The discovery of a potentially serious security hole has necessitated the release of vBulletin 3.0.7. All customers are strongly encouraged to take one of the actions described in this post.
All versions of vBulletin 3 up to and including 3.0.6 are affected only if you have enabled the Add Template Name in HTML Comments option (Admin Control Panel -> vBulletin Options -> General Settings). We hope most of you will not have had this option enabled anyway, as it is mostly for debugging and wastes a fair amount of bandwidth on a production site.
Thus, to fix the issue, you should choose one of these options:
- Disable the Add Template Name in HTML Comments option on your board.
- Download the zip file attached to this post (or from here) and overwrite the misc.php in the main vBulletin directory on your server with the version in the zip. (More extensive instructions are provided in the zip file.)
- Upgrade to 3.0.7. A link to upgrade instructions is provided below.
The Importance of Keeping Current with Security Updates
We would like to take this time to reiterate the importance of keeping current with security updates. If you are not currently running a version with the recent patches built in or have not manually patched your board, please see the 3.0.5 and 3.0.6 announcements for important patches.
Recently, more issues have been discovered than we would have liked, but we try to make patching as painless as possible to ease the burden these issues create. We are looking into ways to make patch delivery even easier for future versions.
Backing Up Your Forums
Please be sure to check that your backups are complete before continuing with an upgrade. We had reports that PHP was causing timeout errors when creating the backup SQL, resulting in incomplete or corrupted backups. The safest way to do a backup is to use the mysqldump utility through SSH/Telnet, as it will not suffer from any such problems. Full instructions for backing up your database are available in the vBulletin 3 Manual.
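One way to check that a dump file is complete before upgrading, as an added example that is not part of the original announcement or of vBulletin: it assumes the dump was made with mysqldump's default comment output, which ends a finished dump with a "-- Dump completed" line. The function names and the file name in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: check that a mysqldump backup was written through to the end.
# Assumption: the dump kept mysqldump's default comments, so a finished dump
# ends with a "-- Dump completed" line (absent with --compact/--skip-comments).

# Print the dump to stdout, decompressing .gz files on the fly.
dump_stream() {
    case "$1" in
        *.gz) gzip -dc -- "$1" ;;
        *)    cat -- "$1" ;;
    esac
}

# check_dump FILE -> 0 complete, 1 truncated or corrupt, 2 missing or empty
check_dump() {
    file=$1
    if [ ! -r "$file" ] || [ ! -s "$file" ]; then
        echo "FAIL: $file is missing, unreadable or empty" >&2
        return 2
    fi
    # A cut-off .gz fails its own integrity test before we look inside.
    case "$file" in
        *.gz) gzip -t -- "$file" 2>/dev/null || {
                  echo "FAIL: $file is a corrupt gzip archive" >&2; return 1; } ;;
    esac
    # The last non-blank line of a finished dump is the completion trailer.
    last=$(dump_stream "$file" | tail -n 5 |
           LC_ALL=C awk 'NF { l = $0 } END { print l }')
    case "$last" in
        "-- Dump completed"*) ;;
        *) echo "FAIL: $file has no completion trailer (dump was cut off)" >&2
           return 1 ;;
    esac
    # A dump with a trailer but no table definitions is not a usable backup.
    tables=$(dump_stream "$file" |
             LC_ALL=C awk '/^CREATE TABLE/ { n++ } END { print n + 0 }')
    if [ "$tables" -eq 0 ]; then
        echo "FAIL: $file contains no CREATE TABLE statements" >&2
        return 1
    fi
    echo "OK: $file complete, $tables table definitions"
}

# Usage: sh check_dump.sh forum_backup.sql.gz   (file name is a placeholder)
if [ "$#" -gt 0 ]; then
    check_dump "$1"
fi
```

A passing check shows only that the dump ran to its end; restoring it into a scratch database remains the full test of a backup.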
Installing or Upgrading vBulletin
Please see the appropriate manual sections: Installing vBulletin and Upgrading vBulletin.