vBulletin 2.3.9 Released

  • Kier
    Former Lead Developer, vBulletin
    • Sep 2000
    • 8179

    vBulletin 2.3.9 Released

    vBulletin 2.3.9

    A recently discovered cross-site scripting (XSS) flaw in all three branches of vBulletin has prompted us to perform a security update, releasing new versions of vBulletin 2, 3.0.x and 3.5.x simultaneously. vBulletin 2.3.x also contains an XSS flaw related to bbcode parsing; this problem is also resolved by the release of 2.3.9.

    All prior versions of vBulletin are vulnerable and we advise customers to upgrade or patch their vBulletin installations at their earliest convenience.

    For the vBulletin 2.3.x branch, the problem can be resolved in one of two ways.
    1. Full Upgrade: The best way to fix the problem is to perform a full upgrade, downloading the complete 2.3.9 package from the vBulletin Members' Area and following the regular upgrade procedure.
    2. Patch: A second option is to download the patch files attached to this thread and upload them to your web server, overwriting the existing files.
    Please do note that vBulletin 2.3.x and 3.0.x are reaching the end of their lives and are no longer actively developed, except for bug fixes. If you have not yet upgraded to vBulletin 3.5, you should consider doing so.

    Upgrade Instructions:

    Instructions for upgrading to vBulletin 2.3.9 are available here.
  • Kier
    Former Lead Developer, vBulletin
    • Sep 2000
    • 8179

    #2
    Patch File

    The file attached here allows you to fix the XSS problems without performing a full upgrade.

    Download the file and extract the zip archive, then connect to your web server using FTP and overwrite the following files using the replacement versions from the zip.
    • online.php
    • admin/functions.php

    Notes:
    • You do not need to download this patch if you perform a full upgrade to 2.3.9, 3.0.12 or 3.5.3.
    • If you cannot download the patch, please see this thread.

    • Kier
      Former Lead Developer, vBulletin
      • Sep 2000
      • 8179

      #3
      Template Changes Since 2.3.8

      There have been no templates altered in the vBulletin 2.3.x branch since the release of 2.3.8.


      • Mike Sullivan
        Former vBulletin Developer
        • Apr 2000
        • 13327
        • 3.6.x

        #4
        Files changed since 2.3.8
        • online.php
        • admin/
          • functions.php
          • global.php
          • vbulletin.style / install.php / upgrade*.php -- for version numbers


        • Kier
          Former Lead Developer, vBulletin
          • Sep 2000
          • 8179

          #5
          You can discuss this release using this thread:
