vBulletin 3.0.6 Critical Update, and a Bug Fix for 3.0.6
Erwin
01-19-2005, 11:04 AM
vBulletin 3.0.6 has been released:
http://www.vbulletin.com/forum/showthread.php?t=127027
It fixes an XSS security hole in bbcode parsing so you should at least upload the latest patched /includes/functions_bbcodeparse.php.
However, there is a serious bug in the 3.0.6 /includes/functions_bbcodeparse.php file.
This causes this error:
Warning: sprintf(): Too few arguments in /includes/functions_bbcodeparse.php on line 327
Unable to add cookies, header already sent.
File: /includes/init.php
Line: 27
This happens when you are trying to view a thread with custom bbcode.
To fix this, do this:
In functions_bbcodeparse.php, find:
return sprintf($return, $param, $option);
ABOVE IT, ADD:
$return = preg_replace('#%(?!\d+\$s)#', '%%', $return);
Bug description and fix located here:
http://www.vbulletin.com/forum/bugs.php?do=view&bugid=3678
I'm not sure whether the latest 3.0.6 release has this fix in it so I'm posting this manual fix just in case. :)
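Added example, not part of Erwin's post or vBulletin's code: why a literal % in a custom bbcode replacement breaks the sprintf() call, and what the preg_replace line changes. The function names and sample templates are constructed, and it assumes replacements use %1$s/%2$s placeholders, which is the form the regex preserves.

```php
<?php
// Added illustration, not vBulletin source; names and templates are constructed.

// The regex from the fix: double every '%' that does not begin a
// positional string placeholder such as %1$s or %2$s.
function escape_stray_percent(string $template): string
{
    return preg_replace('#%(?!\d+\$s)#', '%%', $template);
}

// Format a custom bbcode replacement, with or without the fix applied first.
function render_bbcode(string $template, string $param, string $option, bool $patched): string
{
    if ($patched) {
        $template = escape_stray_percent($template);
    }
    try {
        // PHP 8 throws on a bad format string; older PHP warns and returns false.
        $out = @sprintf($template, $param, $option);
    } catch (\Error $e) {
        return '[sprintf failed: ' . get_class($e) . ']';
    }
    return $out === false ? '[sprintf failed: returned false]' : $out;
}

$templates = [
    // literal percent signs in markup next to a placeholder
    '<div style="width:50%; height:20%; opacity:80%">%1$s</div>',
    // both placeholders, no stray percent: the regex leaves this unchanged
    '<a href="%2$s">%1$s</a>',
    // already escaped percent: the regex doubles it again, so "%%" is printed
    '<span>100%% %1$s</span>',
];

foreach ($templates as $t) {
    echo "template : $t\n";
    echo "unpatched: " . render_bbcode($t, 'text', 'http://example.com/', false) . "\n";
    echo "patched  : " . render_bbcode($t, 'text', 'http://example.com/', true) . "\n\n";
}
```

The third template shows the limit of the one-line fix: it treats every % other than %N$s as literal, so a replacement that was already escaped by hand gets escaped twice.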
sabret00the
01-19-2005, 11:11 AM
just applied :)
T3MEDIA
01-19-2005, 11:21 AM
oh man this software is going off the handle. How can I get version 2?
Deaths
01-19-2005, 01:34 PM
Thanks for the info.
I hate having to update all the time though, can't they make up their mind? Geez...
yoyoyoyo
01-19-2005, 01:36 PM
Thanks for the info. It's good to know that I can be safer now with the new patch and this fix. Thanks Erwin!
the Sandman
01-19-2005, 03:41 PM
Thanks Erwin! :D
Zachery
01-19-2005, 03:58 PM
oh man this software is going off the handle. How can I get version 2?
In the members area, there is also no way to go from vB3 to vB2 ;) best to stay where you are.
mOdEtWo
01-19-2005, 06:38 PM
Hmm, I don't get that error in a thread with custom bb code. And I didn't have the "updated" 3.0.6 version of it either, as I downloaded it half an hour after release yesterday.
Strange?
Anyway, I've applied the "fix".
Erwin
01-19-2005, 06:49 PM
Just so people know, CVS version 1.186.2.6 fixes this bug. If you have an earlier version you need to fix this manually.
mOdEtWo
01-19-2005, 06:58 PM
Just so people know, CVS version 1.186.2.6 fixes this bug. If you have an earlier version you need to fix this manually.
How do you replicate this bug?
Bison
01-19-2005, 08:12 PM
I assume that this only applies to site owners who have upgraded beyond v3.04 ... right?
Zachery
01-19-2005, 08:22 PM
I assume that this only applies to site owners who have upgraded beyond v3.04 ... right?
99% of the time security issues will go back for a long time, all the recent updates AFAIK will span back to at least vB3 RC1
Bison
01-19-2005, 08:33 PM
Well, I have vb3.03 installed and I cannot find the line that Erwin described above in the file mentioned.
Zachery
01-19-2005, 08:38 PM
Well, I have vb3.03 installed and I cannot find the line that Erwin described above in the file mentioned.
If you are referring to that, it's only in 3.0.6 but 3.0.3's bbcodeparse file is vulnerable.
Bison
01-20-2005, 01:14 AM
How Zac?
lanc3lot
01-20-2005, 01:58 AM
Thnx for the update:)
aussiev8
01-20-2005, 03:28 AM
can someone give us the fix for 3.0.3
i can't update until my server decides to let me restore backups
peterska2
01-20-2005, 09:13 PM
can someone give us the fix for 3.0.3
i can't update until my server decides to let me restore backups
This is getting silly. All my announcements this year so far at www.ntlhellworld.com have been
Site closed from upgrades
Upgrades completed
Site closed for upgrades
Upgrades completed
Site closed for upgrades
Upgrades completed.
I've still got my other site www.peterska2.co.uk to do again and then I've got other sites that I look after that will also need upgrading again.
If I get through them all again and then 3.0.7 comes out I'll be marching to Jelsoft HQ and screaming at them for the hassle while in the same breath praising them for keeping us so up to date and informed about potential security problems.
templates911
01-21-2005, 07:56 PM
I'm also getting tired of the updates. It's good that they fix the problems but they need to be more picky before they release something. I can't afford to pay someone for a hack then update my site then pay them to fix it to work with the new version over and over.
Zachery
01-21-2005, 11:35 PM
I'm also getting tired of the updates. It's good that they fix the problems but they need to be more picky before they release something. I can't afford to pay someone for a hack then update my site then pay them to fix it to work with the new version over and over.
then learn how to hack your own site or get the hackers to give you documentation on how to upgrade.
Andreas
01-21-2005, 11:41 PM
... or don't use hacks ;)
I took the decision not to use hacks although boy could I do with some. However, the main benefit is that whenever vB update I get the sweetest upgrade from the vB installer. Works a treat!
dknelson
01-26-2005, 03:26 AM
I don't know if this is the right place to post this. If not, please let me know. I downloaded and installed 3.0.5 with no problems at all. When I tried to install 3.0.6, it failed completely. Ended up having to restore my site from a backup. It has something to do with my integrated FlashChat but I'm not sure what. Flashchat was also installed when I did the 3.0.5 upgrade so I'm not sure what happened this time.
Don
Okay folks...maybe when I uploaded the 3.0.6 files I got a bad upload or something. I uploaded everything again and this time it worked just fine. Sorry about the false alarm.
Don
tormodg
01-26-2005, 07:40 AM
... or don't use hacks ;)
I assume you are being ironic but for some of us the hacks are what makes vBulletin interesting in the first place.
Now, I can live with upgrades as long as a quick patch alleviates the immediate problems but the last upgrade took me a whopping 6 hours... :disappointed:
havefun
01-27-2005, 02:04 PM
thx for the info about the bug :)
T3MEDIA
01-29-2005, 01:27 AM
In the members area, there is also no way to go from vB3 to vB2 ;) best to stay where you are.
hehe I know... just buggin.
If you are referring to that, it's only in 3.0.6 but 3.0.3's bbcodeparse file is vulnerable.
what would happen if someone just used vb .6 version and that's it?
xlegends
01-29-2005, 07:35 AM
I love hacks however the site owner should be picky on which hack to use. Those that go overboard with unnecessary hacks have a hard time during upgrades, especially during patching time like these. I use 1 big hack and 2 simpler ones. Makes upgrades and troubleshooting easier to deal with. Now if I can only assume we'll stop at 3.06 I'll upgrade 3.03 lol.
Paul M
01-29-2005, 09:53 AM
Upgrading does not take that long if you use the right tools - I upgraded our site from 3.0.3 to 3.0.5, and then 3.0.6, both times took about 90 minutes - including all our hacks (we have something like 20 in total). Also, if you plan it correctly the downtime is very little - for both our upgrades the site was only off for about 10 - 15 minutes.
I think proper documentation of your 'hacking' history would be your best bet to problem free and less time consuming upgrades :)
KanyeWest
01-29-2005, 10:04 PM
thanks for update :squareeyed: