vBulletin 3.6.3 Released

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • Mike Sullivan
    Former vBulletin Developer
    • Apr 2000
    • 13327
    • 3.6.x

    vBulletin 3.6.3 Released

    vBulletin 3.6.3

    An undocumented behaviour in all Windows versions of Internet Explorer has rendered vBulletin vulnerable to a potential cross-site scripting flaw (XSS). Therefore, we have decided to put out a preventative security release in order to work-around the Internet Explorer problem before it is exploited.

    3.6.3 also includes fixes for approximately 50 bugs that were discovered in 3.6.2. For this reason, we recommend all customers upgrade to 3.6.3 as soon as possible. If this is not possible and you are currently running 3.6.2, you may use the patch method discussed here.

    Updating your vBulletin to combat the XSS flaw:

    Please note that this issue is present in other versions of vBulletin as well. Please see the appropriate announcement!

    You have two options to fix the XSS issue:
    1. Full Upgrade: The best way to fix the problem is to perform a full upgrade, downloading the complete 3.6.3 package from the vBulletin Members' Area and following the regular upgrade instructions.
    2. Patch: A second option is to download the patch files discussed in this thread and upload them to your web server, overwriting the existing files. The patch is available in the Members' Area patch page or later in this post!
  • Mike Sullivan
    Former vBulletin Developer
    • Apr 2000
    • 13327
    • 3.6.x

    #2
    Patch Information

    Patches are now available in the members' area. You may view available patches here. Alternatively, you may use the zip attached to this post to apply the patch. Both methods are equivalent.

    Go to the page mentioned above and download the "Security patch for 3.6.2" or download the zip at the end of this post. Extract the zip archive, then connect to your web server using FTP and overwrite the following files using the replacement versions from the zip.
    • includes/class_image.php


    Notes:
    1. If you cannot download the attachment in this post, you are not currently registered as a license customer. Please see this thread for instructions on how to proceed.
    2. You do not need to download this patch if you perform a full upgrade to 3.6.3.
    3. If you only apply a patch, your version number will not change. Your version number will only be updated to 3.6.3 if you perform a full upgrade.
    Attached Files

    Comment

    • Mike Sullivan
      Former vBulletin Developer
      • Apr 2000
      • 13327
      • 3.6.x

      #3
      Templates Changed Since 3.6.2

      These are the template changes since 3.6.2 ONLY

      If you are not running 3.6.2 yet, there are significantly more changed templates than are listed here. Use "Find Updated Templates" to find the templates that have changed and incorporate those changes. You may even wish to start with a default style!

      Note:

      You need to only look through this post for templates you have customized. You do not need to take any action to ensure that your uncustomized templates are the latest versions.

      If you find a template you have customized in this list, you will likely want to include the changes made here. However, this is not always required. Under each change listed here, you will see "requires revert?" This refers to whether the changes are mandatory (yes). If the changes are mandatory, things will break if you do not incorporate the changes made. It is strongly recommended that you revert and recustomize any templates that say they require a revert.

      Additionally, you may wish to use the "Find Updated Template" feature in the control panel to find templates that have been changed since your last edit to them.

      --------------------------------------

      announcement_edit

      Changed title input field to use $announcementinfo[title_safe] and removed the maxlength attribute.

      Requires revert? Yes




      modifyavatar
      modifysignature

      Removed extraneous </if> from template. See bug 1009 for details.

      Requires Revert? No




      modifyprofilepic

      Change No Profile Picture Specified to $vbphrase[no_profile_picture]

      Requires Revert? No - only for language translation




      register

      Change
      HTML Code:
      <input id="referrerfield_txt" type="text" class="bginput" name="referrername" value="$referrername" size="50" maxlength="250" />
      to
      HTML Code:
      <input id="referrerfield_txt" type="text" class="bginput" name="referrername" value="$referrername" size="50" maxlength="$vboptions[maxuserlength]" />
      Requires Revert? No, see bug 1059




      SHOWTHREAD_SHOWPOST

      Made the "Close This Window" button only show if the window was opened by JavaScript. See this bug for details.

      Requires Revert? No




      search_results_postbit

      Changed reference from $show['hidden'] to $show['moderated'], as $show['hidden'] did not exist.

      Requires Revert? No




      editor_toolbar_off

      Change
      HTML Code:
      <div class="controlbar" style="text-align:$stylevar[left]">
      to
      HTML Code:
      <div style="text-align:$stylevar[left]">
      Requires Revert? No
      Last edited by Marco van Herwaarden; Fri 10 Nov '06, 12:59am. Reason: Corrected typo

      Comment

      • Mike Sullivan
        Former vBulletin Developer
        • Apr 2000
        • 13327
        • 3.6.x

        #4
        Files Changed Since 3.6.2
        • /
          • announcement.php
          • external.php
          • forumdisplay.php
          • global.php
          • infraction.php
          • inlinemod.php
          • newattachment.php
          • newreply.php
          • postings.php
          • profile.php
          • report.php
          • showthread.php
          • subscription.php
          • usercp.php
          • usernote.php
        • admincp/
          • adminpermissions.php
          • attachment.php
          • diagnostic.php
          • index.php
          • options.php
          • template.php
          • user.php
          • usertools.php
        • clientscript/
          • vbulletin_ajax_imagereg.js
          • vbulletin_cpcolorpicker.js
          • vbulletin_global.js
          • vbulletin_menu.js
          • vbulletin_quick_reply.js
          • vbulletin_textedit.js
        • cpstyles/ - all cp_logo.gif files were updated to include registered mark
        • images/
          • buttons/
            • edit.gif
            • email.gif
            • find.gif
            • sendpm.gif

          • misc/ (for registered marks)
            • vbulletin2_logo.gif
            • vbulletin3_logo_grey.gif
            • vbulletin3_logo_white.gif

          • regimage/fonts/
            • HECK.TTF
            • SPONGY.ttf
            • WetPet.ttf
        • includes/
          • adminfunctions.php
          • adminfunctions_options.php
          • class_bbcode.php
          • class_bbcode_alt.php
          • class_core.php
          • class_database_explain.php
          • class_dm_infraction.php
          • class_dm_user.php
          • class_image.php
          • class_paid_subscription.php
          • class_postbit_alt.php
          • class_rss_poster.php
          • class_upload.php
          • functions.php
          • functions_forumdisplay.php
          • functions_newpost.php
          • functions_wysiwyg.php
          • init.php
          • cron/promotion.php
          • xml/
            • bitfield_vbulletin.xml
            • cpnav_vbulletin.xml
        • install/ - assume all changed

        Comment

        • Mike Sullivan
          Former vBulletin Developer
          • Apr 2000
          • 13327
          • 3.6.x

          #5
          You may discuss the release of vBulletin 3.6.3 here:

          Comment

          • Mike Sullivan
            Former vBulletin Developer
            • Apr 2000
            • 13327
            • 3.6.x

            #6
            Just bumping this after the eBulletin post.

            Comment

            widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
            Working...