A security issue has been reported to the vBulletin team. To fix this issue, we have created a new security patch.
We have made patches available for the following versions of vBulletin Connect:
- 5.6.4 PL1
Installing the Patch
For the best results with your vBulletin site, it is recommended to upgrade to vBulletin 5.6.4 PL1 if you are not using 5.6.4 currently.
- Download the appropriate files for your version of vBulletin 5.6.X
- Upload all files found within the zip file to your server. Make sure to overwrite the existing files on your server.
- Run the upgrade scripts included in the patch on your server. (/core/install/upgrade.php)
- When the upgrade process ends, delete the /core/install directory from your server.
vBulletin 5.6.3 Changes and Updates
vBulletin 5.6.3 now available for download customers. Cloud customers will be automatically upgraded in the coming weeks.
Front End Changes
Censored Word Handling
The handling of administrator-defined censoring has been refactored and applies to more locations now. With vBulletin 5, word censorship is applied on display and not save. This provides the benefit of maintaining the actual words. For example, if you remove a word from the censor list, it can be recovered in the content. In the past, several locations of word censorship were not appropriately handled. Words are now censored correctly in the following areas:
Tags
- Topic Titles.
- Topic URLs.
- Post content, including replies and comments.
- Search Results.
- User Profile Status.
Ignored User Handling
- Improved the ability to search for posts by indexing tags as keywords. This change will allow for tag searching using the simple search box in the header of every page.
- Improved the handling of tag synonyms on the new topics. Previously, when a tag is automatically converted to a synonym, an error dialog would display and break the workflow. This would give the appearance that the post had not been saved. The display of this message has changed. Now the message will display at the top of the screen for five seconds. The new message display does not disrupt the workflow when creating new topics.
We have updated the caching of ignored users. This change will allow the ignored user functionality to work as designed in topic lists, topic display, and searches. There is still a known issue where the ignored user will continue to appear in the "Last Post" information box of a topic list.
Additional Issues
Back End / AdminCP Changes
- Administrators can edit a user's status by visiting the user's profile page.
- Moderator Notifications are now marked auto-read when visiting the topic.
- Resolved a layout issue with the user information in a post and using RTL Languages.
- Custom Icons now display for sub-forums in the forum list.
- Latest Activity searches should now correctly display topics created before the lookback period.
- Added a style variable for the "Mark Channels Read" phrase.
Phrase Censoring / Monitoring
In addition to the visual changes on the front-end, you can now censor phrases if you wish. You would do this by surrounding the words with braces - {}. An example would be {brown dog}. This formatting will censor the phrase brown dog but not the words brown and dog individually.
The Word Monitoring and User Title Censorship options also support phrase handling.
Option Groups
vBulletin 5 has a large number of settings within the AdminCP. From time to time, we review these options and remove those that are no longer needed. We have combined the Content Management and Blog groups with the Channel Management group. Unused options have been removed from the Message Attachment and the Channel Display groups.
Additional Issues
- Resolved an issue that could prevent Private Messages from being deleted when using Node Tools.
- A misspelled function name could prevent RSS Scheduled tasks from running.
- Improved the navigation of the AdminCP to accommodate longer phrase translations.
- Consolidated several phrases for "Groups."
vBulletin Connect 5.6.2 is now available for download customers. vBulletin Cloud will be automatically upgraded in the upcoming days.
Front End Changes
Global Module Areas
Two new module sections have been added to Site Builder Pages. Placing a module within the new sections will cause it to appear on all pages. The new sections appear above and below the content areas on the page.
Forum Listing Cleaned Up
Removed the extraneous category backgrounds above top-level forums in the default presentation. This presents a clearer view of the forums to the end-user and brings the display in line with older versions of vBulletin.
Old Forum Layout:
New Forum Layout:
Moderator Notifications
New moderator notifications have been added to the User Settings -> Notifications page. The settings to control these notifications are designed to replace the Moderator Email controls in the AdminCP and shift the control to the end-user. They will only appear to users that already have moderator permissions. Currently, there are four different notifications that a moderator can receive.
jQuery Update
jQuery 3.41 is now used to power the web client. During the process of upgrading jQuery, many of the JavaScript functions have also been updated and refactored. During this refactor, we have switched the JavaScript compiler to a more efficient and up to date tool. This will allow JavaScript to be handled better by your browser.
Additional Frontend Issues
Back End / AdminCP Changes
- Resolved an issue where Articles were sorted by the last comment date and not published date.
- Renamed the Activity Stream module on the default Home Page to Forum Home module. This better reflects its purpose.
- Updated the layout of Site Builder's Page Editor to allow for proper module spacing.
- Updated node parsing to prevent extraneous JSON from appearing after attachment deletion.
- Resolved an issue where Code, PHP, and HTML BBCode can have an improper height.
- Resolved an issue that prevented pagination on the Members List when using a non-English language.
- Resolved an issue that could show incorrect content based on caching and the use of is_member_of() based conditionals.
Setting -> Option Groups
To make URL options easier to locate, all URL Options have been moved to a new group called "Site URLs and Routing". In addition to this, the following changes have been made:
Convert URLs to ASCII
- The Site Name / URL / Contact Details group has been renamed "Site Name / Contact Details"
- The Human Verification Group has been removed. The single option from this group can now be found under Settings -> Human Verification Manager.
An option has been added to convert URLs to ASCII format. When enabled, the system will automatically convert the UTF-8 characters in new topic titles to their ASCII representation. Turning this on will not necessarily change old content. However, if you edit the content the URL will be converted. The conversion is based on the user's active language settings at the time.
You can find this option in the "Site URLs and Routing" group.
Delete Private Messages
A tool has been added to mass delete private messages in the AdminCP. It can be found under Node Tools. The tool will search and delete private message topics based on the criteria given. Depending on its settings there is the potential to delete active conversations. Private Messages deleted with this tool cannot be retrieved.
Date Handling
New utility functionality has been added to help convert date() and strftime() formatted dates into a more consistent format throughout the system. These changes should make dates more consistent within translations that must use a Locale to support UTF-8 character sets.
Additional Backend Issues
- Moderators should not be sorted by username on the Moderator Permissions page.
- Registration Statistics should work properly.
- Added a button to copy the text of the default phrase to the Help Manager to allow for easier translations.
Front End Changes
Global Module Areas
Two new module sections have been added to Site Builder Pages. Placing a module within the new sections will cause it to appear on all pages. The new sections appear above and below the content areas on the page.
Forum Listing Cleaned Up
Removed the extraneous category backgrounds above top-level forums in the default presentation. This presents a clearer view of the forums to the end-user and brings the display in line with older versions of vBulletin.
Old Forum Layout:
New Forum Layout:
Moderator Notifications
New moderator notifications have been added to the User Settings -> Notifications page. The settings to control these notifications are designed to replace the Moderator Email controls in the AdminCP and shift the control to the end-user. They will only appear to users that already have moderator permissions. Currently, there are four different notifications that a moderator can receive.
jQuery Update
jQuery 3.41 is now used to power the web client. During the process of upgrading jQuery, many of the JavaScript functions have also been updated and refactored. During this refactor, we have switched the JavaScript compiler to a more efficient and up to date tool. This will allow JavaScript to be handled better by your browser.
Additional Frontend Issues
Back End / AdminCP Changes
- Resolved an issue where Articles were sorted by the last comment date and not published date.
- Renamed the Activity Stream module on the default Home Page to Forum Home module. This better reflects its purpose.
- Updated the layout of Site Builder's Page Editor to allow for proper module spacing.
- Updated node parsing to prevent extraneous JSON from appearing after attachment deletion.
- Resolved an issue where Code, PHP, and HTML BBCode can have an improper height.
- Resolved an issue that prevented pagination on the Members List when using a non-English language.
- Resolved an issue that could show incorrect content based on caching and the use of is_member_of() based conditionals.
Setting -> Option Groups
To make URL options easier to locate, all URL Options have been moved to a new group called "Site URLs and Routing". In addition to this, the following changes have been made:
Convert URLs to ASCII
- The Site Name / URL / Contact Details group has been renamed "Site Name / Contact Details"
- The Human Verification Group has been removed. The single option from this group can now be found under Settings -> Human Verification Manager.
An option has been added to convert URLs to ASCII format. When enabled, the system will automatically convert the UTF-8 characters in new topic titles to their ASCII representation. Turning this on will not necessarily change old content. However, if you edit the content the URL will be converted. The conversion is based on the user's active language settings at the time.
You can find this option in the "Site URLs and Routing" group.
Delete Private Messages
A tool has been added to mass delete private messages in the AdminCP. It can be found under Node Tools. The tool will search and delete private message topics based on the criteria given. Depending on its settings there is the potential to delete active conversations. Private Messages deleted with this tool cannot be retrieved.
Date Handling
New utility functionality has been added to help convert date() and strftime() formatted dates into a more consistent format throughout the system. These changes should make dates more consistent within translations that must use a Locale to support UTF-8 character sets.
Additional Backend Issues
- Moderators should not be sorted by username on the Moderator Permissions page.
- Registration Statistics should work properly.
- Added a button to copy the text of the default phrase to the Help Manager to allow for easier translations.
Front End Changes
Blogs
The grid view has been added to the Blog Listing. This works similarly to the grid view on Groups. In addition to this, sorting functionality has been added to the Blog Listing.
User Referrals
A user referral system has been added to vBulletin Connect. Through this system, users will be able to retrieve a custom URL that they can provide to their friends and family to register on your site. By default, they can retrieve this link on their User Profile page. When used, the referral link will create a cookie. On registration, they will give a referral credit to the person that referred them. Within the AdminCP, you'll be able to view who referred others on a new Referrals page (Admin CP -> Users -> Referrals).
Administrators have a couple of controls to manage this. First is a setting that allows you to specify how long a referral link is valid. The default is 30 days. You can change this in the AdminCP under Settings -> Options -> User Registration Options. Additionally, each Usergroup has a "Can Refer Users" permission. If this permission is set to No, users will not be able to generate a referral link.
If you would like to provide additional links for generating the referrals, you can do so on any standard HTML link by adding the js-refer-user CSS class to the link. For example:<a href="#" class="js-refer-user">Referal Link</a>
Notifications
The display of notices in the page header has been improved. The Notifications link is now a drop-down menu that lists the number of each type of notification. This list will also include Reported/Flagged and Unapproved posts for moderation purposes. When the user also has vBulletin Messenger active, this list will update automatically between page loads.
JavaScript Updates
Several JavaScript files have been extensively refactored in order to provide updated and more concise code. During the refactor, deprecated code may have been removed. If you experience issues after installing this version, you should refresh the browser cache to make sure that all files are updated properly. If the issues persist, please let us know by filing a bug report.
Additional Resolved Issues
Back End / AdminCP Changes
- Pagination for Social Group member lists have been fixed.
- Users can now select multiple emoji in the editor without having to reopen the panel for each one.
- The online/offline status icon has returned to the post bit.
- Resolved an issue that could cause publish dates on edited articles to advance by one month.
- Resolved an issue that prevented the merging of Photo Gallery posts.
- Improved date handling for non-English languages.
- The system now shows a proper error page if the user doesn't have permission to download an attachment.
- Private and Invisible Channels will no longer be displayed in search results. Private channels are channels the user does not have permission to view. Invisible Channels are those with a display order of 0.
- An option was added to the search module in order to filter Unapproved Posts from the results.
- The layout of all Message Center pages has been updated so they work better in Responsive mode.
- Resolved an issue so vBulletin Cloud administrators should no longer receive "Invalid Node ID" when accessing the Page Manager within Site Builder.
- Improved caching of phrases within local storage.
Privacy and Consent
The Privacy and Consent tools have been expanded to allow the Administrator to decide which countries and US states to accept consent from. To choose the regions that you want to accept privacy consent for visit Settings -> Locations. A new installation will have two locations defined: California and European Union.
Clicking on Add Location allows you to select from a list of countries and/or all 50 United States. In addition to the predefined regions, you can add your own custom regions on the locations screen. The values for custom regions would depend on the output from the GEOIP API being used.
Once you have selected your regions then set your Privacy Options as normal under Settings -> Options -> Privacy Options.
Node Tools
Resolved various issues that would prevent Move/Prune Nodes from working properly.
Language Locales
The French, German, and Spanish language packages will properly include the .utf8 suffix in the specified Locale. This will provide improved support for UTF-8 characters.
Upgrades from Legacy Versions
Upgrade steps used when upgrading from older versions of vBulletin 3.X have been updated to resolve potential errors that are caused from supporting older versions of PHP.
Early vBulletin 5.X upgrade steps have been updated to improve importing content when IDs are not consecutive. In addition to this, the feedback on various upgrade steps in the early 5.X series has been updated to be more concise while still providing progress updates.
Other Resolved Issues
vBulletin 5.5.6, 5.6.0, 5.6.1 Security Patch Level 1
- Resolved an issue where outgoing emails can have an incorrect language assigned.
- Resolved various issues to improve support for PHP 7.4.
- Obsolete Public Usergroup permissions have been removed.
- Resolved an issue that could result in premature cache deletion for search logs.
A security exploit has been reported within vBulletin 5.6.1 and earlier versions. To fix this issue, we have created a new security patch.
We have made patches available for the following versions of vBulletin Connect:
- 5.6.1 Patch Level 1
- 5.6.0 Patch Level 1
- 5.5.6 Patch Level 1
vBulletin 5.6.0 is now available for download customers. Owners of vBulletin Cloud sites will be notified about their upgrade soon.
Front End Changes
Login Refactor
The mechanics behind user login have changed. The system no longer utilizes a separate page loaded within an iFrame tag. The updated functionality uses AJAX and Javascript to login instead of an HTML form submission.
If you use the login template in a module, you need to update this to use the Display Template module and display the login_main template.
Event Highlights
Site Administrators can define Event Highlights. These allow you to display events on the calendars with a different background color in order to categorize events. Event Highlights work similarly to Topic Prefixes and are selected when a new event is created or edited.
Member List
A search form has been added to the Member List module. This will allow individuals to search the member list by username.
In addition to this, the following changes have been made:
Static HTML Module
- IPv6 display has been improved.
- The Private Message column has been removed.
- Private Message/vBulletin Messenger link is now consistent with other locations in the software.
We have made the language shortcodes available for use in Static HTML Modules. These shortcodes will allow you to insert variables into your HTML. These variables include: {sitename}, {userid}, {username}, {musername}, {registerurl}, {activationurl}, {helpurl}, {contacturl}, {homeurl}, {date}.
vBulletin 5.5.6 Changes and Updates
A preview release of vBulletin 5.5.6 is now available to download customers. This version contains updates to the content editor and security tools within the software. Pre-release software should not be used on production servers. It is made available for testing purposes only.
vBulletin 5.5.4 Changes and Updates
Front End Changes
Avatars as Status Icons
A new option has been added to show the user's avatar instead of the status icon in Topic Lists. This allows the system to be consistent with the responsive view. All views will display the same icons based on this option. You can access the option in the AdminCP under Settings -> Options -> Channel Display Options.
When displaying avatars as status icons, the avatar will link to the user's profile for consistency. Administrators and moderators will not be able to double-click on the status icon to open and close topics. If this functionality is important for your site, you will need to use the standard status icons.
Note: Previous versions of vBulletin 5 would always show avatars in Responsive View. In order to maintain consistency, Responsive View now follows this new setting.Semantic HTML
By using semantic HTML tags, we can provide additional information to search engines and accessibility tools (e.g. Screen Readers). Using these tags allows the system to signify which information is more important on the page.
We have converted the header, footer, and Channel Navigation Modules to better use Semantic HTML tags. The system is now using the <header>, <footer>, <nav>, and <main> tags where appropriate. Header elements are wrapped in the <header> tag instead of using the <div> tag. Footer elements on each page now use the <footer> tag. Menus and breadcrumbs are wrapped in the <nav> tag. The primary content of each page now uses the <main>. We have worked to make these changes backwards compatible and you should not see any difference in the rendering of your pages. However, if your custom CSS targets container.class (e.g. div.header) then you will need to update your CSS for these changes.
If you are using one of the provided styles, then you will not have to do anything to take advantage of this change.
Back End / AdminCP
Style Variable Validation
As a security measure, we have applied a series of validation rules to CSS attributes entered as Style Variable values and in User Profile Customization. These rules limit the amount of CSS that can be added to a variable and prevent users from adding their own attributes using third-party software to alter the page. As an Administrator, you can apply more complex CSS using the css_additional.css template for your style.
The following validation rules have been added to the system:
- Default
- Applies to all style variables unless specified below.
- Limited to less than 250 characters.
- Does not contain the characters "{}".
- URL and Image
- URLs must be quoted.
- Unescaped braces "{}" are not allowed.
- Base64 is allowed as long as there are no braces.
- Font Family
- No more than 20 font families listed.
- Font Family list is comma separated.
- Each font name is no more than 100 characters.
- Font names with spaces must be enclosed within quotation marks.
vBulletin 5.5.3 Release Candidate 2 is now available for testing. It is not recommended to run pre-release builds on production sites.
Front End Changes
Group Icons
We have resolved a few additional issues with Group Channels. These include:
Facebook Connect
- Group Icons can now be removed. Previously you could only replace them with a new icon.
- Icon management works properly on the Group Settings Page.
- Items will no longer break out of the Conversation Toolbar at different resolutions.
- Topics and Replies will be properly moderated before displaying if this group option is set.
A number of changes have been made to Facebook Connect to enable better operations due to changes in their API over the years. When a user registers with Facebook, the process is simplified. Facebook no longer allows the automated operations from vBulletin 4.X. We have worked to make the registration process as simple as possible. It is no longer possible to pre-fill custom profile fields with Facebook information. They have removed that functionality. We have also upgraded the Facebook API to the latest version.
Container Module
You can now add additional modules to the Container Module in the Blog Channel Sidebar. An issue that could cause all modules to be deleted when doing this has been resolved.
Accessibility
Code has been added to apply the aria-label attribute on form elements that currently do not have proper labels. This should improve general accessibility throughout the software. In addition to this, the jQuery Placeholder plugin has been removed from the system. The placeholder attribute is natively supported by browser engines today. This workaround was no longer needed.
Breadcrumbs
These have been reworked to display better on smaller screens. Breadcrumb text will no longer be abbreviated with the CSS .ellipsis class. Instead the breadcrumbs will wrap to the next line as necessary. In addition to this, the Home label has been replaced with an icon and appropriate label.
Back End / AdminCP
Improved Search Engine Performance
A number of performance issues relating to the search engine in vBulletin 5 have been resolved. These changes can significantly speed up your search results when using either keyword based search or the JSON powered search modules placed on pages.
Moderation Permissions
We have split the single "Skip Moderation Queue" permission into three different permissions. This was done to give you greater control over moderating new content similar to vBulletin 4.X. Setting these permissions to No will force content into moderation on a channel by channel basis. The three permissions are:
Proxy Support
- Skip Moderation for New Topics - This will enable you to moderate new topics started by different usergroups.
- Skip Moderation for Replies - This will enable you to moderate replies and comments on approved topics.
- Skip Moderation for Posts/Topics with Attachments - If set to no, this will automatically moderate any topic starter or post with attachments. This allows review of the attachments before they are made available to your users.
We have added support for Cloudflare and Sucuri proxies in the /core/includes/config.php file. These directives are commented out in the default file. Uncomment the block that you wish to use. Uncommenting will make them active. Only one can be active at a time.
.htaccess
Code has been added to the default .htaccess file to handle rewriting vBulletin 4.X Friendly URLs. This code is commented out by default.
AdminCP Home Page Statistics
These statistics have been updated so they are more accurate. In addition to this, the obsolete Profile Picture Statistic has been removed.
Mobile Apps
Push Notifications
Changes have been made to make push notifications more reliable in the mobile apps. A new option has been added to control the push notification timeout. This option can be found in the AdminCP under Settings -> Options -> vBulletin API and Mobile Application Options.
The new version of vBulletin v5.5.2 Connect with many changes, including: changes in the external interface, changing the type of groups, improving the search and corrected previously known errors