vBulletin 3.0.6 and 2.3.6 are security and bug fix releases. They fix a recently discovered XSS issue regarding BB code parsing.

All versions of vBulletin prior to 3.0.6 and 2.3.6 are vulnerable. The only workaround is to disable BB code parsing in signatures and all forums where untrusted users can post.

We strongly urge all customers to upgrade or patch their installations ASAP. At the end of this post, you will find a patch for the security issue for includes/functions_bbcodeparse.php (vBulletin 3) and admin/functions.php (vBulletin 2); overwrite the version on your server with the file in the appropriate zip.

I would again like to reiterate that security is of our utmost concern. Recently, there have been several reports of security issues in vBulletin that have prompted the recent releases. We realize that these releases can be a burden on you. For that, we are sorry, but once we have become aware of a security issue, it is our duty to provide a fix to that issue. We are also performing internal security audits and looking into changes to our core systems to prevent issues such as these from occurring in the future.


Performance Hit Since PHP 4.3.10 / 5.0.3

Many people have noticed that vBulletin (and a lot of other PHP applications) suddenly started to run significantly slower than normal after installing PHP 4.3.10 or 5.0.3 in order to patch the security flaw in previous versions of PHP.

The cause of this slow-down has been identified as a problem with the unserialize() function in PHP. For more details, see bugs.php.net.

This problem has now been fixed by the PHP developers, though the fixed version has yet to be released in a 'stable' version. However, the latest CVS snapshots of PHP 4.3.x and 5.0.x, available from snaps.php.net contain the fix and restore the original speed of unserialize().

While we would not recommend running a 'dev' version of PHP on any production server, we understand that the performance problem has been a major issue for some people. If you are badly affected, you may want to consider running a 'dev' version of PHP at your own risk in order to overcome the performance problem.

Backing Up Your Forums

Please be sure to check that your backups are complete before continuing with an upgrade. We have had reports that PHP was causing time-out errors when creating the backup SQL, and this was producing incomplete or corrupted backups. The safest way to make a backup is to use the mysqldump utility through SSH/Telnet, as it will not suffer from any such problems. Full instructions for backing up your database are available in the vBulletin 3 Manual.
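As an added example (not part of the original post or of vBulletin itself), a small shell script that takes the backup with mysqldump from an SSH session and then checks that the dump actually reached the end, since a dump cut off by a time-out is silently truncated. The database name, user and output path are placeholders you pass in.

```shell
#!/bin/sh
# Added example, not vBulletin's own code. Dump a database with mysqldump from a
# shell session (not through PHP) and verify the dump file is complete before
# trusting it for an upgrade. Database/user/output path are caller-supplied.
set -eu

# Return 0 only if the file is non-empty and its tail carries mysqldump's
# "-- Dump completed" trailer, which mysqldump writes after the last table.
# A dump killed by a time-out or a full disk never gets this line.
verify_dump_complete() {
    file="$1"
    [ -s "$file" ] || return 1
    tail -n 3 "$file" | grep -q '^-- Dump completed' || return 1
    return 0
}

# Take the backup and refuse to report success unless the trailer is present.
# -p prompts for the password interactively so it never lands in the shell
# history or the process list.
backup_vbulletin() {
    db="$1"; user="$2"; out="$3"
    mysqldump --user="$user" -p "$db" > "$out"
    verify_dump_complete "$out"
}

# Example invocation (placeholders): backup_vbulletin vbulletin dbuser /root/vb-backup.sql
```

Run `verify_dump_complete` again on the copy you keep off the server; a file that passes on the web host but fails after transfer was truncated in transit.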

Installing or Upgrading vBulletin
Please see the appropriate manual sections: Installing vBulletin and Upgrading vBulletin.



Source: www.vbstyles.com
Full Story: http://www.vbulletin.com/forum/showthread.php?p=800234