A security thing that needs to be done -- we are working on upgraded files now and will have the styles ASAP...
Quote:
vBulletin 3.6.10
Although 3.6.9 was intended to be the final maintenance release for the 3.6.x series, the discovery of a CSRF (cross-site request forgery) vulnerability in vBulletin over the weekend has forced the release of an update to plug the hole.
The CSRF problem potentially enabled an administrator who had been lured to a third-party site to unknowingly submit forms located on the forum he or she administers, resulting in potential damage to the forum. Actions performed via the Admin Control Panel are not vulnerable.
The fix for the CSRF issue involves many files and many templates, so unfortunately it is not feasible to produce a patch or a plugin to address the problem. Only a full-scale update will work.
We recommend that customers running versions of vBulletin older than 3.6.10 upgrade as soon as possible.
read more @ vBulletin 3.6.10 Released - vBulletin Community Forum
Quote:
vBulletin 3.7.0 Release Candidate 4
Yeah, we know...
THIS IS PRE-RELEASE SOFTWARE.
IT IS UNSUPPORTED.
If you are not fully at home with backing-up and restoring your forum, dealing with bugs and regular upgrades, DO NOT INSTALL THIS VERSION.
Last week, I announced that we intended to release the stable, final version of vBulletin 3.7.0 this week. I'm sorry to say that this will not be the case.
A security hole involving a CSRF (cross-site request forgery) vulnerability was reported to us over the weekend, requiring changes to significant numbers of templates and files in all of our products including vBulletin 3.x, Blog and Project Tools. The CSRF problem potentially enabled an administrator who had been lured to a third-party site to unknowingly submit forms located on the forum he or she administers, resulting in potential damage to the forum. Actions performed via the Admin Control Panel are not vulnerable.
Incidentally, this vulnerability is not unique to vBulletin - many web applications are affected and always have been, due to the very nature of the web.
It was decided that rather than push ahead and release 3.7.0, it would be better to roll out a further release candidate containing the fix for this problem, as the changes are widespread and it would not be prudent to label 3.7.0 as 'stable' before it has had at least one outing in pre-release form.
read more @ vBulletin 3.7.0 Release Candidate 4 - vBulletin Community Forum
As far as plugins and mods: Mod and plugin authors - the changes in 3.6.10 and 3.7.0 RC4 will break any forms in your code that post back to vBulletin scripts.
Fix info @ Implementing CSRF Protection in modifications - vBulletin.org Forum