vBulletin 3.5.5 Released

**Kier** · Thu 3 Aug '06, 5:52am

Patch File

Patches are now available in the members' area. You may view available patches here.

Go to the page mentioned above and download the "Security patch for 3.5.4". Extract the zip archive, then connect to your web server using FTP and overwrite the following files using the replacement versions from the zip.

includes/functions.php

Notes:

You do not need to download this patch if you perform a full upgrade to 3.5.5 or 3.6.0.
This patch is only for 3.5.4. If you are not running 3.5.4, you must upgrade your board to 3.5.5 or use the plugin.

To repeat, go here to download the "Security patch for 3.5.4".

**Kier** · Thu 3 Aug '06, 5:52am

Plugin File

The file attached here allows you to fix the XSS problem using the vBulletin plugin system, without performing a full upgrade.

Download the XML file and proceed to your vBulletin 3.5 admin control panel. Navigate to Admin Control Panel > Plugin System > Manage Products > Add / Import Product, then follow the instructions here to import the XML plugin file.

Notes:

You do not need to install this plugin if you perform a full upgrade to 3.5.5 or 3.6.0
You do not need to install this plugin if you patch your board using the files attached to the previous post in this thread.
If you cannot download the patch, please see this thread.
This XML file does not fix the attachment.php issue. You must use the version attached to a post below to fix that issue!

Attached Files

product-vb354security.xml (808 Bytes, 649 views)

**Kier** · Thu 3 Aug '06, 5:56am

Templates Changed Since vBulletin 3.5.4

Note:
You need to only look through this post for templates you have customized. You do not need to take any action to ensure that your uncustomized templates are the latest versions.

If you find a template you have customized in this list, you will likely want to include the changes made here. However, this is not always required. Under each change listed here, you will see "requires revert?" This refers to whether the changes are mandatory (yes). If the changes are mandatory, things will break if you do not incorporate the changes made. It is strongly recommended that you revert and recustomize any templates that say they require a revert. If requires revert is listed as "no", your board should continue functioning without the changes, but any bug fixes/improvements will not be applied unless you revert the template!

Additionally, you may wish to use the "Find Updated Templates" feature in the control panel to find templates that have been changed since your last edit to them.

STANDARD_REDIRECT

Changed redirection html to better handle $postvars. See bug [2261] for more details.

Made the javascript redirect the default method for all browsers that have it enabled

Requires Revert? Yes

modifyprofilepic

Stray check_yes causing JavaScript Errors

Requires Revert? Yes

showthread_quickreply

Added a hidden field to pass the styleid so AJAX does not return postbits in a different style.

Requires Revert: No

help_bbcodes

Changed a phrase (see this Bug)

Requires revert? No (You will need to revert if you want a correct display)

WHOSONLINE

Missing </td> in template

Requires Revert? No

help_avatars_row

Removed class="$bgclass" text so blank cells dont look odd with the default style

Requires revert? No

modifyattachmentsbit

Add an alt tag to remove a validation warning.

Requires revert? No

**Mike Sullivan** · Thu 3 Aug '06, 7:42am

Files Changed Since vBulletin 3.5.4

/
- ajax.php
- attachment.php
- calendar.php
- cron.php
- editpost.php
- external.php
- favicon.ico
- index.php
- inlinemod.php
- misc.php
- payments.php
- postings.php
- private.php
- register.php
- search.php
- sendmessage.php
- showthread.php
- subscription.php
- usercp.php
admincp/
- diagnostic.php
- global.php
- image.php
- index.php
- language.php
- plugin.php
- profilefield.php
- queries.php
- resources.php
- subscriptions.php
- template.php
- thread.php
- usertools.php
archive/
- global.php
- index.php
clientscript/
- vbulletin_global.js
- vbulletin_quick_edit.js
- vbulletin_textedit.js
includes/
- adminfunctions.php
- adminfunctions_language.php
- class_bbcode.php
- class_core.php
- class_dm_user.php
- class_image.php
- class_mail.php
- class_postbit.php
- functions.php
- functions_bigthree.php
- functions_databuild.php
- functions_file.php
- functions_forumlist.php
- functions_login.php
- functions_ranks.php
- functions_wysiwyg.php
- init.php
- vbulletin_credits.php
- paymentapi/class_2checkout.php
install/ - assume all files change
modcp/
- banning.php
- global.php
- moderate.php

**Kier** · Thu 3 Aug '06, 8:54am

You can discuss this release here:

vBulletin Community Forum

http://www.vbulletin.com/forum/showthread.php?t=194088

**Kier** · Thu 3 Aug '06, 4:36pm

Important Notice

If you downloaded vBulletin 3.5.5 prior to the date of this post, please download the attached file (attachment.php) and upload it to your webserver, overwriting the exiting attachment.php.

This will fix a security hole discovered in Internet Explorer that affects vBulletin.

Please use this file only to patch vBulletin 3.5.5. Patches for the three other versions released today are attached to their respective announcement threads.

Downloads made after the time of this post have been fixed in the Members' Area and are not vulnerable.

Attached Files

attachment.php (12.8 KB, 249 views)

vBulletin 3.5.5 Released

vBulletin 3.5.5 Released

Comment

Comment

Comment

Comment

Comment

Comment