vBulletin 2.2.5 Released
vBulletin 2.2.5 vBulletin 2.2.5 is a moderately important security release, which fixes a number of problems we have identified with potential HTML-injection into the pages. This has, unfortunately, meant that a lot of files have been changed, but we would still encourage you to upgrade as soon as possible. Once again, we are reconsidering our internal-auditing strategies to ensure that we pick this issues up before they become an issue in the future. On a more positive note, vBulletin 3 has been designed with security in mind, already stopping this and several other potential issues dead in their tracks. Since we have had to modify a lot of files to fix this issue, the files will be tagged as 'beta' for a few days to allow us to update them if any minor bugs are found. Backing up forums Please be sure to check your backups, that they are complete before continuing with an upgrade. We had reports that PHP was causing time out errors when creating the back up SQL, and this was causing for incomplete or corrupted backups. The safest way to do a backup is to use the mysqldump utility through telnet, as it will not suffer from any such problems. Installation / Upgrade Instructions These are available in the Members Area. Templates changed: (from 2.2.4)threads_deletethread -- fixed a typo in one of the variables modifyavatar_custom -- Fixed a bug causing the wrong box to be checked when setting a custom avatar. http://www.vbulletin.com/forum/show...7407#post267407 Bug Fixes
Potential XSS/HTML-injection issues. Potential database error when updating user info in the control panel. Files changed: (from 2.2.4)
announcement.php, attachment.php, calendar.php, editpost.php, forumdisplay.php, global.php, index.php, member.php, member2.php, memberlist.php, misc.php, moderator.php, newreply.php, newthread.php, online.php, poll.php, postings.php, printthread.php, private.php, private2.php, register.php, search.php, showgroups.php, showthread.php, threadrate.php, usercp.php, admin/badwords.php, admin/functions.php, admin/sessions.php, admin/style.php, admin/thread.php, admin/user.php, mod/announcement.php, mod/global.php admin/misc.php And the usuals (all for just the version number): admin/global.php, admin/install.php, admin/upgrade1.php, admin/upgrade18.php In conclusion... We apologise for the frequency of updates recently. However, we are keen to maintain vBulletin's security, and to notify customers as soon as we are aware of issues, so we felt it was more important to get this information out to you as soon as possible, rather than sitting on it. John To discuss this, please post here:
http://www.vbulletin.com/forum/show...?threadid=43079
__________________
John Percival
vBulletin Product Manager
[email protected] Artificial intelligence usually beats real stupidity
vBulletin 2.2.5 vBulletin 2.2.5 is a moderately important security release, which fixes a number of problems we have identified with potential HTML-injection into the pages. This has, unfortunately, meant that a lot of files have been changed, but we would still encourage you to upgrade as soon as possible. Once again, we are reconsidering our internal-auditing strategies to ensure that we pick this issues up before they become an issue in the future. On a more positive note, vBulletin 3 has been designed with security in mind, already stopping this and several other potential issues dead in their tracks. Since we have had to modify a lot of files to fix this issue, the files will be tagged as 'beta' for a few days to allow us to update them if any minor bugs are found. Backing up forums Please be sure to check your backups, that they are complete before continuing with an upgrade. We had reports that PHP was causing time out errors when creating the back up SQL, and this was causing for incomplete or corrupted backups. The safest way to do a backup is to use the mysqldump utility through telnet, as it will not suffer from any such problems. Installation / Upgrade Instructions These are available in the Members Area. Templates changed: (from 2.2.4)threads_deletethread -- fixed a typo in one of the variables modifyavatar_custom -- Fixed a bug causing the wrong box to be checked when setting a custom avatar. http://www.vbulletin.com/forum/show...7407#post267407 Bug Fixes
Potential XSS/HTML-injection issues. Potential database error when updating user info in the control panel. Files changed: (from 2.2.4)
announcement.php, attachment.php, calendar.php, editpost.php, forumdisplay.php, global.php, index.php, member.php, member2.php, memberlist.php, misc.php, moderator.php, newreply.php, newthread.php, online.php, poll.php, postings.php, printthread.php, private.php, private2.php, register.php, search.php, showgroups.php, showthread.php, threadrate.php, usercp.php, admin/badwords.php, admin/functions.php, admin/sessions.php, admin/style.php, admin/thread.php, admin/user.php, mod/announcement.php, mod/global.php admin/misc.php And the usuals (all for just the version number): admin/global.php, admin/install.php, admin/upgrade1.php, admin/upgrade18.php In conclusion... We apologise for the frequency of updates recently. However, we are keen to maintain vBulletin's security, and to notify customers as soon as we are aware of issues, so we felt it was more important to get this information out to you as soon as possible, rather than sitting on it. John To discuss this, please post here:
http://www.vbulletin.com/forum/show...?threadid=43079
__________________
John Percival
vBulletin Product Manager
[email protected] Artificial intelligence usually beats real stupidity
解决方案 »
免费领取超大流量手机卡,每月29元包185G流量+100分钟通话, 中国电信官方发货