[Code Monkey]

vBulletin 3.5.6



An undocumented behaviour in all Windows versions of Internet Explorer has rendered vBulletin vulnerable to a potential cross-site scripting flaw (XSS). Therefore, we have decided to put out a preventative security release in order to work-around the Internet Explorer problem before it is exploited.



We recommend that all customers still running a 3.5 board upgrade to 3.5.6 or apply the patch discussed in this post as soon as possible. Note that our current recommended release is 3.6.3 and we recommend customers upgrade to that!



Performing a full upgrade to 3.5.6 also contains several bug fixes, including a fix for a compatibility issue in PHP 5.2.0. Additionally, this version adds HttpOnly cookies, which helps reduce the amount of damage that could be caused by a potential XSS flaw.



Updating your vBulletin to combat the XSS flaw:



Please note that this issue is present in other versions of vBulletin as well. Please see the appropriate announcement!



Our primary recommendation for customers is to upgrade to vBulletin 3.6.3, but if you are not ready to do this, you can do one of the following:

1. Full Upgrade: The best way to fix the problem is to perform a full upgrade, downloading the complete 3.5.6 package from the vBulletin Members' Area and following the regular upgrade instructions.
2. Patch: A second option is to download the patch files discussed in this thread and upload them to your web server, overwriting the existing files. The patch is available in the Members' Area patch page or later in this post!

Link To Original Article