vBulletin 3.5.3
A recently discovered cross-site scripting (XSS) flaw in all three branches of vBulletin has prompted us to perform a security update, releasing new versions of vBulletin 2, 3.0.x and 3.5.x simultaneously.
All prior versions of vBulletin are vulnerable and we advise customers to upgrade or patch their vBulletin installations at their earliest convenience.
For the vBulletin 3.5.x branch, the problem can be resolved in one of three ways.
- Full Upgrade: The best way to fix the problem is to perform a full upgrade, downloading the complete 3.5.3 package from the vBulletin Members' Area and following the regular upgrade instructions.
- Patch: A second option is to download the patch files attached to this thread and upload them to your web server, overwriting the existing files.
- Plugin: The plugin system built into vBulletin 3.5 allows the problem to be fixed with a simple plugin. The install file for this plugin is also attached to this thread and is the easiest way to fix the problem, as it does not require you to upload any files via FTP. The plugin will be automatically removed when you perform your next full upgrade. You can install the plugin by following the instructions here.
3.5.3 also contains a number of bug fixes. Click here for a list!
Installing or Upgrading vBulletin
Please see the appropriate manual sections: Installing vBulletin and Upgrading vBulletin.
Note that the process is the same as it was in the 3.0.x series. However, you must redo your config.php if you are upgrading from 3.0.x!
Additionally, if you are upgrading from 3.0.x and have custom avatars saved in the file system, you will need to move them back to the database before upgrading. If you do not do this, custom profile pictures will be lost!
Bug Reports
You may report bugs by clicking here. Before reporting a bug, please attempt to recreate the bug on a default, uncustomized style (especially if your errors are JavaScript related). Additionally, if you have used the plugins/products system at all, please attempt to recreate the issue with the plugins system disabled!