Erwin 01-19-2005 11:04 AM

vBulletin 3.0.6 Critical Update, and a Bug Fix for 3.0.6
 
vBulletin 3.0.6 has been released:
http://www.vbulletin.com/forum/showthread.php?t=127027

It fixes an XSS security hole in bbcode parsing so you should at least upload the latest patched /includes/functions_bbcodeparse.php.

However, there is a serious bug in the 3.0.6 /includes/functions_bbcodeparse.php file.

This causes this error:

Quote:

Warning: sprintf(): Too few arguments in /includes/functions_bbcodeparse.php on line 327

Unable to add cookies, header already sent.
File: /includes/init.php
Line: 27

This happens when you are trying to view a thread with custom bbcode.

To fix this, do this:

In functions_bbcodeparse.php, find:

PHP Code:

    return sprintf($return, $param, $option);

ABOVE IT, ADD:

PHP Code:

    // Double every '%' that is not a %N$s placeholder so sprintf() prints it literally
    $return = preg_replace('#%(?!\d+\$s)#', '%%', $return);



Bug description and fix located here:
http://www.vbulletin.com/forum/bugs....iew&bugid=3678

I'm not sure whether the latest 3.0.6 release has this fix in it so I'm posting this manual fix just in case. :)
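
Why the one-line fix in the post above works, as an added example that is not part of the post or of vBulletin's code: a custom bbcode replacement containing literal `%` characters makes `sprintf()` fail, and the posted regex escapes them while leaving `%1$s` and `%2$s` intact. The template, the `[cols]` tag, the input strings and the helper names are constructed for illustration; only the regex comes from the post.

```php
<?php
// Added example, not vBulletin code. The template and inputs are constructed;
// only the regex is taken from the fix quoted in the post.

// Double every '%' that does not begin a positional placeholder (%1$s, %2$s, ...)
// so sprintf() emits it as a literal percent sign.
function escape_stray_percents(string $format): string
{
    return preg_replace('#%(?!\d+\$s)#', '%%', $format);
}

// Run sprintf() and return null on failure. PHP 8 throws ValueError or
// ArgumentCountError; older versions raise a warning and return false.
function try_sprintf(string $format, string ...$args): ?string
{
    try {
        $out = @sprintf($format, ...$args);
    } catch (\Error $e) {
        return null;
    }
    return is_string($out) ? $out : null;
}

// Constructed replacement HTML for a hypothetical custom tag [cols=option]param[/cols].
// The three literal '%' characters are what break the unpatched call.
$template = '<table width="100%"><tr><td width="50%">%1$s</td>'
          . '<td width="50%">%2$s</td></tr></table>';

// Constructed user input; a '%' inside an argument is never parsed as a format.
$param  = htmlspecialchars('20% off <today>', ENT_QUOTES);
$option = htmlspecialchars('sidebar', ENT_QUOTES);

// Unpatched: each stray '%' is read as a conversion and consumes an argument,
// so the call fails and nothing usable is returned.
var_dump(try_sprintf($template, $param, $option));

// Patched: stray '%' doubled, %1$s and %2$s left alone, output is the full table
// with the escaped user text in place.
$safe = escape_stray_percents($template);
var_dump(try_sprintf($safe, $param, $option));
```

The pattern protects only `%N$s` placeholders: any other conversion in a template, including an already doubled `%%`, is escaped again.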

sabret00the 01-19-2005 11:11 AM

just applied :)

T3MEDIA 01-19-2005 11:21 AM

oh man this software is going off the handle. How can I get version 2?

TTG 01-19-2005 11:23 AM

Thanks for the info

Deaths 01-19-2005 01:34 PM

Thanks for the info.

I hate having to update all the time though, can't they make up their mind? Geez...

yoyoyoyo 01-19-2005 01:36 PM

Thanks for the info. It's good to know that I can be safer now with the new patch and this fix. Thanks Erwin!

the Sandman 01-19-2005 03:41 PM

Thanks Erwin! :D

Zachery 01-19-2005 03:58 PM

Quote:

Originally Posted by T3MEDIA
oh man this software is going off the handle. How can I get version 2?

In the members area, there is also no way to go from vB3 to vB2 ;) best to stay where you are.

mOdEtWo 01-19-2005 06:38 PM

Hmm, I don't get that error in a thread with custom bb code. And I didn't have the "updated" 3.0.6 version of it either, as I downloaded it half an hour after release yesterday.

Strange?

Anyway, I've applied the "fix".

Erwin 01-19-2005 06:49 PM

Just so people know, CVS version 1.186.2.6 fixes this bug. If you have an earlier version you need to fix this manually.

mOdEtWo 01-19-2005 06:58 PM

Quote:

Originally Posted by Erwin
Just so people know, CVS version 1.186.2.6 fixes this bug. If you have an earlier version you need to fix this manually.

How do you replicate this bug?

Bison 01-19-2005 08:12 PM

I assume that this only applies to site owners who have upgraded beyond v3.04 ... right?

Zachery 01-19-2005 08:22 PM

Quote:

Originally Posted by Bison
I assume that this only applies to site owners who have upgraded beyond v3.04 ... right?

99% of the time security issues will go back for a long time, all the recent updates AFAIK will span back to at least vB3 RC1

Bison 01-19-2005 08:33 PM

Well, I have vb3.03 installed and I cannot find the line that Erwin described above in the file mentioned.

Zachery 01-19-2005 08:38 PM

Quote:

Originally Posted by Bison
Well, I have vb3.03 installed and I cannot find the line that Erwin described above in the file mentioned.

If you are referring to that, it's only in 3.0.6 but 3.0.3's bbcodeparse file is vulnerable.

Bison 01-20-2005 01:14 AM

How Zac?

lanc3lot 01-20-2005 01:58 AM

Thnx for the update:)

aussiev8 01-20-2005 03:28 AM

can someone give us the fix for 3.0.3
i can't update until my server decides to let me restore backups

peterska2 01-20-2005 09:13 PM

Quote:

Originally Posted by aussiev8
can someone give us the fix for 3.0.3
i can't update until my server decides to let me restore backups

This is getting silly. All my announcements this year so far at www.ntlhellworld.com have been

Site closed from upgrades
Upgrades completed
Site closed for upgrades
Upgrades completed
Site closed for upgrades
Upgrades completed.

I've still got my other site www.peterska2.co.uk to do again and then I've got other sites that I look after that will also need upgrading again.

If I get through them all again and then 3.0.7 comes out I'll be marching to Jelsoft HQ and screaming at them for the hassle while in the same breath praising them for keeping us so up to date and informed about potential security problems.

templates911 01-21-2005 07:56 PM

I'm also getting tired of the updates. It's good that they fix the problems but they need to be more picky before they release something. I can't afford to pay someone for a hack then update my site then pay them to fix it to work with the new version over and over.

Zachery 01-21-2005 11:35 PM

Quote:

Originally Posted by templates911
I'm also getting tired of the updates. It's good that they fix the problems but they need to be more picky before they release something. I can't afford to pay someone for a hack then update my site then pay them to fix it to work with the new version over and over.

then learn how to hack your own site or get the hackers to give you documentation on how to upgrade.

Andreas 01-21-2005 11:41 PM

... or don't use hacks ;)

mjb 01-25-2005 01:39 PM

I took the decision not to use hacks although boy could I do with some. However, the main benefit is that whenever vB update I get the sweetest upgrade from the vB installer. Works a treat!

dknelson 01-26-2005 03:26 AM

I don't know if this is the right place to post this. If not, please let me know. I downloaded and installed 3.0.5 with no problems at all. When I tried to install 3.0.6, it failed completely. Ended up having to restore my site from a backup. It has something to do with my integrated FlashChat but I'm not sure what. Flashchat was also installed when I did the 3.0.5 upgrade so I'm not sure what happened this time.

Don

Okay folks...maybe when I uploaded the 3.0.6 files I got a bad upload or something. I uploaded everything again and this time it worked just fine. Sorry about the false alarm.

Don

tormodg 01-26-2005 07:40 AM

Quote:

Originally Posted by KirbyDE
... or don't use hacks ;)

I assume you are being ironic but for some of us the hacks are what makes vBulletin interesting in the first place.

Now, I can live with upgrades as long as a quick patch alleviates the immediate problems but the last upgrade took me a whopping 6 hours... :disappointed:

havefun 01-27-2005 02:04 PM

thx for the info about the bug :)

T3MEDIA 01-29-2005 01:27 AM

Quote:

Originally Posted by Zachery
In the members area, there is also no way to go from vB3 to vB2 ;) best to stay where you are.

hehe I know... just buggin.

Quote:

Originally Posted by Zachery
If you are referring to that, it's only in 3.0.6 but 3.0.3's bbcodeparse file is vulnerable.

what would happen if someone just used vb .6 version and that's it?

xlegends 01-29-2005 07:35 AM

I love hacks however the site owner should be picky on which hack to use. Those that go overboard with unnecessary hacks have a hard time during upgrades, especially during patching time like these. I use 1 big hack and 2 simpler ones. Makes upgrades and troubleshooting easier to deal with. Now if I can only assume we'll stop at 3.06 I'll upgrade 3.03 lol.

Paul M 01-29-2005 09:53 AM

Upgrading does not take that long if you use the right tools - I upgraded our site from 3.0.3 to 3.0.5, and then 3.0.6, both times took about 90 minutes - including all our hacks (we have something like 20 in total). Also, if you plan it correctly the downtime is very little - for both our upgrades the site was only off for about 10 - 15 minutes.

cinq 01-29-2005 10:48 AM

I think proper documentation of your 'hacking' history would be your best bet to problem free and less time consuming upgrades :)

KanyeWest 01-29-2005 10:04 PM

thanks for update :squareeyed:


All times are GMT.