vBulletin 3.0.5 Released

[Kier]

vBulletin 3.0.5



Critical Update

The discovery of a serious security vulnerability in versions of vBulletin 3 up to and including 3.0.4 has necessitated the immediate release of a version to plug the hole.

The vulnerability affects anyone running vBulletin 3 on PHP 4 with register_globals enabled in php.ini.

This is a CRITICAL update, and urge all affected customers to upgrade vBulletin with the utmost urgency.

vBulletin 3.0.5 includes all the updates recently released as part of vBulletin 3.0.4, including a long list of fixes for minor annoyances and bugs found since version 3.0.3.

If you are running vB 3.0.0, 3.0.1, 3.0.2, 3.0.3 or 3.0.4 and are unable to upgrade immediately, we recommend that you download the init.php file attached to this message and overwrite the init.php in the includes folder of your existing vBulletin installation. This will patch the flaw. If you are running a RC or Beta version of vB 3, you will need to upgrade to 3.0.5 now. Note that this version of init.php supercedes the init.php patch available with the 3.0.4 release.



Important Warning About Sensitive Data

Due to the nature of the vulnerability discovered in vBulletin 3, and as part of our ongoing effort to maximize security, we must assume that one or all of the vBulletin servers may have been compromised.

Therefore, we would STRONGLY RECOMMEND that any customers who may have submitted sensitive data; such as vBulletin admin control panel or server login details, to Jelsoft staff in the past should take steps to alter these details, so that any information that may have been accessed by an unauthorized party could not be used.

We would like to reassure our customers that Jelsoft keeps NO RECORD of credit card numbers used in transactions, making it impossible for these details to be discovered or abused.

Additionally, steps have been taken and are ongoing to ensure that any potentially leaked data does not contain sensitive data.



Security Issues in PHP 4.3.9, 5.0.2 and Older

As we have mentioned before, a security issue was detected in PHP versions up to and including 4.3.9 and 5.0.2. Updated versions have been released by the PHP team.

The internet is currently crawling with worms hunting for vulnerable servers, with many sites having fallen foul of these bugs already. We would therefore remind our customers to upgrade to the latest versions of PHP as soon as possible.

The updated PHP versions, which fix the vulnerability are:
PHP 4.3.10
PHP 5.0.3



Backing Up Your Forums

Please be sure to check your backups, that they are complete before continuing with an upgrade. We had reports that PHP was causing time out errors when creating the back up SQL, and this was causing for incomplete or corrupted backups. The safest way to do a backup is to use the mysqldump utility through SSH/Telnet, as it will not suffer from any such problems. Full instructions for backing up your database are available in the vBulletin 3 Manual.



Installing or Upgrading vBulletin

Please see the appropriate manual sections: Installing vBulletin and Upgrading vBulletin.



Note: At approximately 11:25 PM (EST) on Jan 8th, the members' area package and the attached init.php were updated with this bug fix.

[Kier]

3.0.3 to 3.0.4

• 3118 - AdminCP Stats are misaligned
• 3126 - Little typo in includes/functions_databuild.php
• 3132 - Short php tags used in forum.php and upgradecore.php
• 3135 - Problem with adding multiple smilies when the full URL is used
• 3139 - forumpermissions.php: Displaying a single forum is broken
• 3123 - Rebuild Styles is in English
• 3235 - Referral Report
• 3150 - Jelsoft Enterprises Limited Link in Admin Panel
• 3166 - Wrong redirect when changing into pda mode
• 3176 - Wrong link in ACP View Rep Comments
• 3164 - Who's online problem
• 3158 - Copy thread issues
• 3179 - Who's online problem - 2
• 3127 - Indexing Inefficiency
• 3172 - Style Issue Upon Registration
• 3184 - Leave email field
• 3149 - Each time you Preview, you lose a little more of your message
• 3163 - Memberlist Search member then change sort order give wrong result
• 3188 - List Visitors in the Last 24 Hours show lastvisit day
• 3189 - E-mail support for .museum TLD
• 3182 - Parent E-Mail Bug
• 3198 - Uncached template: modifysignature
• 3209 - Moderators now shown in ACP/Forum Manager (Single mode)
• 3203 - Search Users from ACP bug
• 3215 - buildpostcache doesn't work properly
• 3219 - Invalid XHTML
• 3169 - Renaming using does not rename thread starter
• 3221 - Adding a Poll for admins / mods shouldn't expire
• 3193 - Date shown in navbar after event submission is wrong
• 3262 - View Reputation Comments
• 3249 - Announcements one day off
• 3268 - Can't view permissions through forum manager
• 3264 - Wrong links in modcp/banning.php
• 3276 - Images with a width of 1px cause database error
• 3283 - FAQ searching
• 3287 - Postcount Problem with Deleting Forum
• 3115 - running install.php, catching blank page
• 3303 - Partial "Rebuild Search Index" doesn't stop correctly
• 3312 - 'alt3' CSS Class
• 3314 - Image Error in language editing
• 3328 - Wrong text in admincp/statistics
• 3326 - Problems with Memberlist searching when Advanced Search is turned off
• 3348 - Problem with searching for a user in the Mod CP
• 3361 - faq.php unchecked do variable
• 3360 - Forum Links without permissions
• 3351 - Possibility to use every function in a template condition
• 3510 - Two deletions of the same thread will cause database error
• 3365 - "Edited by" shows for admin if user gave reason.
• 3382 - referrerid cookie in register.php
• 3383 - Registration problem with custom field
• 3392 - No sanitization of poststarttime
• 3388 - Existing Searches ignored - Search always rebuilt!
• 3393 - Error handling on save smilies
• 3137 - Error with changing an users avatar via admin cp
• 3427 - Expired password reset results in error with PHP5
• 3485 - Add Camino support to WYSIWYG
• 3536 - Spelling error in ranks_modify_text
• 3488 - Unable to resend email if can view forums is set to no
• 3138 - More untranslated text
• 3195 - custom field on user options page
• 3357 - Problem with "empty" unread_x_nav phrase
• 3526 - Hard-coded phrase
• 3523 - calendar url parsing
• 3522 - variable typo
• 3519 - "Undefined" randomly appearing in posts
• 3512 - external.php fails to check if a password is required for a forum
• 3507 - admincp/user.php -> pruneusers
• 3477 - Subforum (xx Viewing) problem
• 3483 - User Permission Bug
• 3447 - Apache 2 version isn't displayed
• 3505 - Installer does not guess at port for forum/home page URL
• 3334 - $vbphrase[to_delete_a_folder] seems not to be filled
• 3120 - Helptext for profile fields
• 3140 - $vbphrase[terrible] is in the wrong category
• 3161 - $vbphrase[alignment] does not display in vBulletin options
• 3175 - Missing form action attribute
• 3159 - Phrase closed_thread missing in showthread
• 3128 - Quote on a post shown as unread
• 3200 - Some bug in PM
• 3250 - Missing help info for FAQ manager varname
• 3252 - Sentence in the MSN popup
• 3313 - Typo in a phrase
• 3318 - problems with phpinclude_start template
• 3297 - Edit Post Access Keys
• 3322 - Phrase typo
• 3223 - Password History does not do anything
• 3288 - Super Trivial -- Help File...
• 3298 - When drawing poll result bars, language direction not taken into account
• 3325 - Default Time Zone Offset has no effect
• 3404 - Typo in functions_image.php
• 3391 - Different Thread Ratings shown in showthread.php & forumdisplay.php
• 3201 - Failure to edit avatars within AdminCP
• 3338 - Activation error
• 3374 - Combination Of Characters Not Allowing Login
• 3411 - Javascript error in css.php
• 3447 - Apache 2 version isn't displayed
• 3455 - Physical delete a thread does not remove records for "soft deleted posts" inside
• 3202 - Activation Letter and spam
• 3213 - Sort by Last Visit affected by Invisible Mode
• 3237 - Html entity value of space isn't detected
• 3332 - Error when renaming a template when the new name already exists
• 3180 - bbcode manager sql error
• 3352 - Poll Maximum Options
• 3353 - email vbcode not in vbcode list
• 3286 - Opera Search Display Error
• 3225 - Show Default Post Icon description incorrect
• 3379 - SQL Injection in Authorize.net callback code
• 3337 - Add user to your *nothing* list
• 3116 - translating the sort order submit button
• 3240 - Members list not sorting by reputation
• 3405 - Extra htmlspecialchars() on search string display for phrase search

3.0.4 to 3.0.5

• 3575 - Javascript error into head of ACP
• 3573 - Can't use some bbcodes
• 3574 - Local date is not shown correctly
• 3580 - New User Email doesn't contain proper strings for Custom Checkbox and Multiple Selects
• 3578 - Can't send PMs to some users when using a multibyte language
• 3582 - Calendar.php (3.0.4) Error in the code
• 3591 - Type in $vbphrase[options_options_minreputationpost_text]
• 3572 - search thread results return other threads
• 3593 - Child Style and '--'
• 3569 - Referrer Check fails when not using port 80
• 3598 - Template Manager - Javascript Error in FireFox
• Additional PHP5 compatibility changes
• Potential security issue
• Changes so enabling NOSHUTDOWNFUNC does not cause conflicts with certain systems.
• New error handler designed to prevent accidental path disclosure

[Kier]

3.0.3 to 3.0.4

newpoll If there is no maximum number of options, don't display text saying there is.
Requires revert? No.

help_bbcodes
Added [ email] BB code documention.
Requires revert? No.

search_results
Changed all instances of colspan="20" to colspan="7" for Opera.
Requires revert? No.

modifylist_adduser
Altered the template to use slightly different phrases.
Requires revert? No.

FORUMDISPLAY
Removed the fixed width settings from the thread controls at the bottom of the page so that translated words that are longer than the specified width are displayed properly.
Requires revert? No.

SHOWTHREAD_SHOWPOST
Change <form> to <form action="showpost.php">
Requires revert? No.

pm_newpm
Made the changes listed in Freddie's post here.
Requires revert? No

phpinclude_start
Changed the instructional comments
Requires revert? No

editpost
Changed accesskey for Delete button from 's' to 'd'
Requires revert? No

pollresult
Changes poll bar image references to account for right-to-left languages also.
Requires revert? Only if you use a rtl language.

userfield_select
Consitency with other select fields
Requires revert: Yes if desired

3.0.4 to 3.0.5

MEMBERINFO Line 250, change this
<if condition="$userinfo['birthday'] OR $customfields">
to this
<if condition="$show['extrainfo']">
Requires revert? Yes

[Kier]

3.0.3 to 3.0.4

• /
  • announcement.php
  • calendar.php
  • editpost.php
  • external.php
  • faq.php
  • forumdisplay.php
  • global.php
  • memberlist.php
  • newreply.php
  • newthread.php
  • poll.php
  • postings.php
  • private.php
  • profile.php
  • register.php
  • search.php
  • showgroups.php
  • showthread.php
  • usernote.php
• /admincp/
  
  • adminreputation.php
  • bbcode.php
  • css.php
  • forum.php
  • forumpermission.php
  • image.php
  • index.php
  • misc.php
  • stats.php
  • template.php
  • user.php
  • usergroup.php
  • usertools.php
• /archive/
  
  • global.php
  • index.php
• /clientscript/
  
  • vbulletin_stdedit.js
  • vbulletin_templatemgr.js
• /cpstyles/vBulletin_3_Manual/ - New!
• /includes/
  
  • adminfunctions.php
  • adminfunctions_language.php
  • adminfunctions_template.php
  • functions.php
  • functions_databuild.php
  • functions_editor.php
  • functions_login.php
  • functions_newpost.php
  • functions_online.php
  • functions_wysiwyg.php
  • init.php
  • sessions.php
  • vbulletin_credits.php
• /modcp/
  
  • moderate.php
  • user.php
• /subscriptions/
  
  • authorize.php

3.0.4 to 3.0.5

• /
  • announcement.php
  • calendar.php
  • faq.php
  • forumdisplay.php
  • member.php
  • newreply.php
  • private.php (only updated post-release)
  • register.php
  • showthread.php
• /admincp/
  
  • attachment.php (also updated post-release)
  • forum.php (only updated post-release)
  • forumpermission.php (only updated post-release)
  • user.php (also updated post-release)
• /clientscript/
  
  • vbulletin_stdedit.js
  • vbulletin_templatemgr.js (also updated post-release)
• /includes/
  
  • adminfunctions.php
  • adminfunctions_template.php
  • adminfunctions_user.php (only updated post-release)
  • db_mysql.php
  • functions.php
  • functions_subscriptions.php
  • init.php (also updated post-release)
• /install/ - significant parts of this change with every release. Ensure you use the most recent version of these files.

Note: Files that are indicated to have been updated post-release were updated at approximately 11:25 PM EST on Jan 8th.

[Kier]

You can discuss the release of vBulletin 3.0.5 in this thread.

[Steve Machol]

Please note that the init.php file in post #1 assumes that you have not installed any hacks. If you have installed hacks (in particular the Arcade hack but possibly others) you will need to ask for help in the appropriate forum and thread for that hack to find out if anything needs to be changed in this file.

[Kier]

Many customers have asked us how to detect whether or not their server may have been exploited through this flaw.

While it would not be prudent to post full details of how to exploit the hole here, as we do not believe that knowledge of this flaw is at all widespread, I will lay down some steps for customers to take that may help in detecting possible exploitation.

We would suggest that you search in your web server logs for the following:
&comma=

If you find this in your server logs, do not post about it on the forums, as that would be to spread knowledge of how the flaw can be exploited and would help no one.

Instead, please contact vBulletin Support via the Members' Area, and we will work with you to find out what has happened.

[Mike Sullivan]

An XSS issue has been discovered in 3.0.X in private.php; it affects all versions of vBulletin 3. While this issue is not nearly as serious as the issue that prompted the 3.0.5 release, we strongly recommend you patch your installation(s).

At the end of this post, you'll find a patched file and what to change if you wish to manually update your file.

As of this update, the download in the members' area has been patched. If you have downloaded 3.0.5 before this time, please redownload or use the provided private.php.

I just want to reiterate that it is not our intention to force you to have to update constantly. Once a security issue is reported--no matter the severity--we strive to release quick fixes; the same day the issue is discovered, regardless of whether it's a holiday or just any other day of the year, if possible. It just happened that there were several reports in the past week. We aim to have impeccable security, but sometimes things are missed by internal audits.

Thank you for understanding.


Do you have the patch already?
Technically, the members' area was patched before this post. If you don't want to use the provided private.php or see if you need to add the line provided below, search for:
CVS: $RCSfile: private.php,v $ - $Revision: 1.262.2.3 $
In your copy of private.php. If you find it, you have the patch already.


Manual Patch Instructions
In private.php, find the following:

Code:

construct_checkboxes($pm);

ABOVE it, add the following:

Code:

$pm['recipients'] = htmlspecialchars_uni($pm['recipients']);

If you have 3.0.4 or 3.0.5 with a working referrer checker (see note below), the affects of this issue are severely lessened. We still recommend you use the patch for users which block referrers (some internet security software).
Note: the referrer checker was broken in 3.0.5 until 11:28 PM (EST) on Jan 8th. If you downloaded 3.0.5 before then, see this bug for a fix.