PDA

View Full Version : Attention TMC Admin...


bigmac
11-03-2005, 02:06 PM
Recent security holes in PHP and Internet Explorer would strongly suggest that TMC upgrade the site in order to patch some of these flaws. You're probably already on it.

IMHO, going to vBulletin 3.5.1 might be premature. It's a complete re-write of the software and is likely to come with its own set of bugs, not to mention be a more problematic upgrade. I do think that upgrading from the current 3.0.7 to 3.0.10 is a good move.

Just a suggestion.


vBulletin 3.5.1
vBulletin 3.0.10
vBulletin 2.3.8

The original purpose of this release was to provide a regular, scheduled bug-fix / service release for the new 3.5.x series, but newly discovered flaws in Internet Explorer and PHP have necessitated a security release for all three vBulletin branches.

The first flaw is in Microsoft Internet Explorer. It affects vBulletin image uploads and potentially opens a cross-site-scripting exploit. It has affected many web-based applications that allow image uploads, including phpBB and Hotmail. Although a fix from Microsoft would be preferable, we have implemented a work-around in all three branches of vBulletin to prevent the Internet Explorer flaw from being exploited.

The second flaw is in PHP and may allow the entry of unsanitized data into several areas in vBulletin. This may create security holes that are not directly caused by vBulletin, simply exploited through vBulletin as it uses affected PHP code. PHP 4.4.1 has been released to address this issue (no updated PHP5 is available yet). If you are running PHP 4, it is strongly recommended that you update your PHP installation to 4.4.1!

I'd just like to reiterate that neither of these flaws are directly related to vBulletin. Rather, they are flaws in software that ties into vBulletin. We are simply creating workarounds for these issues to prevent them from being exploited.

Patch files for vBulletin 3.5.0, 3.0.6 - 3.0.9 and 2.3.4 - 2.3.7 are attached to this thread, though we would recommend that you fully upgrade your board rather than simply patch it wherever possible. The zip files contain partial directory structures of the upload/ folder that would normally be found in the package you downloaded from the members' area. You should simply download the correct file for your board and extract it. Connect to your server via FTP and upload the contents of the zip file to your main board directory. This should overwrite files already on your server -- if it does not, then your board will not be patched!

All customers should upgrade or patch their boards as soon as possible.

Installing or Upgrading vBulletin (3.0.x/3.5.x)

Please see the appropriate manual sections: Installing vBulletin and Upgrading vBulletin.

Note that the process is the same as it was in the 3.0.x series. However you must redo your config.php if you are upgrading from 3.0.x!

TMC
11-03-2005, 03:08 PM
I have sent this message on to TT Admin. Thanks for the heads up!!

-J

Cloaked
11-03-2005, 05:34 PM
I am using vB 3.5.0 on another forum that I host. I upgraded two weeks ago upon release of the full version and completion of the beta version... It's good to go...

stevo137
11-03-2005, 05:48 PM
I hope that we don't lose the pics again after the upgrade...

Cloaked
11-03-2005, 08:21 PM
I hope that we don't lose the pics again after the upgrade...I upgraded with no problems, this version, however I took the time to back up the entire database prior to the migration. That is what I like about this latest version. Not a flaw after the upgrade. There are also some nice add-on hacks that vB accommodates very well. A shoutbox is the latest popular feature that vB can deal with.