
  #1  
Old 23 Apr 2008, 16:30
vB.Org System
 
Join Date: Aug 2007
vBulletin 3.6.10 Released

vBulletin 3.6.10

Although 3.6.9 was intended to be the final maintenance release for the 3.6.x series, the discovery of a CSRF (cross-site request forgery) vulnerability in vBulletin over the weekend has forced the release of an update to plug the hole.

The CSRF problem potentially enabled an administrator who had been lured to a third-party site to unknowingly submit forms located on the forum he or she administers, resulting in potential damage to the forum. Actions performed via the Admin Control Panel are not vulnerable.

The fix for the CSRF issue involves many files and many templates, so unfortunately it is not feasible to produce a patch or a plugin to address the problem. Only a full-scale update will work.

We recommend that customers running versions of vBulletin older than 3.6.10 upgrade as soon as possible.

Template Changes Automatically Applied

With one exception (userinfraction_view), all the template changes in this release require a revert, but they are simple to apply so the upgrade script will attempt to do this for you. The list below shows which templates will be affected by the change, and how they will be altered. Customized templates will be automatically updated, but your customized changes will be retained.


Upgrading from Previous Versions

3.6.10 is a security release and we recommend that all customers upgrade to benefit from many bug fixes and stability improvements.

Full instructions for upgrading vBulletin are available here.

PHP and MySQL Requirements

Please note that vBulletin 3.6.x requires at least PHP 4.3.3 and MySQL 4.0.16 or later.

However, we recommend that vBulletin 3.6.x is run on PHP 5.2.5 with APC (or a similar opcode cache) and MySQL 5.0.51 for best performance and stability.

End of Life for PHP 4

The PHP group has announced the end of life for PHP 4. We strongly recommend that customers update their servers to PHP 5.2.5 if they are still running PHP 4. vBulletin 3.6.10 supports PHP 5 without any problems, though you may need to disable strict mode for MySQL, see here on how to enable 'force_sql_mode'.

Note: We will continue to support PHP 4 in the vBulletin 3 series.

Download vBulletin 3.6.10

As usual, vBulletin 3.6.10 is available for all customers with valid, active licenses to download from the vBulletin Members' Area.

vBulletin Members Area



For support questions, please use the appropriate forums on vBulletin.com

Last edited by Marco van Herwaarden; 23 Apr 2008 at 16:53.
  #2  
Old 23 Apr 2008, 16:56
rapidphim
 
Join Date: Feb 2007
Thank you for the update but I'm already on RC3.
  #3  
Old 23 Apr 2008, 16:56
Jasem
 
Join Date: Feb 2006
Location: www.menokia.com
Thank you for the update
__________________
games
Forum Nokia
  #4  
Old 23 Apr 2008, 17:01
PerSOnaL
 
Join Date: Jan 2008
Thank you
  #5  
Old 23 Apr 2008, 21:15
Ryuk
 
Join Date: Feb 2007
Real name: Sebastian Montoya
thank you for the update vb staff ^^
__________________
AnimeRawr

A Crunchy Toast
Bleach and Naruto weekly Updates
  #6  
Old 23 Apr 2008, 21:40
i.s.s.w
 
Join Date: Jul 2007
Thank you for the update 3.6.10
  #7  
Old 24 Apr 2008, 01:42
user_not_found
 
Join Date: Sep 2007
Very quick and fine job as always
  #8  
Old 24 Apr 2008, 02:54
meolangthang
 
Join Date: Apr 2008
Thank you for the update!
  #9  
Old 24 Apr 2008, 18:46
steve1966
 
Join Date: Dec 2007
Thank you
  #10  
Old 25 Apr 2008, 08:16
redlabour
 
Join Date: Mar 2004
Real name: André
Any news how to update Hacks that have Form in them?

Your submission could not be processed because a security token was missing or mismatched.

If this occurred unexpectedly, please inform the administrator and describe the action you performed before you received this error.
  #11  
Old 25 Apr 2008, 08:25
Marco van Herwaarden
 
Join Date: Jul 2004
Contact the author for a solution.
__________________
Marco van Herwaarden
Ex vBulletin.org Coordinator
  #12  
Old 25 Apr 2008, 11:30
FatalBreeze
 
Join Date: Apr 2004
Real name: Aviad
Originally Posted by Marco van Herwaarden:
Contact the author for a solution.
I built a hack which now produces the same error, so there is no author I can contact.

Will an article be posted about fixing this, like Kier said?
  #13  
Old 25 Apr 2008, 11:31
Marco van Herwaarden
 
Join Date: Jul 2004
Articles have already been posted.

Implementing CSRF Protection in modifications
__________________
Marco van Herwaarden
Ex vBulletin.org Coordinator
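
An added example, not part of the original thread and not vBulletin's own code, of the kind of server-side check that produces a "security token was missing or mismatched" error for forms that do not carry a token. The function names, the `csrf_token` field name, the token format and the one-hour lifetime are all assumptions made for illustration.

```php
<?php
// Added example: a generic session-bound CSRF token check.
// Names, token format and lifetime are hypothetical, not vBulletin's.

const TOKEN_LIFETIME = 3600; // seconds a token stays valid (assumed value)

// Issue a token bound to the session secret and the issue time.
function issue_token(string $sessionSecret, int $now): string
{
    return $now . '-' . hash_hmac('sha256', (string) $now, $sessionSecret);
}

// Return null when the token is acceptable, otherwise the rejection reason.
function check_token(?string $token, string $sessionSecret, int $now): ?string
{
    if ($token === null || $token === '') {
        return 'missing';            // form never included the hidden field
    }
    $parts = explode('-', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'mismatched';         // not in the expected "time-mac" shape
    }
    [$issued, $mac] = $parts;
    $expected = hash_hmac('sha256', $issued, $sessionSecret);
    if (!hash_equals($expected, $mac)) {
        return 'mismatched';         // not produced with this session's secret
    }
    if ($now - (int) $issued > TOKEN_LIFETIME) {
        return 'expired';            // page was open too long before submit
    }
    return null;
}

// Constructed sample data: one session secret and three form submissions.
$secret = bin2hex(random_bytes(16));
$now    = time();

$submissions = [
    'form rendered by the forum'     => ['csrf_token' => issue_token($secret, $now)],
    'form in an add-on not updated'  => [],
    'request from a third-party site' => ['csrf_token' => $now . '-' . str_repeat('0', 64)],
];

foreach ($submissions as $label => $post) {
    $reason = check_token($post['csrf_token'] ?? null, $secret, $now);
    echo $label, ': ', $reason === null ? 'accepted' : "rejected ($reason)", PHP_EOL;
}
```

The second case is the situation reported in the thread: a modification whose form template was written before the token requirement posts without the hidden field, so the handler rejects it until the form is updated to include the token.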
  #14  
Old 26 Apr 2008, 13:52
almansoori
 
Join Date: Aug 2007
How can a friend to come every day the news of a strange and puzzling!!
__________________
Admin of http://www.hazza.com