Forums Help - vBulletin, IPB, phpBB, SMF skins and community - View Single Post

ForumsHelp · 11-22-2006, 03:09 PM

Hello everybody

Yes it's not a joke, vBulletin 3.6.4 has been released few hours ago to fix the potential cross-site scripting (XSS) issue in the administrators control panel and as usual, the best way to fix the problem is to perform a full upgrade. But if you don't want to go for a full upgrade then you can use the patch released to fix this issue.
Here are the file changes since vb 3.6.3:

ajax.php
calendar.php
memberlist.php
search.php
admincp/
- admincalendar.php
- index.php
- usertools.php
- subscriptions.php
archive/index.php
clientscript/
- vbulletin_global.js
- vbulletin_textedit.js
- vbulletin_thrdpostlist.js
includes
- adminfunctions.php
- adminfunctions_language.php
- adminfunctions_template.php
- class_bbcode.php
- class_core.php
- class_dm_event.php
- class_dm_pm.php
- class_dm_user.php
- class_sigparser_char.php
- functions_newpost.php
- functions_calendar.php
- cron/removebans.php
- xml/js_safe_phrases.xml
install/ - all of it
modcp/user.php

These are the template changes since 3.6.3 ONLY

If you are not running 3.6.3 yet, there are significantly more changed templates than are listed here. Use "Find Updated Templates" to find the templates that have changed and incorporate those changes. You may even wish to start with a default style!

Note:

You need to only look through this post for templates you have customized. You do not need to take any action to ensure that your uncustomized templates are the latest versions.

If you find a template you have customized in this list, you will likely want to include the changes made here. However, this is not always required. Under each change listed here, you will see "requires revert?" This refers to whether the changes are mandatory (yes). If the changes are mandatory, things will break if you do not incorporate the changes made. It is strongly recommended that you revert and recustomize any templates that say they require a revert.

Additionally, you may wish to use the "Find Updated Template" feature in the control panel to find templates that have been changed since your last edit to them.

--------------------------------------

bbcode_code
bbcode_html
bbcode_php

Changes to HTML for XHTML validation purposes

Requires revert? No (unless XHTML validation is important to you)

calendar_edit_customfield

Added maxlength parameter to the optional input to limit the amount of text to what is defined for the field.

Requires Revert? No, see bug 1199

newreply

Added style="border-top-width:0px" to the topic review bits table to prevent a border from doubling up.

Requires revert? No.

pm_showpm

Added style="border-bottom-width:0px" to the PM title table to prevent a border from doubling up.

Requires revert? No.
-------------------------------

This is not all as vbulletin 3.0.17 & 3.5.7 have been released as well.
Go ahead and upgrade

11-22-2006, 03:09 PM	#1 (permalink)
User Profile ForumsHelp Senior Member Join Date: Apr 2006 Age: 32 Posts: 968 Total Points: 289,272 Donate My Zoints Profile My Photos: () My Mood:	vBulletin 3.6.4 is out there! Hello everybody Yes it's not a joke, vBulletin 3.6.4 has been released few hours ago to fix the potential cross-site scripting (XSS) issue in the administrators control panel and as usual, the best way to fix the problem is to perform a full upgrade. But if you don't want to go for a full upgrade then you can use the patch released to fix this issue. Here are the file changes since vb 3.6.3: ajax.php calendar.php memberlist.php search.php admincp/ admincalendar.php index.php usertools.php subscriptions.php archive/index.php clientscript/ vbulletin_global.js vbulletin_textedit.js vbulletin_thrdpostlist.js includes adminfunctions.php adminfunctions_language.php adminfunctions_template.php class_bbcode.php class_core.php class_dm_event.php class_dm_pm.php class_dm_user.php class_sigparser_char.php functions_newpost.php functions_calendar.php cron/removebans.php xml/js_safe_phrases.xml install/ - all of it modcp/user.php These are the template changes since 3.6.3 ONLY If you are not running 3.6.3 yet, there are significantly more changed templates than are listed here. Use "Find Updated Templates" to find the templates that have changed and incorporate those changes. You may even wish to start with a default style! Note: You need to only look through this post for templates you have customized. You do not need to take any action to ensure that your uncustomized templates are the latest versions. If you find a template you have customized in this list, you will likely want to include the changes made here. However, this is not always required. Under each change listed here, you will see "requires revert?" This refers to whether the changes are mandatory (yes). If the changes are mandatory, things will break if you do not incorporate the changes made. It is strongly recommended that you revert and recustomize any templates that say they require a revert. Additionally, you may wish to use the "Find Updated Template" feature in the control panel to find templates that have been changed since your last edit to them. -------------------------------------- bbcode_code bbcode_html bbcode_php Changes to HTML for XHTML validation purposes Requires revert? No (unless XHTML validation is important to you) calendar_edit_customfield Added maxlength parameter to the optional input to limit the amount of text to what is defined for the field. Requires Revert? No, see bug 1199 newreply Added style="border-top-width:0px" to the topic review bits table to prevent a border from doubling up. Requires revert? No. pm_showpm Added style="border-bottom-width:0px" to the PM title table to prevent a border from doubling up. Requires revert? No. ------------------------------- This is not all as vbulletin 3.0.17 & 3.5.7 have been released as well. Go ahead and upgrade