> Vendor status: notified 3/18/2; no response

Correction: Our response was emailed 14 minutes after receiving initial notification:

-------
Thank you for reporting this, I have flagged this for discussion among the developers.

Please let me know if you require any further assistance.

All the best,
Chris Schreiber
Support Team, vBulletin
http://www.vbulletin.com/
mailto:support@vbulletin.com
-------

It was very kind of Plato to be responsible and let the community know what is happening, but in the interests of the community we would have been a lot better off letting us provide a fix first. I am quite disappointed in Plato's actions here, and the only reason that I have not replied sooner is that I felt that I would be more reasonable if I waited and cooled off a little ;-)

As of Saturday, we have finished an initial round of audits for these XSS issues and we are beginning more thorough checks. I would estimate a fix will be available some time Monday or Tuesday.

> I believe the simplest fix would be to initialize letterbits($letterbits =
> "";) at the top of memberlist.php.

Yes that is correct. Add $letterbits = ''; right after the initial <?php

Unfortunately a similar bug affects several other files too. We are trying to identify any remaining problems as quickly as possible.

Regards,
John Percival
Product Manager, vBulletin
Jelsoft Enterprises Ltd.
http://www.vbulletin.com/
mailto:john@vbulletin.com
"vBulletin: Community Instantly"
Online support: mailto:support@vbulletin.com
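
The message above says the same missing initialization affects several other files. The following audit helper is an added example, not part of the original message and not vBulletin code: it flags PHP variables whose first assignment in a file is an append (`.=`). It assumes the affected variables are built up by appending; the PHP sample is constructed for illustration and the function name is hypothetical.

```python
import re

# Matches "$name =" and "$name .=" but not "==", "===" or "=>".
ASSIGN = re.compile(r'\$([A-Za-z_]\w*)\s*(\.?=)(?![=>])')


def appended_before_assigned(php_source):
    """Return variables whose first assignment in the file is '.='.

    Such a variable has no value set by the script itself before it is
    appended to, which is the pattern the one-line fix above removes.
    Only plain "$name" targets are tracked (no array elements or
    object properties), so treat results as leads for manual review.
    """
    first_op = {}
    for line in php_source.splitlines():
        for name, op in ASSIGN.findall(line):
            # Remember only the first operator seen for each variable.
            first_op.setdefault(name, op)
    return sorted(name for name, op in first_op.items() if op == '.=')


# Constructed sample (not the real memberlist.php): $letterbits is
# appended to in a loop without ever being initialized.
UNINITIALIZED = r"""<?php
require('./global.php');
$perpage = 30;
foreach ($letters as $letter) {
    $letterbits .= '<a href="?ltr=' . $letter . '">' . $letter . '</a> ';
}
echo $letterbits;
"""

# The same sample with the fix from the message applied.
FIXED = UNINITIALIZED.replace("<?php\n", "<?php\n$letterbits = '';\n", 1)

if __name__ == "__main__":
    print("before fix:", appended_before_assigned(UNINITIALIZED))
    print("after fix: ", appended_before_assigned(FIXED))
```
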