vBulletin 3.7.4 PL1 Released


vB.Org System
11-21-2008, 09:40 AM
vBulletin 3.7.4 PL1

An XSS flaw within the user control panel has recently been discovered. This could allow an attacker to carry out an action as a user or obtain access to a user's account. To resolve this issue, it is necessary to release a patch level version of vBulletin 3.7.4.

vBulletin 3.6 is not affected. vBulletin 3.8 is affected, and the next beta/release candidate will include the fix.

The upgrade process is the same as previous patch level releases - simply download the patch from the Members Area (http://members.vbulletin.com/patches.php), extract the files and upload to your webserver, overwriting the existing files. There is no upgrade script required.

As with all security-based releases, we recommend that all customers upgrade as soon as possible in order to prevent any potential damage resulting from the flaw being exploited.


Upgrading from 3.7.4

If you are already running 3.7.4, the process you will be required to follow to make your board immune to this flaw is very simple.

There is no need to run an upgrade script if you are already running 3.7.4.

Visit the Patches section of the vBulletin Members' Area (http://members.vbulletin.com/patches.php) and download the patch for 3.7.4, then extract the files from the archive you downloaded, then upload the files to your board via FTP etc., overwriting the existing files. This will update your version to the PL1 release.


Upgrading from Versions Earlier than 3.7.4

If you are not already running 3.7.4, you should download the latest version from the Members' Area (http://members.vbulletin.com) and perform an upgrade as normal.

Full instructions for upgrading vBulletin are available here. (http://www.vbulletin.com/docs/html/upgrade)


Download vBulletin 3.7.4 PL1

As usual, the version released today is available for all customers with valid, active licenses to download from the vBulletin Members' Area.

vBulletin Members Area (http://members.vbulletin.com/)

Please do not use this thread for support questions.

More... (http://www.vbulletin.com/forum/showthread.php?t=291665&goto=newpost)

veenuisthebest
11-21-2008, 11:10 AM
Thank you!

Golzarion
11-21-2008, 02:20 PM
Thanks!

Shazz
11-21-2008, 02:59 PM
A forced upgrade :o

gamerfu
11-21-2008, 06:44 PM
Why does 3.7.x series have so many problems? :(

[ADDED]: Thanks for the patches. *uploaded* :cool:

Si?uNoopy
11-21-2008, 06:50 PM
Thank you :D

Pete C
11-21-2008, 09:43 PM
Initially I accepted that recent error messages generated after my upgrade were due to my host installing hardened php and Suhosin. (see here: https://vborg.vbsupport.ru/showpost.php?p=1663076&postcount=28) After further discussions it appears that the problems with hardened php and Suhosin only seem apparent when upgrading to 3.7.4

In this regard there is clearly an issue with this version of vBulletin.

In addition, since upgrading to 3.7.4 I've noticed that guests no longer appear in the Currently Active Users display. Only logged in members appear. Clicking "Who's Online" reveals several guests present, but the Currently Active Users display says there are none.

Reading back I see that this is a known bug with 3.7.4! Despite this, 3.7.4 PL1 has now been released but this issue remains unaddressed. I've applied this update and I STILL cannot see guests on my board.

I had no such problems with previous versions and I am rapidly coming to the conclusion that 3.7.4 is a disaster. So much so in fact that I'm seriously considering giving up vBulletin. Releasing software with known bugs to paying customers is simply not acceptable - this is supposed to be a final release not a BETA! These constant "upgrades" are frankly nothing short of a nuisance - especially if they cause problems that didn't exist before. Most of the time they offer little if anything to improve the average forums - they just cause more work for webmasters. It seems to me that the constant release of "upgrades" is simply a way of ensuring that renewal fees keep rolling in!

Why can there not be an established and stable version where owners do not need to constantly edit templates and etc? Surely security patches could still be released if vulnerabilities are discovered.

Well I'm sure these are questions that have been asked before and I'm equally sure there will be some pat answers to them . . . but at the end of the day the 3.7.0 release candidate, together with subsequent security patches would have been less troublesome than the "upgraded" version I'm currently stuck with.

Yeh yeh, nobody HAS to upgrade, but if you're trying to design skins, graphics etc. there is little credibility for the work if it's presented on an out-of-date board version.

I've been running vBulletin on an active owned license for several years now, but it's unlikely I'll renew again. I've closed my board now and I'll probably remove vBulletin from my server soon. Back to open source software and html pages if this is the best vB can offer.

Valyx
11-22-2008, 02:10 PM
Initially I accepted that recent error messages generated after my upgrade were due to my host installing hardened php and Suhosin. (see here: https://vborg.vbsupport.ru/showpost.php?p=1663076&postcount=28) After further discussions it appears that the problems with hardened php and Suhosin only seem apparent when upgrading to 3.7.4

In this regard there is clearly an issue with this version of vBulletin.

In addition, since upgrading to 3.7.4 I've noticed that guests no longer appear in the Currently Active Users display. Only logged in members appear. Clicking "Who's Online" reveals several guests present, but the Currently Active Users display says there are none.

Reading back I see that this is a known bug with 3.7.4! Despite this, 3.7.4 PL1 has now been released but this issue remains unaddressed. I've applied this update and I STILL cannot see guests on my board.

I had no such problems with previous versions and I am rapidly coming to the conclusion that 3.7.4 is a disaster. So much so in fact that I'm seriously considering giving up vBulletin. Releasing software with known bugs to paying customers is simply not acceptable - this is supposed to be a final release not a BETA! These constant "upgrades" are frankly nothing short of a nuisance - especially if they cause problems that didn't exist before. Most of the time they offer little if anything to improve the average forums - they just cause more work for webmasters. It seems to me that the constant release of "upgrades" is simply a way of ensuring that renewal fees keep rolling in!

Why can there not be an established and stable version where owners do not need to constantly edit templates and etc? Surely security patches could still be released if vulnerabilities are discovered.

Well I'm sure these are questions that have been asked before and I'm equally sure there will be some pat answers to them . . . but at the end of the day the 3.7.0 release candidate, together with subsequent security patches would have been less troublesome than the "upgraded" version I'm currently stuck with.

Yeh yeh, nobody HAS to upgrade, but if you're trying to design skins, graphics etc. there is little credibility for the work if it's presented on an out-of-date board version.

I've been running vBulletin on an active owned license for several years now, but it's unlikely I'll renew again. I've closed my board now and I'll probably remove vBulletin from my server soon. Back to open source software and html pages if this is the best vB can offer.
obviously it's not vBulletin's fault if you're the only one having those problems?

Pete C
11-22-2008, 02:22 PM
obviously it's not vBulletin's fault if you're the only one having those problems?

No I'm not the only one.

https://vborg.vbsupport.ru/showpost.php?p=1661389&postcount=22

https://vborg.vbsupport.ru/showpost.php?p=1666771&postcount=37

As already stated, the issue with guests not appearing has already been reported in the bug tracker and is apparently still unresolved.

Wayne Luke
11-22-2008, 02:32 PM
Reading back I see that this is a known bug with 3.7.4! Despite this, 3.7.4 PL1 has now been released but this issue remains unaddressed. I've applied this update and I STILL cannot see guests on my board.

PL or Patch Level releases deal solely with security issues that can affect the integrity of your board by allowing someone permissions that they shouldn't have. Patch Levels do not address other individual bugs if they are not a security risk. A non-critical bug such as what you describe, if confirmed, will be fixed as soon as it's possible, most likely the next version which would be vBulletin 3.7.5 in this case.

You will find a patch for this issue here: http://www.vbulletin.com/forum/project.php?issueid=26759#note71097

mastertek2000
11-22-2008, 10:55 PM
Let's hope this one is better than the last update. About to install, will let you know.

--------------- Added 1227462973 at 1227462973 ---------------

I will have to say this worked a lot better than the other, thanks :up:

jambo_1969
11-24-2008, 04:28 AM
I note users are still unable to log out properly using IE.

F0RGE
11-24-2008, 07:15 AM
Hmm.

Fail. I am sticking with 3.7.3 for the time being

steve1966
11-24-2008, 06:14 PM
After reading about the new release 3.74 I will stay with 3.73 also.

caliman
11-24-2008, 07:22 PM
No I'm not the only one.

https://vborg.vbsupport.ru/showpost.php?p=1661389&postcount=22

https://vborg.vbsupport.ru/showpost.php?p=1666771&postcount=37

As already stated, the issue with guests not appearing has already been reported in the bug tracker and is apparently still unresolved.

I had this problem as well.
I thought it was because I was running old guest and member tracking plugins. I uninstalled them. Then the problem seemed to go away? I did install new versions of the plugins and everything is as it was. I have not noticed any other issues with 3.7.4 patch level 1.

vip_inc200
11-25-2008, 10:42 AM
Thanks a lot

carntheroos4eva
11-27-2008, 09:49 PM
Cheers for that fellas:up: