vBulletin 3.5.6 Released

  • vBulletin 3.5.6 Released

    vBulletin 3.5.6

    An undocumented behaviour in all Windows versions of Internet Explorer has rendered vBulletin vulnerable to a potential cross-site scripting flaw (XSS). Therefore, we have decided to put out a preventative security release in order to work around the Internet Explorer problem before it is exploited.

    We recommend that all customers still running a 3.5 board upgrade to 3.5.6 or apply the patch discussed in this post as soon as possible. Note that our current recommended release is 3.6.3 and we recommend customers upgrade to that!

    A full upgrade to 3.5.6 also includes several bug fixes, including a fix for a compatibility issue in PHP 5.2.0. Additionally, this version adds HttpOnly cookies, which help reduce the amount of damage that could be caused by a potential XSS flaw.

    Updating your vBulletin to combat the XSS flaw:

    Please note that this issue is present in other versions of vBulletin as well. Please see the appropriate announcement!

    Our primary recommendation for customers is to upgrade to vBulletin 3.6.3, but if you are not ready to do this, you can do one of the following:
    1. Full Upgrade: The best way to fix the problem is to perform a full upgrade, downloading the complete 3.5.6 package from the vBulletin Members' Area and following the regular upgrade instructions.
    2. Patch: A second option is to download the patch files discussed in this thread and upload them to your web server, overwriting the existing files. The patch is available in the Members' Area patch page or later in this post!

  • #2
    Patch Information

    Patches are now available in the members' area. You may view available patches here. Alternatively, you may use the zip attached to this post to apply the patch. Both methods are equivalent.

    Go to the page mentioned above and download the "Security patch for 3.5.5" or download the zip at the end of this post. Extract the zip archive, then connect to your web server using FTP and overwrite the following files using the replacement versions from the zip.
    • includes/class_image.php


    Notes:
    1. If you cannot download the attachment in this post, you are not currently registered as a license customer. Please see this thread for instructions on how to proceed.
    2. You do not need to download this patch if you perform a full upgrade to 3.5.6.
    3. If you only apply a patch, your version number will not change. Your version number will only be updated to 3.5.6 if you perform a full upgrade.


    • #3
      Templates and Files Changed Since 3.5.5

      Templates Changed Since 3.5.5

      None

      Files Changed Since 3.5.5
      • /
        • attachment.php
        • printthread.php
        • profile.php
      • admincp/index.php
      • cpstyles/ - all cp_logo.gif files were updated to include registered mark
      • images/misc/ - again, for registered marks
        • vbulletin2_logo.gif
        • vbulletin3_logo_grey.gif
        • vbulletin3_logo_white.gif
      • includes/
        • class_bbcode.php
        • class_core.php
        • class_dbalter.php
        • class_image.php
        • class_upload.php
        • functions.php
        • functions_calendar.php
        • functions_login.php
        • init.php
      • install/ - assume all changed
      • modcp/
        • index.php
        • moderate.php



      • #4
        You may discuss the release of vBulletin 3.5.6 here:

        http://www.vbulletin.com/forum/showthread.php?t=207863
