vBulletin 3.5.5 Release Discussion
Kier
Thu 3rd Aug '06, 1:50pm
This thread is for discussing the release of vBulletin 3.5.5.
Please use this thread to talk about things you like or installation experiences etc., but please do not use this thread to post troubleshooting queries or bug reports. These threads tend to grow very large and bug reports etc. tend to become lost and will not get attention from the support or development teams.
For troubleshooting and bug reporting, please use either the vBulletin 3.5 Bug Tracker (http://www.vbulletin.com/forum/bugs35.php?) for reporting and tracking bugs, or the vBulletin 3.5.0 forums (http://www.vbulletin.com/forum/forumdisplay.php?f=100) for general queries and troubleshooting.
iardon
Thu 3rd Aug '06, 2:33pm
I'm getting this error since the patch.
Database error in vBulletin 3.5.2:
Invalid SQL:
SELECT IF(visible = 2, 1, 0) AS isdeleted,
NOT ISNULL(subscribethread.subscribethreadid) AS issubscribed, emailupdate, folderid,threadread.readtime AS threadread, forumread.readtime AS forumread,
thread.*
FROM vbthread AS thread
LEFT JOIN vbsubscribethread AS subscribethread ON (subscribethread.threadid = thread.threadid AND subscribethread.userid = 3 AND canview = 1)
LEFT JOIN vbthreadread AS threadread ON (threadread.threadid = thread.threadid AND threadread.userid = 3)
LEFT JOIN vbforumread AS forumread ON (forumread.forumid = thread.forumid AND forumread.userid = 3)
WHERE thread.threadid = 3669;
MySQL Error : Unknown column 'canview' in 'on clause'
Error Number : 1054
Date : Thursday, August 3rd 2006 @ 12:22:38 PM
Script : http://www.dmctalk.com/showthread.php?t=3669
Referrer : http://www.dmctalk.com/forumdisplay.php?f=10
IP Address : 67.184.9.197
Username : Ilan
Classname : vb_database
Floris
Thu 3rd Aug '06, 2:34pm
Please post support questions in the appropriate forum; this forum is for discussing the release. Thank you :)
SaN-DeeP
Thu 3rd Aug '06, 2:34pm
This thread is for discussing the release of vBulletin 3.5.4.
requires edit to 3.5.5 :-)
Floris
Thu 3rd Aug '06, 2:36pm
requires edit to 3.5.5 :-)
Fixed.
Mike Sullivan
Thu 3rd Aug '06, 2:37pm
I'm getting this error since the patch.
Database error in vBulletin 3.5.2:
Invalid SQL:
SELECT IF(visible = 2, 1, 0) AS isdeleted,
NOT ISNULL(subscribethread.subscribethreadid) AS issubscribed, emailupdate, folderid,threadread.readtime AS threadread, forumread.readtime AS forumread,
thread.*
FROM vbthread AS thread
LEFT JOIN vbsubscribethread AS subscribethread ON (subscribethread.threadid = thread.threadid AND subscribethread.userid = 3 AND canview = 1)
LEFT JOIN vbthreadread AS threadread ON (threadread.threadid = thread.threadid AND threadread.userid = 3)
LEFT JOIN vbforumread AS forumread ON (forumread.forumid = thread.forumid AND forumread.userid = 3)
WHERE thread.threadid = 3669;
MySQL Error : Unknown column 'canview' in 'on clause'
Error Number : 1054
Date : Thursday, August 3rd 2006 @ 12:22:38 PM
Script : http://www.dmctalk.com/showthread.php?t=3669
Referrer : http://www.dmctalk.com/forumdisplay.php?f=10
IP Address : 67.184.9.197
Username : Ilan
Classname : vb_database
The patch is for 3.5.4 only.
iardon
Thu 3rd Aug '06, 2:39pm
So, 3.5.2 is safe?
Zachery
Thu 3rd Aug '06, 2:40pm
No, 3.5.2 is not safe.
http://www.vbulletin.com/forum/showpost.php?p=1177754&postcount=2
iardon
Thu 3rd Aug '06, 2:42pm
Hmmm, I've patched before with no problems. I'll go the private support route so as not to mess up this forum, as I'm a bit confused.
Mike Sullivan
Thu 3rd Aug '06, 2:43pm
I've edited the announcement to be clearer. You cannot use the patch unless you are running 3.5.4 already. You must either upgrade or use the plugin to fix the issue.
Floris
Thu 3rd Aug '06, 2:44pm
Each patch is different, this one can only work for 3.5.4 - for those who don't want to upgrade to 3.5.5 yet.
You're on an outdated and more insecure version. I recommend upgrading to 3.5.5 if possible.
Fusion
Thu 3rd Aug '06, 3:25pm
Plugin worked like a charm, btw. I plugged 'til I get 3.6 in. :)
Darkblade
Thu 3rd Aug '06, 4:16pm
Thanks for the update! :D
PitchouneN64ngc
Thu 3rd Aug '06, 4:34pm
Thank you for this security release ;)
thedvs
Thu 3rd Aug '06, 7:30pm
Look, I'm a bit p*ssed off. You only seem to release these security fixes when you release the next version of vB.
Do you understand why I am angry? Just exactly how long has this hole been a problem? How long have our boards been at risk?
What exactly is the risk if we don't patch?
Paul M
Thu 3rd Aug '06, 7:38pm
Look, I'm a bit p*ssed off. You only seem to release these security fixes when you release the next version of vB.
Do you understand why I am angry? Just exactly how long has this hole been a problem? How long have our boards been at risk?
What exactly is the risk if we don't patch?
Grow up a bit and put your toys back in the pram. :)
If you actually read the announcement you would see it is a preventative fix.
Following the internal discovery of a potential cross-site scripting flaw, we have decided to put out a preventative security release in order to close the hole before it is exploited.
King Kovifor
Thu 3rd Aug '06, 8:43pm
Great! But in the files changed you might want to remove:
/bugs.php -- it's not in the default package!
thedvs
Thu 3rd Aug '06, 9:07pm
Do not insult the paying customer, Paul M, and don't insult people's intelligence. This always happens... call it what you want, but as soon as you do a new release, suddenly these potential security risks arise... and you didn't answer my question... how long has this potential hole been a problem?
Billspaintball
Thu 3rd Aug '06, 9:27pm
how long has this potential hole been a problem?
Well, since there is a patch released for the same hole for vB 2.3, it's probably safe to say it's always existed.
thedvs
Thu 3rd Aug '06, 9:31pm
I want an apology, Paul M.
Floris
Thu 3rd Aug '06, 9:34pm
Instead of fighting (which we won't allow here!) click the ' post report ' if you have an issue with another user, or take the issue outside of these forums.
thedvs
Thu 3rd Aug '06, 9:34pm
I love you, Floris :)
I love my bike - do you love me?
Floris
Thu 3rd Aug '06, 9:37pm
Do not insult the paying customer, Paul M, and don't insult people's intelligence. This always happens... call it what you want, but as soon as you do a new release, suddenly these potential security risks arise... and you didn't answer my question... how long has this potential hole been a problem?
If the security issue would have been known to us BEFORE the release we would have delayed the release a bit and fixed it. It was pointed out to us after the four version releases and unfortunately that's just how it is.
Thankfully for our customers we are quick to respond to every security issue we receive and have no intention of leaving our customers waiting weeks or months for a fix. Please be patient as they're already working on this.
thedvs
Thu 3rd Aug '06, 9:38pm
That's all I wanted to hear, Floris. Thank you for the decent explanation instead of an insult!
Floris
Thu 3rd Aug '06, 9:41pm
Now, go check the announcement as a new .php file has been attached ;)
Floris
Thu 3rd Aug '06, 9:48pm
Great! But in the files changed you might want to remove:
/bugs.php -- it's not in the default package!
Updated.
ManagerJosh
Fri 4th Aug '06, 1:41am
Just to make sure here, the security bug that appeared affects the entire 3.5.x line and that patch will fix it...correct?
Floris
Fri 4th Aug '06, 1:45am
I believe every software package that allows uploading and downloading of attachments and used by IE, yes.
TVsac.com
Fri 4th Aug '06, 1:48am
Great :)
eJM
Fri 4th Aug '06, 2:47am
I did the .xml plug-in patch until I'm ready to upgrade to 3.6.x. Am I assuming correctly that the attachment.php file is NOT for those of us who took this route, but only for those who upgraded fully to 3.5.5?
Thanks for any clarification.
jw00dy
Fri 4th Aug '06, 3:26am
Thanks for the plug-in. That really makes it easy to take care of a problem until I can get the time to make the official upgrade.
BoYagoob
Fri 4th Aug '06, 4:04am
If I am running vB3.5.4, shall I upload this attached file and remove the old one:
attachment.php
http://www.vbulletin.com/forum/showpost.php?p=1178744&postcount=7
?
777333
Fri 4th Aug '06, 7:29am
I did the .xml plug-in patch until I'm ready to upgrade to 3.6.x. Am I assuming correctly that the attachment.php file is NOT for those of us who took this route, but only for those who upgraded fully to 3.5.5?
Thanks for any clarification.
Can someone from vbulletin team confirm this? Thank you.
Mike Sullivan
Fri 4th Aug '06, 7:44am
I did the .xml plug-in patch until I'm ready to upgrade to 3.6.x. Am I assuming correctly that the attachment.php file is NOT for those of us who took this route, but only for those who upgraded fully to 3.5.5?
Thanks for any clarification.
No, independent issues.
If you use the plugin, you need to use attachment.php from the announcement as well.
If you used the patches from the members' area before Kier's latest post, you can use the attachment.php from the announcement or redownload the patch.
If you did a full upgrade, you can use attachment.php or redownload the full package.
StianS
Fri 4th Aug '06, 8:24am
I have a vBulletin 3.5.0 board, and I have applied *all* of the security patches when they were released (the last one Feb 21st 2006 when 3.5.4 was released).
I also applied the plugin that was released today. Does this mean that I'm safe until I can get a chance to upgrade to 3.6?
bh30.com
Fri 4th Aug '06, 10:05am
Does this version have more security than 3.5.4,
or is it only a little bit different?
Rob B
Fri 4th Aug '06, 11:01am
I uploaded the plugin and then the new attachment.php file. Is that me done then?
StianS
Fri 4th Aug '06, 11:33am
Please use this file (attachment.php) only to patch vBulletin 3.5.5. Patches for the three other versions released today are attached to their respective announcement threads.
Then what do we do if we're running a 3.5.0 or 3.5.4 board? Do we *have* to upgrade to 3.5.5?
I have a vBulletin 3.5.0 board, and I have applied *all* of the security patches when they were released (the last one Feb 21st 2006 when 3.5.4 was released).
I also applied the plugin that was released today. Does this mean that I'm safe until I can get a chance to upgrade to 3.6?
brvheart
Fri 4th Aug '06, 2:47pm
I need some assistance here....I did the plugin patch to 3.5.5 from 3.5.4, I also did the template reverts as I saw in the thread.....now I can get the log in screen to the admincp, but when I enter my password....it just sits there and I can no longer get in to the admincp. The first template revert for STANDARD_REDIRECT went fine, then I did ModifyProfilePic and that is when the admincp locked up. Could someone help me please?
Zachery
Fri 4th Aug '06, 3:41pm
If you did the plugin you did not upgrade, and there wasn't anything else for you to do. Please start a thread in the correct forum for support.
kman2000
Fri 4th Aug '06, 4:27pm
I am thoroughly confused after reading the update options. The patch option says to open the zip and upload includes/functions.php, but it doesn't say to also upload attachment.php which is also in the zip. I assume that I need to overwrite both files, correct?
There is also a list of template and file changes -- do I also need to do something about those? If this is just a "preventative security release" to fix an XSS hole, why would all those templates and files also change? Or are there functional changes and other bug fixes as well? Am I ok to just upload the two files in the patch and ignore the template and file changes?
feldon23
Fri 4th Aug '06, 8:48pm
I'm getting this error since the patch.
Database error in vBulletin 3.5.2:
Jelsoft has been very good with these security plugins, but I think if it is not too difficult, it should be possible to stay patched for a bit longer. vB3.5.5 security plugin working on vB3.5.0 gold if not too much trouble.
I am running vB3.5.2 with the 3.5.3, 3.5.4, and 3.5.5 security plugins and did not get the SQL error posted by iardon.
Floris
Sat 5th Aug '06, 8:24pm
I am thoroughly confused after reading the update options. The patch option says to open the zip and upload includes/functions.php, but it doesn't say to also upload attachment.php which is also in the zip. I assume that I need to overwrite both files, correct?
There is also a list of template and file changes -- do I also need to do something about those? If this is just a "preventative security release" to fix an XSS hole, why would all those templates and files also change? Or are there functional changes and other bug fixes as well? Am I ok to just upload the two files in the patch and ignore the template and file changes?
The patch is for 3.5.4 ONLY
If you run an older version you must upgrade.
kman2000
Sat 5th Aug '06, 8:33pm
The patch is for 3.5.4 ONLY
I am running 3.5.4 -- I'm still not clear about the instructions.
feldon23
Sat 5th Aug '06, 10:32pm
Installing the security plugin, which makes 1 change, will secure you from this security vulnerability. It is the least obtrusive way to get secured.
Installing vB 3.5.5 with all the template changes and replaced files will fix numerous bugs found since vB 3.5.4 was released.
Two totally different things.
Still curious about running vB3.5.2 and having the 3.5.3, 3.5.4, and 3.5.5 security plugins installed. I am trying to clear an 8 hour space in my schedule to upgrade to vB3.6.
Floris
Sun 6th Aug '06, 8:23pm
I am running 3.5.4 -- I'm still not clear about the instructions.
My intention was to quote iardon. Not sure what went wrong ;)
feldon23
Mon 7th Aug '06, 12:10pm
It occurs to me now that I mentioned 3.5.2, 3.5.3, 3.5.4, 3.5.5 security patches in my posts. I meant plugins. Hopefully we can keep using plugins to keep a 3.5.1 or 3.5.2 forum secure.
labrocca
Thu 10th Aug '06, 2:22am
I believe I updated properly, yet my forums still display as 3.5.4. Is this normal?
Steve Machol
Thu 10th Aug '06, 2:30am
This means that you did not properly upgrade. You need to upload all the 3.5.5 files and run upgrade.php all the way through.
labrocca
Sat 12th Aug '06, 3:06pm
Odd since I tried 2 different ways to upgrade and neither seemed to take effect.
I uploaded both files that needed changing (attachment.php, includes/functions.php). Neither seem to change my version number. Would I need to recount a statistic or something?
I also tried the XML patch...not sure if it worked but it certainly didn't change my version number.
Please advise me Steve on the issue and how to proceed.
Steve Machol
Sat 12th Aug '06, 3:25pm
This thread is for discussion. Start a new thread in the troubleshooting forum for specific help.
telc
Sun 13th Aug '06, 5:31pm
How does an admin know if they have fallen victim to a cross-site scripting attack, if they got hit before patching? Are there traces or rogue files they should look for that would have gotten created on the server?
patrickstar
Thu 17th Aug '06, 6:26pm
I'm a little confused.
I have 3.5.4.
I installed the plugin.
I have hacks installed on my site but it looks like none of the templates mentioned about reverting.
What next?
Thanks.
Colin F
Thu 17th Aug '06, 6:31pm
The plugin will not require you to revert any templates.
feldon23
Thu 17th Aug '06, 6:33pm
The plugin doesn't get you to 3.5.5. It fixes that one security flaw and nothing else.
patrickstar
Thu 17th Aug '06, 7:23pm
The plugin will not require you to revert any templates.
What next?
Thanks.
patrickstar
Thu 17th Aug '06, 7:24pm
The plugin doesn't get you to 3.5.5. It fixes that one security flaw and nothing else.
That's why I asked "what next?"
Steve Machol
Thu 17th Aug '06, 8:05pm
What do you mean 'what next'?
patrickstar
Thu 17th Aug '06, 8:16pm
What do you mean 'what next'?
Well, the plugin only takes care of one problem, right?
I'm just confused on the next step?
Steve Machol
Thu 17th Aug '06, 8:18pm
That depends on what you want to do. If you want to upgrade, then upgrade instead of installing that plugin. Those are two separate things.
patrickstar
Thu 17th Aug '06, 8:53pm
Well, I understand that. That's why I chose to do the plugin, because I do not want to upgrade. I don't feel I know enough to upgrade right now without asking a thousand more questions. I'm not sure what to do with my hacks if I upgrade; will they work or not?
If you haven't noticed, I can barely get past this without having to literally write a book for answers.
The thread that explains this whole deal is somewhat confusing, post after post, "if this.....", "if that....".
That's why I laid it as simple as I thought I could have: "I have this, I did that, what next?"
So, given what I've already said, that I have 3.5.4, I have installed the plugin, to prevent a possible security problem is there something else I need to do with my vB software to protect it?
Thanks.
Colin F
Thu 17th Aug '06, 9:10pm
No, 3.5.4 with the plugin is secure.
TruthElixirX
Thu 17th Aug '06, 9:33pm
No, 3.5.4 with the plugin is secure.
Doesn't he also need to upload the new attachment.php?
patrickstar
Thu 17th Aug '06, 9:41pm
OK, just wanna make sure: in these two posts it states something to the effect of a second problem not solved by just the plugin.
http://www.vbulletin.com/forum/showpost.php?p=1177751&postcount=1
In option 3 it states: "Note: If you are using the plugin, you must still upload the attachment.php in this post (http://www.vbulletin.com/forum/showpost.php?p=1178744&postcount=7) to fix the second issue!"
http://www.vbulletin.com/forum/showpost.php?p=1177756&postcount=3
In this post it also states: "This XML file does not fix the attachment.php issue. You must use the version attached to a post below to fix that issue!"
patrickstar
Thu 17th Aug '06, 9:46pm
Doesn't he also need to upload the new attachment.php?
Well, it looks like that patch might be for the people who downloaded 3.5.5 prior to the fix.
But the thread that covers all this is confusing.
And I could be wrong.
Colin F
Fri 18th Aug '06, 5:38am
OK, my mistake. For a secure 3.5.5 you'll need to upload the attachment.php file and import the plugin.
feldon23
Fri 18th Aug '06, 7:33am
Then the 3.5.5 patch should check for the presence of the updated attachment.php file and if it's not there, it should present an error message.
Can we say "false sense of security"?
patrickstar
Fri 18th Aug '06, 6:06pm
OK, my mistake. For a secure 3.5.5 you'll need to upload the attachment.php file and import the plugin.
lol,........I don't have 3.5.5.
I have 3.5.4.
I installed the plugin.
Do I need to do anything else to secure my paid lifetime vBulletin 3.5.4 software?
Thanks.
Colin F
Sat 19th Aug '06, 6:11am
Did you upload the attachment.php file, overwriting your current file?
patrickstar
Sat 19th Aug '06, 11:33am
Did you upload the attachment.php file, overwriting your current file?
Nope:
I installed the plugin.
Do I need to do anything else to secure my paid lifetime vBulletin 3.5.4 software?
Thanks.
bboy
Mon 21st Aug '06, 12:23am
I'm currently on version 3.5.4. I have downloaded the patch for 3.5.5:
functions.php
attachment.php
Is it simply a matter of overwriting these two files and I'm good to go? I don't need to run any scripts or anything? :confused:
Colin F
Mon 21st Aug '06, 5:07am
That's only to patch your current installation. It will only fix the security issues, but won't update your forum.
bboy
Mon 21st Aug '06, 10:18am
That's only to patch your current installation. It will only fix the security issues, but won't update your forum.
You mean I won't be running what is considered 3.5.5 but rather 3.5.4 with the security hole fixed?
I assumed 3.5.5 was just exactly that, a security fix. What other differences does updating the forum itself to 3.5.5 bring?
feldon23
Mon 21st Aug '06, 10:30am
You mean I won't be running what is considered 3.5.5 but rather 3.5.4 with the security hole fixed?
I assumed 3.5.5 was just exactly that, a security fix. What other differences does updating the forum itself to 3.5.5 bring?
Dozens of bugfixes, big and small. Check the Bug Tracker to see all the bugs fixed between 3.5.4 -> 3.5.5. You might not even have noticed these bugs, or they might affect a feature you aren't using on your forum.
As with all of these updates, either you can do the security patch, which replaces typically 1 or 2 files, and gets you secure, or you can do the full upgrade, which requires reuploading ALL the php, javascript, etc. files. I am very glad that vBulletin offers a way, by uploading 1 or 2 files, to keep our forums secure in less than 30 seconds.
Antivirus
Thu 31st Aug '06, 11:48am
Currently my server is running PHP v4.3.10 and vbulletin v3.5.4. I'm considering upgrading to vbulletin 3.5.5 however, my server will be upgrading to PHP v5 shortly.
My question is... will vbulletin 3.5.5 run on php 5? What about vbulletin 3.5.4, will that run on php 5? Because the server may be upgraded to php5 before I am able to upgrade my vbulletin to v3.5.5
Thanks :)
Cromulent
Thu 31st Aug '06, 1:26pm
Yes, vBulletin 3.5.x runs on PHP5.
Antivirus
Thu 31st Aug '06, 1:54pm
thanks :)