vBulletin Product Updates
JELSOFT SECURITY BULLETIN
http://www.vbulletin.com/
January 10th, 2006
This email contains important security-related information.
Please read it carefully.
* Security Information
* vBulletin 3.5.3
* vBulletin 3.0.12
* vBulletin 2.3.9
* Your License Information
* Contact Us
---------- SECURITY INFORMATION ----------
A recently-discovered cross-site scripting (XSS) flaw
in all three branches of vBulletin has prompted us to
perform a security update, releasing new versions of
vBulletin 2.3.x, 3.0.x and 3.5.x simultaneously.
All prior versions of vBulletin are vulnerable to the
flaw and we advise all customers to upgrade or patch
their vBulletin installations at their earliest
convenience.
Specific details for each vBulletin version follow.
------------- VBULLETIN 3.5.3 ------------
If you run vBulletin 3.5, the problem can be resolved
in one of three ways.
1 - Full Upgrade
The best way to fix the problem is to perform a full
upgrade by downloading the complete 3.5.3 package
from the vBulletin Members' Area and following the
regular upgrade instructions. This method will also
fix a number of non-critical bugs that have been
resolved since the release of vBulletin 3.5.2. Any
previous version of vBulletin can be brought up to
date using this method.
2 - Patch
If you are currently running vBulletin 3.5.2, you
may download the patch files attached to the 3.5.3
release announcement thread and upload them to your
web server, overwriting the existing files. This
method will fix the XSS flaw, but will not resolve
any additional bugs.
3 - Plugin
The plugin system built into vBulletin 3.5 allows the
problem to be fixed with a simple plugin. This is the
quickest and easiest way to resolve the XSS flaw.
You will need to download the plugin installation
file from the 3.5.3 release announcement thread,
then use the product manager in your Admin Control
Panel to install the plugin. As with the patch, this
method will not resolve any bugs except for the XSS
flaw.
The release announcement thread can be found here:
http://www.vbulletin.com/forum/showthread.php?t=169997
------------ VBULLETIN 3.0.12 ------------
Installations of vBulletin 3.0 can be fixed in one
of the following ways:
1 - Full Upgrade
The best way to fix the problem is to perform a full
upgrade by downloading the complete 3.0.12 package
from the vBulletin Members' Area and following the
regular upgrade instructions. This method will also
fix a number of non-critical bugs that have been
resolved since the release of vBulletin 3.0.11.
Any previous version of vBulletin can be upgraded to
3.0.12 using this method.
2 - Patch
If you are currently running vBulletin 3.0.11, you
may download the patch files attached to the 3.0.12
release announcement thread and upload them to your
web server, overwriting the existing files. This
method will fix the XSS flaw, but will not resolve
any additional bugs.
The release announcement thread can be found here:
http://www.vbulletin.com/forum/showthread.php?t=169999
------------- VBULLETIN 2.3.9 ------------
In addition to the XSS flaw affecting vBulletin 3.0
and vBulletin 3.5, vBulletin 2.3 has been found to
contain an additional XSS problem relating to BB code
parsing. This problem is also resolved by the release
of vBulletin 2.3.9.
You may fix your vBulletin 2.3 installation using
either of the two methods listed here:
1 - Full Upgrade
The best way to fix the problem is to perform a full
upgrade by downloading the complete 2.3.9 package
from the vBulletin Members' Area and following the
regular upgrade instructions. This method will also
fix a number of non-critical bugs that have been
resolved since the release of vBulletin 2.3.9.
Any previous version of vBulletin can be upgraded to
2.3.9 using this method.
2 - Patch
If you are currently running vBulletin 2.3.8, you
may download the patch files attached to the 2.3.9
release announcement thread and upload them to your
web server, overwriting the existing files. This
method will fix both XSS flaws, but will not resolve
any additional bugs.
The release announcement thread can be found here:
http://www.vbulletin.com/forum/showthread.php?t=170001
---------------- YOUR LICENSE INFORMATION ----------------
You can use this information to log into the members area
and download vBulletin and ImpEx:
Customer Number: J1747AC983E1
If you have misplaced your customer password, you can
request that it be re-sent to your registered email
address using the following form:
http://members.vbulletin.com/lostpw.php
You can use this information to log into the members area:
http://members.vbulletin.com/
-------------------- CONTACT US --------------------------
Please do not respond to this email directly. We will not
receive your response. Please use the links below.
Got a vBulletin technical query? Contact support:
http://www.vbulletin.com/support/
For all other queries, please visit this page:
http://www.vbulletin.com/contact.php
To report suspected bugs in vBulletin 3 and 3.5, please
use the bug tracker for each version:
vBulletin 3.0 - http://www.vbulletin.com/forum/bugs.php
vBulletin 3.5 - http://www.vbulletin.com/forum/bugs35.php
__________________
Ding Dong ;)