No announcement yet.

vBulletin 3.5.4 Released

  • Filter
  • Time
  • Show
Clear All
new posts

  • vBulletin 3.5.4 Released

    vBulletin 3.5.4

    This release of vBulletin addresses a minor cross-site scripting flaw discovered by imei addmimistrator, fixes numerous bugs and adds a few new features.

    New Feature: Enhanced File Diagnostics

    In previous versions of vBulletin, the 'Suspect File Versions' system (AdminCP > Maintenance > Diagnostics > Suspect File Versions) performed a check on each file found to ensure that its stated version matched the currently-installed version of vBulletin. Therefore, a 3.5.2 version of forumdisplay.php would be flagged for attention on a board running 3.5.3.

    The new and improved suspect file versions system extends the file checking functionality in the following ways:
    1. File version mismatch:
      The system still checks for mismatched versions
    2. File not found:
      The system will identify any missing files
    3. File not recognised:
      It will also flag any script files in vBulletin directories that are not part of vBulletin
    4. Unexpected file contents:
      The final and most important check is that on download, MD5 sums are generated for every script file in the downloaded package. The system will now compare the original MD5 sum of each file with its current MD5 sum, so it is now possible to tell instantly if any files have been modified from their original state, making it very simple to see if hacks have been installed or if files have not been uploaded correctly.

    New Feature: SkypeWeb Integration

    SkypeWeb allows the online status of Skype users to be viewed on web pages, and fits very nicely with vBulletin.

    Please note that boards on which were installed the SkypeWeb plugin for vBulletin 3.5.3 will automatically have the plugin uninstalled and the full version inserted in its place.

    Implementational changes: Archive

    The output generated by the Archive is now buffered before being sent to the client. Plugins for the Archive that generate output must be adapted in order to work correctly.

    Updating your vBulletin to combat the XSS flaw:

    Versions of vBulletin 3.5 from 3.5.0 Beta 1 to 3.5.3 are affected by the XSS flaw so we recommend that customers upgrade or patch their installations.

    For the vBulletin 3.5.x branch, the problem can be resolved in one of three ways.
    1. Full Upgrade: The best way to fix the problem is to perform a full upgrade, downloading the complete 3.5.4 package from the vBulletin Members' Area and following the regular upgrade instructions.
    2. Patch: A second option is to download the patch files discussed in this thread and upload them to your web server, overwriting the existing files.
    3. Plugin: The plugin system built into vBulletin 3.5 allows the problem to be fixed with a simple plugin. The install file for this plugin is also attached to this thread and is the easiest way to fix the problem, as it does not require you to upload any files via FTP. The plugin will be automatically removed when you perform your next full upgrade. You can install the plugin by following the instructions here.
    For a complete list of bugs fixed in 3.5.4, please click here.
    Last edited by Kier; Tue 21 Feb '06, 8:31am.

  • #2
    Patch File

    Patches are now available in the members' area. You may view available patches here.

    Go to the page mentioned above and download the "Security patch for 3.5.3". Extract the zip archive, then connect to your web server using FTP and overwrite the following files using the replacement versions from the zip.
    • sendmessage.php
    • includes/functions.php
    • You do not need to download this patch if you perform a full upgrade to 3.5.4.

    To repeat, go here to download the "Security patch for 3.5.3".


    • #3
      Plugin File

      The file attached here allows you to fix the XSS problem using the vBulletin plugin system, without performing a full upgrade.

      Download the XML file and proceed to your vBulletin 3.5 admin control panel. Navigate to Admin Control Panel > Plugin System > Manage Products > Add / Import Product, then follow the instructions here to import the XML plugin file.

      • You do not need to install this plugin if you perform a full upgrade to 3.5.4
      • You do not need to install this plugin if you patch your board using the files attached to the previous post in this thread.
      • If you cannot download the patch, please see this thread.
      Attached Files


      • #4
        Template Changes Since 3.5.3

        The are the template changes since 3.5.3 ONLY

        If you are not running 3.5.3 yet, there are significantly more changed templates than are listed here. Use "Find Updated Templates" to find the templates that have changed and incorporate those changes. You may even wish to start with a default style!

        You need to only look through this post for templates you have customized. You do not need to take any action to ensure that your uncustomized templates are the latest versions.

        If you find a template you have customized in this list, you will likely want to include the changes made here. However, this is not always required. Under each change listed here, you will see "requires revert?" This refers to whether the changes are mandatory (yes). If the changes are mandatory, things will break if you do not incorporate the changes made. It is strongly recommended that you revert and recustomize any templates that say they require a revert. If requires revert is listed as "no", your board should continue functioning without the changes, but any bug fixes/improvements will not be applied unless you revert the template!

        Additionally, you may wish to use the "Find Updated Templates" feature in the control panel to find templates that have been changed since your last edit to them.



        Added closing tag (</form>) for the form.

        Requires Revert? Technically Yes


        Added a missing </span> tag. See this bug.

        Requires Revert? No


        Wrapped a : in a conditional so it does not show up when there is no description. See this bug.

        Requires Revert? No


        For consistency, changed:
        <if condition="$bbuserinfo['userid']">
        <if condition="$show['member']">
        Requires Revert? No


        Minor changes to implement SkypeWeb online status support.

        Requires revert? No (Though you will need to revert if you want SkypeWeb support)


        Changed a phrase (see this Bug)

        Requires revert? No (You will need to revert if you want a correct display)


        Made changes so banned users that still have permission to view the board can change their password but not their email.

        Requires Revert? No

        (new template)

        If guest posting is enabled and a registered user's session times out while posting, allow them to log back in without losing their post.

        Requires revert? No (Though recommended if you allow guests to post)


        Added labels for username / password to increase accessibility

        Requires revert? No


        Fixed invalid HTML by adding </td></tr>

        Requires revert? No


        Changed such that the smilie box expands its width properly if necessary.

        Requires revert? No


        • #5
          Files changed since 3.5.3
          • /
            • ajax.php
            • attachment.php
            • calendar.php
            • cron.php
            • editpost.php
            • external.php
            • forumdisplay.php
            • global.php
            • inlinemod.php
            • misc.php
            • newreply.php
            • newthread.php
            • payment_gateway.php
            • postings.php
            • profile.php
            • register.php
            • search.php
            • sendmessage.php
            • showthread.php
            • subscription.php
            • usercp.php
          • admincp/
            • accessmask.php
            • diagnostic.php
            • global.php
            • index.php
            • plugin.php
            • user.php
            • usertools.php
          • archive/
            • global.php
            • index.php
          • clientscript/
            • vbulletin_ajax_namesugg.js
            • vbulletin_textedit.js
          • includes/
            • adminfunctions.php
            • adminfunctions_language.php
            • adminfunctions_template.php
            • class_bbcode.php
            • class_bbcode_alt.php
            • class_core.php
            • class_dm.php
            • class_dm_moderator.php
            • class_dm_threadpost.php
            • class_dm_user.php
            • class_paid_subscription.php
            • class_postbit.php
            • functions.php
            • functions_cron.php
            • functions_databuild.php
            • functions_digest.php
            • functions_forumlist.php
            • functions_misc.php
            • functions_newpost.php
            • functions_online.php
            • functions_user.php
            • cron/
              • activate.php
              • promotion.php
              • reminder.php

            • paymentapi/
              • class_authorizenet.php

            • xml/
              • bitfield_vbulletin.xml

          • install/ - assume all files have changed
          • modcp/
            • global.php


          • #6
            A thread for the purpose of discussing the release of vBulletin 3.5.4 is provided here:


            • #7
              Due to issues that affect a limited number of customers when running the updated "Suspect File Versions" system (see the first post), admincp/diagnostic.php has been updated as of this post.

              You do not need to update this file if you do not plan on using this system or have already used it without any problem since upgrading to 3.5.4. Customers that may be affected will be running PHP versions less than 4.2.0 or have renamed their admin/moderator control panel directories.


              • #8
                Issue with patch file

                An issue has been discovered with the version of functions.php in the patch file. This only affects users who have chosen to patch; full upgrades and those using the product to fix the security issue are not affected.

                The issue relates to some users not being able to stay logged in after applying the patch. If you have this problem, you should redownload the patch from this page. We apologize for any inconvienence.


                widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.