vBulletin 2.2.5 Released

  • John
    Senior Member
    • Apr 2000
    • 4042

    vBulletin 2.2.5 Released

    vBulletin 2.2.5

    vBulletin 2.2.5 is a moderately important security release, which fixes a number of problems we have identified with potential HTML-injection into the pages. This has, unfortunately, meant that a lot of files have been changed, but we would still encourage you to upgrade as soon as possible. Once again, we are reconsidering our internal-auditing strategies to ensure that we pick these issues up before they become an issue in the future. On a more positive note, vBulletin 3 has been designed with security in mind, already stopping this and several other potential issues dead in their tracks.

    This is now a final release - the only file changed between 2.2.5 beta and 2.2.5 was global.php. This fixes a bug with $HTTP_POST_VARS, etc. not being unescaped when they should be.

    Backing up forums

    Please be sure to check that your backups are complete before continuing with an upgrade. We had reports that PHP was causing timeout errors when creating the backup SQL, and this was causing incomplete or corrupted backups. The safest way to do a backup is to use the mysqldump utility through telnet, as it will not suffer from any such problems.

    Installation / Upgrade Instructions

    These are available in the Members Area.

    Templates changed: (from 2.2.4)

    Bug Fixes
    • Potential XSS/HTML-injection issues.
    • Potential database error when updating user info in the control panel.
    • Users of php4 less than version 4.0.3 may not have been able to upload attachments and custom avatars.


    Files changed: (from 2.2.4)
    • announcement.php, attachment.php, calendar.php, editpost.php, forumdisplay.php, global.php, index.php, member.php, member2.php, memberlist.php, misc.php, moderator.php, newreply.php, newthread.php, online.php, poll.php, postings.php, printthread.php, private.php, private2.php, register.php, search.php, showgroups.php, showthread.php, threadrate.php, usercp.php, admin/badwords.php, admin/functions.php, admin/sessions.php, admin/style.php, admin/thread.php, admin/user.php, mod/announcement.php, mod/global.php
    • admin/misc.php
    • And the usuals (all for just the version number): admin/global.php, admin/install.php, admin/upgrade1.php, admin/upgrade18.php


    In conclusion...

    We apologise for the frequency of updates recently. However, we are keen to maintain vBulletin's security, and to notify customers as soon as we are aware of issues, so we felt it was more important to get this information out to you as soon as possible, rather than sitting on it.

    John

    To discuss this, please post here:
    Last edited by Chris Schreiber; Thu 4 Apr '02, 12:31pm.
    John Percival

    Artificial intelligence usually beats real stupidity ;)