vBulletin 3.6.4 Released
Marco van Herwaarden
11-22-2006, 01:57 PM
vBulletin 3.6.4
The discovery of a potential cross-site scripting (XSS) issue in the administrators control panel has necessitated the preventative release of vBulletin 3.6.4. Due to several mitigating factors, this issue is hard to exploit and careful browsing by the admins can prevent it entirely. Nonetheless, we strongly recommend that all of our customers upgrade or apply the patch as soon as possible.
Additionally, vBulletin 3.6.4 includes fixes for several non-security-related bugs, see here (http://www.vbulletin.com/forum/bugs36.php?s=&do=list&vbversion=3.6.3&status=20) for a full list.
Updating your vBulletin to combat the XSS issue:
Please note that this issue is present in other versions of vBulletin as well. Please see the appropriate announcement!
You have two options to fix the XSS issue:
Full Upgrade: The best way to fix the problem is to perform a full upgrade, downloading the complete 3.6.4 package from the vBulletin Members' Area (http://members.vbulletin.com/) and following the regular upgrade instructions (http://www.vbulletin.com/docs/html/upgrade?manualversion=30602500).
Patch: A second option is to download the patch files discussed in this thread and upload them to your web server, overwriting the existing files. The patch is available from the Members' Area patch page (http://members.vbulletin.com/patches.php)!
If you absolutely cannot apply the patch or upgrade...
We strongly recommend you actively take steps to address this issue. However, if this is not possible, we recommend that administrators only log into the control panel when work is necessary. While you are logged into the control panel, do not click unknown links. Log out from the control panel using the link in the upper right of the screen immediately after finishing your work. If you are unexpectedly presented with the control panel login screen after clicking a link, do not log in.
PHP and MySQL Requirements
Please note that vBulletin 3.6.x requires at least PHP 4.3.3 and MySQL 4.0.16 or later.
....Read more at vBulletin 3.6.4 Released (http://www.vbulletin.com/forum/showthread.php?t=209717)
Shazz
11-22-2006, 02:00 PM
That was fast!
puertoblack2003
11-22-2006, 02:12 PM
man can't keep up with you guys.:D
Shazz
11-22-2006, 02:22 PM
This is going to cause me a headache..
again... :( but don't know why i love to update lol :D:D
Snake
11-22-2006, 03:20 PM
Thanks for the heads up. On my way to upgrade both forums. :)
joopss
11-22-2006, 05:13 PM
That was fast!
Greek76
11-22-2006, 05:27 PM
At this rate we should reach 6.1.0 in two months!
Shazz
11-22-2006, 05:29 PM
At this rate we should reach 6.1.0 in two months!
Errm, there is still such thing as 3.7,3.8,3.9 :)
coffee
11-22-2006, 05:50 PM
Let's call it XSS wwIII :)
Rickie3
11-22-2006, 07:21 PM
It's bloody ridiculous, vBulletin is in beta, release after release in a matter of months is beyond a joke, I've got better things to do than constant upgrades, I give up!!!!
Shazz
11-22-2006, 07:23 PM
It's bloody ridiculous, vBulletin is in beta, release after release in a matter of months is beyond a joke, I've got better things to do than constant upgrades, I give up!!!!
* Shazz joins you
projectego
11-22-2006, 07:41 PM
* projectego goes to upgrade now... ;)
Mr Pink
11-22-2006, 09:23 PM
Upgraded successfully.
It's bloody ridiculous, vBulletin is in beta, release after release in a matter of months is beyond a joke, I've got better things to do than constant upgrades, I give up!!!!
Yes, but when you see your forum with *Hacked* to the header of your page, you will come to say "Why vB hadn't upgraded and fixed some security problems!?".
da420
11-22-2006, 10:13 PM
It's bloody ridiculous, vBulletin is in beta, release after release in a matter of months is beyond a joke, I've got better things to do than constant upgrades, I give up!!!!
Then don't upgrade. But, if it's hacked it's your fault. These exploits are hard to take advantage of, but it's possible, and I'd much rather a solution to the problem than to have a big upgrade once a year while these exploits can be taken advantage of.
VBUsers
11-22-2006, 10:50 PM
wow the upgrades are very close to each other. getting ready to upgrade now. thanks
chanthuyen
11-22-2006, 11:13 PM
oh my god, ton of releases !
JimmyN
11-22-2006, 11:15 PM
lol its like a upgrade every month, oh well shows good support :)
I just upgraded again few mins ago
thanks
You don't have to upgrade.....all you have to do is upload the 2 files from the last 2 patches to be fully patched.
Takes about 30 seconds.....:confused:
Although I prefer the full update to address the bugs....great job!!!
Phaedrus
11-23-2006, 12:32 AM
It's not a bad upgrade. No Template changes, except on ones that are rarely changed. You might need to redo changes to the pm template, and that is a "might".
Josh1
11-23-2006, 12:35 AM
Then don't upgrade. But, if it's hacked it's your fault. These exploits are hard to take advantage of, but it's possible, and I'd much rather a solution to the problem than to have a big upgrade once a year while these exploits can be taken advantage of.
Aye true.
RedTyger
11-23-2006, 10:36 AM
It's bloody ridiculous, vBulletin is in beta, release after release in a matter of months is beyond a joke, I've got better things to do than constant upgrades, I give up!!!!
I share your frustration, but that's just the way it goes. Code will always have errors, bugs and security issues. Ain't no perfect coder in the world. The real issue is what's done about them, and vBulletin are exceptionally quick.
Marco van Herwaarden
11-23-2006, 05:44 PM
For 3.6:
1 update to iron out bugs discovered once 3.6 was generally used and a few improvements based on customer feedback. This is to be expected for the first stable release.
1 update to fix a serious bug introduced when releasing the first update. Serious bugs like this don't happen often with vB.
1 update to fix a security issue in IE (so the release was not vB triggered).
1 update to fix a possible vulnerability that was almost impossible to exploit, but fixed anyway.
tbaleno
11-23-2006, 09:08 PM
Am I mistaken or was there only one file to replace with this patch going from 3.6.3?
Shazz
11-23-2006, 09:10 PM
Am I mistaken or was there only one file to replace with this patch going from 3.6.3?
On the 3.6.2 patched is one file change...
On the 3.6.3 it's numerous code fixes. I think you can read more about it in the 3.6.3 thread
itsid
11-24-2006, 03:23 AM
Now I'm happy that I never had any 3.6.3 in my hands :D
'sid
ps constant improvement is something to respect for!
da420
11-24-2006, 03:38 AM
Successfully upgraded last night without problems. Only one template in each style to revert. :)
jobbe
11-25-2006, 03:25 PM
On the 3.6.2 patched is one file change...
On the 3.6.3 it's numerous code fixes. I think you can read more about it in the 3.6.3 thread
Sorry to bother; I read the thread on vbcom and I didn't see all these code changes if you're on 3.6.3 as I am.
I see there is something on templates but nothing that really needs to revert.
Well, probably I misunderstood something, but I really thought that overwriting admincp/index.php was enough :(
MorrisMcD
11-26-2006, 01:04 AM
Upgrading is so easy now with the 3.6 version... I don't know what you are complaining about.. In fact, it's almost too easy now.. Templates used to be the pain in the ass, but anymore you rarely have file edits, and minimal if at all, and you can compare template history to figure out what template changes need done if any during an upgrade..
The 3.0 days are over.. 3.6 makes upgrading simple.. Quit yer +++++in :)
Zelos
11-26-2006, 05:37 AM
I personally like the fact that VB has been upgrading so often. phpBB has been plagued with exploit after exploit, and has still yet to release another upgrade since June!
MorrisMcD
11-26-2006, 11:35 PM
I personally like the fact that VB has been upgrading so often. phpBB has been plagued with exploit after exploit, and has still yet to release another upgrade since June!
+1
Well put
DannyMilner
12-03-2006, 10:34 AM
I personally like the fact that VB has been upgrading so often. phpBB has been plagued with exploit after exploit, and has still yet to release another upgrade since June!
Very true, I totally agree.
Ohiosweetheart
12-03-2006, 03:53 PM
I personally like the fact that VB has been upgrading so often. phpBB has been plagued with exploit after exploit, and has still yet to release another upgrade since June!
+1
Well put
Very true, I totally agree.
Agreed.
The fact that they are always on top of security issues and bug fixes, coupled with the top notch support, sure makes me feel good about purchasing a vB license rather than going with a freebie.
radarhunter
12-04-2006, 12:39 AM
hey wasn't the version 3.6.3 and 3.6.4 released too early.....
da420
12-04-2006, 01:08 AM
hey wasn't the version 3.6.3 and 3.6.4 released too early.....
Not when security is at risk.
Phaedrus
12-10-2006, 08:03 PM
So... I sorta expected to see that 3.6.5 had been released, or to have missed a couple... Are they finally settling?
snoop_1
12-11-2006, 09:37 AM
I personally like the fact that VB has been upgrading so often. phpBB has been plagued with exploit after exploit, and has still yet to release another upgrade since June!
yeah, i agree i like some of the updates on it :alien:
digital_sc4rz
12-12-2006, 02:08 AM
lmao:rolleyes:
Let's call it XSS wwIII :)