Patch Available for 3.0.0 RC4

  • #1

    An XSS vulnerability has been discovered in vBulletin 3 and posted to BugTraq.

    vBulletin 3 versions RC2, RC3 and RC4 are affected. This has necessitated the release of an updated version of includes/init.php to patch the problem.

    The members' area package has been updated with this file.

    If you are already running vBulletin 3 RC4, simply upload the attached init.php file to the 'includes' folder in your forum directory, overwriting the existing one.

    If you are running a previous version of vBulletin 3, we recommend that you upgrade to the version of RC4 available in the members' area as soon as possible.

    vBulletin 2.3.4 and earlier are not affected. Sites running vBulletin 2 need take no action.

  • #2
    A replacement search.php is now available for RC4 to fix a potential XSS issue. This issue exists only in RC4 unless you allow large words to be indexed in the search results (25+ characters). In that case all versions of vB3 would be affected. This search.php should be compatible with RC2 and RC3, but we recommend that you upgrade to RC4. The patched search.php is not yet available in the members' area, so please download it from this post.

  • #3
    ... the members' area package now includes both the init.php and search.php patched versions.

  • #4
    forumdisplay.php and showthread.php XSS issues

    Patched versions of forumdisplay.php and showthread.php are now available to fix 2 potential XSS issues in RC4.

    These issues are likely in all versions of 3.0.0 to this point.

    The updated files are not available in the members' area at this time, so please download them from this post.

  • #5
    Just to put your mind at rest, vBulletin 3 'Gold' will be released this week and has not been delayed.

    We simply figured that we'd let you have the fixed files as soon as they were available.