vBulletin 3.7.1 PL2 / vBulletin 3.6.10 PL2

An XSS flaw affecting the vBulletin URL redirection system has been identified. It could allow an attacker to trick a moderator or admin into unwittingly performing an action in either the front-end or control panel that they had not intended. To resolve this issue, it is necessary to release PL2 versions of vBulletin 3.7.1 and 3.6.10.

This XSS flaw, and that which made the release of the PL1 versions necessary, was discovered by Jessica Hope and others.

The upgrade process is the same as the PL1 releases - simply download the patch from the Members Area (http://members.vbulletin.com/patches.php), extract the files and upload to your webserver, overwriting the existing files. There is no upgrade script required.

As with all security-based releases, we recommend that all customers upgrade as soon as possible in order to prevent any potential damage resulting from the flaw being exploited.


vBulletin 3.7.2 to be Released Next Week

In line with our new scheduled maintenance release policy (http://www.vbulletin.com/forum/showthread.php?t=273299), we have evaluated the merits of providing a new maintenance release one month after the previous release or waiting until next month. It has been decided that we will bring forward the release of vBulletin 3.7.2 from Tuesday July 29th to this coming Tuesday, June 24th.

This release will be mentioned in the security bulletin sent out to customers today, but we will not send a further notification next week when 3.7.2 is released. Watch your Admin CP News, or the latest version check in the Admin CP to see when the new version is available. Alternatively, keep an eye on this forum for the 3.7.2 announcement.

To reiterate, vBulletin 3.7.2 will be released on Tuesday, June 24th 2008.


Upgrading from 3.7.1, 3.6.10 or their PL1 versions

If you are already running 3.7.1, 3.6.10 or their PL1 patch versions, the process you will be required to follow to make your board immune to the XSS problem is very simple.

There is no need to run an upgrade script if you are already running 3.7.1, 3.6.10 or their PL1 versions.

Visit the Patches section of the vBulletin Members' Area (http://members.vbulletin.com/patches.php) and download either the patch for 3.7.1, or the patch for 3.6.10, according to the version you are currently running, then extract the files from the archive you downloaded, then upload the files to your board via FTP etc., overwriting the existing files. This will update your version to the PL2 release.

The 3.7.1 PL2 patch file also includes the PL1 fixes. The same is true of the 3.6.10 PL2 patch file.


Upgrading from Versions Earlier than 3.7.1 or 3.6.10

If you are not already running 3.7.1 or 3.6.10, you should download the most latest version from the Members' Area (http://members.vbulletin.com) and perform an upgrade as normal.

Full instructions for upgrading vBulletin are available here. (http://www.vbulletin.com/docs/html/upgrade)


Download vBulletin 3.7.1 PL2 or 3.6.10 PL2

As usual, both versions released today are available for all customers with valid, active licenses to download from the vBulletin Members' Area.

vBulletin Members Area (http://members.vbulletin.com/)


More... (http://www.vbulletin.com/forum/showthread.php?t=275889&goto=newpost)

just patched thanks ;)

thanks :)

Cool!

*goes up upgrade* :D

sorry for such a noob but how are you going just to apply the patch without rerunning the whole upgrade procedure all over again? I just had mine upgraded to PL1. Thanks.

sorry for such a noob but how are you going just to apply the patch without rerunning the whole upgrade procedure all over again? I just had mine upgraded to PL1. Thanks.

Just upload/overwrite the files on your FTP with the patched ones you can find on http://members.vbulletin.com/patches.php

Thanks... I'll try that.

patched :)

Thanks patched

Patched .
thanks for the simplest way .
wbr

This was certainly an easy patch to apply. I was wondering though, is there any news yet on whether 3.7.2 is going to require yet another round of reverting templates and the subsequent editing this requires?

I sincerely hope not as I've only just finished the process for 3.7.1! :erm:

The only time we know about Template Edits are on release days.

When I unrar the patch file, I do see pretty much ton of files in there... Just like a folder for upgrade or brand new installation.... where is the patch file(s)?

When I unrar the patch file, I do see pretty much ton of files in there... Just like a folder for upgrade or brand new installation.... where is the patch file(s)?

Just upload them all... :)

When I unrar the patch file, I do see pretty much ton of files in there... Just like a folder for upgrade or brand new installation.... where is the patch file(s)?

Did you download the patch from the patches page or from the main download page?

Is this the file name? vbulletin_3-7-1_Patch_Level_2_VBF4E08FD2.zip

If yes, then after unzip, there are ton of files in there...

@ rapidphim: No, the file you require is called vb_patch371. It contains 3 folders, and there are a total of 5 files within them. When you log into the members area at vb.com, look in the left side column - scroll down to Support Services > Security Patches. You'll find it at the top of the patch list. :)

Oh God... Thanks Belder. You're life saver here.

when i startd upgrading i'm having this error :

mysql_connect() [<a href='function.mysql-connect'>function.mysql-connect</a>]: Access denied for user 'root'@'localhost' (using password: NO)
/xxx/xxx/public_html/includes/class_core.php on line 311

What can i do?

@ rapidphim: You're very welcome :)

@ binevi: It sounds like a problem with your config.php

If you're upgrading from a previous version, compare your previous config.php (passwords/database info etc) with the new one, and hopefully the error will become apparent.

but the problem is i dont have previous one. Because i rewrite it. it was 3.7.1

binevi, I don't really understand what you're trying to do. If you already had 3.7.1, the only "upgrade" is the security patch discussed previously in this thread. If you've uploaded that and it's generated a problem, I would suggest asking for help over at vb.com. Sorry I can't be more helpful.

You have default config values. You need to change the mysql values.

Quick patches right after one another. Great to see jelsoft right on top of things :)

When I unrar the patch file, I do see pretty much ton of files in there... Just like a folder for upgrade or brand new installation.... where is the patch file(s)?
Then you have the wrong one.

Go here:

http://members.vbulletin.com/patches.php

That will get you the list of patches. Use the newest one, upload 5 files. You are done.