assassingod 01-07-2005 06:34 AM

vBulletin 3.0.5 Released - Critical Update
 
http://www.vbulletin.com/forum/showthread.php?t=125480

This is a CRITICAL update

vBulletin 3.0.5 has been released due to a serious security flaw in all vBulletin 3 versions, including 3.0.4.

It is a critical update and it is recommended that you upgrade immediately.

Important information about the vulnerability can be found in the thread, link at the top of this post:

Quote:


Important Warning About Sensitive Data

Due to the nature of the vulnerability discovered in vBulletin 3, and as part of our ongoing effort to maximize security, we must assume that one or all of the vBulletin servers may have been compromised.

Therefore, we would STRONGLY RECOMMEND that any customers who may have submitted sensitive data, such as vBulletin admin control panel or server login details, to Jelsoft staff in the past should take steps to alter these details, so that any information that may have been accessed by an unauthorized party could not be used.

Discussion about the thread is here

lasto 01-07-2005 08:50 AM

just done the init.php, can't be bothered updating again

yep the one for 3.0.5

ManagerJosh 01-07-2005 09:12 AM

Quote:

Originally Posted by assassingod
http://www.vbulletin.com/forum/showthread.php?t=125480

This is a CRITICAL update

vBulletin 3.0.5 has been released due to a serious security flaw in all vBulletin 3 versions, including 3.0.4.

It is a critical update and it is recommended that you upgrade immediately.

Important information about the vulnerability can be found in the thread, link at the top of this post:



Discussion about the thread is here

When can we expect the update to be performed here? :D

Mark.B 01-07-2005 09:42 AM

This is actually a bit of a poor show.

I've just spent three days rehacking my board for the upgrade to 3.0.4 and now I'm expected to do it all again. And for what? So 3.0.6 can be released days later?

This is the second time in succession that a release of vBulletin has effectively been botched. Everyone is congratulating the team on another release, and I am usually very supportive, but on this occasion there's been a big botch, and for the second time running.

The whole point of purchasing forum software instead of using the free programs is that this sort of messing about should not be necessary.

zurih 01-07-2005 09:44 AM

Quote:

Originally Posted by Mark.B
This is actually a bit of a poor show.

I've just spent three days rehacking my board for the upgrade to 3.0.4 and now I'm expected to do it all again. And for what? So 3.0.6 can be released days later?

This is the second time in succession that a release of vBulletin has effectively been botched. Everyone is congratulating the team on another release, and I am usually very supportive, but on this occasion there's been a big botch, and for the second time running.

The whole point of purchasing forum software instead of using the free programs is that this sort of messing about should not be necessary.

especially when u have a lot of hacks installed.

strongy 01-07-2005 10:06 AM

again, but i just finished fiddling with hacks, it'll have to wait *uploads that init.php though*

Creative Suite 01-07-2005 10:34 AM

woow , We are in era of the speed :p

, just wanna ask about 3.0.6 :D

Montadiat.com 01-07-2005 10:36 AM

yeah ,

<<< looking out for 3.0.6 :D

Paul M 01-07-2005 11:01 AM

So, the only difference between 3.0.4 and 3.0.5 is init.php ?

Erwin 01-07-2005 11:13 AM

Quote:

Originally Posted by Mark.B
This is actually a bit of a poor show.

I've just spent three days rehacking my board for the upgrade to 3.0.4 and now I'm expected to do it all again. And for what? So 3.0.6 can be released days later?

This is the second time in succession that a release of vBulletin has effectively been botched. Everyone is congratulating the team on another release, and I am usually very supportive, but on this occasion there's been a big botch, and for the second time running.

The whole point of purchasing forum software instead of using the free programs is that this sort of messing about should not be necessary.

This is not Jelsoft's fault.

This is a NEW security loophole that is present in ALL vB 3 forums except for the latest version, and is not caused by the release of 3.0.4.

They've just discovered the loophole, that's all. It was already there.

So this has nothing to do with a botched release. It's just coincidental.

strongy 01-07-2005 11:17 AM

Quote:

Originally Posted by Paul M
So, the only difference between 3.0.4 and 3.0.5 is init.php ?

i don't think so, there's more to it than that, i think it just fixes the immediate problem :p

Erwin 01-07-2005 11:18 AM

The init.php update will plug the security hole.

Remember, the security hole is in ALL vBulletin 3 forums. It was always there. It just took someone all this time to discover how to exploit it, hence the need to close it now.

Paul M 01-07-2005 11:23 AM

Quote:

Originally Posted by strongy
i don't think so, there's more to it than that, i think it just fixes the immediate problem :p

Yeah, I just took a look - all minor errors (including at least two that look like they were introduced in 3.0.4 !).

Paul M 01-07-2005 11:24 AM

Quote:

Originally Posted by Erwin
The init.php update will plug the security hole.

Remember, the security hole is in ALL vBulletin 3 forums. It was always there.

Only if you run with register_globals ON, which is a bad idea in the first place. :)

Erwin 01-07-2005 12:02 PM

Quote:

Originally Posted by Paul M
Only if you run with register_globals ON, which is a bad idea in the first place. :)

At least that's what they think. :) But the recommendation from the developers is to update init.php anyway.

Revan 01-07-2005 01:24 PM

Quote:

Originally Posted by Thread title
vBulletin 3.0.5 Released

One thing to say:
Bugger.

:p
No, seriously. I am one of these nerds that are desperate to update their vBulletin IMMEDIATELY, no matter how many hacks I have installed (which is 68 BTW).
Even though I have learned in the past that Jelsoft just loves to torture people like me, I still updated to 3.0.4.

Bwaha nah just kidding, I think it's great that they are so quick with patching
...but don't think for a second I'm gonna update any other file than what they list as changed...
XD


//peace

red_baron2000 01-07-2005 05:40 PM

will wait for vbb 4.0 !!! maybe it is out tomorrow!! :)

Guest190829 01-07-2005 07:17 PM

I'm glad they found the loophole...no complaints from me. = )

HiDeo 01-07-2005 07:52 PM

Thanks for the information

moethelawn 01-07-2005 09:29 PM

Shoot... I just rehacked my board.... oh well...

Better to be secure and rehack everything than to be lazy and have someone take control of my board....

MissKalunji 01-07-2005 09:32 PM

Quote:

Originally Posted by Mark.B
This is actually a bit of a poor show.

I've just spent three days rehacking my board for the upgrade to 3.0.4 and now I'm expected to do it all again. And for what? So 3.0.6 can be released days later?

This is the second time in succession that a release of vBulletin has effectively been botched. Everyone is congratulating the team on another release, and I am usually very supportive, but on this occasion there's been a big botch, and for the second time running.

The whole point of purchasing forum software instead of using the free programs is that this sort of messing about should not be necessary.


when you say rehack you mean just the php files or even reinstall sql??

moethelawn 01-07-2005 10:00 PM

Quote:

Originally Posted by MissKalunji
when you say rehack you mean just the php files or even reinstall sql??

Just the php files that have changed from the upgrade...

You shouldn't usually have to worry about the SQL, lol.. that would suck if you do....

Erwin 01-09-2005 01:13 AM

Refer to this for a 3.0.5 security patch involving private.php
https://vborg.vbsupport.ru/showthread.php?t=74035

peterska2 01-09-2005 07:38 AM

D'oh!

My private.php is rather hacked. I guess I'll be patching the file for the first time ever.

Sin City 01-19-2005 04:09 AM

i am with Mark.B on this... not to be rude, but this is a pain in the butt to constantly have to reinstall every hack because there's a new update every week or two

it is already unsatisfactory that every aspect of this particular company has to be paid for (after paying $160 to be able to have an owned license, the last thing i should have to pay for is yearly access to the members' section (which only has one important feature - software updates)... true it is not a lot of money, but that is not the point....

the point is, i am quite sure that everyone would've been more than happy to stick it out on vB2 until vB3 was THOROUGHLY finished and had none of these constant "oops, we found something... get the latest download ASAP" issues :ermm:

filburt1 01-19-2005 04:25 AM

I would take a security fix over a possibly less-well-coded third-party modification any day. However, I do agree in my opinion that they should not charge access to the Member's Area for releases in the same major.minor group (i.e., 3.0.x). I know they usually post fixed files in the announcements, but there are dozens of bug fixes in each release that get left out.

