vb.org Archive


filburt1 02-19-2005 06:27 PM

vBulletin 3.0.7 released
 
It is directed primarily as a security fix that apparently is caused by enabling debug comments in templates (something production sites should not do anyway). However, it also fixes a slew of other bugs, so as usual, you should always stay up to date.

More: http://www.vbulletin.com/forum/showthread.php?t=130591

Paul M 02-19-2005 06:28 PM

Indeed, https://vborg.vbsupport.ru/showthread.php?t=76641 :)

Deaths 02-19-2005 06:30 PM

Hmm, I'll have a look at it.

I'm just hoping it doesn't make any major changes to the files I use for my hack, as it's almost finished now ~~.

EDIT:
Yes, why not create an almost entirely new attachment.php, when that's one of the most time taking parts of my hack, and I was almost done with it -.-

Geographic2 02-19-2005 08:49 PM

Again? Yuk.

I had just gotten 3.0.6 almost working...
might as well start a fresh merge now...

Merlin_ 02-19-2005 09:29 PM

The exploit code says 3.0.5 and up are immune. Is that not right?

Erwin 02-19-2005 09:31 PM

Quote:

Originally Posted by Merlin_
The exploit code says 3.0.5 and up are immune. Is that not right?

No. Only 3.0.7 is immune but only if you have template name in HTML enabled in your Admin CP, which is off by default and which most sites won't have.

AN-net 02-20-2005 12:49 AM

What exactly is the problem with using the HTML comments? The posts do not mention what the hole is. If it cannot be discussed publicly, can someone drop me a PM...

Dean C 02-20-2005 11:09 AM

It wouldn't be sensible to mention how it can be exploited in public. So before anyone tries ;)...

Paul M 02-20-2005 12:25 PM

Quote:

Originally Posted by Dean C
It wouldn't be sensible to mention how it can be exploited in public. So before anyone tries ;)...

While that may be partly true - people may pay more attention if the problem is actually known rather than some vague "there is an issue". I must admit that I'm struggling to understand how adding comments poses a security risk, I'm sure many others are as well, and people tend to ignore and dismiss something they can't see or understand.

Dean C 02-20-2005 12:44 PM

I understand that, but if we posted up how it can be exploited in public, then you'd have people going around exploiting people's sites. And there are LOTS of people who don't upgrade and apply patches :)


All times are GMT.