vBulletin 3.5.3 Released

  • Kier
    Former Lead Developer, vBulletin
    • Sep 2000
    • 8179

    vBulletin 3.5.3

    A recently discovered cross-site scripting (XSS) flaw in all three branches of vBulletin has prompted us to perform a security update, releasing new versions of vBulletin 2, 3.0.x and 3.5.x simultaneously.

    All prior versions of vBulletin are vulnerable and we advise customers to upgrade or patch their vBulletin installations at their earliest convenience.

    For the vBulletin 3.5.x branch, the problem can be resolved in one of three ways.
    1. Full Upgrade: The best way to fix the problem is to perform a full upgrade, downloading the complete 3.5.3 package from the vBulletin Members' Area and following the regular upgrade instructions.
    2. Patch: A second option is to download the patch files attached to this thread and upload them to your web server, overwriting the existing files.
    3. Plugin: The plugin system built into vBulletin 3.5 allows the problem to be fixed with a simple plugin. The install file for this plugin is also attached to this thread and is the easiest way to fix the problem, as it does not require you to upload any files via FTP. The plugin will be automatically removed when you perform your next full upgrade. You can install the plugin by following the instructions here.


    3.5.3 also contains a number of bug fixes. Click here for a list!

    Installing or Upgrading vBulletin

    Please see the appropriate manual sections: Installing vBulletin and Upgrading vBulletin.

    Note that the process is the same as it was in the 3.0.x series. However, you must redo your config.php if you are upgrading from 3.0.x!

    Additionally, if you are upgrading from 3.0.x and have custom avatars saved in the file system, you will need to move them back to the database before upgrading. If you do not do this, custom profile pictures will be lost!

    Bug Reports

    You may report bugs by clicking here. Before reporting a bug, please attempt to recreate the bug on a default, uncustomized style (especially if your errors are JavaScript related). Additionally, if you have used the plugins/products system at all, please attempt to recreate the issue with the plugins system disabled!
    Last edited by Colin F; Wed 4 Jan '06, 7:58am.
  • Kier

    #2
    Patch File

    The file attached here allows you to fix the XSS problem without performing a full upgrade.

    Download the file and extract the zip archive, then connect to your web server using FTP and overwrite the following files using the replacement versions from the zip.
    • calendar.php
    • includes/functions_online.php
    Notes:
    • You do not need to download this patch if you perform a full upgrade to 3.5.3.
    • You do not need to download this patch if you resolve the problem using the plugin file (see post below).
    • If you cannot download the patch, please see this thread.
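The two-file patch route in the post above (back up, overwrite calendar.php and includes/functions_online.php, then confirm the upload actually took), as an added POSIX shell example. This is not code from Kier's post or from vBulletin; it assumes the patch zip has already been extracted into a directory that mirrors the web root layout, and the function names and the separate backup-directory argument are this example's own choices. Files are compared with cksum rather than cmp so it runs on minimal systems.

```sh
# Added example, not part of Kier's post or of vBulletin itself: apply the
# 3.5.3 two-file XSS patch to a vBulletin 3.5.x web root with backups and a
# post-copy verification. Assumes PATCH_DIR mirrors the web root layout
# (calendar.php, includes/functions_online.php) as post #2 describes.
# Function names and the BACKUP_DIR argument are this example's own.

# The only files the 3.5.3 patch replaces (from post #2). Copying from this
# fixed list means nothing else under the web root can be overwritten,
# whatever else the extracted archive happens to contain.
VB_PATCHED_FILES="calendar.php includes/functions_online.php"

# file_checksum PATH -> "crc size" of the file content (POSIX cksum).
file_checksum() {
    cksum < "$1"
}

# verify_vb_patch PATCH_DIR WEBROOT
# Returns 0 only when every patched file in WEBROOT is byte-identical to its
# copy in PATCH_DIR. Run it after an FTP upload, which can silently corrupt
# PHP files (ASCII-mode transfer) or drop them in the wrong directory.
verify_vb_patch() {
    rc=0
    for f in $VB_PATCHED_FILES; do
        if [ -f "$2/$f" ] && [ "$(file_checksum "$1/$f")" = "$(file_checksum "$2/$f")" ]; then
            echo "ok       $f"
        else
            echo "MISMATCH $f" >&2
            rc=1
        fi
    done
    return $rc
}

# apply_vb_patch PATCH_DIR WEBROOT BACKUP_DIR
# Saves each original under BACKUP_DIR, then copies the patched version over
# it and verifies the result. Keep BACKUP_DIR outside the document root so the
# vulnerable originals are not left web-reachable. All existence checks run
# before the first write, so a missing file aborts with the board untouched
# rather than half-patched.
apply_vb_patch() {
    patch_dir=$1; webroot=$2; backup_dir=$3
    for f in $VB_PATCHED_FILES; do
        [ -f "$patch_dir/$f" ] || { echo "not in patch dir: $f" >&2; return 1; }
        [ -f "$webroot/$f" ]   || { echo "not in web root: $f (wrong path?)" >&2; return 1; }
    done
    for f in $VB_PATCHED_FILES; do
        mkdir -p "$backup_dir/$(dirname "$f")"
        cp -p "$webroot/$f" "$backup_dir/$f"
        cp "$patch_dir/$f" "$webroot/$f"
    done
    verify_vb_patch "$patch_dir" "$webroot"
}

# Demonstration on constructed files in a temporary directory (no real board):
# verification fails before patching, succeeds after.
demo_vb_patch() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/web/includes" "$tmp/patch/includes"
    printf '<?php /* old calendar */\n'   > "$tmp/web/calendar.php"
    printf '<?php /* old online */\n'     > "$tmp/web/includes/functions_online.php"
    printf '<?php /* 3.5.3 calendar */\n' > "$tmp/patch/calendar.php"
    printf '<?php /* 3.5.3 online */\n'   > "$tmp/patch/includes/functions_online.php"
    verify_vb_patch "$tmp/patch" "$tmp/web" 2>/dev/null && return 1
    apply_vb_patch "$tmp/patch" "$tmp/web" "$tmp/backup" || return 1
    rm -rf "$tmp"
}
demo_vb_patch
```

Usage against a real board is `apply_vb_patch /path/to/extracted-patch /var/www/forum /root/vb-backup-353`; re-run `verify_vb_patch` with the same two paths any time you want to confirm the files on disk are still the patched versions.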

    • Kier

      #3
      Plugin File

      The file attached here allows you to fix the XSS problem using the vBulletin plugin system, without performing a full upgrade.

      Download the XML file and proceed to your vBulletin 3.5 admin control panel. Navigate to Admin Control Panel > Plugin System > Manage Products > Add / Import Product, then follow the instructions here to import the XML plugin file.

      Notes:
      • You do not need to install this plugin if you perform a full upgrade to 3.5.3
      • You do not need to install this plugin if you patch your board using the files attached to the previous post in this thread.
      • If you cannot download the patch, please see this thread.
      Last edited by Colin F; Wed 4 Jan '06, 7:59am.

      • Kier

        #4
        Template Changes Since 3.5.2

        These are the template changes since 3.5.2 ONLY.

        If you are not running 3.5.2 yet, there are significantly more changed templates than are listed here. Use "Find Updated Templates" to find the templates that have changed and incorporate those changes. You may even wish to start with a default style!

        Note:
        You need to only look through this post for templates you have customized. You do not need to take any action to ensure that your uncustomized templates are the latest versions.

        If you find a template you have customized in this list, you will likely want to include the changes made here. However, this is not always required. Under each change listed here, you will see "requires revert?" This refers to whether the changes are mandatory (yes). If the changes are mandatory, things will break if you do not incorporate the changes made. It is strongly recommended that you revert and recustomize any templates that say they require a revert.

        Additionally, you may wish to use the "Find Updated Template" feature in the control panel to find templates that have been changed since your last edit to them.

        -----------------------------------------------------

        memberlist_search


        $vbphrase[is_greater_than] => $vbphrase[is_greater_than_or_equal_to]

        Requires Revert: Yes

        FORUMDISPLAY
        search_results

        Changed
        HTML Code:
        <td class="vbmenu_control" id="imod" align="center">
        to

        HTML Code:
        <td class="vbmenu_control" id="imod" align="center" title="$vbphrase[moderation]">
        Requires Revert: No


        FORUMDISPLAY

        Removed width="auto" from one table.

        Requires Revert: No


        search_forums

        Removed the Boolean / Natural Language buttons. The fulltext search now works off one permission. If the user has the boolean permission then that is what they use, otherwise the natural language option.

        Requires Revert: No


        pm_messagelist
        pm_editfolderbit
        pm_editfolders

        Changed & to &amp; in several links.

        Requires Revert: No


        STANDARD_REDIRECT

        Added a backslash (the character shown in red in the original post) for validation purposes:
        Code:
        document.write('<\/div>');
        Requires Revert: No


        MEMBERINFO

        Removed the characters px (shown in red in the original post) from:
        Code:
        <table cellpadding="0" cellspacing="$stylevar[formspacer]px" border="0">
        Requires Revert: No
        Last edited by Colin F; Thu 5 Jan '06, 12:23am.

        • Kier

          #5
          Files changed since 3.5.2
          • ./
            • calendar.php
            • external.php
            • global.php
            • image.php
            • index.php
            • inlinemod.php
            • login.php
            • memberlist.php
            • online.php
            • payments.php
            • poll.php
            • postings.php
            • private.php
            • profile.php
            • register.php
            • report.php
            • search.php
          • ./admincp/
            • css.php
            • image.php
            • options.php
            • subscriptions.php
            • user.php
            • usergroup.php
            • usertools.php
          • ./archive/
            • global.php
            • index.php
          • ./clientscript/
            • vbulletin_quick_edit.js
          • ./images/misc/
            • im_skype.gif
            • skype_addcontact.gif
            • skype_callstart.gif
            • skype_fileupload.gif
            • skype_info.gif
            • skype_message.gif
            • skype_voicemail.gif
          • ./includes/
            • adminfunctions_user.php
            • class_core.php
            • class_datastore.php
            • class_dbalter.php
            • class_dm.php
            • class_dm_pm.php
            • class_dm_user.php
            • class_image.php
            • class_paid_subscription.php
            • class_postbit.php
            • config.php.new
            • functions.php
            • functions_calendar.php
            • functions_cron.php
            • functions_digest.php
            • functions_forumdisplay.php
            • functions_newpost.php
            • functions_online.php
            • functions_search.php
            • functions_wysiwyg.php
            • ./includes/xml/
              • bitfield_vbulletin.xml
              • hooks_vbulletin.xml
          • ./install/
            • init.php
            • install.php
            • tableprefix.php
            • upgrade.php
            • upgrade_3012.php
            • upgrade_350b1.php
            • upgrade_353.php
            • upgrade_language_en.php
            • vbulletin-adminhelp.xml
            • vbulletin-language.xml
            • vbulletin-settings.xml
            • vbulletin-style.xml

          • Kier

            #6
            A thread for the purpose of discussing the release of vBulletin 3.5.3 is provided here:
