vBulletin 3.5.4 Released

  • Kier
    Former Lead Developer, vBulletin
    • Sep 2000
    • 8179

    vBulletin 3.5.4 Released

    vBulletin 3.5.4

    This release of vBulletin addresses a minor cross-site scripting flaw discovered by imei addmimistrator, fixes numerous bugs and adds a few new features.

    New Feature: Enhanced File Diagnostics

    In previous versions of vBulletin, the 'Suspect File Versions' system (AdminCP > Maintenance > Diagnostics > Suspect File Versions) performed a check on each file found to ensure that its stated version matched the currently-installed version of vBulletin. Therefore, a 3.5.2 version of forumdisplay.php would be flagged for attention on a board running 3.5.3.

    The new and improved suspect file versions system extends the file checking functionality in the following ways:
    1. File version mismatch:
      The system still checks for mismatched versions
    2. File not found:
      The system will identify any missing files
    3. File not recognised:
      It will also flag any script files in vBulletin directories that are not part of vBulletin
    4. Unexpected file contents:
      The final and most important check is that on download, MD5 sums are generated for every script file in the downloaded package. The system will now compare the original MD5 sum of each file with its current MD5 sum, so it is now possible to tell instantly if any files have been modified from their original state, making it very simple to see if hacks have been installed or if files have not been uploaded correctly.


    New Feature: SkypeWeb Integration

    SkypeWeb allows the online status of Skype users to be viewed on web pages, and fits very nicely with vBulletin.




    Please note that boards on which the SkypeWeb plugin for vBulletin 3.5.3 was installed will automatically have the plugin uninstalled and the full version inserted in its place.

    Implementational changes: Archive

    The output generated by the Archive is now buffered before being sent to the client. Plugins for the Archive that generate output must be adapted in order to work correctly.

    Updating your vBulletin to combat the XSS flaw:

    Versions of vBulletin 3.5 from 3.5.0 Beta 1 to 3.5.3 are affected by the XSS flaw so we recommend that customers upgrade or patch their installations.

    For the vBulletin 3.5.x branch, the problem can be resolved in one of three ways.
    1. Full Upgrade: The best way to fix the problem is to perform a full upgrade, downloading the complete 3.5.4 package from the vBulletin Members' Area and following the regular upgrade instructions.
    2. Patch: A second option is to download the patch files discussed in this thread and upload them to your web server, overwriting the existing files.
    3. Plugin: The plugin system built into vBulletin 3.5 allows the problem to be fixed with a simple plugin. The install file for this plugin is also attached to this thread and is the easiest way to fix the problem, as it does not require you to upload any files via FTP. The plugin will be automatically removed when you perform your next full upgrade. You can install the plugin by following the instructions here.
    For a complete list of bugs fixed in 3.5.4, please click here.
    Last edited by Kier; Tue 21 Feb '06, 7:31am.
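
The four checks listed in the first post (version mismatch, file not found, file not recognised, unexpected contents), sketched as an added example that is not vBulletin's own code. The version marker regex, the manifest layout, the script extensions and the status strings are assumptions, and the sample tree is constructed:

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Hypothetical version marker; the real header format is not shown on the page.
VERSION_RE = re.compile(rb"vBulletin (\d+\.\d+\.\d+)")
SCRIPT_EXT = {".php", ".js"}


def check_tree(root, manifest, installed_version):
    """Classify files; manifest maps relative path -> MD5 recorded at packaging."""
    root, report = Path(root), {}
    for rel, expected_md5 in manifest.items():
        path = root / rel
        data = path.read_bytes() if path.is_file() else None
        found = VERSION_RE.search(data or b"")
        if data is None:
            report[rel] = "file not found"
        elif found is None or found.group(1).decode() != installed_version:
            report[rel] = "version mismatch"
        elif hashlib.md5(data).hexdigest() != expected_md5:
            report[rel] = "unexpected contents"
        else:
            report[rel] = "ok"
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and path.suffix in SCRIPT_EXT and rel not in manifest:
            report[rel] = "not recognised"
    return report


def demo():
    """Run the checks on a constructed tree with one fault of each kind."""
    def body(version, extra=""):
        return f"<?php // vBulletin {version}\n{extra}".encode()
    manifest = {name: hashlib.md5(body("3.5.4")).hexdigest() for name in (
        "index.php", "forumdisplay.php", "sendmessage.php", "includes/functions.php")}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "includes").mkdir()
        (root / "index.php").write_bytes(body("3.5.4"))
        (root / "forumdisplay.php").write_bytes(body("3.5.2"))  # stale upload
        (root / "includes/functions.php").write_bytes(body("3.5.4", "echo 1;"))  # edited
        (root / "includes/extra.php").write_bytes(b"<?php")  # not in the package
        return check_tree(root, manifest, "3.5.4")


if __name__ == "__main__":
    print(demo())
```

A check of this kind is only as reliable as the manifest: if the recorded sums live in the same writable web root as the scripts, whoever can modify a script can also update its sum.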
  • Kier
    Former Lead Developer, vBulletin
    • Sep 2000
    • 8179

    #2
    Patch File

    Patches are now available in the members' area. You may view available patches here.

    Go to the page mentioned above and download the "Security patch for 3.5.3". Extract the zip archive, then connect to your web server using FTP and overwrite the following files using the replacement versions from the zip.
    • sendmessage.php
    • includes/functions.php
    Notes:
    • You do not need to download this patch if you perform a full upgrade to 3.5.4.


    To repeat, go here to download the "Security patch for 3.5.3".

    Comment

    • Kier
      Former Lead Developer, vBulletin
      • Sep 2000
      • 8179

      #3
      Plugin File

      The file attached here allows you to fix the XSS problem using the vBulletin plugin system, without performing a full upgrade.

      Download the XML file and proceed to your vBulletin 3.5 admin control panel. Navigate to Admin Control Panel > Plugin System > Manage Products > Add / Import Product, then follow the instructions here to import the XML plugin file.

      Notes:
      • You do not need to install this plugin if you perform a full upgrade to 3.5.4
      • You do not need to install this plugin if you patch your board using the files attached to the previous post in this thread.
      • If you cannot download the patch, please see this thread.
      Attached Files

      Comment

      • Kier
        Former Lead Developer, vBulletin
        • Sep 2000
        • 8179

        #4
        Template Changes Since 3.5.3

        These are the template changes since 3.5.3 ONLY

        If you are not running 3.5.3 yet, there are significantly more changed templates than are listed here. Use "Find Updated Templates" to find the templates that have changed and incorporate those changes. You may even wish to start with a default style!

        Note:
        You need to only look through this post for templates you have customized. You do not need to take any action to ensure that your uncustomized templates are the latest versions.

        If you find a template you have customized in this list, you will likely want to include the changes made here. However, this is not always required. Under each change listed here, you will see "requires revert?" This refers to whether the changes are mandatory (yes). If the changes are mandatory, things will break if you do not incorporate the changes made. It is strongly recommended that you revert and recustomize any templates that say they require a revert. If requires revert is listed as "no", your board should continue functioning without the changes, but any bug fixes/improvements will not be applied unless you revert the template!

        Additionally, you may wish to use the "Find Updated Templates" feature in the control panel to find templates that have been changed since your last edit to them.

        -----------------------------------------------------

        reportbadpost

        Added closing tag (</form>) for the form.

        Requires Revert? Technically Yes




        pm_receiptsbit

        Added a missing </span> tag. See this bug.

        Requires Revert? No




        memberinfo_membergroupbit

        Wrapped a : in a conditional so it does not show up when there is no description. See this bug.

        Requires Revert? No




        search_forums

        For consistency, changed:
        Code:
        <if condition="$bbuserinfo['userid']">
        to:
        Code:
        <if condition="$show['member']">
        Requires Revert? No




        im_skype
        im_send_skype
        MEMBERINFO


        Minor changes to implement SkypeWeb online status support.

        Requires revert? No (Though you will need to revert if you want SkypeWeb support)




        help_bbcodes

        Changed a phrase (see this Bug)

        Requires revert? No (You will need to revert if you want a correct display)




        modifypassword

        Made changes so banned users that still have permission to view the board can change their password but not their email.

        Requires Revert? No




        calendar_edit
        newreply
        newthread
        SHOWTHREAD
        STANDARD_ERROR_LOGIN
        (new template)


        If guest posting is enabled and a registered user's session times out while posting, allow them to log back in without losing their post.

        Requires revert? No (Though recommended if you allow guests to post)




        navbar

        Added labels for username / password to increase accessibility

        Requires revert? No




        pm_newpm

        Fixed invalid HTML by adding </td></tr>

        Requires revert? No




        usernote_note

        Changed such that the smilie box expands its width properly if necessary.

        Requires revert? No

        Comment

        • Kier
          Former Lead Developer, vBulletin
          • Sep 2000
          • 8179

          #5
          Files changed since 3.5.3
          • /
            • ajax.php
            • attachment.php
            • calendar.php
            • cron.php
            • editpost.php
            • external.php
            • forumdisplay.php
            • global.php
            • inlinemod.php
            • misc.php
            • newreply.php
            • newthread.php
            • payment_gateway.php
            • postings.php
            • profile.php
            • register.php
            • search.php
            • sendmessage.php
            • showthread.php
            • subscription.php
            • usercp.php
          • admincp/
            • accessmask.php
            • diagnostic.php
            • global.php
            • index.php
            • plugin.php
            • user.php
            • usertools.php
          • archive/
            • global.php
            • index.php
          • clientscript/
            • vbulletin_ajax_namesugg.js
            • vbulletin_textedit.js
          • includes/
            • adminfunctions.php
            • adminfunctions_language.php
            • adminfunctions_template.php
            • class_bbcode.php
            • class_bbcode_alt.php
            • class_core.php
            • class_dm.php
            • class_dm_moderator.php
            • class_dm_threadpost.php
            • class_dm_user.php
            • class_paid_subscription.php
            • class_postbit.php
            • functions.php
            • functions_cron.php
            • functions_databuild.php
            • functions_digest.php
            • functions_forumlist.php
            • functions_misc.php
            • functions_newpost.php
            • functions_online.php
            • functions_user.php
            • cron/
              • activate.php
              • promotion.php
              • reminder.php

            • paymentapi/
              • class_authorizenet.php

            • xml/
              • bitfield_vbulletin.xml

          • install/ - assume all files have changed
          • modcp/
            • global.php

          Comment

          • Kier
            Former Lead Developer, vBulletin
            • Sep 2000
            • 8179

            #6
            A thread for the purpose of discussing the release of vBulletin 3.5.4 is provided here:

            Comment

            • Mike Sullivan
              Former vBulletin Developer
              • Apr 2000
              • 13327
              • 3.6.x

              #7
              Due to issues that affect a limited number of customers when running the updated "Suspect File Versions" system (see the first post), admincp/diagnostic.php has been updated as of this post.

              You do not need to update this file if you do not plan on using this system or have already used it without any problem since upgrading to 3.5.4. Customers that may be affected will be running PHP versions less than 4.2.0 or have renamed their admin/moderator control panel directories.

              Comment

              • Mike Sullivan
                Former vBulletin Developer
                • Apr 2000
                • 13327
                • 3.6.x

                #8
                Issue with patch file

                An issue has been discovered with the version of functions.php in the patch file. This only affects users who have chosen to patch; full upgrades and those using the product to fix the security issue are not affected.

                The issue relates to some users not being able to stay logged in after applying the patch. If you have this problem, you should redownload the patch from this page. We apologize for any inconvenience.

                Comment
