Security Patch Release 3.8.6 PL1

[Steve Machol]

It has come to our attention that 3.8.6 contains a security exploit related to the FAQ. If you have already installed vB 3.8.6, then follow these instructions in order to fix this:

1. First, download the 3.8.6 PL1 patch here:

http://members.vbulletin.com/patches.php

2. Delete the existing vbulletin-language.xml file from your 'install' directory. Then upload the new one to that directory. Make sure you upload this in ASCII format.

3. Next upload the two files in that patch:

includes/version_vbulletin.php
install/vbulletin-language.xml

4. Go into your Admin CP and run this:

Admin CP -> Languages & Phrases -> Download/Upload Languages -> Import Language XML File

Then leave the settings as they are and click on Import.

Also please note that if you have not upgraded to 3.8.6 yet, the download has already been patched.

[Steve Machol]

The patch removes a phrase named: database_ingo

To verify this patch has been applied, search the phrases to see if that still exists:

Admin CP -> Language & Phrases -> Search in Phrases -> Search for Text: database_ingo -> Phrase Variable Name Only (checked) -> Find

If the phrase is not found, the patch was applied. If you do find this phrase, then you can delete it with this query:

DELETE FROM " . TABLE_PREFIX . "phrase WHERE varname = 'database_ingo'

Note: Either remove the " . TABLE_PREFIX . " or replace it with your database prefix as needed.


After patching your site, you should change your MySQL password through the options your hosting provider gives.