This release of vBulletin addresses a minor cross-site scripting flaw discovered by imei addmimistrator, fixes numerous bugs and adds a few new features.
New Feature: Enhanced File Diagnostics
In previous versions of vBulletin, the 'Suspect File Versions' system (AdminCP > Maintenance > Diagnostics > Suspect File Versions) performed a check on each file found to ensure that its stated version matched the currently-installed version of vBulletin. Therefore, a 3.5.2 version of forumdisplay.php would be flagged for attention on a board running 3.5.3.
The new and improved suspect file versions system extends the file checking functionality in the following ways:
- File version mismatch:
The system still checks for mismatched versions.
- File not found:
The system will identify any missing files.
- File not recognised:
It will also flag any script files in vBulletin directories that are not part of vBulletin.
- Unexpected file contents:
The final and most important check relies on MD5 sums, which are generated for every script file in the package at download time. The system now compares the original MD5 sum of each file with its current MD5 sum, so it is possible to tell instantly whether any files have been modified from their original state. This makes it very simple to see if hacks have been installed or if files have not been uploaded correctly.
New Feature: SkypeWeb Integration
SkypeWeb allows the online status of Skype users to be viewed on web pages, and fits very nicely with vBulletin.
Please note that boards on which the SkypeWeb plugin for vBulletin 3.5.3 was installed will automatically have the plugin uninstalled and the full version inserted in its place.
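As an added illustration of the four Enhanced File Diagnostics checks listed earlier (this is not vBulletin's own code), the Python example below classifies script files against a manifest of packaged MD5 sums. The version-comment format, the manifest layout and all function names are assumptions made for the example.

```python
import hashlib
import os
import re
import tempfile

# Assumption: every script states its version in a comment, e.g. "vBulletin 3.5.4".
VERSION_RE = re.compile(rb"vBulletin (\d+\.\d+\.\d+)")

def md5_of(data):
    return hashlib.md5(data).hexdigest()

def check_files(root, manifest, installed_version, ext=".php"):
    """Map each script path to a status; manifest is {relative path: packaged MD5}."""
    results, seen = {}, set()
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.endswith(ext):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            if rel not in manifest:            # script that is not in the package
                results[rel] = "not recognised"
                continue
            with open(full, "rb") as fh:
                data = fh.read()
            stated = VERSION_RE.search(data)
            if stated is None or stated.group(1).decode() != installed_version:
                results[rel] = "version mismatch"
            elif md5_of(data) != manifest[rel]:  # edited or corrupted upload
                results[rel] = "unexpected contents"
            else:
                results[rel] = "ok"
    for rel in manifest.keys() - seen:          # packaged file absent on disk
        results[rel] = "not found"
    return results

def demo():
    """Run the checks over a constructed four-file tree (sample data, not real files)."""
    good = b"<?php // vBulletin 3.5.4\n"
    packaged = ("index.php", "forumdisplay.php", "showthread.php", "global.php")
    manifest = {name: md5_of(good) for name in packaged}
    on_disk = {"index.php": good, "forumdisplay.php": b"<?php // vBulletin 3.5.2\n",
               "showthread.php": good + b"// local edit\n", "extra.php": b"<?php\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, body in on_disk.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        return check_files(root, manifest, "3.5.4")
```

The comparison is only as trustworthy as the manifest, so the recorded sums should be kept where someone able to edit the scripts cannot also edit them.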
Implementational changes: Archive
The output generated by the Archive is now buffered before being sent to the client. Plugins for the Archive that generate output must be adapted in order to work correctly.
Updating your vBulletin to combat the XSS flaw:
Versions of vBulletin 3.5 from 3.5.0 Beta 1 to 3.5.3 are affected by the XSS flaw, so we recommend that customers upgrade or patch their installations.
For the vBulletin 3.5.x branch, the problem can be resolved in one of three ways.
- Full Upgrade: The best way to fix the problem is to perform a full upgrade, downloading the complete 3.5.4 package from the vBulletin Members' Area and following the regular upgrade instructions.
- Patch: A second option is to download the patch files attached to this thread and upload them to your web server, overwriting the existing files.
- Plugin: The plugin system built into vBulletin 3.5 allows the problem to be fixed with a simple plugin. The install file for this plugin is also attached to this thread and is the easiest way to fix the problem, as it does not require you to upload any files via FTP. The plugin will be automatically removed when you perform your next full upgrade. You can install the plugin by following the instructions here.
For a complete list of bugs fixed in 3.5.4, please click here