[fixed in 2.2.5] memberlist.php potential XSS

UserName
Fri 22nd Mar '02, 9:44pm
Content was removed so that the enterprising don't take it upon themselves to attempt to exploit this.

Open memberlist.php

On the first line you will see:

<?php

On the line beneath that, place:

$letterbits = '';

so that you then have:

<?php
$letterbits = '';

UserName
Fri 22nd Mar '02, 9:50pm
The fix suggested in the bugtraq report is this:


I believe the simplest fix would be to initialize letterbits:

($letterbits = "";)

at the top of memberlist.php.

Do the vBulletin developers agree?
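The two posts above describe the fix but, deliberately, not the bug. The example below is added here and is not vBulletin's code or the bugtraq poster's; it models the bug class involved. Under PHP's old register_globals setting every request parameter became a PHP variable before the script ran, so a variable the script only ever appended to, and never gave a starting value, could be pre-seeded by the request and its contents copied straight into the page. The function names, the link format, the `letter` parameter and the constructed request are all assumptions; only `$letterbits` and `memberlist.php` come from the thread.

```php
<?php
// Added example, not vBulletin's own code. Models why an uninitialised
// $letterbits was a problem under register_globals and why the one-line
// fix from this thread closes it. Names other than $letterbits are assumed.

// Constructed request: what a client could have placed into the global
// variable namespace when register_globals was on. The value is a harmless
// marker so the effect can be checked without any real markup.
function request_with_seeded_letterbits(): array
{
    return ['letterbits' => 'SEEDED-BY-REQUEST '];
}

// Assumed shape of the bug: $letterbits is only ever appended to, so whatever
// register_globals put there first is kept and rendered.
function build_letterbits_vulnerable(array $request, array $letters): string
{
    extract($request);                               // stands in for register_globals
    foreach ($letters as $letter) {
        $letterbits .= '<a href="memberlist.php?letter=' . $letter . '">' . $letter . '</a> ';
    }
    return $letterbits;                              // seeded prefix survives
}

// The fix from this thread: assign $letterbits a starting value at the top of
// the script, i.e. after the globals have already been imported, so a request
// cannot pre-seed it. Escaping each letter is an extra defence-in-depth step
// that is not part of the original one-line fix.
function build_letterbits_fixed(array $request, array $letters): string
{
    extract($request);
    $letterbits = '';                                // the one-line fix
    foreach ($letters as $letter) {
        $safe = htmlspecialchars($letter, ENT_QUOTES, 'UTF-8');
        $letterbits .= '<a href="memberlist.php?letter=' . rawurlencode($letter) . '">'
                     . $safe . '</a> ';
    }
    return $letterbits;
}

// Regression-style check a maintainer could keep: the rendered letter bar must
// contain only markup the script generated itself.
function letterbits_is_clean(string $html): bool
{
    return strpos($html, 'SEEDED-BY-REQUEST') === false;
}

$letters = range('A', 'C');
$request = request_with_seeded_letterbits();

$vulnerable = build_letterbits_vulnerable($request, $letters);
$fixed      = build_letterbits_fixed($request, $letters);

echo "unfixed:  ", letterbits_is_clean($vulnerable) ? "clean" : "request content reached the page", "\n";
echo "fixed:    ", letterbits_is_clean($fixed) ? "clean" : "request content reached the page", "\n";
```

The ordering matters: register_globals populated variables before the first line of the script executed, which is why the thread puts the assignment directly under the opening `<?php` tag and not somewhere later in the file. The same check also explains why the fix is complete for this variable regardless of how the value was supplied (GET, POST or cookie), since the assignment overwrites all of them.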

Freddie Bingham
Fri 22nd Mar '02, 10:34pm
Yes, that would be an acceptable way.

Would you:

(a) Want v2.2.5
(b) Want a thread that tells you how to fix the problem on your own.
(c) Want only affected files to be posted as a 'patch' for you to download?

Paul
Sat 23rd Mar '02, 12:47am
Hi there,

It seems that all of those three, if possible, would be the most beneficial.

1. The main source should be modified so that new users/those who choose to can install a fresh, non-compromisable version
2. Instructions for those who have highly modified forums can be followed as an interim fix.
3. A patch file would help with number 2.

At the very least, I'd appreciate it if someone would post instructions to fix it at this time until the other two can be done. The Bugtraq post was made quite a while ago and has a very large subscription. This is something that should be attended to ASAP. :)

Paul

Freddie Bingham
Sat 23rd Mar '02, 1:15am
The post was made today. Follow the instructions found in the first post of this thread for the time being and you will be 100% safe.

Steve_S
Sat 23rd Mar '02, 1:53am
Thank you Dr. Freddie :)

UserName
Sat 23rd Mar '02, 2:26am
Thanks for the quick response, vB! :)

Guichi
Mon 25th Mar '02, 2:37pm
Originally posted by freddie
Yes, that would be an acceptable way.

Would you:

(a) Want v2.2.5
(b) Want a thread that tells you how to fix the problem on your own.
(c) Want only affected files to be posted as a 'patch' for you to download?

not sure about a new version but i would suggest some sort of mass mailing or patch. if it takes naming it 2.2.5 then so be it but i think everyone needs to be notified about this. :)

Freddie Bingham
Mon 25th Mar '02, 2:51pm
v2.2.5 will be released shortly.

Let all of the uproar begin.

Jake Bunce
Mon 25th Mar '02, 3:31pm
Originally posted by freddie
v2.2.5 will be released shortly.

Let all of the uproar begin.

it's much better to release a whole new update for a major bug fix.

Freddie Bingham
Mon 25th Mar '02, 3:51pm
Originally posted by Jakeman
it's much better to release a whole new update for a major bug fix.

Oh there will be many all in the same vein as this reported one.

filburt1
Mon 25th Mar '02, 6:09pm
I'm thinking this definitely needs to be in the Announcements forum so people can patch their boards.

Floris
Mon 25th Mar '02, 6:15pm
I believe there has just been an E-mail out to the members?
My E-mail client crashed during mail fetching, so upon restart, I couldn't find the email anymore. Could someone forward it to me please? info@creations.nl

filburt1
Mon 25th Mar '02, 6:22pm
I didn't get a mass mail :confused:

Floris
Mon 25th Mar '02, 6:23pm
Originally posted by freddie
Yes, that would be an acceptable way.

Would you:

(a) Want v2.2.5
(b) Want a thread that tells you how to fix the problem on your own.
(c) Want only affected files to be posted as a 'patch' for you to download?

I would like a nice 2.2.5 vbulletin.zip with upgrade18.php so I can upload new memberlist.php and let upgrade18.php fix the version number.. and some kind of description which other files might have been modified (typo's? and other smaller bugs) + templates that have changed; gathered with some info on which is required for upgrading and what is optional. That way > users who complain about another upgrade, can just skip to the important part and patch manually, and the rest can just shut up :P

Floris
Mon 25th Mar '02, 6:24pm
Originally posted by filburt1
I didn't get a mass mail :confused:

I think it was about something else, and I might just have read it incorrectly, others confirmed there was no bulletin email sent. Ignore that post :)

Freddie Bingham
Mon 25th Mar '02, 7:13pm
Originally posted by filburt1
I didn't get a mass mail :confused:

We haven't released v2.2.5 yet, that is why.

Floris
Tue 26th Mar '02, 2:34pm
Originally posted by freddie
We haven't released v2.2.5 yet, that is why.

So .. it's been a day or close to that, .. will 2.2.5 be out soon or should I manually apply the fix ?

Freddie Bingham
Tue 26th Mar '02, 3:14pm
Originally posted by xiphoid
So .. it's been a day or close to that, .. will 2.2.5 be out soon or should I manually apply the fix ?

We are working on many related issues, which is delaying the release. It will be any day now but you can apply this fix that I posted.

hypedave
Tue 26th Mar '02, 3:15pm
does this mean that development on vb3 has been put to a stand still until vb 2.2.5 is released :confused:

Floris
Tue 26th Mar '02, 4:17pm
Originally posted by freddie
We are working on many related issues, which is delaying the release. It will be any day now but you can apply this fix that I posted.

Uhoh, more issues! :/

Thank you for your reply, and I will apply the fix.

tubedogg
Tue 26th Mar '02, 4:18pm
Originally posted by hypedave
does this mean that development on vb3 has been put to a stand still until vb 2.2.5 is released :confused:

Sort of.

Floris
Tue 26th Mar '02, 4:21pm
Originally posted by UserName
On the line beneath that, place:
$letterbits = ''

I advise putting a ; behind it. Otherwise it will be confusing to users I guess.

hypedave
Tue 26th Mar '02, 4:44pm
Originally posted by tubedogg
Sort of.


well in a way I guess it's good
the more I look at that vb3 avatar, the more I want vb3,
you guys keep up the good work

Freddie Bingham
Tue 26th Mar '02, 4:49pm
Originally posted by hypedave
does this mean that development on vb3 has been put to a stand still until vb 2.2.5 is released :confused:

Well Kier and I are still working on v3 and we have done the bulk of the work (Kier the most) so it doesn't affect it all that much.

Joshua Clinard
Tue 26th Mar '02, 4:54pm
What other problems are you working on?

hypedave
Wed 27th Mar '02, 2:43am
cool the bulk of the work for vb3 is done,
keep up the good work

tubedogg
Wed 27th Mar '02, 11:06am
Originally posted by hypedave
cool the bulk of the work for vb3 is done,

No, the bulk of the work that has been done was done by Kier and Freddie. That does not mean the bulk of vB3 is done.

hypedave
Wed 27th Mar '02, 11:14am
Originally posted by tubedogg
No, the bulk of the work that has been done was done by Kier and Freddie. That does mean the bulk of vB3 is done.

so does that mean the bulk of the work is done by them and now you have to go in and hack the requested hacks heheheheh :D

MW[MWGN]
Thu 28th Mar '02, 8:12pm
Is it actually necessary to run the upgradeX files, can you just manually change the version number? How can I prevent from finding all those installers of hacks and run the upgrade option to update the database? :)

Marshalus
Thu 28th Mar '02, 10:06pm
Hey MW, Nice seeing SOMEONE from the community besides me has a registered copy of vB. ;)

Does anyone know if this is the only file that this fix needs to be applied on? Are there other known holes like this?

MW[MWGN]
Fri 29th Mar '02, 9:11am
hey Marshalus! good to see another legal vB user in the C&C community =), well perhaps now it makes 2, me and you, heh.
anyway, I think it's just memberlist.php involved...

Marshalus
Fri 29th Mar '02, 3:21pm
I used to think there were 3 of us, but then I found Jelsoft is on MHR's back about his 'legal' copy right now.

Arsenik
Sun 21st Apr '02, 6:16am
Wasn't this fixed in 2.2.5? Maybe add a "fixed" mention to the title so we know it has been fixed.

Take care