No announcement yet.

vBulletin 3.6.4 Released

  • Time
  • Show
Clear All
new posts
  • Kier
    Former Lead Developer, vBulletin
    • Sep 2000
    • 8179

    vBulletin 3.6.4 Released

    vBulletin 3.6.4

    The discovery of a potential cross-site scripting (XSS) issue in the administrators control panel has necessitated the preventative release of vBulletin 3.6.4 Due to several mitigating factors, this issue is hard to exploit and careful browsing by the admins can prevent it entirely. Nonetheless, we strongly recommend that all of our customers upgrade or apply the patch as soon as possible.

    Additionally, vBulletin 3.6.4 includes fixes for several non-security-related bugs, see here for a full list.

    Updating your vBulletin to combat the XSS issue:

    Please note that this issue is present in other versions of vBulletin as well. Please see the appropriate announcement!

    You have two options to fix the XSS issue:
    1. Full Upgrade: The best way to fix the problem is to perform a full upgrade, downloading the complete 3.6.4 package from the vBulletin Members' Area and following the regular upgrade instructions.
    2. Patch: A second option is to download the patch files discussed in this thread and upload them to your web server, overwriting the existing files. The patch is available from the Members' Area patch page!
    If you absolutely cannot apply the patch or upgrade...

    We strongly recommend you actively take steps to address this issue. However, if this is not possible, we recommend that administrators only log into the control panel when work is necessary. While you are logged into the control panel, do not click unknown links. Log out from the control panel using the link in the upper right of the screen immediately after finishing your work. If you are unexpectedly presented with the control panel login screen after clicking a link, do not login.

    PHP and MySQL Requirements

    Please note that vBulletin 3.6.x requires at least PHP 4.3.3 and MySQL 4.0.16 or later.
  • Kier
    Former Lead Developer, vBulletin
    • Sep 2000
    • 8179


    Patches are now available in the members' area. You may view available patches here.

    Go to the page mentioned above and download the Security patch for 3.6.3. Extract the zip archive, then connect to your web server using FTP and overwrite the following files using the replacement versions from the zip.
    • admincp/index.php
    1. You do not need to download this patch if you perform a full upgrade to 3.6.4.
    2. If you only apply a patch, your version number will not change. Your version number will only be updated to 3.6.4 if you perform a full upgrade.


    • Kier
      Former Lead Developer, vBulletin
      • Sep 2000
      • 8179

      Changed Files (since 3.6.3)
      • ajax.php
      • calendar.php
      • memberlist.php
      • search.php
      • admincp/
        • admincalendar.php
        • index.php
        • usertools.php
        • subscriptions.php
      • archive/index.php
      • clientscript/
        • vbulletin_global.js
        • vbulletin_textedit.js
        • vbulletin_thrdpostlist.js
      • includes
        • adminfunctions.php
        • adminfunctions_language.php
        • adminfunctions_template.php
        • class_bbcode.php
        • class_core.php
        • class_dm_event.php
        • class_dm_pm.php
        • class_dm_user.php
        • class_sigparser_char.php
        • functions_newpost.php
        • functions_calendar.php
        • cron/removebans.php
        • xml/js_safe_phrases.xml
      • install/ - all of it
      • modcp/user.php


      • Kier
        Former Lead Developer, vBulletin
        • Sep 2000
        • 8179

        Templates Changed (since 3.6.3)

        These are the template changes since 3.6.3 ONLY

        If you are not running 3.6.3 yet, there are significantly more changed templates than are listed here. Use "Find Updated Templates" to find the templates that have changed and incorporate those changes. You may even wish to start with a default style!


        You need to only look through this post for templates you have customized. You do not need to take any action to ensure that your uncustomized templates are the latest versions.

        If you find a template you have customized in this list, you will likely want to include the changes made here. However, this is not always required. Under each change listed here, you will see "requires revert?" This refers to whether the changes are mandatory (yes). If the changes are mandatory, things will break if you do not incorporate the changes made. It is strongly recommended that you revert and recustomize any templates that say they require a revert.

        Additionally, you may wish to use the "Find Updated Template" feature in the control panel to find templates that have been changed since your last edit to them.



        Changes to HTML for XHTML validation purposes

        Requires revert? No (unless XHTML validation is important to you)


        Added maxlength parameter to the optional input to limit the amount of text to what is defined for the field.

        Requires Revert? No, see bug 1199


        Added style="border-top-width:0px" to the topic review bits table to prevent a border from doubling up.

        Requires revert? No.


        Added style="border-bottom-width:0px" to the PM title table to prevent a border from doubling up.

        Requires revert? No.


        • Kier
          Former Lead Developer, vBulletin
          • Sep 2000
          • 8179

          You may discuss this release here.


          widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.