Announcement

Collapse
No announcement yet.

vBulletin 2.2.3 Released

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • vBulletin 2.2.3 Released

    vBulletin 2.2.3c

    vBulletin 2.2.3c is a small but very important upgrade. It fixes a number of small bugs, but more importantly it fixes a potential XSS (Cross-site scripting) issue. We seriously recommend that you upgrade immediately, most importantly your functions.php and global.php files.

    If you have had problems with attachments or since your host patched the recent security hole in PHP, please be sure to follow the instructions here:
    http://www.vbulletin.com/forum/showt...threadid=41098

    Backing up forums

    Please be sure to check your backups, that they are complete before continuing with an upgrade. We had reports that PHP was causing time out errors when creating the back up SQL, and this was causing for incomplete or corrupted backups. The safest way to do a backup is to use the mysqldump utility through telnet, as it will not suffer from any such problems.

    New Installation Instructions

    For fresh installations, you must run the install.php file in the admin directory. Before you do this, take the config.php.new file, edit it to contain your details, then upload it as config.php to the server.

    Then you can run through the install.php script in much the same way as old install scripts. More detailed instructions are in the vBulletin online manual:
    http://www.vbulletin.com/manual/

    Upgrade instructions:

    >From 1.1.x: and 2.0.3 or before:
    Please email me at [email protected] for full information. Please be sure to include your vBulletin customer number and password, and the URL of the forum you are upgrading.

    > From 2.2.0
    Upload all the files except install.php, then load up the following web pages:
    http://your.site/forums/admin/upgrade14.php
    http://your.site/forums/admin/upgrade15.php
    http://your.site/forums/admin/upgrade16.php
    When you are done, be sure to delete all the upgradex.php scripts.

    > From 2.2.1
    Upload all the files except install.php, then load up the following web pages:
    http://your.site/forums/admin/upgrade15.php
    http://your.site/forums/admin/upgrade16.php
    When you are done, be sure to delete all the upgradex.php scripts.

    > From 2.2.2
    Upload all the files except install.php, then load up the following web page:
    http://your.site/forums/admin/upgrade16.php
    When you are done, be sure to delete all the upgradex.php scripts.

    Changed Templates

    Note: Upgrading will not overwrite any of your custom templates. If you have customized any template that is listed as 'modified' below, we seriously recommend using the 'revert' option to return them to the default template, then re-applying your customizations.

    Modified templates
    • Postbit_signature - added in a newline character
    • forumhome, navbar - minor javascript changes
    • editpost, modifyavatar, newreply, newthread -- enctype="multipart/form-data" was replaced with $enctype

    You can view the new templates from in the control panel by clicking on the 'view original' next to your custom template.

    Bug Fixes
    • Problem with being able to post custom avatars even when they should be disabled.
    • Fixed a few typos
    • Fixed problem with using { with Disable smilies
    • Fixed problem with mass-pruning users
    • Fixed performance issue with forumdisplay
    • Fixed issue causing postings not to work when file uploads were off
    • Fixed a couple of security issues, including one XSS vulnerability. We recommend that you upgrade, especially your functions.php and global.php files
    • Fixed issue with template cache


    In conclusion...

    Get to that members area!

    John

    To discuss this, please post here:
    http://www.vbulletin.com/forum/showt...threadid=41255
    Last edited by Chris Schreiber; Sun 10 Mar '02, 6:46am.
    John Percival

    Artificial intelligence usually beats real stupidity ;)

  • #2
    If you are running 2.2.3c , there is no immediate need to upgrade as you are secure.

    If you are running 2.2.3 or 2.2.3b , there are details below telling you how to patch the files.

    If you are running older versions, you are recommended to upgrade to 2.2.4 as soon as possible.

    John
    Last edited by John; Sun 10 Mar '02, 10:53am.
    John Percival

    Artificial intelligence usually beats real stupidity ;)

    Comment


    • #3
      We just released 2.2.3c, which fixes a critical problem for anyone that allows guest posting. If you have downloaded 2.2.3, and you allow guests to post on your boards, please download and install 2.2.3c available from the members area.

      If you have modified your boards and would like to make this change manually, you will need to edit your newthread.php and newreply.php files.

      Look for this code:
      if ($userinfo=$DB_site->query_first("SELECT user.*,userfield.* FROM user,userfield WHERE username='".addslashes(htmlspecialchars($username))."' OR username='".addslashes(eregi_replace("[^A-Za-z0-9]","",$username))."' AND user.userid=userfield.userid")) {

      And replace it with this:
      if ($userinfo=$DB_site->query_first("SELECT user.*,userfield.* FROM user,userfield WHERE (username='".addslashes(htmlspecialchars($username))."' OR username='".addslashes(eregi_replace("[^A-Za-z0-9]","",$username))."') AND user.userid=userfield.userid")) {

      This line occurs once in both files.
      Last edited by Chen; Sun 10 Mar '02, 9:23am.

      Comment


      • #4
        Attached is the patched newreply.php
        John Percival

        Artificial intelligence usually beats real stupidity ;)

        Comment


        • #5
          Attached is the patched newthread.php
          John Percival

          Artificial intelligence usually beats real stupidity ;)

          Comment


          • #6
            Attached is a unified diff file for newreply.php to patch the error. If this means nothing to you, just ignore it
            John Percival

            Artificial intelligence usually beats real stupidity ;)

            Comment


            • #7
              Attached is a unified diff file for newthread.php to patch the error. If this means nothing to you, just ignore it
              John Percival

              Artificial intelligence usually beats real stupidity ;)

              Comment

              widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
              Working...
              X