Following the internal discovery of a potential cross-site scripting flaw, we have decided to put out a preventative security release in order to close the hole before it is exploited.
Although vBulletin 3.6.0 is also released today, we understand that some customers may be reluctant to upgrade immediately to the new version. Those customers should upgrade to 3.5.5 or use the provided patch to secure their vBulletin installation as soon as possible.
Updating your vBulletin to combat the XSS flaw:
Our primary recommendation for customers is to upgrade to vBulletin 3.6.0, but if you are not ready to do this, you can do one of the following:
Full Upgrade: The best way to fix the problem is to perform a full upgrade, downloading the complete 3.5.5 package from the vBulletin Members' Area and following the regular upgrade instructions.
Patch: A second option is to download the patch files discussed in this thread and upload them to your web server, overwriting the existing files. The patch is available in the Members' Area patch page. If you are not running 3.5.4, you must upgrade completely or use the plugin!
Plugin: The plugin system built into vBulletin 3.5 allows the problem to be fixed with a simple plugin. The install file for this plugin is also attached to this thread and is the easiest way to fix the problem, as it does not require you to upload any files via FTP. The plugin will be automatically removed when you perform your next full upgrade. You can install the plugin by following the instructions here.