Saturday 04th February 2012
 
 
 
 
 
 


 
 

vBulletin 3.7.0 ‘Gold’ Released

April 29, 2008 | Posted in: vBulletin
 

Today, the vBulletin team is proud to declare version 3.7.0 to be our stable, supported release.

vBulletin 3.7.0 is available immediately from the Members’ Area to all customers with active vBulletin licenses, and will be offered as the primary choice to those making new purchases.

This release supersedes the 3.6.x branch as our primary product. vBulletin 3.6.x will continue to be maintained for a limited time, as outlined in the end-of-life announcement posted today. We recommend that all customers with active licenses upgrade to vBulletin 3.7.0.

There are many new features and improvements to existing functionality in vBulletin 3.7.0 over vBulletin 3.6.x, most of which have already been described in the release announcements for the various pre-release versions, and in the First Look thread that was posted at the beginning of the beta process, but here is a brief list of just a few of the highlights.

Read the full post

 
 
 

 
 

vBulletin Blog 1.0.5 Released

April 25, 2008 | Posted in: vBulletin
 

vBulletin Blog 1.0.5 is a maintenance release to our second vBulletin add-on. It contains a number of bug fixes since the release of 1.0.4. This release will work with vBulletin 3.6.8+ and vBulletin 3.7.0+.

Some of the bugs fixed include:

  • 24750 – Trackbacks not working
  • 25182 – Imagetags with parameters in blog description won’t work
  • 24734 – IP-Link showing even IPs are turned off

See a full list of bugs fixed between Blog 1.0.4 and 1.0.5

Upgrading/Installing the Blog

Upgrades and new installations of the Blog follow the same process: upload the files and import the XML. After this, you will see a message that your upgrade or install was successful. For full instructions on how to upgrade or install, please see this manual entry.

About the Blog

vBulletin Blog is a fully featured blogging add-on that enables community members to create their very own online blogs within vBulletin. Giving members a place to post thoughts, ideas and musings will keep users returning to the community again and again, and advanced administration features allow forum owners and moderators to keep control and integrate Blog into vBulletin’s existing look and feel.

vBulletin Blog makes it simple for community members to create their own space within the community. Getting started is as simple as posting the first message (using the same familiar vBulletin editor). There is no lengthy setup process – blog owners are free to personalise their blog at any time by defining a title and a description that will appear at the top of every blog post.

vBulletin 3.6.8 or newer is required to install the Blog. vBulletin 3.7.0 requires Blog version 1.0.3 or higher.

 
 
 

 

All plugins on vb.org should be updated shortly to implement this new security check, but that won't happen any time soon given all the wannabe coders out there. So let me help you.

The new anti-CSRF check is triggered by a specific constant at the top of your script; the vB team chose this approach so as not to break a few hundred mods.

So at the top of your script, before the call to global.php (just under the define of THIS_SCRIPT is a good place), add this line:

define('CSRF_PROTECTION', true);

The next step is to edit all the forms in your custom plugin templates to add a specific hidden input. A quick way to do this is to open your product.xml, search for <form, and add this line of code under each match:

<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

And you are done! You can run a test after the first step to see this error on any POST request that comes from the scripts to which you added the first line:

Your submission could not be processed because a security token was missing or mismatched.

If this occurred unexpectedly, please inform the administrator and describe the action you performed before you received this error.

With a little searching you can find out how the new check works in the file includes/init.php, lines 399-420.

Note that only POST requests are checked, not GET requests.

If you want your script to have this extra check but also need to bypass it for certain actions, specify something like this at the top of your script:

define('CSRF_SKIP_LIST', 'save,update,dosex');

Here save, update and dosex are the actions specified by $_REQUEST['do'] (or $_POST['do'] if you prefer that).

Happy coding, as always…
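The product.xml search described above can be automated. The following is an added example, not code from the original post or from vBulletin: a Python audit that lists the POST forms in a product's templates that still lack the securitytoken hidden input. It assumes templates are stored as <template name="..."> elements with their markup in CDATA; the sample product and its names (demo_mod, demo_edit, demo_search) are constructed.

```python
import re
import xml.etree.ElementTree as ET

FORM_RE = re.compile(r"<form\b([^>]*)>(.*?)</form>", re.I | re.S)
METHOD_POST_RE = re.compile(r"""\bmethod\s*=\s*["']?post\b""", re.I)
INPUT_RE = re.compile(r"<input\b[^>]*>", re.I)
TOKEN_NAME_RE = re.compile(r"""\bname\s*=\s*["']securitytoken["']""", re.I)

# Constructed sample product file (not a real plugin).
SAMPLE_PRODUCT_XML = """<product productid="demo_mod" active="1">
  <templates>
    <template name="demo_edit" templatetype="template"><![CDATA[
<form action="demo.php?do=save" method="post">
  <input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
  <input type="text" name="title" />
</form>
<form action="demo.php?do=update" method="POST">
  <input type="text" name="note" />
</form>
]]></template>
    <template name="demo_search" templatetype="template"><![CDATA[
<form action="demo.php" method="get"><input type="text" name="q" /></form>
]]></template>
  </templates>
</product>
"""

def forms_missing_token(product_xml):
    """Return [(template_name, form_number)] for POST forms without the token."""
    findings = []
    root = ET.fromstring(product_xml)
    for tpl in root.iter("template"):
        body = tpl.text or ""  # CDATA content arrives as plain element text
        for number, form in enumerate(FORM_RE.finditer(body), start=1):
            attrs, inner = form.group(1), form.group(2)
            if not METHOD_POST_RE.search(attrs):
                continue  # only POST requests are checked, so GET forms are skipped
            inputs = INPUT_RE.findall(inner)
            if not any(TOKEN_NAME_RE.search(tag) for tag in inputs):
                findings.append((tpl.get("name"), number))
    return findings

if __name__ == "__main__":
    for name, number in forms_missing_token(SAMPLE_PRODUCT_XML):
        print(f"{name}: form #{number} posts without a securitytoken input")
```

Forms submitted by actions named in CSRF_SKIP_LIST are not token-checked, so the token input is not required in them; they will still be reported here and should be reviewed by hand.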

 
 
 

 
 

vBulletin 3.6.10 Released

April 23, 2008 | Posted in: vBulletin
 

Although 3.6.9 was intended to be the final maintenance release for the 3.6.x series, the discovery of a CSRF (cross-site request forgery) vulnerability in vBulletin over the weekend has forced the release of an update to plug the hole.

The CSRF problem potentially enabled an administrator who had been lured to a third-party site to unknowingly submit forms located on the forum he or she administers, resulting in potential damage to the forum. Actions performed via the Admin Control Panel are not vulnerable.

The fix for the CSRF issue involves many files and many templates, so unfortunately it is not feasible to produce a patch or a plugin to address the problem. Only a full-scale update will work.

We recommend that customers running versions of vBulletin older than 3.6.10 upgrade as soon as possible.

Template Changes Automatically Applied

With one exception (userinfraction_view), all the template changes in this release require a revert, but they are simple to apply so the upgrade script will attempt to do this for you. The list below shows which templates will be affected by the change, and how they will be altered. Customized templates will be automatically updated, but your customized changes will be retained.

Read the full post

 
 
 

 
 

vBulletin 3.7.0 Release Candidate 4

April 23, 2008 | Posted in: vBulletin
 

A security hole involving a CSRF (cross-site request forgery) vulnerability was reported to us over the weekend, requiring changes to significant numbers of templates and files in all of our products including vBulletin 3.x, Blog and Project Tools. The CSRF problem potentially enabled an administrator who had been lured to a third-party site to unknowingly submit forms located on the forum he or she administers, resulting in potential damage to the forum. Actions performed via the Admin Control Panel are not vulnerable.

Incidentally, this vulnerability is not unique to vBulletin – many web applications are affected and always have been, due to the very nature of the web.

It was decided that rather than push ahead and release 3.7.0, it would be better to roll out a further release candidate containing the fix for this problem, as the changes are widespread and it would not be prudent to label 3.7.0 as ‘stable’ before it has had at least one outing in pre-release form.

As we release vBulletin 3.7.0 Release Candidate 4, we are simultaneously releasing 3.6.10, which contains various bug fixes back-ported from 3.7.0, and of course the fix for the security problem. New versions of Blog and Project Tools will follow shortly in the coming days.

Unfortunately, due to the number of file and template changes required by the security fix, it is not practical to provide a patch or plugin to resolve the problem – only a full-scale upgrade will be sufficient.

Read the full post

 
 
 

 
vBulletin

Good news for all vBulletin owners. I have been using 3.7 since the first beta and I am pretty amazed by the level of work they have put into this release to introduce new social network features.

As those of you who have been keeping an eye on the bug tracker will probably be aware, the frequency and severity of bugs being reported has dropped right off in the past few weeks, and I believe that it has reached the point where we should declare vBulletin 3.7.0 stable and do a final, ‘gold’ release.

vBulletin 3.7.0 Stable/Gold will be released in the coming week.
I do not anticipate the release of any further release candidates in the interim period.

Today, we will be updating vBulletin.com to run the final version of the code, and we will allow this to run over the weekend to get some final, extra uninterrupted testing done on a production site.

Needless to say, should you find more bugs over the weekend, don’t hesitate to report them as soon as possible so that we can ensure that next week’s release will be one of the best ever.

Until next week!

 