Read here:
http://www.vbulletin.com/forum/showthread.php?t=148584

Main changes:

1. MySQL 4.1 Support added.

2. XSS Flaws in faq.php, private.php, and several templates fixed.

To manually patch your vB 3.0.7 to fix the file security issues 3.0.8:

In private.php, find:


// PREVIEW THE MESSAGE, AND FALL BACK TO 'NEWPM'
if (isset($pm['preview']))
{
define('PMPREVIEW', 1);
$foruminfo = array('forumid' => 'privatemessage');
$preview = process_post_preview($pm);
$_REQUEST['do'] = 'newpm';
}


REPLACE with:


// PREVIEW THE MESSAGE, AND FALL BACK TO 'NEWPM'
if (isset($pm['preview']))
{
$temp = $pm['title'];
$pm['title'] = htmlspecialchars_uni(fetch_censored_text($pm['title']));
define('PMPREVIEW', 1);
$foruminfo = array('forumid' => 'privatemessage');
$preview = process_post_preview($pm);
$_REQUEST['do'] = 'newpm';
$pm['title'] = $temp;
}


And in faq.php, find:


// construct navbits


ABOVE, add:


$q = htmlspecialchars_uni($q);


Done!

Then to fix the template IE XSS problem, in all your templates where you see:


<title>


Move that so that it is BELOW:


$headinclude


Done fixing the potential security issues.

Nice to see a new version on the 3.0.x series.

Hmm didn't 2.x have the same issues with MySQL?

Bump - added to the first post the security file and template changes needed. ;)

Done fixing the potential security issues.
THANKS MUCH!

where's the install button? :D

Then to fix the template IE XSS problem, in all your templates where you see:


<title>


Move that so that it is BELOW:


$headinclude

Is there a quick way to do this, such as a "replace all" that is safe to do or do I have to search through all of the templates?

Maybe with a SQL-Replace directly in the database.

I love vB search :)
http://www.vbulletin.com/forum/showthread.php?t=143320

As mySQL also supports regex, it might also be possible to do this directly in the DB.
But mySQL Regex is not PCRE compatible, eg. different Syntax.

So it's just a security release?

So it's just a security release?

Yes, bug fixes only :)

Yes, bug fixes only :)

Well that's kinda boring. :-\

Won't be boring if someone hacks your board!

Heh. Too lazy to upgrade. I'll patch it until 3.5 goes stable.

Is this all the fixed? If so how do you make the message in the AdminCP go away?

Did you run the upgrade script?

I upgraded but lost my homepage

I am using VBA CMPS and I have lost my homepage...How do I reconnect? I have a white screen where it used to be! help!

I upgraded but lost my homepage

I am using VBA CMPS and I have lost my homepage...How do I reconnect? I have a white screen where it used to be! help!

You should try asking for help in the hack's thread :)

crap..didn't realize it was a hack. Since they set it up for me...grrr...thanks!

Did you redo all of the file edits for it?

I had it installed through vbulletin originally...they did it for me. what are the file edits? is there a reference to walk me through it? thanks!

I upgraded but lost my homepage

I am using VBA CMPS and I have lost my homepage...How do I reconnect? I have a white screen where it used to be! help!

sounds like you just need to reinstall the templates

that was mentioned on vb.com as well. any directions out there to tell me how? thanks..

Go to http://vbadvanced.com and ask your question.

They have a new version of the CMPS for you to download, but you probably need the file edits associated with the older version.