version 3.0.5.

Thank you for closing this security hole.

So I've applied the patch - does that mean I don't need to upgrade to 3.0.6 entirely? For example I can just upgrade from 3.0.5 to 3.1.0 (when it comes around)?

If so I can wait to upgrade :)

That's what I will do, too.
It's safe to stay on 3.0.5 if you apply the patch.

MotoUp
Tue 18th Jan '05, 7:32pm
Upgraded here with no problems.

Paul M
Tue 18th Jan '05, 7:37pm
Is it possible to do a fresh install, and use my existing database?
Yes.

theArchitect
Tue 18th Jan '05, 7:38pm
Right, this is getting ridiculous.

I am a huge fan of vB and the Jelsoft team. They do an amazing job of producing an enterprise product that allows my clients to run forums on their sites when they could never afford to pay to have a custom build of something like this. So my hat off to them and many thanks for their tireless efforts and ongoing support.

However, these security flaws are getting tiresome. I know that if they knew all of the security issues then they would patch them all in one go, and I am amazed at their turn around time in fixing these issues when they crop up.

But ultimately, vBulletin is one of the most widely used forum software's on the planet and there are a myriad of people "hacking" it to develop an even greater level of functionality. I would have thought that a natural branch of Jelsoft would have been an actual group of real hackers who do nothing but try and access restricted parts of the system and cause general havoc and mayhem. Surely this would help with diagnosing security flaws.

A frustrated, but ultimately happy customer.

mskgr
Tue 18th Jan '05, 7:39pm
I get annoyed about the constant upgrading as my board is modified, HOWEVER:

1) It takes me less than an hour to re-add all my hacks.

2) I'd far rather security be kept up to date whatever the cost.



Just quoting your words. Thank you Jelsoft.

Electronic Punk
Tue 18th Jan '05, 7:45pm
Will be upgrading tomorrow :)

ChipTz
Tue 18th Jan '05, 7:46pm
Joined the prefertohavereleaseseverydayeveniftheygivemealotof troubleupgradingiftheyfixsecutityholesthanhavemyfo rumopentoattacks club :)

PixelFX
Tue 18th Jan '05, 7:46pm
Thanks for the update, The note on php slow down is a godsend, I was wondering why my site was running so slow. Thanks for the patch for the vbcode, I just got my site fully hacked up to 3.0.5 .. *blinks* anyway its all good, *backs him self into a corner to start over*

sleep747
Tue 18th Jan '05, 7:47pm
Its getting to the point I know all the hacks by heart now.

I even did the gallery without checking the directions.

As for the constant updates, I have 3 hrs a week set aside just for this kind of stuff. Its getting to the point that just about every software package I use is updating on a regular basis.

Now if only I could get paid for all this :D

cirisme
Tue 18th Jan '05, 7:49pm
I don't really mind the updates, I'd definitely prefer to be up to date and secure. That isn't the frustrating part... the frustrating part is just getting 3 separate releases in such a short span. Not much can be done about it, I suppose, but it still is (unavoidable) frustrating. :)

ChipTz
Tue 18th Jan '05, 7:53pm
I already patched the forum with the file supplied but I am consideringupgrading to 3.0.6 only at the end of the week, but only and only ifthe patch fixes the secutiry issue. Can someone please confirm thatwith the patch included in the zip of the announcement my board is nologer exposed to the security issue and I can delay the upgrade untilthe end of the week?

lancelot
Tue 18th Jan '05, 7:56pm
Its very ok for Jelsoft to update the forums...That means that the guys working right there and thats good...

My only disagreement, would be with your public policy of Jelsoft.

I mean, if u guys know from now(and i think u now) that u already patching something to be released in a week or 2, tell us, so we dont "start uploading hacks" and just wait.

If the time is in 2-3 months, what the hell, lets put them inside.

This is the only thing concerns me with these updated...I had just set up a 3.0.5 forum, and i was ready to start uploading hacks...when i noticed that 3.0.6 released!!!

Anyway, now i wait for my admin to install a fresh install of the new version and start working on it at last:)

Hal9000
Tue 18th Jan '05, 7:57pm
are there any update details for us with mods in our board who wishes to do the upgrade, manual?

mixx941
Tue 18th Jan '05, 8:09pm
Is it just me, or do I see a lot of posts being manipulated somehowwith the spaces being taken out of words like my posts before? Forexample:

I already patched the forum with the file supplied but I am consideringupgrading

or

Can someone please confirm thatwith the patch included

Don't know if it's a new bug or what. :confused:

ChipTz
Tue 18th Jan '05, 8:12pm
We'll, I'm a bit tired and being from portugal won't help in my english but I belive I wrote my post with the spaces in it :)

I noticed that in my previous post I intentionally supressed the spacesbetween that loooong word :D but vbulletin is putting spaces in it, Ibelive it's a protection because of forum layout; in this all spacesshould be ok, let's see the result :)

Posting via quick reply in Firefox 1.0

asarian
Tue 18th Jan '05, 8:14pm
Please use this thread to discuss the release of vBulletin 3.0.6 and 2.3.6.

Do not use this thread to report bugs, as it's likely they will be missed. If you believe you have found a bug, please file a report in the Bug Tracker (http://www.vbulletin.com/forum/bugs.php).

Also please do not post support requests here, these should be posted in the Support Forum or open a support ticket.

Have fun.

Sigh. I *just* upgraded to 3.0.5. And now, two days later, I have to do it again?? "Fun" I would not call this. :(

I just want to know one thing: if I upgrade the board, will the upgrade retain my current, customized templates?

- Mark

System Administrator Asarian-host.org


---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx

Mr_Bob
Tue 18th Jan '05, 8:18pm
Well, it's better than being unsecure. I'm beginning to get a bit annoyed with the fact that there have been 3 updates in the last few weeks that have been security and bug fixes. I guess we got what we wanted though. There was no update for months after 3.0.3 came out and now we're all sick of them :D. Oh well, time to upgrade.

Mr_Bob
Tue 18th Jan '05, 8:20pm
Sigh. I *just* upgraded to 3.0.5. And now, two days later, I have to do it again?? "Fun" I would not call this. :(

I just want to know one thing: if I upgrade the board, will the upgrade retain my current, customized templates?

- Mark

System Administrator Asarian-host.org


---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
As long as you do not manually revert the templates VB will keep all your template data. However you will need to change any altered PHP files which is a given :).

pfdc
Tue 18th Jan '05, 8:21pm
I have also upgraded three versions in three weeks!!!!!!. this is way over NOT ACCEPTABLE. You charge people for a software and every week you find a bug?? I guess you are charging us just to develop your forum..

This is NOT fair to us.. the PHPBB even though not as strong as this one, has had a lot of work done on it. It's still free. I think if anyone has the face to charge someone for something, must also provide service for it.

These forums do not suffice with the way they are designed, therefore people install hacks.. I promise you spending many hours on the net trying to get the hacks right is not easy and not fun.


I demand an explanation on this from the mods or whoever responsible. Just remember that I am a customer here and having to UPGRADE three times in the course of three weeks is NOT ACCEPTABLE and I don't care how much you say about security issues.

These HOLES as you guys call them are programmed by you guys and NOT the people who make the hacks or install them,.. there is something YOU are not doing right..

now to take care of this, you need to spend the money you collect from people ON THE SOFTWARE.. HIRE PEOPLE IF YOU NEED TO.. I don't care.. bring someone who once and for all resolves this issue.. I am sure it is very easy for you to come here and answer me in a way that I will leave this thread or forum.. but be honest and a good merchant.. If you are charging for something.. it should not be a full-of-holes lemon.. Or if your forum is still NOT READY.. WHY DO YOU CHARGE FOR IT THEN?

Skinny
Tue 18th Jan '05, 8:21pm
For those with modified boards, maybe it's best to wait until things settle down a little before adding on more mods. I'm not convinced that these issues won't rear their head again soon. We've had patch after patch over recent weeks. That's just the way it is, and I'm glad for the patches, but those complaining about modded boards, just hang fire for a while..

The Prohacker
Tue 18th Jan '05, 8:22pm
Just had a rather large issue on WHT with upgrading 2.3.6. All links were broken after update, after checking some of the new code for bbcode breaks all links. I have made bug report via the vB3 bug tracker since the vB2 bugs forum is closed.

http://www.vbulletin.com/forum/bugs.php?do=view&bugid=3676

I would suggest anyone upgrading their vB2 installations to hold off until this gets resolved.

[it's resolved --Mike]

Ocean
Tue 18th Jan '05, 8:24pm
Guys, I know you're frustrated - but give the Devs a break.

It's true that there are companies who are lax in their coding practices, and that causes headaches for their customers.

But from what I've seen, the Devs at Jelsoft try to do it right. You guys complain because new security issues keep coming up, and you act as if the Devs have a list of them, but are just being lazy about implementing them all in one shot.

It's easy to say that Jelsoft should have a bunch of hackers dedicated to hacking vB, but real life isn't that simple. Aside from the fact that doing something like that costs money - the real meat of the matter is that you don't really understand hacking.

Hacking is a cycle of exploration and applied intellect. There is no final level. There is no final goal. It's a constant evolution of knowledge, learning, and thought. Even if Jelsoft had 100 hackers working for them, that doesn't mean that they will find all the possible ways that a determined person can manipulate the system - because there is no fixed answer.

It is almost impossible (if not outright impossible) to "close all the holes". And the more complicated the code, the more this statement becomes true. The Devs have shown nothing but quick and responsible behavior when it comes to security issues.

You don't like having multiple security releases. Well, what would you prefer? That they leave the holes open? That would be stupid and irresponsible of them.

It's not their fault that new exploits are found. However, it would be their fault if they didn't act quickly to nullify those exploits.


vB is not a simple piece of software. Add to that, the fact that it relies on at least four other applications (Server OS, Web Server, PHP, MySQL), and what you have is a lot of ways that exploits can be developed.


So, please understand that the Devs are doing exactly what they should be doing. If you would prefer it if they held off on the releases - even though exploits have been discovered - well, just don't install them. Honestly, what's the difference between whether vB had no intermediate releases between v3.0.3 and 3.0.6, or whether you just didn't install anything until v3.0.6?

After all, it's not like by not releasing the fix, no one will know about the exploits in question. :)

Ocean
Tue 18th Jan '05, 8:27pm
Okay, I would like to get some clarification on the vB 3.0.6 announcement, please. In the announcement, it says:



vBulletin 3.0.6 and 2.3.6 are security and bug fix releases. They fix a recently discovered XSS issue regarding BB code parsing.

All versions of vBulletin are vulnerable. The only workaround is to disable BB code parsing in signatures and all forums where untrusted users can post.




Now, does this mean that all versions of vB including v3.0.6 are vulnerable?

Or did you mean that all versions prior to v3.0.6 were vulnerable?


The post is unclear, which is why I am asking. :)

bfoot045
Tue 18th Jan '05, 8:30pm
I totally agree with you here mate... it would be fine if you only supplied the files needed to solve the security hole, but to use this to fix all the other bugs at the same time, only makes our work much harder and longer at the same time.

At the moment, i am harming the site i have worked hard to build up, with having to close it down all the time.

So what about sticking to what the title says and just providing the files and info needed to fix security problem, and save all these bug fixes for a major release.
I would rather have a choice between downloading a full package with all the annoying bugs fixed with the security issue fixed too and downloading a patched file, than just a patched file. I think the system they have created is very unique and useful.

teach1st
Tue 18th Jan '05, 8:31pm
vB 3.05 > 3.06 went swell.

Applying the vbulletin_2_patch.zip functions.php patch broke images (vbcode and html), on my 2.3.5 board.

Mok
Tue 18th Jan '05, 8:33pm
thx for the security update. i am still on 3.0.3, i only install the security fixes ... and will not be doing a major update until my vB members area time is up :) hah

Jake Bunce
Tue 18th Jan '05, 8:34pm
I for one like security releases. It's better than being stuck with a vulnerable piece of software.

Now, does this mean that all versions of vB including v3.0.6 are vulnerable?

Or did you mean that all versions prior to v3.0.6 were vulnerable?

It means all versions before 3.0.6 and 2.3.6.

Ogden2k
Tue 18th Jan '05, 8:35pm
Thanks for the security update! Only took me ~10 minutes with my hacks. I really like the new version of ACP Quick Stats. :D

Mike Sullivan
Tue 18th Jan '05, 8:36pm
vB 3.05 > 3.06 went swell.

Applying the vbulletin_2_patch.zip functions.php patch broke images (vbcode and html), on my 2.3.5 board.
Grab the new vbulletin_2_patch.zip. It should fix that issue.

Toky0
Tue 18th Jan '05, 8:39pm
I patched my board for now. Thanks for the fix Jelsoft. I really appreciate how you guys are on top of all these exploits. Makes me feel good about the money I spent on your product. Best $160 I ever spent. :D

teach1st
Tue 18th Jan '05, 8:42pm
Grab the new vbulletin_2_patch.zip. It should fix that issue.
I'll give it a shot.

ON EDIT: That did the trick! Patch applied and the pics are there.

n_wattam
Tue 18th Jan '05, 8:47pm
I have also upgraded three versions in three weeks!!!!!!. this is way over NOT ACCEPTABLE. You charge people for a software and every week you find a bug?? I guess you are charging us just to develop your forum..

This is NOT fair to us.. the PHPBB even though not as strong as this one, has had a lot of work done on it. It's still free. I think if anyone has the face to charge someone for something, must also provide service for it.

These forums do not suffice with the way they are designed, therefore people install hacks.. I promise you spending many hours on the net trying to get the hacks right is not easy and not fun.


I demand an explanation on this from the mods or whoever responsible. Just remember that I am a customer here and having to UPGRADE three times in the course of three weeks is NOT ACCEPTABLE and I don't care how much you say about security issues.

These HOLES as you guys call them are programmed by you guys and NOT the people who make the hacks or install them,.. there is something YOU are not doing right..

now to take care of this, you need to spend the money you collect from people ON THE SOFTWARE.. HIRE PEOPLE IF YOU NEED TO.. I don't care.. bring someone who once and for all resolves this issue.. I am sure it is very easy for you to come here and answer me in a way that I will leave this thread or forum.. but be honest and a good merchant.. If you are charging for something.. it should not be a full-of-holes lemon.. Or if your forum is still NOT READY.. WHY DO YOU CHARGE FOR IT THEN?


I have to agree with this.. We are all paying customers on here, and pay for a service. Yes on one note it is good they are finding these security holes and fixing them, but where does it draw the line.

Is it a case of we all upgrade to .6, and if you find a bug tomorrow, you start getting ready to bring out a .7 and tell us when it's done, while you know we are all rushing around like blue arsed flies upgrading and remodding.

Take this for an example you have a business to run on here, and your server provider says downtime for 2 hours while we fix security issues. then 3 days later they do the same again, and again.. You will soon get fed up of this, as your service is being interrupted and costing you money at the end of the day. But it has to be done right. But with any good host at least you get notice that this may happen.


What i think you could at least do is like the guy above mentions, as soon as you know you're working on a new revision/patch because a security issue is found put a notice up out of respect to your customers, then a lot of us where it's a case of just finished spending 5 hours of work know to hold back on that kind of work and we wouldn't be so p(*(ed as much.

I think this is a reasonable request and very fair, you could have done this twice, and save thousands and thousands of hours of work to all of your customers. I would far more respect your company as a whole for that.

Save me 5 hours work, or waste 5 hours work and have to repeat 5 hours work. not a hard choice...

pieman666
Tue 18th Jan '05, 8:51pm
have i read this all wrong or can't you just upload the one file that has been changed due to the security issue (it's in the main post) and then wait on doing the real update which although fixes some problems is not security critical?

wential
Tue 18th Jan '05, 8:53pm
You would think Jelsoft is holding a gun to your head to upgrade every time a patch is released.....SHEESH!!! I understand both sides, frustration at upgrading often and the appreciation of the quick response of the Devs. I plan my upgrades on the last weekend of every month and have no stress because of it. Daily backups will hold me if something happens in-between the dates.

Thanks Jelsoft!

KimmiKat
Tue 18th Jan '05, 8:54pm
Probably be out in a couple of days... the upgrades usually comes in twos!

what about 3.0.7 ?

Mike Sullivan
Tue 18th Jan '05, 8:56pm
have i read this all wrong or can't you just upload the one file that has been changed due to the security issue (it's in the main post) and then wait on doing the real update which although fixes some problems is not security critical?
You're correct.

1996 328ti
Tue 18th Jan '05, 8:57pm
I have two licenses.
Can I download just one file and use it on both sites?

Steve Machol
Tue 18th Jan '05, 8:58pm
I have two licenses.
Can I download just one file and use it on both sites?
No sorry, you can't. You need to use the zip file specific for each license. You could use the patch files on one or both though.

Oblivion Knight
Tue 18th Jan '05, 9:00pm
Many thanks to the devs for trying to keep us secure and bug free. :)

Despite what is said, I'd much rather you continue to release these patches than not. Sure it's frustrating when modifications are installed and they have to be re-installed, but that's part of the fun..

Jake Bunce
Tue 18th Jan '05, 9:01pm
What i think you could at least do is like the guy above mentions, as soon as you know you're working on a new revision/patch because a security issue is found put a notice up out of respect to your customers, then a lot of us where it's a case of just finished spending 5 hours of work know to hold back on that kind of work and we wouldn't be so p(*(ed as much.

I think this is a reasonable request and very fair, you could have done this twice, and save thousands and thousands of hours of work to all of your customers. I would far more respect your company as a whole for that.

Save me 5 hours work, or waste 5 hours work and have to repeat 5 hours work. not a hard choice...

It would be irresponsible for us to issue a warning (to declare a version insecure) without releasing a patch.

n_wattam
Tue 18th Jan '05, 9:03pm
ur is it me or have i noticed a bug, my post count is not increasing, its still on "1" :mad: :mad:

Oblivion Knight
Tue 18th Jan '05, 9:05pm
ur is it me or have i noticed a bug, my post count is not increasing, its still on "1" :mad: :mad:
Posts do not add to your post count in the "Announcements Discussions" forum.. ;)

Resale Broker
Tue 18th Jan '05, 9:12pm
argh! and I just opened my forum today! :(
I opened my forum just over a week ago with the 3.03 version. Just when I got all the hacks completed out comes version 3.04 and so on and so on. ;)

asarian
Tue 18th Jan '05, 9:14pm
As long as you do not manually revert the templates VB will keep all your template data. However you will need to change any altered PHP files which is a given :).

Ok, I did it. :)

As always, I am trepidatious about such upgrades; but, also always, the Vbulletin upgrades go smoothly. All-in-all, it took no longer than the time to upload the files, and to run the 3 minute upgrade script.

Now, the new PHP 4.3.10 issue (grrr) will be an entirely different story; but that is not really the fault of the Vbulletin team.

- Mark

System Administrator Asarian-host.org

---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx

Herc
Tue 18th Jan '05, 9:16pm
Do you only have to revert a template or table if you've modified that particular template or table...?
:) :confused:
By the way ....Keep up the good work VBulletin Team and thanks for all you guys do...!!!:) ;) :) ;)

HappyPike
Tue 18th Jan '05, 9:19pm
Three versions in 18 days... Not a good start for the new year. :( I will just upload the fix this time. Only upgraded to v3.05 last week.

2005 is a bad year so far. First the tsunami, then the earthquake in Japan today.

aggiezach
Tue 18th Jan '05, 9:46pm
Howdy,

I'm still new to vBulletin and I just want to make sure I'm getting this right. Can I just upload the files that were changed in the upgrade? Or do you have to upload every single one that came in the tarball? If I do this and run the upgrade script will all be kosher?


Thanks,
Zach

Herc
Tue 18th Jan '05, 9:48pm
Upgrade finished.......Thanks guys....:) ;) :) ;)

Andrew111888
Tue 18th Jan '05, 9:49pm
Everyone who complains, here's what you should do: Do not upgrade your board. Do not patch your board. Instead, trash vBulletin, and code your own to the level that vBulletin is. Seriously, if you know so much and complain because they have some security flaws now and then, why don't you go do better and shut up?

asarian
Tue 18th Jan '05, 9:50pm
Howdy,

I'm still new to vBulletin and I just want to make sure I'm getting this right. Can I just upload the files that were changed in the upgrade? Or do you have to upload every single one that came in the tarball? If I do this and run the upgrade script will all be kosher?


Thanks,
Zach

I just did the upgrade myself. It took about 5 minutes.

Just upload everything under the 'upload' directory to your installation (why bother figuring out what files have changed?). Then run the upgrade script, and you're back online within two minutes. :)

- Mark

System Administrator Asarian-host.org

---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx

HappyPike
Tue 18th Jan '05, 10:07pm
For small version update like from 3.05 to 3.06 I guess backing up the DB is not essential...

fms
Tue 18th Jan '05, 10:07pm
As a new vBulletin user, I really appreciate how simple the upgrade process is (having done it twice now!). The upgrade script guides you through it and as others have said, it takes only a couple of minutes. Thanks to the devs :)

Sil3nt
Tue 18th Jan '05, 10:23pm
Simple as long as you dont have hacks installed :(

Mark.B
Tue 18th Jan '05, 10:25pm
I have completed my upgrade including hacks, took about two hours.

As regards the php unserialize bug, I seem to have been fortunate as I have not noticed any performance issues surrounding this, similar to the poster earlier in this thread.

drumsy
Tue 18th Jan '05, 10:36pm
This is a bit ridiculous. I don't really have much more to say than that.

Zachery
Tue 18th Jan '05, 10:37pm
I'd rather get fixes myself than sit dead in the water for 2 months waiting for an attacker

drumsy
Tue 18th Jan '05, 10:40pm
One of the best features about vBulletin is the user's ability to alter it to do what that user needs it to do.

When I spend hours of my time as well as hours of my site being down updating each and everything that changed and my customizations, it becomes quite a hassle.

conqsoft
Tue 18th Jan '05, 10:43pm
Took me all of 15 minutes to upgrade, including getting hacks re-done.

Thanks!

squall14716
Tue 18th Jan '05, 10:44pm
One of the best features about vBulletin is the user's ability to alter it to do what that user needs it to do.

When I spend hours of my time as well as hours of my site being down updating each and everything that changed and my customizations, it becomes quite a hassle.
Then use the one file patch. It fixes the security hole and if you don't need the other little bug fixes, then don't worry about it.

drumsy
Tue 18th Jan '05, 10:54pm
The point that I'm trying to make, as a lot of other people are, is that this is really getting redundant.

1996 328ti
Tue 18th Jan '05, 11:06pm
One of the best features about vBulletin is the user's ability to alter it to do what that user needs it to do.

When I spend hours of my time as well as hours of my site being down updating each and everything that changed and my customizations, it becomes quite a hassle.
Why would it be down for any length of time?

I make my edits.
Turn the board off if there are people online.
Upload all files.

Then I revert edited templates and reapply edits.

mindbuster
Tue 18th Jan '05, 11:07pm
I also agree with that when jelsoft starts an urgent update that we would be notified in advance that a new patch will be out shortly. So we wouldn't apply any hacks while the patch was being made.

aranthorn
Tue 18th Jan '05, 11:09pm
Well, better safe than sorry.

I just went through the upgrade to 305, lots of hacks installed, so I just patched.

AWS
Tue 18th Jan '05, 11:13pm
All sites updated on dev server without a hitch. Going to upload them to the live sites tomorrow.

xbleed
Tue 18th Jan '05, 11:16pm
Thanks guys.. I don't see why people complain.. I mean, yeah it's a little frustrating and all, but it only takes an hour (at the most) for me to reinstall all my hacks and I have a lot of them.

I'd much rather have a secure board, so thank you for updating. :)

Erwin
Tue 18th Jan '05, 11:17pm
The point that I'm trying to make, as a lot of other people are, is that this is really getting redundant.
Don't blame Jelsoft - blame the hackers who find these obscure XSS holes in the code. :)

mindbuster
Tue 18th Jan '05, 11:23pm
One question, the "MySQL backup produce invalid files", would it still do that if only patching with the bbcodeparse.php file? and how serious is it?

Wayne Luke
Tue 18th Jan '05, 11:25pm
One question, the "MySQL backup produce invalid files", would it still do that if only patching with the bbcodeparse.php file? and how serious is it?
Yes it would still do that. If you simply upload the patch files you do not get any of the other bug fixes.

Mike Sullivan
Tue 18th Jan '05, 11:26pm
One question, the "MySQL backup produce invalid files", would it still do that if only patching with the bbcodeparse.php file? and how serious is it?
Yes, it would still exist if you only patch functions_bbcodeparse.php.

It's not very serious if you only use vB in your vB database. The issue arose because in a non-vB table, someone used a reserved word for a column name and our backup script didn't escape the name.
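The backup problem described in the post above (a column named with a reserved word, written into the dump unescaped) can be reproduced offline. This is an added example, not vBulletin's backup script: it uses Python's built-in SQLite as a stand-in for MySQL, because SQLite accepts MySQL-style backtick quoting and also rejects `order` and `group` as bare column names. The table `addon_log` and its data are constructed.

```python
import sqlite3


def quote_ident(name):
    """MySQL-style identifier quoting: wrap in backticks, double embedded ones."""
    if "\x00" in name:
        raise ValueError("NUL byte in identifier")
    return "`" + name.replace("`", "``") + "`"


def quote_value(value):
    """SQL-standard literal quoting, enough for the SQLite stand-in.
    A MySQL dump must use the server's own string escaping instead."""
    if value is None:
        return "NULL"
    if isinstance(value, (int, float)):
        return repr(value)
    return "'" + str(value).replace("'", "''") + "'"


def dump_table(conn, table, escape_names=True):
    """Return the statements of a dump; escape_names=False mimics the bug."""
    q = quote_ident if escape_names else (lambda n: n)
    cols = conn.execute(
        "SELECT name, type FROM pragma_table_info(?)", (table,)
    ).fetchall()
    col_defs = ", ".join(f"{q(name)} {ctype}" for name, ctype in cols)
    stmts = [f"CREATE TABLE {q(table)} ({col_defs});"]
    names = ", ".join(q(name) for name, _ in cols)
    # Reading always uses quoted names; only the written dump is under test.
    select = "SELECT {} FROM {}".format(
        ", ".join(quote_ident(name) for name, _ in cols), quote_ident(table)
    )
    for row in conn.execute(select):
        values = ", ".join(quote_value(v) for v in row)
        stmts.append(f"INSERT INTO {q(table)} ({names}) VALUES ({values});")
    return stmts


def restore(stmts, table):
    """Load a dump into an empty database; return its rows, or None if invalid."""
    target = sqlite3.connect(":memory:")
    try:
        target.executescript("\n".join(stmts))
        return target.execute(f"SELECT * FROM {quote_ident(table)}").fetchall()
    except sqlite3.Error:
        return None
    finally:
        target.close()


def demo_source():
    """Constructed non-forum table whose columns are reserved words."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE `addon_log` (`id` INTEGER, `order` INTEGER, `group` TEXT)"
    )
    conn.execute("INSERT INTO `addon_log` VALUES (1, 10, 'it''s ok')")
    return conn


if __name__ == "__main__":
    src = demo_source()
    for escaped in (False, True):
        dump = dump_table(src, "addon_log", escape_names=escaped)
        print("escaped names:", escaped, "->", restore(dump, "addon_log"))
```

The unescaped dump is only discovered to be invalid at restore time, which is why a test restore belongs in any backup routine.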

mindbuster
Tue 18th Jan '05, 11:34pm
Yes, it would still exist if you only patch functions_bbcodeparse.php.

It's not very serious if you only use vB in your vB database. The issue arose because in a non-vB table, someone used a reserved word for a column name and our backup script didn't escape the name.

Ahh, cool, thanks for answering, ill just patch then.

rjordan
Tue 18th Jan '05, 11:35pm
AWS has the right idea. With your vBulletin license, you can have a second installation STRICTLY FOR TESTING PURPOSES. This test install cannot be accessible to anyone but you to be legit. This comes from vBulletin to me via e-mail. If you are that concerned about being down, update the test installation, test it, put your live forums offline, make a backup, copy the test files over, and put them back online. Sounds logical to me!

MonsterMaxx
Tue 18th Jan '05, 11:36pm
I want to chime in as well in thanking those who write and support vB for doing so and releasing patches when they are needed.

Thank you, well done.

rjordan
Tue 18th Jan '05, 11:40pm
You know, a thank you is indeed deserved.


Thank you to all involved in the support and updating of vBulletin!

MotoUp
Wed 19th Jan '05, 12:03am
This is a bit ridiculous. I don't really have much more to say than that.
Why, because it takes 5 minutes to upgrade? Or because you have hacks installed? I have a couple hacks, and it only takes me an hour. They're looking out for THEIR product, not anyone else's. I for one thank them for that.

Cowboysfan
Wed 19th Jan '05, 12:15am
When you add a hack, include new/changed code in comments like

// BEGIN WHATEVER HACK HERE

hack code;

// END WHATEVER HACK HERE

.

thanks. I had no idea how to do this, and I am definitely a novice when it comes to doing anything with these files. I just recently added my first couple hacks to Vb, so this will definitely help me in the upgrades process.

Chroder
Wed 19th Jan '05, 12:17am
I think it's funny when people start complaining about a new release of bug fixes when there is a single file patch. Damn people, if you don't want to upgrade then upload the single patch.

So let's list the facts:
There is a single file patch
This patch will make your board secure
You do not have to upgrade

Sorry if I come across as rude, but it's starting to get annoying. I don't see the logic; Jelsoft releases fixes to problems in a product you buy, as well as a quick fix for a security issue -- why are you mad?

Cowboysfan
Wed 19th Jan '05, 12:42am
I look at all these updates as a learning experience. I started with 3.0.3, and knew absolutely nothing about what I was doing. Now, I am about to make my 3rd upgrade, the second with hacks involved, and I now know just slightly more than nothing about this stuff. :)

By the time Vb gets to 5.0.0, I will be an absolute genius.

Thanks for this latest update, always good to know those who develop the product you use are constantly on top of trying to keep it the best on the market.

Ocean
Wed 19th Jan '05, 12:43am
Don't blame Jelsoft - blame the hackers who find these obscure XSS holes in the code. :)




Actually, don't blame the hackers either. That's rather akin to shooting the messenger.

After all, if they don't discover the hole - that doesn't mean that the hole doesn't exist. :)

Andrew B.
Wed 19th Jan '05, 1:19am
Need a clarification here:

I've read the thread. So, it looks like I can either replace one file to do the patch, or I can upgrade vBulletin to the next version.

I'm going to start by only applying the patch. Is there any way I can tell in advance if I'll need to do a revert. I've never modified the functions_bbcodeparse.php I have now. But I have modified some bbcodes via the control panel.

The Prohacker
Wed 19th Jan '05, 1:34am
I have absolutely no issue with upgrades, even upgrades that are released a few days after one. It's a much easier job to apply a simple patch than to recover a forum that has been compromised.

I tend to shrug off comments and complaints about how hard it is, and the developers have to be kidding, etc. Some people here know me from other sites that use vBulletin. I maintain some rather huge forums, I pulled some stats, these are non-peak stats so users online is rather low:

Total Members: 430,169
Total Threads: 1,804,717
Total Posts: 10,564,782
Total Users Online: 2,380
Total Number of Sites: 9

As you can tell this list of sites has very unique requirements to keep updated. I can't just run a normal upgrade.php without risks of timeouts on tables around 4gb in size. So I have to break down each upgrade script into a list of very basic queries to run manually, or otherwise script them.

I can offer everyone a few tips on updating heavily hacked forums, the patches that Jelsoft offer help but generally they are an entire file, which on most of our sites are hacked. In my home directory I have a compare directory with sub-directories (new/) and (old/). I then place the old original vB release in old and the new original release, this is pre-hacked. I then run a diff on the directories and output the changes to a patch file. Normally a patch cannot be directly applied but for smaller forums that have fewer hacks they will work just fine. 3.0.5 -> 3.0.6 had just a handful of changes compared to other releases.

Another tip, backup, backup, and backup some more :) If for some reason an upgrade script fails, it could leave you looking for data and how to fix it, backups can save you when you least expect it.

Comment your hacks. I can't stress this enough, if you know where your hacks are, you can always re-apply them if you must.

Know PHP before hacking.. Hacks are so easy to do, but when upgrades come, if you don't know PHP, you can be left in the dust waiting on the author to help. If you know what changed in a certain query you have hacked you can apply the fixes yourself directly..

It's 11:35pm and I have worked a full day, and yes that includes security patching our vB2 and vB3 installations. Just the life of a sysadmin :)
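The old/ versus new/ comparison described in the post above, as an added example that is not part of the original post or of vBulletin. It goes one step beyond the post by also comparing a third tree, the live (hacked) install, so each vendor-changed file is sorted into "safe to overwrite" or "needs a manual merge". File names and contents are constructed.

```python
import difflib
import filecmp
import tempfile
from pathlib import Path


def rel_files(root):
    """Relative paths of every file under root."""
    return {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}


def classify(old, new, live):
    """Sort vendor changes by whether the live copy carries local edits.

    old  = pristine previous release, new = pristine new release,
    live = the running install, possibly modified."""
    plan = {"overwrite": [], "merge": [], "added": [], "removed": []}
    old_files, new_files = rel_files(old), rel_files(new)
    for name in sorted(old_files | new_files):
        if name not in old_files:
            plan["added"].append(name)
        elif name not in new_files:
            plan["removed"].append(name)
        elif not filecmp.cmp(old / name, new / name, shallow=False):
            live_file = live / name
            hacked = live_file.is_file() and not filecmp.cmp(
                old / name, live_file, shallow=False
            )
            plan["merge" if hacked else "overwrite"].append(name)
    return plan


def vendor_diff(old, new, name):
    """Unified diff of the vendor's change to one file, for hand-merging."""
    a = (old / name).read_text(errors="replace").splitlines(keepends=True)
    b = (new / name).read_text(errors="replace").splitlines(keepends=True)
    return "".join(difflib.unified_diff(a, b, f"old/{name}", f"new/{name}"))


def build_demo(root):
    """Write three small constructed trees under root and return their paths."""
    hack = "// BEGIN MY HACK\n// hack code\n// END MY HACK\n"
    trees = {
        "old": {
            "parser.php": "<?php\n// parser v1\n",
            "thread.php": "<?php\n// thread v1\n",
            "index.php": "<?php\n// index\n",
        },
        "new": {
            "parser.php": "<?php\n// parser v2\n",
            "thread.php": "<?php\n// thread v2\n",
            "index.php": "<?php\n// index\n",
            "new_feature.php": "<?php\n// added in new release\n",
        },
        "live": {
            "parser.php": "<?php\n// parser v1\n",            # untouched locally
            "thread.php": "<?php\n" + hack + "// thread v1\n",  # hacked, vendor changed
            "index.php": "<?php\n" + hack + "// index\n",       # hacked, vendor unchanged
        },
    }
    for tree, files in trees.items():
        for name, text in files.items():
            path = root / tree / name
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text)
    return root / "old", root / "new", root / "live"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        old, new, live = build_demo(Path(tmp))
        plan = classify(old, new, live)
        for bucket, names in plan.items():
            print(f"{bucket:9}: {names}")
        for name in plan["merge"]:
            print(vendor_diff(old, new, name))
```

Files that are hacked locally but unchanged by the vendor (index.php here) never appear in the plan, which is what keeps the manual work down to the "merge" list.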

shiva
Wed 19th Jan '05, 2:29am
Another upgrade, I just upgraded mine 2 days ago....

Okay, I appreciate the service here as much as the next person, but maybe if the VB staff are gonna release an update, how about if you guys tell us beforehand, something like, "we are working on a new update, should be out in a couple days" type of thing.

About the hacks, I think the vast majority uses some sort of hack/mod/program, got to be at least 90% plus. I know VB always states that it's not their problem if issues are caused by a modification like VBa CMPS, but everyone uses these, and since we are all your customers, why can't something be worked out to make everyone's life a bit easier? I remember YABBse (I believe) had a system for modifications, and sure would cut down on the complaining threads as well.

It's just so much work, I have VBa, arcade, and articles, plus some minor hacks, but it's still a lot of work every time an update comes out, especially with such little notice.

I just reupped my license, so at the very least, I can say I am getting my money's worth. :)

Steve Machol
Wed 19th Jan '05, 2:34am
About the hacks, I think the vast majority uses some sort of hack/mod/program, got to be at least 90% plus.
Actually it's the opposite. About 90-95% of our customers never modify the code at all. Relatively very few people are coders and even fewer want to mess with the code of the software they are using.

The truth is the hackers are more visible and vocal because they are constantly making changes and looking for new things to do with vB. This is not good or bad. I just wanted to point out that the hackers are a small - but nonetheless important - minority of our overall customer base.

akiy
Wed 19th Jan '05, 2:38am
I just wanted to say "Thank you!" to the developers who have worked hard in getting out this patch (and the recent updates as well).

I personally don't understand how people here can complain about their software being updated in a timely fashion. I, for one, would rather have the option of upgrading my forums system (or just applying a one file "patch" to get around the security hole) than to leave these security holes open. Would people rather that the developers find a hole and not do anything about it until they have enough holes to fix so as to minimize the "inconvenience" that we users have to face in upgrading our systems? I wouldn't. Sure, there may be downtime for us to upgrade our forums, but it's better than having security issues. Have people already forgotten the recent phpBB worm that went and defaced a bunch of phpBB installations? I'd like that from happening on my forums myself...

If people think it's a piece of cake to just look through the code and figure out where the security holes are, then please go ahead and do so. The source is right there in front of you. I've looked through the code in the past and have sent in code suggestions myself.

I'm happy to have paid my initial payment for vBulletin way back in April of 2000, and I'm happy to have paid the annual charge to pay for updates. I'm quite happy to go through some inconvenience to make sure that my system remains secure. Being secure is worth the money I paid and it's worth the time and "inconvenience" I've put in.

So, developers: Thanks!

Primal Rage
Wed 19th Jan '05, 3:49am
What i think you could at least do is like the guy above mentions, as soon as you know you're working on a new revision/patch because a security issue is found put a notice up out of respect to your customers, then a lot of us where it's a case of just finished spending 5 hours of work know to hold back on that kind of work and we wouldn't be so p(*(ed as much.

I think this is a reasonable request and very fair, you could have done this twice, and save thousands and thousands of hours of work to all of your customers. I would far more respect your company as a whole for that.

Save me 5 hours work, or waste 5 hours work and have to repeat 5 hours work. not a hard choice...

Although your post makes somewhat sense, it would be unethical for Jelsoft to make such an announcement. I mean you want them to come out and say "hey guys, we found a security hole, so hold all your hacks modifications so we can release an upgrade". So now say that upgrade takes 2-3 days for whatever reason, during that time you are thinking "hmmm, should i close my forums to avoid being hacked? what if other people know about this hole? maybe I am getting hacked right now and don't even know it??" The way i look at it is why claim a release is coming when it is not finalized.

Now i know upgrading modified boards is a pain, but the truth is that VB doesn't support modified boards and if you modify it then it is your problem not theirs. On a non modified board the upgrade would take about 5 minutes and that is including the uploading of the new files. I believe that is fair and that is all Jelsoft should really care about. If you modified your board then your problem. Deal with it. Do you buy a car, install a turbo kit, port and polish the engine, blow it up and then expect the dealer who sold it to you to fix it ??

Anyways, my tip to those of you who run highly modified boards is to simply just patch the problem file and keep your board at whatever version it is at. When a major release such as say vb 3.1 comes out then consider doing the upgrade and all the hacks. Get familiar with a tool called Beyond Compare as it will save you hours of work.

I upgraded boards that have had over 25 hacks in total in less than an hour. :)

BamaStangGuy
Wed 19th Jan '05, 4:26am
Deal with it. Do you buy a car, install a turbo kit, port and polish the engine, blow it up and then expect the dealer who sold it to you to fix it ??

Exactly :)

Floris
Wed 19th Jan '05, 4:29am
If we upgrade to vBulletin 3.0.6
can we use the language file of the vBulletin 3.0.5 ?
coz i spent time translating the language file for arabic language,
so can it be used to the newer version vBulletin 3.0.6 ?

if it can not be used and translating is needed for the newer version, can you tell me about the changes in the file of language for the newer version, for winning time instead of losing it searching for the changes.
Yes, any 3.0.x language file works with any 3.0.x version. If you have 3.0.0 it will work with 3.0.6.


Silly question here. I'm running 3.0.3. Unfortunately my access to the members area expired only a week or two before all these "slew" of upgrades known as 3.0.4, 3.0.5, and 3.0.6 came out. :mad: :(

Do I still get the ZIP file and patch then?

Thanks in advance.
If you're past your expiry date you won't have access anymore to the latest version. But we give our customers a free patch file in the announcements which you can download. Make sure your 3.0.3 gets patched with the init.php, private.php (3.0.5 announcement) and includes/functions_bbcode.php (3.0.6 announcement).


So I've applied the patch - does that mean I don't need to upgrade to 3.0.6 entirely? For example I can just upgrade from 3.0.5 to 3.1.0 (when it comes around)?

If so I can wait to upgrade :)

You do not have to upgrade from 3.0.5 to 3.0.6 if you have patched it, but it doesn't mean you are actually running 3.0.6 - you've only patched the security hole - the full upgrade will also fix the bugs as listed in the announcement - and you won't get the latest templates. Yes, my guess is you can upgrade from 3.0.5 to 3.x when it gets released.

BamaStangGuy
Wed 19th Jan '05, 4:36am
Exactly :)
I don't mind redoing my hacks, hack by hack. I take pride in my site and want it to have the best there is and I take time to make sure it is done right. If there is a release that fixes bugs and security problems I will install it. That is part of the responsibility you have as a webmaster. You got to find time to provide the best that you can for your members. The least you can do is patch the security holes!!!! I myself like to do it the correct way and upgrade fully to take advantage of new features (however small they are), bug fixes, optimized code, and better security. Some of you that are complaining would never do this to these developers' faces, you hide behind your computer screen and criticize the time and effort that vBulletin puts into selling you this product and making sure the product that they sell you is top quality. They aren't perfect however and coding something like this in today's age is a very stressful job. So many people out there waiting to break the code apart and find whatever hole they can.

vBulletin is the best there is and they have amazing support. They have a site just for hacking should you need something more than what vBulletin sells you "out of the box". But they don't support this. Period. You hack your board and they release an update it's not their fault. It doesn't take but 5 minutes like someone said to upgrade a stock board. If you don't have the time to redo all the hacks then don't put them in!! Something has to give here. You either find time to do both or figure something else out!

Please take into consideration these things before you post. They are only doing the responsible thing in keeping your site updated!

sensimilla
Wed 19th Jan '05, 5:00am
Do I have to upgrade if my users can't use signatures ?

TIA

nathanaus
Wed 19th Jan '05, 5:28am
This has probably been asked already but if I just install the functions_bbcodeparse.php file will that fix the vulnerability or do i need to do a complete upgrade?

VAYC
Wed 19th Jan '05, 5:30am
Do not upgrade!!! Wait for version 3.0.8! it's coming out soon... sometimes this week, by latest, this month! :) ;)

sensimilla
Wed 19th Jan '05, 5:53am
Do not upgrade!!! Wait for version 3.0.8! it's coming out soon... sometimes this week, by latest, this month! :) ;)

With the php security holes, looking that almost every php based site around is vulnerable if not for SQL injection then for XSS, I'm really impressed by the support here and fast upgrades... It makes me feel that it was a well spent cash.

Great job vb

Montadiat.com
Wed 19th Jan '05, 6:03am
<< waiting for 3.0.7

i love upgrading :D

PitchouneN64ngc
Wed 19th Jan '05, 6:09am
Three releases in 2 weeks, it's better than before (6 months from vB 3.0.3 to 3.0.4) ^^

Good job ;)

Alwaysmefirst
Wed 19th Jan '05, 6:37am
I'm happy to have paid my initial payment for vBulletin way back in April of 2000, and I'm happy to have paid the annual charge to pay for updates. I'm quite happy to go through some inconvenience to make sure that my system remains secure. Being secure is worth the money I paid and it's worth the time and "inconvenience" I've put in.

So, developers: Thanks!
I fully agree with you. Thank you to all the team at vBulletin! It was so easy to patch, as usual.

Kalivy
Wed 19th Jan '05, 6:59am
Uh...oh... I just only download patch and overwrite all? Or I need upgrades full version?

StuKeR
Wed 19th Jan '05, 7:04am
hi I just upgrade to 3.0.6 but i've got a problem... In I.E says that there's a problem with the page and then I can't post, because I can't write on the BOX. In mozilla happen the same... I can't reply to any post... what can I do???

Floris
Wed 19th Jan '05, 7:19am
Like mentioned various times:

If you only want to patch your current 3.0.5 and not upgrade to 3.0.6: Upload the file attached to the announcement. This will fix the security issue, but won't upgrade your forum to 3.0.6 and won't fix bugs or give you the latest templates or give you the new feature.

If you want to not only patch the security issue, upgrade fully.

If you have hacks installed, re-apply the code changes after the 3.0.6 upgrade.

Users with 3.0.3 who only want to patch .. don't forget to patch init.php & private.php too (from 3.0.5 announcement), besides the file from the 3.0.6 attachment.

Users who run into issues, request support, etc .. post a new thread in the appropriate forum.

Everybody else who comments here on this release, thank you for your feedback: We value it and learn from it. It helps us find out what our customers think and feel and we use that feedback to improve our customer service and our products.

Scott MacVicar
Wed 19th Jan '05, 7:22am
Open a separate support thread, though first ensure that you uploaded the clientscript folder in ASCII mode.

Regarding complaints: We fully agree that it's not acceptable that these codes exist, though the choices are halt current development and spend a few weeks doing a security audit. The problem being that it would not be likely that this XSS would have been discovered as it involved badly nesting tags and using backticks which only IE supports.
The SQL injection well that was a result of a PHP bug again that we would have not anticipated being a problem since the code would have worked on our development box running PHP 5 so would have never been found if we'd even considered it a possibility.
Before you start ranting about other boards, note that IPB was vulnerable to this same problem and you'll probably find patches for other boards appearing shortly.

ManagerJosh
Wed 19th Jan '05, 7:37am
Open a separate support thread, though first ensure that you uploaded the clientscript folder in ASCII mode.

Regarding complaints: We fully agree that it's not acceptable that these codes exist, though the choices are halt current development and spend a few weeks doing a security audit. The problem being that it would not be likely that this XSS would have been discovered as it involved badly nesting tags and using backticks which only IE supports.
The SQL injection well that was a result of a PHP bug again that we would have not anticipated being a problem since the code would have worked on our development box running PHP 5 so would have never been found if we'd even considered it a possibility.
Before you start ranting about other boards, note that IPB was vulnerable to this same problem and you'll probably find patches for other boards appearing shortly.
I've noticed IPB sometimes don't even provide patches to some issues that arise and sometimes they don't address them until they see fit to release a new version.

alamuae
Wed 19th Jan '05, 8:11am
upgrade to vBulletin 3.0.6

i have some problems

http://www.alamuae.com/vb/showthread.php?t=110529

Warning: sprintf(): Too few arguments in /includes/functions_bbcodeparse.php on line 326

groberthall
Wed 19th Jan '05, 8:53am
This is getting to be a long list of moans and denials so I thought I would add my little contribution :)

I also am well and truly ****** off with all these security updates and I am only going to do the init files route for now.

But it is not VB that I am ****** off at. It is these ****** kids that are finding these holes to exploit. That takes a good deal of intelligence, perseverance and dedication. Just think what could be achieved if these idiots put all that energy to a constructive use.

Graham

Mark.B
Wed 19th Jan '05, 9:05am
upgrade to vBulletin 3.0.6

i have some problems

http://www.alamuae.com/vb/showthread.php?t=110529

Warning: sprintf(): Too few arguments in /includes/functions_bbcodeparse.php on line 326
I am having that issue too but I think I have traced it to a rather peculiar hack I tried to adapt late last night.

I think I know how to fix my issue but cannot do it til tonight when I can get at the ftp.

hdtvoice
Wed 19th Jan '05, 9:10am
it would be nice if vBulletin extended everyone's lease by 2 or 3 weeks b/c of all the updates... Game devs do this with massive online games.... for instance World of Warcraft...

just a thought for the dev team to think over... would make people a bit more happy....

Erwin
Wed 19th Jan '05, 9:13am
There is a bug in the 3.0.6 /includes/functions_bbcodeparse.php file.

This causes this error:


Warning: sprintf(): Too few arguments in /includes/functions_bbcodeparse.php on line 327

Unable to add cookies, header already sent.
File: /includes/init.php
Line: 27
This happens when you are trying to view a thread with custom bbcode.

To fix this, do this:

In functions_bbcodeparse.php, find:

return sprintf($return, $param, $option);

ABOVE IT, ADD:

$return = preg_replace('#%(?!\d+\$s)#', '%%', $return);

Bug description and fix located here:
http://www.vbulletin.com/forum/bugs.php?do=view&bugid=3678

I'm not sure whether the latest 3.0.6 release has this fix in it so I'm posting this manual fix just in case.

asarian
Wed 19th Jan '05, 9:29am
Regarding complaints: We fully agree that it's not acceptable that these codes exist, though the choices are halt current development and spend a few weeks doing a security audit.


You will get no complaints from me. Yes, there has been a need to upgrade quite a few times of late; but the other side of the coin is that vBulletin upgrades are amongst the most professional in the industry.

Regarding PHP, one minor comment, though. I really think you guys should run PHP 4.x too; at least in your test-environment. I do not think it suffices to say, "We run PHP 5, so we did not see the PHP 4 problem." Other than that, keep up the good work!

- Mark

System Administrator Asarian-host.org

---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx

alamuae
Wed 19th Jan '05, 9:40am
There is a bug in the 3.0.6 /includes/functions_bbcodeparse.php file.

This causes this error:

This happens when you are trying to view a thread with custom bbcode.

To fix this, do this:

In functions_bbcodeparse.php, find:

return sprintf($return, $param, $option);

ABOVE IT, ADD:

$return = preg_replace('#%(?!\d+\$s)#', '%%', $return);

Bug description and fix located here:
http://www.vbulletin.com/forum/bugs.php?do=view&bugid=3678

I'm not sure whether the latest 3.0.6 release has this fix in it so I'm posting this manual fix just in case.


Erwin
thank you, this solution you gave solved these problems
and I really appreciate it


In functions_bbcodeparse.php, find:

return sprintf($return, $param, $option);

ABOVE IT, ADD:

$return = preg_replace('#%(?!\d+\$s)#', '%%', $return);

Ocean
Wed 19th Jan '05, 9:52am
But it is not VB that I am ****** off at. It is these ****** kids that are finding these holes to exploit. That takes a good deal of intelligence, perseverance and dedication. Just think what could be achieved if these idiots put all that energy to a constructive use.




Well, to some degree, they are. They're learning and honing problem-solving skills as well as gaining further insight into security coding and ways to bypass it.

Script kiddies are a different story - but true hackers are all about learning, and that - by itself - is not a bad thing.


When our Armed Forces and Intelligence Agencies are looking for someone to break into enemy machines, what kind of skillset do you think they're looking for? McDonald's experience? <grin>

dwh
Wed 19th Jan '05, 9:59am
Does Erwin's comment mean that I will need to repatch the 5 vbulletins I just patched?

Argyle
Wed 19th Jan '05, 10:05am
3.0.5 upgraded to 3.0.6 and V3arcade mod code reinstalled no problem.

Tungsten
Wed 19th Jan '05, 10:08am
Just got done updating all my sites to 3.0.5 on my dev server. Was getting ready to upload it all and came here to read the forum before doing it. I guess I'll just download 3.0.6 and upgrade to it.
Thanks for keeping up with fixing security holes. I would rather update every week then to have a hole left open. Good work guys.

Exactly. The people who bitch about the minor inconveniences of upgrading are the same ones who would raise holy hell here if their board was hacked because of a security hole that Jelsoft was slow to address.

Keep up the good work, devs!

wrang
Wed 19th Jan '05, 10:25am
what do i do wrong
When I have upload all the files that a change have been made

Is it right to do the upgrade in the install/upgrade.php to do it.
I have tried this and just get to the admin panel again.

welo
Wed 19th Jan '05, 10:38am
For those who have problems upgrading due to the hacks you have installed, A) Keep a list of all hacked files, and B) Before uploading anything, use a file comparator along with your list to alter files as necessary. It's all in the prep. Just do these two things and your upgrade should take a half hour or less.

Sergio68
Wed 19th Jan '05, 10:42am
Just :(

nawadowz
Wed 19th Jan '05, 11:10am
I have vB 3.0.4 installed. Do I need to update to 3.0.5 first before updating to 3.0.6?

hphinizy
Wed 19th Jan '05, 11:15am
Fatal error: Call to undefined function: preg_replace() in /usr/home/htdocs/data/forums/includes/init.php on line 285


No hacks installed... Please advise.

Edit: Move this to general troubleshooting as it appears to affect other forums I have that I did not upgrade to 3.0.6. I did portupgrade to 4.3.10 yesterday... I just did a make deinstall and make reinstall with pcre support...

Help

StuKeR
Wed 19th Jan '05, 11:20am
perhaps instead of say to users that it's important to upgrade to new version, say only to patch and then when three or four important bugs appeared then, say to them to upgrade.

Like windows with the Service Packs (windows is a trademark of his legitims.... :D:D:D)

I say this because people will not be angry to upgrade his forums...

anyway I give thanks for this support

Deaths
Wed 19th Jan '05, 11:28am
That's what was said last time.., next week .7 will be out, and at this rate before we know it we will be on .9
I'm thinking about the same thing...

Will there be any other patches soon?
I'm running a heavily hacked board, and a webmaster at another, so I can't afford to upgrade now, and then see that a few weeks later a new version is out again!

jimmyboy
Wed 19th Jan '05, 11:32am
is vb3.07 coming out soon????

StuKeR
Wed 19th Jan '05, 11:34am
so patch only to fix the bug and when 3.1.0 be released then upgrade ;)

Tomek
Wed 19th Jan '05, 11:38am
I have vB 3.0.4 installed. Do I need to update to 3.0.5 first before updating to 3.0.6?
No, you don't need to.

wpwood3
Wed 19th Jan '05, 11:42am
I just upgraded from 3.0.5 to 3.0.6.
The whole process took less than 2 minutes and went without a hitch.
I'm glad I don't have any mods.

Herc
Wed 19th Jan '05, 11:43am
I'd rather get fixes myself than sit dead in the water for 2 months waiting for an attacker

I'm with ya bro.......:cool: :)

Rids
Wed 19th Jan '05, 11:57am
While it's a PITA to have to sort out the installed hacks again the alternative is far worse, I was slow to patch / update between 3.04 and 3.05 and got hacked as a result - Thanks guys, for keeping the hackers at bay with these prompt updates, your efforts are much appreciated :)

IC-Games
Wed 19th Jan '05, 12:07pm
As other sane people have mentioned, thanks for the update

I seriously doubt anyone did this on purpose

nawadowz
Wed 19th Jan '05, 12:24pm
No, you don't need to.

Thanks.

Kier
Wed 19th Jan '05, 12:35pm
There is a bug in the 3.0.6 /includes/functions_bbcodeparse.php file.

This causes this error:

This happens when you are trying to view a thread with custom bbcode.

To fix this, do this:

In functions_bbcodeparse.php, find:

return sprintf($return, $param, $option);

ABOVE IT, ADD:

$return = preg_replace('#%(?!\d+\$s)#', '%%', $return);

Bug description and fix located here:
http://www.vbulletin.com/forum/bugs.php?do=view&bugid=3678

I'm not sure whether the latest 3.0.6 release has this fix in it so I'm posting this manual fix just in case.
CVS version 1.186.2.6 fixes this bug. (The package and the patch contain this fix, though the patch will not show that version.)

dwh
Wed 19th Jan '05, 12:46pm
CVS version 1.186.2.6 fixes this bug. (The package and the patch contain this fix.)

damn.

How bad is it to not have that fix?

Reverend
Wed 19th Jan '05, 12:46pm
CVS version 1.186.2.6 fixes this bug. (The package and the patch contain this fix.)
The version i just downloaded in the 3.0.6 zip package is 1.186.2.5 (vBulletin 3 package last updated: 2:35pm, Tue Jan 18th)


when was the CVS updated to 1.186.2.6 ???

dwh
Wed 19th Jan '05, 12:47pm
Is that bug present in the vb 2 series?

Mike Sullivan
Wed 19th Jan '05, 12:48pm
damn.

How bad is it to not have that fix?
It will only affect you if you have a custom BB code with a % in it.
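
The failure that Erwin's fix addresses, under the condition Mike Sullivan describes (a custom BB code with a % in it), reproduced as an added example; it is not code from the thread or from vBulletin. The function names and sample templates are constructed, and the %1$s / %2$s placeholder form is inferred from the regex in the posted fix.

```php
<?php
// Added example, not vBulletin code. render_unpatched() mirrors the sprintf()
// line quoted in the thread; render_patched() adds the preg_replace() line
// from the posted fix. Function names and templates are constructed here.

function render_unpatched($template, $param, $option)
{
    // Every '%' in $template is parsed by sprintf() as a conversion spec.
    return sprintf($template, $param, $option);
}

function render_patched($template, $param, $option)
{
    // Double each '%' that does not start a positional string placeholder
    // (%1$s, %2$s, ...), so sprintf() prints it as a literal percent sign.
    $template = preg_replace('#%(?!\d+\$s)#', '%%', $template);
    return sprintf($template, $param, $option);
}

// Report failure the same way on every PHP version: older releases emit a
// warning and return false, PHP 8 throws ValueError or ArgumentCountError.
function try_render($renderer, $template, $param, $option)
{
    try {
        $out = @call_user_func($renderer, $template, $param, $option);
    } catch (\Throwable $e) {
        return 'FAILED (' . get_class($e) . ')';
    }
    return $out === false ? 'FAILED (sprintf returned false)' : $out;
}

// Constructed custom BB code replacements: %1$s is the text between the
// tags, %2$s is the tag's option.
$samples = array(
    'placeholders only' =>
        '<span style="color: %2$s">%1$s</span>',
    'literal percent signs' =>
        '<table width="100%"><tr><td width="50%" height="100%">%1$s</td></tr></table>',
);

foreach ($samples as $label => $template) {
    foreach (array('render_unpatched', 'render_patched') as $renderer) {
        // The '%' inside $param is data, not format, so it is never parsed.
        $result = try_render($renderer, $template, 'save 50% today', 'red');
        echo "[$label] $renderer: $result\n";
    }
}
```

Because the regex only spares `%N$s`, any other conversion in a template (for example `%d`) is printed literally after the fix instead of being interpreted.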

Mike Sullivan
Wed 19th Jan '05, 12:49pm
Is that bug present in the vb 2 series?
No.

erratic assasin
Wed 19th Jan '05, 1:04pm
this is becoming a total joke now, i am so &*(&* OFF, i upgraded to .4 installing all my patches, then the same again to .5 and now you saying i have to do it a 3rd time..

I only purchased this software 2 months ago, and wish i never bothered now.. i am so hacked off at this moment. The time and money lost, and i'm not the only one i'm guessing...

join the club m8 . . what a waste of time and money why not get it right then release it. . who owns this place bill gates???

Zachery
Wed 19th Jan '05, 1:05pm
We fix the issues when we get a report in, tell the people who are spending hours upon hours to find these holes all at once :)

Electronic Punk
Wed 19th Jan '05, 1:06pm
So don't upgrade. It's that simple.

alkahf
Wed 19th Jan '05, 1:07pm
Three releases in 2 weeks, it's better than before (6 months from vB 3.0.3 to 3.0.4) ^^

Good job ;)
Hahahahahahahah :D

Leppard
Wed 19th Jan '05, 1:18pm
It would be irresponsible for us to issue a warning (to declare a version insecure) without releasing a patch.

Is this what they call Security through Obscurity? Wouldn't the attackers already KNOW what to exploit? You're just keeping this information from the people who pay your salary and suffer because of the flaws in your software.


I agree with some unhappy customers. Seems we're paying for you to develop this software rather than paying for correctly working software.

I'm not happy either.

Lenni
Wed 19th Jan '05, 1:26pm
Is this what they call Security through Obscurity? Wouldn't the attackers already KNOW what to exploit? You're just keeping this information from the people who pay your salary and suffer because of the flaws in your software.
i bet i am not the only one who thinks you are just talking nonsense. since the vbulletin developers release an upgrade as fast as possible there is no information to keep away from us. it's only you people with highly modded boards who complain. just don't mod it and be happy!

Heo13
Wed 19th Jan '05, 1:27pm
Upgraded to 3.0.6. No problems.

for those who have a hacked board: next time just keep track of all your hacks that you installed, and after upgrading to next version, just do the file changes. It took me less than 1 hour to get my board up back, hacked, and ready to go

good luck

Scott MacVicar
Wed 19th Jan '05, 1:46pm
Well to those who have problems I'm not sure what you expect us to do. These are obscure exploits that people have probably spent weeks looking at to try and create, 3.0.4 was a PHP issue that we had thought we wouldn't be vulnerable to but PHP behaved unexpectedly. 3.0.5 we had workarounds which we thought would protect us, but no IE behaves unexpectedly (that is not documented anywhere).

We are willing to listen to complaints but please get your facts right before making any allegations.

xbleed
Wed 19th Jan '05, 2:26pm
join the club m8 . . what a waste of time and money why not get it right then release it. . who owns this place bill gates???
Hmm. This takes the cake for the most ignorant thing said in this thread.. Never once has there been a script that "gets it right".. there will always be updates for everything..

Anyways, I just upgraded to 3.0.6 from 3.0.5, upgrade took about 2 minutes (including uploading the files) and reinstalling my hacks (15+) took about 35 minutes.

Who can't spare 40 minutes of their day doing this to their site?

solent
Wed 19th Jan '05, 2:29pm
vb 3.0.5 forum

well put up the patch worked great it killed all the smiley's :eek:

so took it off and all the smiley'd came back :confused:

so guess I will wait a bit :rolleyes:

StuKeR
Wed 19th Jan '05, 2:39pm
for those people who say that it's stupid to pay for this software I'm sure that they haven't used other forums... In my opinion this forum it's on the top of this kind of software

I came from other forums and I agree paying for this software. I really appreciate it :)

Mark.B
Wed 19th Jan '05, 2:41pm
i bet i am not the only one who thinks you are just talking nonsense. since the vbulletin developers release an upgrade as fast as possible there is no information to keep away from us. it's only you people with highly modded boards who complain. just don't mod it and be happy!
I don't know whether mine classes as highly modded or not. It's certainly modded. However, it takes me a couple of hours to rehack a test board and then about 10 minutes to upgrade the live site. It's frustrating to have to do it three times in three weeks, but not half as frustrating as someone exploiting a security issue, so I'll take the upgrades please! If there's a security exploit found every week I'll upgrade every week. I'd rather that than have the developers brush it under the carpet and pretend it doesn't exist, as some board developers do. Jelsoft's approach is proactive at all times, and that's what I pay my licence money for (which I shall be doing again on 1st Feb!).

The fact that there's a major bug in the latest upgrade is hardly ideal, but that's a different matter.

Mark.B
Wed 19th Jan '05, 2:42pm
Hmm. This takes the cake for the most ignorant thing said in this thread.. Never once has there been a script that "gets it right".. there will always be updates for everything..

Anyways, I just upgraded to 3.0.6 from 3.0.5, upgrade took about 2 minutes (including uploading the files) and reinstalling my hacks (15+) took about 35 minutes.

Who can't spare 40 minutes of their day doing this to their site?
Damn you beat me, took me two hours. Rats!

showme
Wed 19th Jan '05, 2:44pm
I have VBulletin 3.0.5 so to make sure I'm doing this right. I just have to update one file right?

Upload includes/functions_bbcodeparse.php and over write the old file.

I did this but it still says that I'm running version 3.0.5. Do I have to do something else?

Thanks, I'm pretty new at this.

BrandNIC
Wed 19th Jan '05, 2:51pm
I have VBulletin 3.0.5 so to make sure I'm doing this right. I just have to update one file right?

Upload includes/functions_bbcodeparse.php and over write the old file.

I did this but it still says that I'm running version 3.0.5. Do I have to do something else?

Thanks, I'm pretty new at this.

Patching the file fixes the security hole but will not change your version.
You'll need to upload all the files to upgrade to the newer version.


BTW Thx for the update, At this rate I'll be a pro in no time.
Pours another cup of coffee, time to update.:p

Dave-G
Wed 19th Jan '05, 2:51pm
Hope someone will answer this, as reading through the thread some good points are not being answered!

Could Jelsoft not review the update policy, and instead of producing a "full" vb package, just include those files etc that "have" changed. So in members you would have two versions - Full & latest upgrade.

This would save lots of people (like me) would prefer only to work with what "needs" replacing rather than the complete package. This can not be too hard - Can it ?

Reverend
Wed 19th Jan '05, 2:54pm
The version i just downloaded in the 3.0.6 zip package is 1.186.2.5 (vBulletin 3 package last updated: 2:35pm, Tue Jan 18th)


when was the CVS updated to 1.186.2.6 ???
Anyone ??

xbleed
Wed 19th Jan '05, 2:58pm
Anyone ??
I downloaded the Zip last night and haven't noticed any errors.

If you run into them, the fix is posted in this thread, isn't it?

Zachery
Wed 19th Jan '05, 2:59pm
Hope someone will answer this, as reading through the thread some good points are not being answered!

Could Jelsoft not review the update policy, and instead of producing a "full" vb package, just include those files etc that "have" changed. So in members you would have two versions - Full & latest upgrade.

This would save lots of people (like me) would prefer only to work with what "needs" replacing rather than the complete package. This can not be too hard - Can it ?
We do provide a list of files that have changed since the last version, it's in the announcement thread.

Zachery
Wed 19th Jan '05, 3:00pm
Anyone ??
Did you try just downloading a fresh copy and getting that file?

Reverend
Wed 19th Jan '05, 3:13pm
Did you try just downloading a fresh copy and getting that file?
Just re-downloaded and it does indeed contain the newer functions_bbcodeparse.php . Thanks.

So why does it still say "vBulletin 3 package last updated:2:35pm, Tue Jan 18th" on the download page. I first downloaded it earlier today (19th) and the functions_bbcodeparse.php had not been fixed.

Justice
Wed