Tuesday 26th July 2011
 
 
 
 
 
 


 
 

vBulletin Blog 1.0.5 Released

April 25, 2008 Author: Posted in: vBulletin
 

vBulletin Blog 1.0.5 is a maintenance release to our second vBulletin add-on. It contains a number of bug fixes since the release of 1.0.4. This release will work with vBulletin 3.6.8+ and vBulletin 3.7.0+.

Some of the bugs fixed include:

  • 24750 – Trackbacks not working
  • 25182 – Imagetags with parameters in blog description won’t work
  • 24734 – IP-Link showing even IPs are turned off

See a full list of bugs fixed between Blog 1.0.4 and 1.0.5

Upgrading/Installing the Blog

Upgrades and new installations of the Blog follow the same process: upload the files and import the XML. After this, you will see a message that your upgrade or install was successful. For full instructions on how to upgrade or install, please see this manual entry.

About the Blog

vBulletin Blog is a fully featured blogging add-on that enables community members to create their very own online blogs within vBulletin. Giving members a place to post thoughts, ideas and musings will keep users returning to the community again and again, and advanced administration features allow forum owners and moderators to keep control and integrate Blog into vBulletin’s existing look and feel.

vBulletin Blog makes it simple for community members to create their own space within the community. Getting started is as simple as posting the first message (using the same familiar vBulletin editor). There is no lengthy setup process – blog owners are free to personalise their blog at any time by defining a title and a description that will appear at the top of every blog post.

vBulletin 3.6.8 or newer is required to install the Blog. vBulletin 3.7.0 requires Blog version 1.0.3 or higher.

 
 
 

 

All plugins on vb.org should be updated shortly to implement this new security check, but that won't happen any time soon with all the wannabe coders out there. So let me help you.

The new anti-CSRF check is triggered by a specific constant at the top of your script; the vB team chose this approach so as not to break a few hundred mods.

So at the top of your script, before the call to global.php (just under the define of THIS_SCRIPT is a good place), add this line:

define('CSRF_PROTECTION', true);

The next step is to edit all the forms in your custom plugin templates to add a specific hidden input. A cool way to do this is to open your product.xml, search for <form, and add this line of code under each match:

<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />

And you are done! You can run a test after the first step alone to see this nice error on any POST request that goes to the scripts where you added the first line:

Your submission could not be processed because a security token was missing or mismatched.

If this occurred unexpectedly, please inform the administrator and describe the action you performed before you received this error.

After a little searching, and if you think as I do, you will find how the new check works in the file includes/init.php, lines 399-420.

Note that only POST requests are checked; GET requests are not.

If for some reason you want your script to have this extra check but also want certain actions to bypass it, you must specify something like this at the top of your script:

define('CSRF_SKIP_LIST', 'save,update,dosex');

Here save, update and dosex are the actions specified by $_REQUEST['do'] (or $_POST['do'], if you prefer).

Happy Coding as always….
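The two steps above can be checked mechanically before a plugin ships. The following Python audit is an added example, not part of the original post and not vBulletin code: it lists POST forms in a product.xml that lack the securitytoken input and reports whether a script enables CSRF_PROTECTION and which actions it exempts. The product.xml layout (template elements holding CDATA), the sample plugin and the function names are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

FORM_RE = re.compile(r"<form\b([^>]*)>(.*?)</form>", re.I | re.S)
POST_RE = re.compile(r"""\bmethod\s*=\s*["']?post\b""", re.I)
TOKEN_RE = re.compile(r"""<input\b[^>]*\bname\s*=\s*["']securitytoken["']""", re.I)
ON_RE = re.compile(r"""define\(\s*['"]CSRF_PROTECTION['"]\s*,\s*(?i:true)\s*\)""")
SKIP_RE = re.compile(r"""define\(\s*['"]CSRF_SKIP_LIST['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")

def forms_missing_token(product_xml):
    """Return (template name, form number) for each POST form lacking the token input."""
    findings = []
    for tpl in ET.fromstring(product_xml).iter("template"):
        for num, form in enumerate(FORM_RE.finditer(tpl.text or ""), start=1):
            if not POST_RE.search(form.group(1)):
                continue  # only POST requests are checked, so GET forms are skipped
            if not TOKEN_RE.search(form.group(2)):
                findings.append((tpl.get("name"), num))
    return findings

def script_status(php_source):
    """Return (CSRF_PROTECTION enabled?, 'do' actions exempted by CSRF_SKIP_LIST)."""
    skip = SKIP_RE.search(php_source)
    actions = [a.strip() for a in skip.group(1).split(",")] if skip else []
    return bool(ON_RE.search(php_source)), [a for a in actions if a]

# Constructed samples (hypothetical plugin): a product.xml and a script header.
SAMPLE_XML = """<product productid="demo_mod">
<templates>
<template name="demo_edit" templatetype="template"><![CDATA[
<form action="demo.php?do=save" method="post">
<input type="hidden" name="securitytoken" value="$bbuserinfo[securitytoken]" />
</form>
<form action="demo.php?do=update" method="post"><input name="note" /></form>
]]></template>
<template name="demo_search" templatetype="template"><![CDATA[
<form action="demo.php" method="get"><input name="q" /></form>
]]></template>
</templates>
</product>"""
SAMPLE_PHP = """<?php
define('THIS_SCRIPT', 'demo');
define('CSRF_PROTECTION', true);
define('CSRF_SKIP_LIST', 'save,update');
require_once('./global.php');
"""

if __name__ == "__main__":
    print(forms_missing_token(SAMPLE_XML), script_status(SAMPLE_PHP))
```

A reported form will fail with the error quoted above once CSRF_PROTECTION is enabled in the script that handles it, and every action in the returned skip list is a POST handler that runs without the token check.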

 
 
 

 
 

vBulletin 3.6.10 Released

April 23, 2008 Author: Posted in: vBulletin
 

vBulletin 3.6.10

Although 3.6.9 was intended to be the final maintenance release for the 3.6.x series, the discovery of a CSRF (cross-site request forgery) vulnerability in vBulletin over the weekend has forced the release of an update to plug the hole.

The CSRF problem potentially enabled an administrator who had been lured to a third-party site to unknowingly submit forms located on the forum he or she administers, resulting in potential damage to the forum. Actions performed via the Admin Control Panel are not vulnerable.

The fix for the CSRF issue involves many files and many templates, so unfortunately it is not feasible to produce a patch or a plugin to address the problem. Only a full-scale update will work.

We recommend that customers running versions of vBulletin older than 3.6.10 upgrade as soon as possible.

Template Changes Automatically Applied

With one exception (userinfraction_view), all the template changes in this release require a revert, but they are simple to apply so the upgrade script will attempt to do this for you. The list below shows which templates will be affected by the change, and how they will be altered. Customized templates will be automatically updated, but your customized changes will be retained.

 
 

 
 

vBulletin 3.7.0 Release Candidate 4

April 23, 2008 Author: Posted in: vBulletin
 

A security hole involving a CSRF (cross-site request forgery) vulnerability was reported to us over the weekend, requiring changes to significant numbers of templates and files in all of our products including vBulletin 3.x, Blog and Project Tools. The CSRF problem potentially enabled an administrator who had been lured to a third-party site to unknowingly submit forms located on the forum he or she administers, resulting in potential damage to the forum. Actions performed via the Admin Control Panel are not vulnerable.

Incidentally, this vulnerability is not unique to vBulletin – many web applications are affected and always have been, due to the very nature of the web.

It was decided that rather than push ahead and release 3.7.0, it would be better to roll out a further release candidate containing the fix for this problem, as the changes are widespread and it would not be prudent to label 3.7.0 as ‘stable’ before it has had at least one outing in pre-release form.

As we release vBulletin 3.7.0 Release Candidate 4, we are simultaneously releasing 3.6.10, which contains various bug fixes back-ported from 3.7.0, and of course the fix for the security problem. New versions of Blog and Project Tools will follow shortly in the coming days.

Unfortunately, due to the number of file and template changes required by the security fix, it is not practical to provide a patch or plugin to resolve the problem – only a full-scale upgrade will be sufficient.

 
 

 
 

vBSed Introduction

April 21, 2008 Author: Posted in: vBSed
 

vBSed is the name behind the huge 3dacc v08 upgrade. vBSed is a custom-made CMS script written around vBulletin, and it is based on the not so popular but brilliant CMS seditio.

From the very first day until 25th December 2007, 3dacc.net used seditio as its CMS (Content Management System). I really appreciate seditio because it taught me how to code in PHP. As time passed and many custom sections were added, the need for better integration became bigger and bigger. As my PHP skills improved, I planned to create a new CMS based on seditio for exclusive use with vB. The result is what you see now: vBSed.

What did vBSed inherit from seditio?
- The very basic API of categories and pages. The categories system is just brilliant, and although the end result of vBSed doesn’t resemble seditio so much in coding, it was a great step for me.
- The coding sense, and order.

Why did you need to throw away seditio?
- The lack of any hope for integration with vBulletin.
- The current progress in seditio’s development.
- My shrewd thought that I needed more than a CMS; I wanted my own CMS.

vBSed Feature List
- Unlimited levels categories system.
- Multi-purpose pages. (multi-page articles, downloads, links)
- Site File Storage.
- Terminology.
- Startup Processes DB.
- GPU DB.

vBSed hasn’t been online for long, but it has made a huge impression on some veteran vB site owners. I know, I got your emails. For the time being I don’t plan to release it in any way, free or paid.

Btw, if there is any company that likes my work here on 3dacc and wants to hire a PHP/MySQL coder like me for full or part time work, I am interested. Above all, webmaster, college student, gamer, or whatever, I feel like a developer.

 
 
 

 
 

The Future T3 Design

April 19, 2008 Author: Posted in: Blog
 

In one month T3 Design will be two years old …hooray…. I started this site out of respect for the neocrome CMS that I had been using for years. At that time I wanted to offer things to the neocrome community and the newly born seditio CMS: whatever I could, skins, plugins, core hacks, general support and much more. As I got better at programming and designing, my work got better and of course more popular; I think the almost 60K pages linking to T3 and my being part of the Dev Team prove that. I admit that the Dev Team of seditio is not much; actually it’s nothing, it’s just a title and nothing more.

After a year or so I started to produce some paid works with a small fixed price, some skins and plugs. I don’t think that move was very successful, but from time to time I managed to pay for my dedi server and put some gas in my saxo 1400cc. I don’t know, but at some point things got worse; maybe I am a selfish bastard, but I thought my work would receive more respect. Take a look out there: some of my paid products are being redistributed, admins remove the small copyright tag from my free skins, other sed developers rip my works and sell them. Ouch, enough bitching…. Let’s get to the point.

After 2 full years of coding plugins and learning PHP/MySQL I got to the point where I wanted to do more. I had been using sed for 3dacc.net as the main site and vBulletin as the forum. Oh, many asked me how I did that, but guh, it was nothing really; having two engines working side by side is shit work and especially hard if you want to get your users to be more interactive. 6 months ago I decided to code my own CMS for vBulletin based on seditio. What you see now at http://www.3dacc.net is the result. The idea was to simply transfer sed procedures to vB, but after 12 major releases the end product, at least from the coding point of view, is so much different, better if you ask me. I added features, removed things, took many things to another level, and I am really proud of that. Except for the basic structure list.php?c=xxx and page.php?id=xxx, I doubt anyone can identify the mentor of vBSed, sed, from the look or even the code.