Originally Posted by Kremmen
I've been involved in IT for many years too, and I'd agree that people prefer slow access to no access, which is why we should have search even if it slows the board down, rather than no search, which amounts, in many respects, to no access.
What amazes me is that there are so many options to get around this, but none are being employed here: patch php, patch vbulletin, use the php fix issued on Jan 16 (see the bottom of the php bug discussion), go back to a previous version (was there any real risk from the bug anyway? can the risk be circumvented by reducing some less important piece of functionality?), etc.
By far the simplest thing to do, if there is any real risk of the latest php versions being unstable (which seems unlikely), would be to run a new version of php in parallel with the current site.
www.flyertalk.com could have the current setup, unusable but stable, while ww2.flyertalk.com (or whatever) could have the latest vbulletin and latest php.
Hmmm.
And if there was a security problem in the cvs snapshot that led to the board being pwned and the database damaged, possibly emptied? How would you react to that?
We are using the latest vbulletin release, and it looks to me like vbulletin is not going to patch for the unserialize() problem. So that is not an option.
Rolling back to php 4.3.9.... 4.3.10 was released to address serious, published, security problems. Rolling back does not seem to be a good idea either.