vBulletin Announcements

An exploit in vBulletin 5.X has been reported by the "Romanian Security Team". We have repaired the issue reported and are releasing patches for the following versions: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5 and 5.1.0 The issue has also been fixed in vBulletin 5.1.1 RC1. The issue is caused by improper handling of the Page object within vBulletin. This allowed some user supplied data to be elevated to the point where it cause problems. It also allowed javascript to be executed in certain situations. To resolve these issues we have: 1) Enhanced error checking on some values from the query string to avoid allowing them in the page array. This includes forbidding some commonly used strings. 2) Cleaning up a value in a route class that...

Announcing the release of vBulletin 5.1.1 Alpha. This release fixes a number of bugs related to the CMS, Image Handling and Email Notifications. More than 80 issues are resolved in this version, most of which are high value issues that impact a large number of customers. PHP 5.5.X Support As of vBulletin 5.1.1, vBulletin 5 Connect supports PHP 5.5.X for access to the latest security and performance enhancements available in PHP. Please note that as of PHP 5.5.0, the mysql library is deprecated and we suggest that you switch to mysqli in your /core/includes/config.php file. Image Handling We've improved image handling in vBulletin 5 Connect. After inserting images, you can double-click on them to edit size, positioning and word wrap...

A security issue has been found that affects all versions of vBulletin including 3.x, 4.x and 5.x. We have released security patches to account for this vulnerability. This includes patches for vBulletin 3.8.7, vBulletin 4.2.2 and all versions of vBulletin 5 (including Cloud accounts). The patch is also applied to vBulletin 5.1.0 RC1. It is imperative that you apply these patches as soon as possible. Due to functionality changes, the minimum PHP version for the patch is 5.2.0. This represents an increase for both vBulletin 3. Alternatively customers can install the JSON functions separately viahttp://pecl.php.net/package/json in which case it will work with any compatible PHP version that their particular version of vBulletin supports...

We’re proud to release vBulletin 5.1.0 Connect. It is available to all customers with a valid vBulletin 5 Connect license. Our goal with this version is to primarily focus on returning the Article publishing functionality of the vBulletin 4 Publishing Suite. To do this we needed to port the functionality and recreate it within the vBulletin 5 database structure and APIs. Along with this we wanted to make sure that your existing articles are imported in a way that makes sense to you and your users without needing a lot of reconfiguration from you to get started. Please note the minimum required version of PHP is 5.3.7. This is a slight increase from previous versions of vBulletin 5 Connect. vBulletin 5.1.0 includes updates for the...

Release Candidate 1 is available. The developers have continued fixing bugs and we're currently working towards a release. As such, we have released 5.1.0 Release Candidate 1. The biggest change is that we've finished the permissions work around comments and you can control this with usergroup permissions per channel now. As a result of this change a number of other changes were made. You can see these in VBV-4523. We've also resolved an issue with Remember Me and the new password system.

This is an unstable Beta Release of the software. It is not recommended to be used on production systems at this time. Today we're proud to release of vBulletin 5.1.0 Beta 1. It is available to all customers with a valid vBulletin 5 Connect license. Our goal with this version is to primarily focus on returning the Article publishing functionality of the vBulletin 4 Publishing Suite. To do this we needed to port the functionality and recreate it within the vBulletin 5 database structure and APIs. Along with this we wanted to make sure that your existing articles are imported in a way that makes sense to you and your users without needing a lot of reconfiguration from you to get started. Article Publishing Channels During the transition...

It has come to our attention that there is a security issue in the uploader.swf file included as part of the Yahoo User Interface (YUI) library included in vBulletin 4. As the version of YUI included in vBulletin is end-of-lifed, Yahoo will not be fixing this issue. Their recommendation is to remove the file from your server. We recommend that you replace this with an empty file of the same name (attached). What this will do is force vBulletin to use a fallback javascript based uploader which is already provided in your system. See: http://yuilibrary.com/support/20131111-vulnerability/ The vulnerable file is also present in the vBulletin 5 download package though not used by the vBulletin 5 front-end. We recommend that you delete the...