Tonight Rick released a security update for UBB.threads that fixes a newly found security exploit. Also included are 8-9 bugfixes for buglets that have been hanging around for a while.

Everyone is encouraged to update ASAP.

Official announcement can be found here:

http://www.ubbcentral.com/boards/showflat.php/Number/4560078
Rick gives the quick fix in the announcement, if you don't want to overwrite your mods. If you'd like to file compare in the other bugfixes, the affected files are:

/admin/createforum.php
/admin/doapproveusers.php
/install/createtable.php
/templates/default/editbasic.tmpl
/editpost.php
/ubbt.inc.php
/languages/english/instant_markup.php
6.5.4 Released

http://www.ubbcentral.com/boards/showflat.php/Number/4560139


"We have finished doing a full security audit after the problem found with the addpoll script in 6.5.2 and prior versions. We've released 6.5.4 to the members area at this time. This fixes one other *potential* problem script along with fixing some file # problems that crept into 6.5.3."
Mass email sent to all members here (sorry), but there are still people out there running older versions and we're getting daily reports of them being hacked.

If you've already upgraded or run another software, please disregard the message.
Hi,

My site got hacked really bad this week. We are going to upgrade from 6.4.2 to 6.5.4 which I found in the members area.

Can someone give specific upgrade tips for this jump so I don't lose my IIP? I have a few other mods that I hopefully will be able to retain during the upgrade.
You'll want to upgrade IIP as well to current released files. It runs better anyways. Current IIP files can be found here:

https://www.ubbdev.com/forum/showflat.php/Number/116683

For an idea of what features have been added since your version, check here:

http://www.ubbcentral.com/support/version.php?product=UBB.threads

A good number of "mods" are now features in the base code.
How is the upgrade from 6.4 to 6.5? Are we better off doing a clean install?
The thing is, the hackers put files everywhere. If it were me and all I basically had was a forum, I'd nuke all files (keeping a backup of config.inc.php, main.inc.php and any other config files) and re-install. Should be no problem and you'll still have all members, posts, PMs, forums, etc.

Of course I'd back up the forum first.
Does this exploit affect older versions such as 6.2.3?
Not sure, most likely it does though. Scripts written years ago, even though secure then, may have many security holes found once coding practices advance and people find out where the holes were that weren't before.
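Added example, not code from any poster or from the UBB.threads project: a sketch of the "file compare" and cleanup checks discussed above. It compares a live forum directory with a freshly unpacked release and reports which of the listed affected files differ, plus every file the release never shipped. The function names and the sample trees built in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Files the announcement lists as touched by the update, relative to the forum root.
AFFECTED = [
    "admin/createforum.php", "admin/doapproveusers.php", "install/createtable.php",
    "templates/default/editbasic.tmpl", "editpost.php", "ubbt.inc.php",
    "languages/english/instant_markup.php",
]

def digest(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def list_files(root):
    """Relative, slash-separated paths of every file under root."""
    found = set()
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            found.add(rel.replace(os.sep, "/"))
    return found

def compare_install(live_root, release_root):
    """Return (affected files that differ from the release, files absent from the release)."""
    live, release = list_files(live_root), list_files(release_root)
    to_merge = [p for p in AFFECTED if p in release and (
        p not in live
        or digest(os.path.join(live_root, p)) != digest(os.path.join(release_root, p)))]
    # Not in the release: local mods, config, uploads, or files an intruder left. Review each.
    return to_merge, sorted(live - release)

def demo():
    """Constructed sample trees: one stale affected file, one file the release never shipped."""
    with tempfile.TemporaryDirectory() as tmp:
        live, release = os.path.join(tmp, "live"), os.path.join(tmp, "release")
        for root, version in ((live, "old"), (release, "new")):
            for rel in AFFECTED:
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "w") as f:
                    # Only editpost.php differs between the two constructed trees.
                    f.write(version if rel == "editpost.php" else "same")
        with open(os.path.join(live, "admin", "x.php"), "w") as f:  # constructed stray file
            f.write("not part of the release")
        return compare_install(live, release)

if __name__ == "__main__":
    print(demo())
```

The second list will also contain legitimate local files such as config.inc.php and installed mods, so it is a review list rather than a verdict.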

Clear as mud?

As PHP advances, there will be new ways of doing things, including finding security exploits that really weren't there when the software was released.
Okay, I took the plunge, and I've decided to move from Classic to Threads after learning that Classic would be discontinued ...

I finally have a couple nights off in a row, so I was going to install threads and start working on it, but when I click on the "zip" link in the members' area, all I get is a download for an .html file!

Since I'd really love to spend the night working on this, HELP!

~Sue
adwoff.com
Oops, did you get this? Filing a trouble ticket with Infopop will get you quick service there.
Hey Allen ... I did get it to work by opening up a Mozilla browser ...

~Sue
Strange... it works fine for me in IE, must be a security/firewall setting.