Many websites have a forum where users can discuss all kinds of topics with each other. Doing this in an orderly way requires a handy piece of software that lets you assign different permissions for managing the forum. One of these forum packages is vBulletin, which was developed for a web server with a PHP-MySQL environment. Although the team is busy getting version 3.5.0 ready for the public, the developers have quickly pushed out version 3.0.8 as well. The release notes read as follows:
While most development time is currently focussed on preparing vBulletin 3.5 for stable release, various problems and bugs have been reported in the vBulletin 3.0 series. The release of vBulletin 3.0.8 includes fixes for various issues and some minor security problems in earlier versions. We would therefore recommend that all customers currently running a version of vBulletin 3.0.x upgrade to this version. Customers already running one of the pre-release versions of vBulletin 3.5 do not need to take any action related to vBulletin 3.0.8 - the fixes in this version are already included in the 3.5 code.
Changes for MySQL 4.1 Support
As many people have discovered, MySQL 4.1 disagrees with the method used by vBulletin 3.0.x to store attachments, avatars, profile pictures and any other binary data stored in the database, resulting in what appears to be corrupt data. The 3.0.8 upgrade script runs several queries to resolve this problem, meaning that attachments and avatars etc. will function properly with MySQL 4.1. Once again, these changes are already included in vBulletin 3.5.
The queries we run are as follows:
- ALTER TABLE attachment CHANGE filedata filedata MEDIUMBLOB NOT NULL, CHANGE thumbnail thumbnail MEDIUMBLOB NOT NULL;
- ALTER TABLE customavatar CHANGE avatardata avatardata MEDIUMBLOB NOT NULL;
- ALTER TABLE customprofilepic CHANGE profilepicdata profilepicdata MEDIUMBLOB NOT NULL;
XSS Flaws in faq.php, private.php, and several templates
Minor cross-site-scripting flaws exist in faq.php and private.php in previous versions of vBulletin 3.0.x; fixed versions of these files have been attached to this post. Simply overwrite these files in your main vBulletin directory with those in the zip file. A similar issue has been found in several templates; the changes necessary to fix this are detailed at the beginning of the third post of this thread. vBulletin 3.0.8 corrects these problems.
Backing Up Your Forums
Please be sure to check that your backups are complete before continuing with an upgrade. We had reports that PHP was causing timeout errors when creating the backup SQL, and this was causing incomplete or corrupted backups. The safest way to do a backup is to use the mysqldump utility through SSH/Telnet, as it will not suffer from any such problems. Full instructions for backing up your database are available in the vBulletin 3 Manual.
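
One way to check that a backup is complete before running the upgrade, as an added example that is not part of the release notes or of vBulletin: it looks for the completion comment mysqldump writes at the end of a dump and for the three tables the upgrade alters. It assumes unprefixed table names and a mysqldump run with comments enabled; the script name `check_dump.sh` and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vBulletin code): sanity-check a mysqldump file before upgrading.
# Table names come from the ALTER TABLE statements; no table prefix is assumed.
REQUIRED_TABLES="attachment customavatar customprofilepic"

# dump_is_complete FILE: returns 0 if the dump looks complete, 1 otherwise.
dump_is_complete() {
    dump=$1
    if [ ! -s "$dump" ]; then
        echo "missing or empty: $dump" >&2
        return 1
    fi
    # Assumption: mysqldump ended its output with a "-- Dump completed"
    # comment (not written when comments are disabled).
    if ! tail -n 5 "$dump" | grep -q '^-- Dump completed'; then
        echo "no completion marker, dump is probably truncated: $dump" >&2
        return 1
    fi
    # The binary-data tables altered by the upgrade must be in the backup.
    for t in $REQUIRED_TABLES; do
        if ! grep -q "^CREATE TABLE \`$t\`" "$dump"; then
            echo "table definition missing from dump: $t" >&2
            return 1
        fi
    done
    return 0
}

# Constructed sample input: a minimal file in mysqldump's layout.
write_sample_dump() {
    {
        echo "-- MySQL dump (constructed sample)"
        for t in $REQUIRED_TABLES; do
            printf 'CREATE TABLE `%s` (\n  `id` int NOT NULL\n);\n' "$t"
        done
        echo "-- Dump completed on 2005-01-01  0:00:00"
    } > "$1"
}

# Usage: sh check_dump.sh backup.sql
if [ -n "${1:-}" ]; then
    dump_is_complete "$1" && echo "dump looks complete: $1"
fi
```

A dump that passes this check is not proven restorable; restoring it into a scratch database remains the stronger test.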