Bugtraq mailing list archives

Re: memberlist.php of vBulletin


From: "John Percival" <johnnews () jelsoft com>
Date: Mon, 25 Mar 2002 14:07:24 -0000

Vendor status: notified 3/18/2; no response

Correction:
Our response was emailed 14 minutes after receiving initial notification:
-------
Thank you for reporting this, I have flagged this for discussion among the
developers.

Please let me know if you require any further assistance.

All the best,
Chris Schreiber
Support Team, vBulletin

http://www.vbulletin.com/
mailto:support () vbulletin com
-------

It was very kind of Plato to be responsible and let the community know what
is happening, but in the interests of the community we would have been a lot
better off letting us provide a fix first. I am quite disappointed in
Plato's actions here, and the only reason that I have not replied sooner is
that I felt that I would be more reasonable if I waited and cooled off a
little ;-)

As of Saturday, we have finished an initial round of audits for these XSS
issues and we are beginning more thorough checks. I would estimate a fix
will be available some time Monday or Tuesday.

I believe the simplest fix would be to initialize letterbits
($letterbits = "";) at the top of memberlist.php.

Yes, that is correct.
Add $letterbits = ''; right after the initial <?php

Unfortunately a similar bug affects several other files too. We are trying
to identify any remaining problems as quickly as possible.


Regards,

John Percival
Product Manager, vBulletin
Jelsoft Enterprises Ltd.

http://www.vbulletin.com/
mailto:john () vbulletin com

"vBulletin: Community Instantly"
Online support: mailto:support () vbulletin com

