
Thread: vBulletin 3.0.6 and 2.3.6 Released

  1. #1
    Kier, Former Lead Developer, vBulletin
    Join Date: Sep 2000
    Location: Reading, UK
    Posts: 8,227
    Blog Entries: 6

    vBulletin 3.0.6 and 2.3.6 Released

    vBulletin 3.0.6 and 2.3.6

    vBulletin 3.0.6 and 2.3.6 are security and bug fix releases. They fix a recently discovered XSS issue regarding BB code parsing.

    All versions of vBulletin prior to 3.0.6 and 2.3.6 are vulnerable. The only workaround is to disable BB code parsing in signatures and all forums where untrusted users can post.

    We strongly urge all customers to upgrade or patch their installations ASAP. At the end of this post, you will find a patch for the security issue for includes/functions_bbcodeparse.php (vBulletin 3) and admin/functions.php (vBulletin 2); overwrite the version on your server with the file in the appropriate zip.

    I would again like to reiterate that security is of our utmost concern. Recently, there have been several reports of security issues in vBulletin that have prompted the recent releases. We realize that these releases can be a burden on you. For that, we are sorry, but once we have become aware of a security issue, it is our duty to provide a fix to that issue. We are also performing internal security audits and looking into changes to our core systems to prevent issues such as these from occurring in the future.


    Performance Hit Since PHP 4.3.10 / 5.0.3

    Many people have noticed that vBulletin (and a lot of other PHP applications) suddenly started to run significantly slower than normal after installing PHP 4.3.10 or 5.0.3 in order to patch the security flaw in previous versions of PHP.

    The cause of this slow-down has been identified as a problem with the unserialize() function in PHP. For more details, see bugs.php.net.

    This problem has now been fixed by the PHP developers, though the fixed version has yet to be released in a 'stable' version. However, the latest CVS snapshots of PHP 4.3.x and 5.0.x, available from snaps.php.net contain the fix and restore the original speed of unserialize().

    While we would not recommend running a 'dev' version of PHP on any production server, we understand that the performance problem has been a major issue for some people. If you are badly affected, you may want to consider running a 'dev' version of PHP at your own risk in order to overcome the performance problem.

    Backing Up Your Forums

    Please be sure to check your backups, that they are complete, before continuing with an upgrade. We had reports that PHP was causing time-out errors when creating the backup SQL, and this was causing incomplete or corrupted backups. The safest way to do a backup is to use the mysqldump utility through SSH/Telnet, as it will not suffer from any such problems. Full instructions for backing up your database are available in the vBulletin 3 Manual.

    Installing or Upgrading vBulletin
    Please see the appropriate manual sections: Installing vBulletin and Upgrading vBulletin.


    vBulletin 2 patch/download updated at 7:25 PM EST on Jan 18. See here for info.
    vBulletin 3 patch/download updated at 11:35 EST on Jan 19. See here for info.

    PLEASE NOTE THAT IF YOU ARE CURRENTLY RUNNING A VERSION OF VBULLETIN 3 OLDER THAN 3.0.5 AND YOU WANT TO PATCH, RATHER THAN UPGRADE, YOU MUST ALSO APPLY THE PATCH SUPPLIED WITH THE 3.0.5 RELEASE ANNOUNCEMENT


    Attached Files
    Last edited by Kier; Thu 20th Jan '05 at 2:21am.
    Meh. | Twitter: @KierDarby | Web: KierDarby.com
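The post above recommends mysqldump over SSH because PHP-driven backups were timing out and leaving incomplete dumps. The script below is an added example, not code from the post or from vBulletin: it takes the dump the way the post suggests and then checks that the dump actually finished, using the trailing "-- Dump completed on ..." line that mysqldump writes only when it reaches the end. The credentials file, database name and output path are placeholder assumptions; the two sample dump tails are constructed inline so the check can be exercised without a database.

```sh
#!/bin/sh
# Added example (not from the vBulletin post). Assumptions: a MySQL option file
# at ~/.vb_backup.cnf holding user/password, a database name and an output path
# supplied on the command line. The check itself needs no database.

# A finished mysqldump ends with a line "-- Dump completed on YYYY-MM-DD HH:MM:SS".
# A dump cut off by a timeout or a killed process never reaches that line, so
# the last line is the cheapest completeness check before trusting a backup.
dump_complete() {
    tail -n 1 "$1" | grep -q '^-- Dump completed'
}

# Take the backup with mysqldump (run this over SSH on the database host).
# --single-transaction: consistent snapshot of InnoDB tables without locking.
# --quick: stream rows instead of buffering whole tables in memory, which is
# what keeps a large forum dump from exhausting memory or timing out.
backup_vbulletin() {
    db="$1"; out="$2"
    mysqldump --defaults-extra-file="$HOME/.vb_backup.cnf" \
        --single-transaction --quick "$db" > "$out" || return 1
    dump_complete "$out"
}

# Constructed samples (not real dumps): what the tail of a complete dump and of
# a dump interrupted mid-INSERT look like.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' '-- MySQL dump 10.9' \
    'INSERT INTO post VALUES (1,1,1);' \
    '-- Dump completed on 2005-01-19 11:35:00' > "$SAMPLE_DIR/complete.sql"
printf '%s\n%s' '-- MySQL dump 10.9' \
    'INSERT INTO post VALUES (1,' > "$SAMPLE_DIR/truncated.sql"

# Stand-alone run: back up the named database when arguments are given,
# otherwise just report on the constructed samples.
if [ "$#" -ge 2 ]; then
    backup_vbulletin "$1" "$2" && echo "backup complete: $2" || echo "backup INCOMPLETE: $2"
else
    for f in "$SAMPLE_DIR"/*.sql; do
        if dump_complete "$f"; then echo "complete:  $f"; else echo "truncated: $f"; fi
    done
fi
```

Run it as `sh backup_check.sh forumdb /backups/forum.sql` on the database host; a non-zero exit from `backup_vbulletin` means the file should not be used as the basis for an upgrade.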

  2. #2
    Kier

    Template Changes

    From 3.0.5 to 3.0.6
    editor_toolbar_standard
    editor_toolbar_wysiwyg

    Added the "Increase Size / Decrease Size" controls that are in use on vbulletin.com

    Requires Revert: Yes if you want this functionality


    pollresults_table

    Added a conditional that displays "Multiple Choice Poll" for such polls.

    Requires Revert: Yes if you want this functionality.


    im_send_msn

    Added javascript error suppression to hide the error that occurs if you try to use MSN when you are not logged in.

    Requires revert? No


    headinclude

    Change:
        var SESSIONURL = "$session[sessionurl]";
    to
        var SESSIONURL = "$session[sessionurl_js]";

    Requires Revert? Yes to have the proper session hash for javascript links.


    From 2.3.5 to 2.3.6

    There are no template changes from 2.3.5 to 2.3.6

  3. #3
    Kier

    Files Changed

    From 3.0.5 to 3.0.6
    • /
      • attachment.php
      • calendar.php
      • cron.php
      • forumdisplay.php
      • global.php
      • image.php
      • index.php
      • login.php
      • memberlist.php
      • poll.php
      • private.php
      • profile.php
      • search.php
      • showthread.php
      • subscription.php
      • usercp.php
    • /admincp/
      • attachment.php
      • cronadmin.php
      • forum.php
      • forumpermission.php
      • image.php
      • index.php
      • phrase.php
      • subscriptions.php
      • template.php
      • thread.php
      • user.php
      • usertools.php
    • /archive/
      • index.php
    • /clientscript/
      • vbulletin_editor.js
      • vbulletin_stdedit.js
      • vbulletin_templatemgr.js
    • /includes/
      • adminfunctions_backup.php
      • adminfunctions_language.php
      • adminfunctions_template.php
      • adminfunctions_user.php
      • functions.php
      • functions_bbcodeparse.php (updated Jan 19, 11:35 AM EST; info)
      • functions_cron.php
      • functions_editor.php
      • functions_newpost.php
      • functions_subscriptions.php
      • functions_wysiwyg.php (updated Jan 18, 8:35 PM EST; info)
      • functions_xml.php
      • init.php
      • modfunctions.php
      • sessions.php
    • /modcp/
      • index.php
      • user.php
    From 2.3.5 to 2.3.6
    • /
      • private.php
      • showthread.php
    • /admin/
      • functions.php
      • Other files for version numbers and upgrade scripts

  4. #4
    Kier

    Bugs Fixed

    From 3.0.5 to 3.0.6
    From 2.3.5 to 2.3.6
    • Possible XSS with BB code parsing and invalid nesting
    • Search wildcards not displayed properly in page nav
    • Install/upgrade schema invalid in recent versions of MySQL
    • Possible XSS issues in private.php/showthread.php

  5. #5
    Kier
    You can discuss these releases in this thread:

    http://www.vbulletin.com/forum/showthread.php?t=127029

  6. #6
    Kier
    PLEASE NOTE THAT IF YOU ARE CURRENTLY RUNNING A VERSION OF VBULLETIN 3 OLDER THAN 3.0.5 AND YOU WANT TO PATCH, RATHER THAN UPGRADE, YOU MUST ALSO APPLY THE PATCH SUPPLIED WITH THE 3.0.5 RELEASE ANNOUNCEMENT