vBulletin 3.0.7 Released - Security Patch

[Mike Sullivan]

vBulletin 3.0.7

The discovery of a potentially serious security hole has necessitated the release of vBulletin 3.0.7. All customers are strongly encouraged to take one of the actions described in this post.

All versions of vBulletin 3 up to and including 3.0.6 are affected only if you have enabled the Add Template Name in HTML Comments option (Admin Control Panel -> vBulletin Options -> General Settings). We hope most of you will not have had this option enabled anyway, as it is mostly for debugging and wastes a fair amount of bandwidth on a production site.

Thus, to fix the issue, you should choose one of these options:

1. Disable the Add Template Name in HTML Comments option on your board.
2. Download the zip file attached to this post (or from here) and overwrite the misc.php in the main vBulletin directory on your server with the version in the zip. (More extensive instructions are provided in the zip file.)
3. Upgrade to 3.0.7. A link to upgrade instructions is provided below.

We would strongly recommend options 2 or 3 if possible.



The Importance of Keeping Current with Security Updates

We would like to take this time to reiterate the importance of keeping current with security updates. If you are not currently running a version with the recent patches built in or have not manually patched your board, please see the 3.0.5 and 3.0.6 announcements for important patches.

Recently, more issues have been discovered than we would have liked, but we try to make patching as painless as possible to ease the burden these issues create. We are looking into ways to make patch delivery even easier for future versions.



Backing Up Your Forums

Please be sure to check that your backups are complete before continuing with an upgrade. We had reports that PHP was causing time out errors when creating the back up SQL, and this was causing for incomplete or corrupted backups. The safest way to do a backup is to use the mysqldump utility through SSH/Telnet, as it will not suffer from any such problems. Full instructions for backing up your database are available in the vBulletin 3 Manual.



Installing or Upgrading vBulletin

Please see the appropriate manual sections: Installing vBulletin and Upgrading vBulletin.

[Mike Sullivan]

• 3675 - Mozilla WYSIWYG editor eats spaces
• 3678 - % in custom BB codes causes problems
• 3683 - Importing XML in PHP5 defaults to UTF-8 encoding
• 3685 - "Multiple Choice" vs "Multiple-Choice"
• 3687 - Redundant code in poll.php
• 3691 - "CSS Selector" can't be translated
• 3695 - URLs with parentheses not auto-parsed
• 3696 - BB codes with options not stripped by strip_bbcode()
• 3697 - Can't close thread while creating
• 3699 - User titles not wordwrapped
• 3703 - "0" not accepted as phrase text
• 3708 - Extra column displayed in PM list if icons off
• 3710 - Missing semicolon in HTML entity in memberlist.php
• 3714 - Smilies don't upload properly
• 3724 - Typo in "Message Attachment Options"
• 3725 - Redirected to wrong page after removing moderator
• 3730 - Attachment.php doesn't check "can view others"
• 3731 - Calendar moderator queue broken
• 3733 - Rebuild post cache results in empty cached post
• 3737 - URLs not auto-parsed in signatures
• 3738 - Editpost.php does not auto-parse links in preview
• 3739 - Call to non-existing template in register.php
• 3746 - Event ending at midnight spans two days in calendar
• 3748 - Unreachable code in functions_bbcodeparse.php
• 3749 - Inconsistent phrase in BB code manager
• 3751 - Smilies parse as IMG tags with Mozilla WYSIWYG
• 3754 - Uncached template in joinrequests.php
• 3763 - Bad chdir in modcp/deletedposts.php
• 3765 - Poll icon visible even when poll not posted
• 3772 - URLs not parsed immediately after closing BB code tags
• 3780 - Spacing issue with reply button and legacy postbit
• 3785 - Uncached templates in profile.php
• 3787 - Variable globalized twice in register.php
• 3788 - Unreachable code in register.php
• 3793 - Redirects in moderator.php don't respect admin perms
• 3796 - Can't delete profile picture from ModCP
• Potential security issue in misc.php
• Significant improvements to attachment.php (Etag support, ability to send signficantly larger attachments, ability to cancel sending attachment if user cancels)

[Mike Sullivan]

newattachment

Added conditional that displays "Forum is closed for new attachments" if editing a post that contains attachments in a forum that is closed for posting.

Requires Revert: Yes to gain this functionality.



pm_messagelist_periodgroup

Added a conditional to the colspan to prevent an empty column from being displayed if icons are disabled.

Requires revert? No.



SHOWTHREAD

Added a conditional to add some spacing below the posts when using the legacy postbit. See this bug.

Requires revert? No.

[Mike Sullivan]

• /
  • attachment.php
  • calendar.php
  • editpost.php
  • forumdisplay.php
  • joinrequests.php
  • member.php
  • memberlist.php
  • misc.php
  • moderator.php
  • newattachment.php
  • printthread.php
  • profile.php
  • register.php
  • showpost.php
  • showthread.php
• /admincp/
  
  • adminreputation.php
  • image.php
  • misc.php
  • moderator.php
  • phrase.php
• /archive/
  
  • index.php
• /includes/
  
  • adminfunctions.php
  • adminfunctions_help.php
  • adminfunctions_language.php
  • adminfunctions_options.php
  • adminfunctions_template.php
  • functions.php
  • functions_bbcodeparse.php
  • functions_calendar.php
  • functions_forumdisplay.php
  • functions_newpost.php
  • functions_wysiwyg.php
• /modcp/
  
  • deletedposts.php
  • moderate.php
  • user.php

[Mike Sullivan]

You may discuss the release in this thread:

http://www.vbulletin.com/forum/showthread.php?t=130592