No announcement yet.

vBulletin 2.2.5 Released

  • Filter
  • Time
  • Show
Clear All
new posts

  • vBulletin 2.2.5 Released

    vBulletin 2.2.5

    vBulletin 2.2.5 is a moderately important security release, which fixes a number of problems we have identified with potential HTML-injection into the pages. This has, unfortunately, meant that a lot of files have been changed, but we would still encourage you to upgrade as soon as possible. Once again, we are reconsidering our internal-auditing strategies to ensure that we pick this issues up before they become an issue in the future. On a more positive note, vBulletin 3 has been designed with security in mind, already stopping this and several other potential issues dead in their tracks.

    This is now a final release - the only file changed between 2.2.5 beta and 2.2.5 was global.php. This fixes a bug with $HTTP_POST_VARS, etc not being unescaped when they should be.

    Backing up forums

    Please be sure to check your backups, that they are complete before continuing with an upgrade. We had reports that PHP was causing time out errors when creating the back up SQL, and this was causing for incomplete or corrupted backups. The safest way to do a backup is to use the mysqldump utility through telnet, as it will not suffer from any such problems.

    Installation / Upgrade Instructions

    These are available in the Members Area.

    Templates changed: (from 2.2.4)

    Bug Fixes
    • Potential XSS/HTML-injection issues.
    • Potential database error when updating user info in the control panel.
    • Users of php4 less than version 4.0.3 may not have been able to upload attachments and custom avatars.

    Files changed: (from 2.2.4)
    • announcement.php, attachment.php, calendar.php, editpost.php, forumdisplay.php, global.php, index.php, member.php, member2.php, memberlist.php, misc.php, moderator.php, newreply.php, newthread.php, online.php, poll.php, postings.php, printthread.php, private.php, private2.php, register.php, search.php, showgroups.php, showthread.php, threadrate.php, usercp.php, admin/badwords.php, admin/functions.php, admin/sessions.php, admin/style.php, admin/thread.php, admin/user.php, mod/announcement.php, mod/global.php
    • admin/misc.php
    • And the usuals (all for just the version number): admin/global.php, admin/install.php, admin/upgrade1.php, admin/upgrade18.php

    In conclusion...

    We apologise for the frequency of updates recently. However, we are keen to maintain vBulletin's security, and to notify customers as soon as we are aware of issues, so we felt it was more important to get this information out to you as soon as possible, rather than sitting on it.


    To discuss this, please post here:
    Last edited by Chris Schreiber; Thu 4 Apr '02, 12:31pm.
    John Percival

    Artificial intelligence usually beats real stupidity ;)
widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.