JELSOFT SECURITY BULLETIN
http://www.vbulletin.com/
January 21st, 2005
This email contains important security-related information. Please read it carefully.
* vBulletin 3.0.6 / 2.3.6 Released
* Performance Hit Since PHP 4.3.10 / 5.0.3
------------ VBULLETIN 3.0.6 / 2.3.6 RELEASED ------------
vBulletin 3.0.6 and 2.3.6 are security and bug fix releases. They fix a recently discovered XSS issue regarding BB code parsing.
All versions of vBulletin prior to 3.0.6 and 2.3.6 are vulnerable. The only workaround is to disable BB code parsing in signatures and all forums where untrusted users can post.
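The bulletin does not describe the parser flaw itself, so the following is an added illustration (not vBulletin code) of the general class of bug: a BB code to HTML renderer that interpolates user text unescaped, next to a hardened version that escapes all user-supplied text and only links to http/https targets. The tag syntax, function names and the sample signature are constructed for the example.

```php
<?php
// Added illustration of BB-code XSS, not code from vBulletin or Jelsoft.

// Vulnerable pattern: user text lands in HTML unescaped, and the [url]
// target is emitted without any check of its scheme.
function render_bbcode_unsafe(string $text): string {
    return preg_replace_callback(
        '/\[url=([^\]]+)\](.*?)\[\/url\]/is',
        function (array $m): string {
            return '<a href="' . $m[1] . '">' . $m[2] . '</a>';
        },
        $text
    );
}

// Hardened pattern: escape everything the parser did not generate itself,
// then only turn [url] into a link when the target is http or https.
function render_bbcode_safe(string $text): string {
    $escaped = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    return preg_replace_callback(
        '/\[url=([^\]]+)\](.*?)\[\/url\]/is',
        function (array $m): string {
            // The target was escaped above; decode it to inspect the raw scheme.
            $href   = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
            $scheme = strtolower((string) parse_url($href, PHP_URL_SCHEME));
            if (!in_array($scheme, ['http', 'https'], true)) {
                // Refuse script and other non-web schemes: keep the visible
                // (already escaped) text, drop the link.
                return $m[2];
            }
            // Re-use the escaped form of the target inside the attribute.
            return '<a href="' . $m[1] . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $escaped
    );
}

// Constructed sample signature: a script-scheme link target plus raw HTML.
$signature = '[url=javascript:alert(1)]click[/url] <b>x</b>';

// The unsafe renderer passes both the script URL and the raw tag through.
echo render_bbcode_unsafe($signature), "\n";

// The hardened renderer escapes the raw tag and drops the non-http link.
echo render_bbcode_safe($signature), "\n";
```

Disabling BB code parsing for signatures and untrusted forums, as the bulletin advises, removes the renderer from the path entirely; the hardened variant shows what a parser must do once it is re-enabled.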
We strongly urge all customers to either fully upgrade or patch their installations as soon as possible. A patch is available for includes/functions_bbcodeparse.php (vBulletin 3) and admin/functions.php (vBulletin 2).
Overwrite the version on your server with the file in the appropriate zip. The patch(es) can be downloaded from here:
http://www.vbulletin.com/forum/showthread.php?t=127027
After a full upgrade your forum will once again be secure.
If you would rather simply patch your forum, please take note of the following:
Board is running vBulletin 2.3.5 or earlier
- Download patch for 2.3.5
- Overwrite admin/functions.php
Board is running vBulletin 3.0.4 or earlier
- Download patches for 3.0.5 and 3.0.6
- Overwrite includes/init.php
- Overwrite includes/functions_bbcodeparse.php
- Overwrite private.php
Board is running vBulletin 3.0.5
- Download patch for 3.0.6
- Overwrite includes/functions_bbcodeparse.php
Once you have performed the steps outlined above, your board will be secure.
We would again like to reiterate that security is our primary concern. In the past weeks, there have been several reports of security issues in vBulletin that have prompted the recent releases. We realize that these releases can be a burden on you. For that, we are sorry, but once we have become aware of a security issue, it is our duty to provide a fix to that issue. We are also performing internal security audits and looking into changes to our core systems to prevent issues such as these from occurring in the future.
Please read the announcement for upgrade and installation instructions, as well as the list of bugs fixed and other changes:
http://www.vbulletin.com/forum/showthread.php?t=127027
-------- PERFORMANCE HIT SINCE PHP 4.3.10 / 5.0.3 --------
Many people have noticed that vBulletin (and a lot of other PHP applications) suddenly started to run significantly slower than normal after installing PHP 4.3.10 or 5.0.3 in order to patch the security flaw in previous versions of PHP.
The cause of this slow-down has been identified as a problem with the unserialize() function in PHP. For more details, see http://bugs.php.net/bug.php?id=31332.
This problem has now been fixed by the PHP developers, though the fixed version has yet to be released in a 'stable' version. However, the latest CVS snapshots of PHP 4.3.x and 5.0.x, available from http://snaps.php.net, contain the fix and restore the original speed of unserialize().
While we would not recommend running a 'dev' version of PHP on any production server, we understand that the performance problem has been a major issue for some people. If you are badly affected, you may want to consider running a 'dev' version of PHP at your own risk in order to overcome the performance problem.