vBulletin 3.7.0 Release Candidate 4
 

vBulletin 3.7.0
Release Candidate 4
Yeah, we know...

THIS IS PRE-RELEASE SOFTWARE.
IT IS UNSUPPORTED.

If you are not fully at home with backing-up and restoring your forum, dealing with bugs and regular upgrades, DO NOT INSTALL THIS VERSION

Last week, I announced that we intended to release the stable, final version of vBulletin 3.7.0 this week. I'm sorry to say that this will not be the case.

A security hole involving a CSRF (cross-site request forgery) vulnerability was reported to us over the weekend, requiring changes to significant numbers of templates and files in all of our products including vBulletin 3.x, Blog and Project Tools. The CSRF problem potentially enabled an administrator who had been lured to a third-party site to unknowingly submit forms located on the forum he or she administers, resulting in potential damage to the forum. Actions performed via the Admin Control Panel are not vulnerable.

Incidentally, this vulnerability is not unique to vBulletin - many web applications are affected and always have been, due to the very nature of the web.

It was decided that rather than push ahead and release 3.7.0, it would be better to roll out a further release candidate containing the fix for this problem, as the changes are widespread and it would not be prudent to label 3.7.0 as 'stable' before it has had at least one outing in pre-release form.

As we release vBulletin 3.7.0 Release Candidate 4, we are simultaneously releasing 3.6.10, which contains various bug fixes back-ported from 3.7.0, and of course the fix for the security problem. New versions of Blog and Project Tools will follow shortly in the coming days.

Unfortunately, due to the number of file and template changes required by the security fix, it is not practical to provide a patch or plugin to resolve the problem - only a full-scale upgrade will be sufficient.

We recommend that all customers upgrade as soon as possible.
Customers running 3.7.x should upgrade to 3.7.0 RC4.
Customers running 3.6.9 or earlier should upgrade to 3.6.10.

To all those who have been expecting to download vBulletin 3.7.0 'Gold' this week, we are sorry. We hope that the fact that we would rather delay a major, pre-announced release than put out software with known vulnerabilities illustrates our commitment to security.

If testing of this release candidate goes well, we will once again be looking at a stable release next week.

PHP and MySQL Recommendations

We recommend that vBulletin 3.7 is run on PHP 5.2.5 with APC (or a similar opcode cache) and MySQL 5.0.51 for best performance and stability.

What does Release Candidate mean?

Release Candidate, or RC for short, means that we believe vBulletin 3.7 will be ready to be declared a "stable" and "supported" supported release once it has undergone some final testing. The only known bugs that may remain are trivial.

RCs will be released until only trivial bugs are being fixed. Once this happens, the next stage is to move on to "gold" or, as it's officially known, 3.7.0.

This is still pre-release software. If you are not fully at home with backing-up and restoring your forum, dealing with bugs and regular upgrades, do not install this version but rather wait for the final, 3.7.0 version.


Customers should bear in mind that this is a release candidate, not a certified 'stable' release so the following caveats apply:

• Pre-release software is unsupported and you install beta and RC versions at your own risk.
• Some minor bugs remain unresolved at this time, so pre-release software should not be deployed on production sites.
• You should always back up your database fully before attempting to install pre-release software.
• If you choose to install this version, you should be aware that we plan to release new RC versions in rapid succession as bugs are fixed and holes are plugged. Do not install this RC version if you are not willing or able to keep up-to-date with new releases.
• The ImpEx import system does not support the 3.7 code yet, and will not support it until the release of 3.7.0 (stable).

More...

For support questions, please use the appropriate forums on vBulletin.com

Thank you very much :up:

Hacks that post back to vBulletin scripts will no longer work. vB.org should be letting us know on how to add the information to the hacks.

man.... what can I say :-) Any template changes since RC3?

Then have a look in the coders forum. ;)

Oh god :erm:

That was exactly what my thought was. I guess getting my site read for 3.7 is gonna take a little more effort than I originally thought. Oh well. It is worth it if it is more secure.

God.. I shouldn't of hacked any 3.7.0 (all version) Mods until the stable release. Or it will not matter for all hacks for/already on 3.7.x?

From what I understand, this only affects the mods that use $_POST. My guess is that this isn't a large amount of mods.

There are probably only a very few modifications affected by this. Most will keep working without a change.

too many templates are changed onto my board ... :(

I was looking foreward to the gold release but i would rather wait until all the security issues and bugs have been fixed before i upgrade from 3.69

A security update for the 3.6 version has also been released. I strongly suggest that you install 3.6.10 if you are currently using the 3.6 version.

Call me blind, but I seem unable to find it ^.^ :o

I think you need to have the user title designer/coder or just coder. I've just seen the fix, but many hacks shouldn't need it. :)

It should be made viewable to all soon, currently only available to coders (i.e. those that have released modifications)

Oh, I don't have that. But I've made (and making) quite some (large) products for vBB. So if I don't contribute them here, i'm unable to see what could be wrong and how I can fix it? :erm:

Oh, ok... And how soon is soon if i may ask? :)

I agree...we are always being told "learn how to do things yourself", but if we do, and modify our own boards, important stuff like this is not made available to us because we haven't released anything.

Well, I'm not yet at a skill level where I could release anything, yet I'm denied the fix.

what are the differences if I run vbulletin on php4 or php5? In which way more stable and better performance?

It would be nice to get a list of MOD's that will be effected by this somewhere.

_V

The recommended version is PHP 5.2, however both vBulletin 3.6 and 3.7.0 will run on PHP 4 -- that is the minimum requirement. PHP 5.2 can give a performance boost. You should also note that PHP 4 is now unsupported.

--------------- Added [DATE]1208973258[/DATE] at [TIME]1208973258[/TIME] ---------------

I'm sure the mod authors will update their hacks if they need too. The fix is only needed if $_POST points to stock vBulletin files.

I doubt it will be long, though you'll have to wait for confirmation from Marco, it is not being done to prevent you from fixing your board, I believe Marco just want to make sure the advice given is correct and anything that the coders bring up is resolved.

There is no need to release anything in order to obtain access to the fix, you should be able to see it fairly soon.

Bear in mind that only forms posting to default vBulletin files would be affected, if you are adding options to existing forms then there is no need to worry. It is only if the modifications you have are non-vB forms which are posting to vB pages.

I wonder why I can't find it. I guess I have to come up with another mod to make.

MoT3rror: I stated in my previous post that you do not need to release anything. You will be able to see it soon. (Although you are tagged as a coder, so you should have access to the forum I would have thought.)

GARS stopped working after I upgraded to RC4. I have posted on their support site, but just incase anyone else is using it.

A couple of shout boxes stopped working after the upgrade - inferno vbshout and Cyb's Chatbox.

Also Farcasters event attendance stopped working.

Possible problems with vbcasino.

Most modifications need updating to work with the CSRF flaws. There are instructions on how to do this for the coders to access.

Just checked mine and also got problems.

Please post issues with modifications in the modification's thread/site/board from which you downloaded it. This way it alerts the author that they need to fix their modification, posting here will serve very little purpose.

I hope I am not going blind already at my young age. :(

Could someone pm me the link to the forum if possible?

Is there a way to access this information without being a vb.org coder?

Find the post forms in the template system and you will find your answer or you can always look in the init.php file. The answer can be found in either. I am not going to say it because I can be wrong.

Thanks, it seemed like it wasn't too difficult judging by the FORM code, but I wanted to make sure, I'll try it out.

never mind me.

Which, as people keep pointing out, is of little use if you have made your own modifications, as we are often quite sarcastically told to go off and learn how to do.

Quite what the logic is of keeping this apparently simple fix for the eyes of the elite only is beyond me.

Perhaps every time I see someone having a problem with a modification which I can fix, I should refuse to post the solution on the same basis. This site used to be about helping each other, not a select elite.

Technical explanation on hwo to incorporate CSRF Protection into custom scripts has now been posted as an article also: Implementing CSRF Protection in modifcations

Was rather looking forward to a gold release this weekend but glad that some bugs were fixed anyway.

Can someone please tell me if the security problem announced is affecting vB 3.0.xx?

I know, ancient, but I do not plan to upgrade until absolutely essential and so far, I haven't find a good reason to do so.

Many thanks.