vBulletin 3.7.2 PL1 and 3.6.10 PL3 Released

**vBulletin.com Staff** · 07-07-2008 12:40 PM

vBulletin 3.7.2 PL1 / vBulletin 3.6.10 PL3

An XSS flaw affecting the vBulletin control panel logging system has been identified, another was found affecting boards running in debug mode. It could allow an attacker to trick an admin into unwittingly performing an action within the control panel that they had not intended. To resolve this issue, it is necessary to release patch level versions of vBulletin 3.7.2 and 3.6.10.

One of the XSS flaws was discovered by Jessica Hope and the other by ourselves.

The upgrade process is the same as previous patch level releases - simply download the patch from the Members Area, extract the files and upload to your webserver, overwriting the existing files. There is no upgrade script required.

As with all security-based releases, we recommend that all customers upgrade as soon as possible in order to prevent any potential damage resulting from the flaw being exploited.

Upgrading from 3.7.2, 3.6.10 or their patch level versions

If you are already running 3.7.2, 3.6.10 or their patch level versions, the process you will be required to follow to make your board immune to the XSS problem is very simple.

There is no need to run an upgrade script if you are already running 3.7.2, 3.6.10 or their patch level versions.

Visit the Patches section of the vBulletin Members' Area and download either the patch for 3.7.2, or the patch for 3.6.10, according to the version you are currently running, then extract the files from the archive you downloaded, then upload the files to your board via FTP etc., overwriting the existing files. This will update your version to the PL1 or PL3 release respectively.

The 3.6.10 PL3 patch file also includes the PL1 and PL2 fixes.

Upgrading from Versions Earlier than 3.7.2 or 3.6.10

If you are not already running 3.7.2 or 3.6.10, you should download the most latest version from the Members' Area and perform an upgrade as normal.

Full instructions for upgrading vBulletin are available here.

Download vBulletin 3.7.2 PL1 or 3.6.10 PL3

As usual, both versions released today are available for all customers with valid, active licenses to download from the vBulletin Members' Area.

vBulletin Members Area

More...

**snakeair** · 07-07-2008 06:02 PM

I just got done doing the update. No template changes which is good.

Past 2 days, i've did a lot of updating on my forum. At least VB fixed some bug's that i had on my forum.

**Ace Shattock** · 07-07-2008 06:19 PM

Who is this Jessica Hope person that keeps getting mentioned as an exploit finder?

Should I know?

**Lee G** · 07-07-2008 06:22 PM

Glad I held off doing the last update. Two birds with one stone

Just hope it don't mess up my latest forum efforts

**snakeair** · 07-07-2008 06:22 PM

I have no idea and is this person actually a human or made up character?

Does VB pay people to hack there software to find bugs or something?

**briansol** · 07-07-2008 06:28 PM

she's a big wig on security tracker...
SecurityTracker.com Archives - vBulletin Input Validation Hole in 'redirect' Parameter Permits Cross-Site Scripting Attacks
http://www.google.com/search?q=jessi...ient=firefox-a

**Lee G** · 07-07-2008 06:29 PM

I'm sure there are plenty of people biting their lips with an answer to the last question.

I'm waiting to see what Brian says

**briansol** · 07-07-2008 07:01 PM

i don't know what vb does.

there's plenty of 3rd party service out there, like scan alert (now mcaffe secure) etc that will place various tests on your sites. vbseo in fact runs this same service.

**hornstar6969** · 07-07-2008 08:38 PM

Upgraded both my sites within minutes.

ps. I hope everyone here is using different admincp and modcp directories on there forums.

**briansol** · 07-07-2008 08:39 PM

IMO, these aren't even a big deal. you just need to be careful about what you click and when you click it. XSS are usually easy to detect/notice just by watching the status bar load

**snakeair** · 07-07-2008 11:52 PM

Thanks for the info Brian. I didn't even know this.

**meonet** · 07-08-2008 05:06 AM

Originally Posted by hornstar6969

ps. I hope everyone here is using different admincp and modcp directories on there forums.

Hello, what you mean?

**Shadab** · 07-08-2008 05:35 AM

Originally Posted by meonet

Hello, what you mean?

Means changing the directories of Admin Control Panel and Moderation control panel.
The default are : admincp/ and modcp/

Changing them to something obscure like :

admincp-hackers-cant-get-here/
modcp-not-here-too/

should be good

**meonet** · 07-08-2008 09:14 AM

Originally Posted by Shadab

Means changing the directories of Admin Control Panel and Moderation control panel.
The default are : admincp/ and modcp/

Changing them to something obscure like :

admincp-hackers-cant-get-here/
modcp-not-here-too/

should be good

Oh ok thanks

**Michael Biddle** · 07-08-2008 04:23 PM

However if you choose to do this, be sure that you update the path in your config.php

vBulletin 3.7.2 PL1 and 3.6.10 PL3 Released

LinkBack

Thread Tools

Display

vBulletin 3.7.2 PL1 and 3.6.10 PL3 Released

Similar Threads

vBulletin 3.7.1 PL1 & 3.6.10 PL1 Released

vBulletin 3.6.10 Released

vBulletin 3.6.2 released

vBulletin 3.6.1 Released

vBulletin 3.5.1, 3.0.10 Released

Tags for this Thread

Posting Permissions