An XSS flaw affecting the vBulletin URL redirection system has been identified. It could allow an attacker to trick a moderator or admin into unwittingly performing an action in either the front-end or control panel that they had not intended. To resolve this issue, it is necessary to release PL2 versions of vBulletin 3.7.1 and 3.6.10.

This XSS flaw, and that which made the release of the PL1 versions necessary, was discovered by Jessica Hope and others.

The upgrade process is the same as the PL1 releases - simply download the patch from the Members Area, extract the files and upload to your webserver, overwriting the existing files. There is no upgrade script required.

As with all security-based releases, we recommend that all customers upgrade as soon as possible in order to prevent any potential damage resulting from the flaw being exploited.

vBulletin 3.7.2 to be Released Next Week

In line with our new scheduled maintenance release policy, we have evaluated the merits of providing a new maintenance release one month after the previous release or waiting until next month. It has been decided that we will bring forward the release of vBulletin 3.7.2 from Tuesday July 29th to this coming Tuesday, June 24th.

This release will be mentioned in the security bulletin sent out to customers today, but we will not send a further notification next week when 3.7.2 is released. Watch your Admin CP News, or the latest version check in the Admin CP to see when the new version is available. Alternatively, keep an eye on this forum for the 3.7.2 announcement.

To reiterate, vBulletin 3.7.2 will be released on Tuesday, June 24th 2008.

Upgrading from 3.7.1, 3.6.10 or their PL1 versions

If you are already running 3.7.1, 3.6.10 or their PL1 patch versions, the process you will be required to follow to make your board immune to the XSS problem is very simple.

There is no need to run an upgrade script if you are already running 3.7.1, 3.6.10 or their PL1 versions.

Visit the Patches section of the vBulletin Members’ Area and download either the patch for 3.7.1, or the patch for 3.6.10, according to the version you are currently running, then extract the files from the archive you downloaded, then upload the files to your board via FTP etc., overwriting the existing files. This will update your version to the PL2 release.

The 3.7.1 PL2 patch file also includes the PL1 fixes. The same is true of the 3.6.10 PL2 patch file.

Upgrading from Versions Earlier than 3.7.1 or 3.6.10

If you are not already running 3.7.1 or 3.6.10, you should download the most latest version from the Members’ Area and perform an upgrade as normal.

Full instructions for upgrading vBulletin are available here.

Download vBulletin 3.7.1 PL2 or 3.6.10 PL2

As usual, both versions released today are available for all customers with valid, active licenses to download from the vBulletin Members’ Area.

vBulletin Members Area

MySpace continues to wage a legal war on alleged spammers.

An arbitrator has ordered Scott Richter and Media Breakaway to pay the social networking giant $4.8 million in damages and $1.2 million in legal fees, according to legal filings. The company’s employees were also ordered to stay off MySpace.

Source: CNET

I believe this is an interesting case and rather than being an exception, this should really set a precedent and more and more spammers should be bought to book for spamming our email boxes, websites, forums and blogs. Only when spamming becomes not worth the risk will we see a sharp decline in it.

Apart from the usual banner, it seemed to have navigation arrows which when clicked would display different packages from Viator.

Here are the screenshots of the Google Adsense Ad from Viator and different types of packages as I go through the navigation option:

Have you seen these types of ads on your or someone else’s site?

Did you felt these were good or bad?

Martin Reed recently wrote an interesting post on this, titled “Should communities ban the discussion of certain topics?”

Martin has managed to hit the nail bang on the head by not only talking about discussions of certain nature (politics, religion) which at times can go badly out of control, he has also managed to provide crucial advice on how to deal with the situation.

According to me, the best thing to do in such a scenario is to remain calm and try not to appear bias towards a certain section, even if you strongly agree with their points. This is also something which needs to be conveyed to the rest of the moderators and forum staff to ensure that it doesn’t appears that the staff is taking the side of a particular group. Which if it happens, would alienate the members belonging to the other school of thought, and can actually make the situation worse.

What do you think needs to be done in such types of situations and in case if you have been through one, what did you do to calm every one?

A decent directory on averages receives tens if not hundreds of submissions each day, while we tend to hit the delete button on sites which do not belong to the niche of our directory or aren’t suitable for our directory. There are quite a few MFAs which get submitted as well, while they might belong to the same niche, however they don’t add value to the web and aren’t likely to impress a visitor.

In such a scenario, what do you do?

Do you allow them to get listed or do you simply reject their submission?

If you are like me, then it is likely that you don’t approve those websites. However in case you are one of those directory owners, who approves just about every thing for the sake of increasing the amount of link in their directory, I got news for you. You are polluting your own directory!

Yes that’s right, you are polluting your own directory by approving such submissions. Not only you aren’t helping a web user who might have come to your directory to search for information, you are also lowering the quality and valuation of your directory in the long term.

By listing poor quality websites, you are undermining your link power which can have a negative effect in your directories listing. Not only that, you are sending the wrong signal to those who might be thinking of buying featured link or advertisement at your directory.

By being strict about the editorial guidelines, you will not only ensure a positive experience for the users of your web directory but also ensure that advertisers see your directory in a positive light.

The recent discovery of an obscure method in which to expose a cross-site scripting (XSS) error in vBulletin when using specific browser software means that it is necessary to release Patch Level (PL) versions of both 3.7.1 and 3.6.10.

Although it is difficult to exploit the XSS flaw, and the potential for exposure and damage is limited, we nonetheless recommend that customers upgrade to protect themselves.

Upgrading from 3.7.1 or 3.6.10

If you are already running 3.7.1 or 3.6.10, the process you will be required to follow to make your board immune to the XSS problem is very simple. Visit the Patches section of the vBulletin Members’ Area and download either the patch for 3.7.1, or the patch for 3.6.10, according to the version you are currently running, then extract the files from the archive you downloaded, then upload the files to your board via FTP etc., overwriting the existing files. This will update your version to the PL1 release.

There is no need to run an upgrade script if you are already running 3.7.1 or 3.6.10.

Upgrading from Versions Earlier than 3.7.1 or 3.6.10

If you are not already running 3.7.1 or 3.6.10, you should download the most latest version from the Members’ Area and perform an upgrade as normal.

Full instructions for upgrading vBulletin are available here.

PHP and MySQL Requirements

Please note that vBulletin 3.7.x requires at least PHP 4.3.3 and MySQL 4.0.16 or later.

However, we recommend that vBulletin 3.7.x is run on PHP 5.2.6 with APC (or a similar opcode cache) and MySQL 5.0.51 for best performance and stability.

End of Life for PHP 4

The PHP group has announced the end of life for PHP 4. We strongly recommend that customers update their servers to PHP 5.2.6 if they are still running PHP 4. vBulletin 3.7.1 supports PHP 5 and MySQL 5 fully, though you may need to disable strict mode for MySQL, see here on how to enable ‘force_sql_mode’.

Note: We will continue to support PHP 4 in the vBulletin 3 series.

Download vBulletin 3.7.1 PL1 or 3.6.10 PL1

As usual, both versions released today are available for all customers with valid, active licenses to download from the vBulletin Members’ Area.

vBulletin Members Area