vBulletin 3.0.7 released


filburt1
02-19-2005, 06:27 PM
It is directed primarily as a security fix that apparently is caused by enabling debug comments in templates (something production sites should not do anyway). However, it also fixes a slew of other bugs, so as usual, you should always stay up to date.

More: http://www.vbulletin.com/forum/showthread.php?t=130591

Paul M
02-19-2005, 06:28 PM
Indeed, https://vborg.vbsupport.ru/showthread.php?t=76641 :)

Deaths
02-19-2005, 06:30 PM
Hmm, I'll have a look at it.

I'm just hoping it doesn't make any major changes to the files I use for my hack, as it's almost finished now ~~.

EDIT:
Yes, why not create an almost entirely new attachment.php, when that's one of the most time taking parts of my hack, and I was almost done with it -.-

Geographic2
02-19-2005, 08:49 PM
Again? Yuk.

I had just gotten 3.0.6 almost working...
might as well start a fresh merge now...

Merlin_
02-19-2005, 09:29 PM
The exploit code says 3.0.5 and up are immune. Is that not right?

Erwin
02-19-2005, 09:31 PM
The exploit code says 3.0.5 and up are immune. Is that not right?
No. Only 3.0.7 is immune but only if you have template name in HTML enabled in your Admin CP, which is off by default and which most sites won't have.

AN-net
02-20-2005, 12:49 AM
What exactly is the problem with using the HTML comments? The posts do not mention what the hole is. If it cannot be discussed publicly, can someone drop me a PM...

Dean C
02-20-2005, 11:09 AM
It wouldn't be sensible to mention how it can be exploited in public. So before anyone tries ;)...

Paul M
02-20-2005, 12:25 PM
It wouldn't be sensible to mention how it can be exploited in public. So before anyone tries ;)...
While that may be partly true - people may pay more attention if the problem is actually known rather than some vague "there is an issue". I must admit that I'm struggling to understand how adding comments poses a security risk, I'm sure many others are as well, and people tend to ignore and dismiss something they can't see or understand.

Dean C
02-20-2005, 12:44 PM
I understand that, but if we posted up how it can be exploited in public, then you'd have people going around exploiting people's sites. And there are LOTS of people who don't upgrade and apply patches :)

sim tech
02-20-2005, 06:19 PM
Is there going to be a discussion area on which mods will have to be redone if I choose the "upgrade" option over the single file patch? My license with vBulletin is only a month old, so I can do the full upgrade if I want.

But I have installed - "for members who posted today" hack,
Installed pm.php AND users.php hack - for PMs
Also installed V3Arcade
vbookie installed
ucash and ustore installed

Crud - will I have to redo all of these?? Would it be worth it to upgrade from 3.0.6 to 3.0.7 or is just the patch good enough?

Erwin
02-20-2005, 08:03 PM
With only 4-5 hacks, best to upgrade to 3.0.7 which fixes some bugs (albeit minor ones) and reapply the hacks. You will have to do all of them.

Paul M
02-20-2005, 08:55 PM
Remember it's only the file edits you need to re-do, not complete hack re-installs.

oldfan
02-20-2005, 09:49 PM
I got 27 mods/addons/hacks installed.. :(
I think I may pass this upgrade u..

Lizard King
02-21-2005, 01:20 AM
I got 27 mods/addons/hacks installed.. :(
I think I may pass this upgrade u..
Why don't you use Araxis Merge or something like that? You can check this thread (https://vborg.vbsupport.ru/showthread.php?t=38545) and upgrade your forum within 30 minutes.

hendri
02-21-2005, 04:56 AM
Why don't you use Araxis Merge or something like that? You can check this thread (https://vborg.vbsupport.ru/showthread.php?t=38545) and upgrade your forum within 30 minutes.
I have upgraded to 3.07; everything seems fine.

Blootix
02-23-2005, 05:56 AM
With only 4-5 hacks, best to upgrade to 3.0.7 which fixes some bugs (albeit minor ones) and reapply the hacks. You will have to do all of them.
*Sigh* yeah. I had to... Even though I only had about 4 hacks. The AWS hack is extremely loooooong though, so that counts as 2! ;)

Delphiprogrammi
02-23-2005, 08:02 PM
Hi,

This is pretty obvious: go to your admincp => vbulletin settings => general settings

"add template name in html comments" => no. That's all there is to it.

For a list of bugs fixed in 3.07 you can go here (http://www.vbulletin.com/forum/showpost.php?p=819564&postcount=2)

Of course, if you want the fixes you need the full upgrade ....

SaN-DeeP
02-25-2005, 05:10 AM
Upgraded to 3.0.7 quite easily :).

Revan
02-25-2005, 10:48 PM
I now know why the "Add Template Name In HTML Comments" is a serious (!) security vulnerability.
With an unpatched board with this feature enabled, a cracker can inject malicious PHP code (yes, ANY PHP code) by the use of a malformed URL.
Of course, I'm not about to state HOW this is done, but let me just say that if *I* could find it (and I wasn't even LOOKING for this info!), then a cracker with a grudge will surely find it.

I hope this helps to make users patch themselves, if some are still in doubt of the severity of this exploit :)