
Thread: vBulletin 3.5.5 Released

  1. #1
    Kier, Former Lead Developer, vBulletin

    vBulletin 3.5.5 Released

    vBulletin 3.5.5

    Following the internal discovery of 2 potential cross-site scripting flaws, we have decided to put out a preventative security release in order to close the holes before they are exploited.

    Although vBulletin 3.6.0 is also released today, we understand that some customers may be reluctant to upgrade immediately to the new version; those people should upgrade to 3.5.5 or use the provided patch to secure their vBulletin installation as soon as possible.

    Updating your vBulletin to combat the XSS flaw:

    Our primary recommendation for customers is to upgrade to vBulletin 3.6.0, but if you are not ready to do this, you can do one of the following:
    1. Full Upgrade: The best way to fix the problem is to perform a full upgrade, downloading the complete 3.5.5 package from the vBulletin Members' Area and following the regular upgrade instructions.
    2. Patch: A second option is to download the patch files discussed in this thread and upload them to your web server, overwriting the existing files. The patch is available in the Members' Area patch page. If you are not running 3.5.4, you must upgrade completely or use the plugin method!
    3. Plugin: The plugin system built into vBulletin 3.5 allows the problem to be fixed with a simple plugin. The install file for this plugin is also attached to this thread and is the easiest way to fix the problem, as it does not require you to upload any files via FTP. The plugin will be automatically removed when you perform your next full upgrade. You can install the plugin by following the instructions here.
      Note: If you are using the plugin, you must still upload the attachment.php in this post to fix the second issue!
    Meh. | Twitter: @KierDarby | Web: KierDarby.com

  2. #2
    Kier, Former Lead Developer, vBulletin

    Patch File

    Patches are now available in the members' area. You may view available patches here.

    Go to the page mentioned above and download the "Security patch for 3.5.4". Extract the zip archive, then connect to your web server using FTP and overwrite the following files using the replacement versions from the zip.
    • includes/functions.php
    Notes:
    • You do not need to download this patch if you perform a full upgrade to 3.5.5 or 3.6.0.
    • This patch is only for 3.5.4. If you are not running 3.5.4, you must upgrade your board to 3.5.5 or use the plugin.
    To repeat, go here to download the "Security patch for 3.5.4".

  3. #3
    Kier, Former Lead Developer, vBulletin

    Plugin File

    The file attached here allows you to fix the XSS problem using the vBulletin plugin system, without performing a full upgrade.

    Download the XML file and proceed to your vBulletin 3.5 admin control panel. Navigate to Admin Control Panel > Plugin System > Manage Products > Add / Import Product, then follow the instructions here to import the XML plugin file.

    Notes:
    • You do not need to install this plugin if you perform a full upgrade to 3.5.5 or 3.6.0.
    • You do not need to install this plugin if you patch your board using the files attached to the previous post in this thread.
    • If you cannot download the patch, please see this thread.
    • This XML file does not fix the attachment.php issue. You must use the version attached to a post below to fix that issue!

  4. #4
    Kier, Former Lead Developer, vBulletin

    Templates Changed Since vBulletin 3.5.4

    Note:
    You only need to look through this post for templates you have customized. You do not need to take any action to ensure that your uncustomized templates are the latest versions.

    If you find a template you have customized in this list, you will likely want to include the changes made here. However, this is not always required. Under each change listed here, you will see "requires revert?" This refers to whether the changes are mandatory (yes). If the changes are mandatory, things will break if you do not incorporate the changes made. It is strongly recommended that you revert and recustomize any templates that say they require a revert. If requires revert is listed as "no", your board should continue functioning without the changes, but any bug fixes/improvements will not be applied unless you revert the template!

    Additionally, you may wish to use the "Find Updated Templates" feature in the control panel to find templates that have been changed since your last edit to them.

    STANDARD_REDIRECT

    Changed redirection html to better handle $postvars. See bug [2261] for more details.

    Made the javascript redirect the default method for all browsers that have it enabled.

    Requires Revert? Yes


    modifyprofilepic

    Stray check_yes causing JavaScript errors.

    Requires Revert? Yes


    showthread_quickreply

    Added a hidden field to pass the styleid so AJAX does not return postbits in a different style.

    Requires Revert? No


    help_bbcodes

    Changed a phrase (see this Bug).

    Requires Revert? No (You will need to revert if you want a correct display)


    WHOSONLINE

    Missing </td> in template.

    Requires Revert? No


    help_avatars_row

    Removed class="$bgclass" text so blank cells don't look odd with the default style.

    Requires Revert? No


    modifyattachmentsbit

    Added an alt tag to remove a validation warning.

    Requires Revert? No

  5. #5
    Mike Sullivan, Former vBulletin Developer

    Files Changed Since vBulletin 3.5.4

    • /
      • ajax.php
      • attachment.php
      • calendar.php
      • cron.php
      • editpost.php
      • external.php
      • favicon.ico
      • index.php
      • inlinemod.php
      • misc.php
      • payments.php
      • postings.php
      • private.php
      • register.php
      • search.php
      • sendmessage.php
      • showthread.php
      • subscription.php
      • usercp.php
    • admincp/
      • diagnostic.php
      • global.php
      • image.php
      • index.php
      • language.php
      • plugin.php
      • profilefield.php
      • queries.php
      • resources.php
      • subscriptions.php
      • template.php
      • thread.php
      • usertools.php
    • archive/
      • global.php
      • index.php
    • clientscript/
      • vbulletin_global.js
      • vbulletin_quick_edit.js
      • vbulletin_textedit.js
    • includes/
      • adminfunctions.php
      • adminfunctions_language.php
      • class_bbcode.php
      • class_core.php
      • class_dm_user.php
      • class_image.php
      • class_mail.php
      • class_postbit.php
      • functions.php
      • functions_bigthree.php
      • functions_databuild.php
      • functions_file.php
      • functions_forumlist.php
      • functions_login.php
      • functions_ranks.php
      • functions_wysiwyg.php
      • init.php
      • vbulletin_credits.php
      • paymentapi/class_2checkout.php
    • install/ - assume all files change
    • modcp/
      • banning.php
      • global.php
      • moderate.php
    --Mike "Ed" Sullivan
    Former vBulletin Developer

    Twitter | Regexia (personal)

  6. #6
    Kier, Former Lead Developer, vBulletin

    You can discuss this release here:

    http://www.vbulletin.com/forum/showthread.php?t=194088

  7. #7
    Kier, Former Lead Developer, vBulletin

    Important Notice

    If you downloaded vBulletin 3.5.5 prior to the date of this post, please download the attached file (attachment.php) and upload it to your webserver, overwriting the existing attachment.php.

    This will fix a security hole discovered in Internet Explorer that affects vBulletin.

    Please use this file only to patch vBulletin 3.5.5. Patches for the three other versions released today are attached to their respective announcement threads.

    Downloads made after the time of this post have been fixed in the Members' Area and are not vulnerable.
