No announcement yet.

vBulletin Security Patch for vBulletin 4 Suite Only - 01/10/2012

  • Filter
  • Time
  • Show
Clear All
new posts

  • vBulletin Security Patch for vBulletin 4 Suite Only - 01/10/2012

    A recent vBulletin 4 (Suite Only, all versions) report indicated that there is a potential permission exploit vector in the Blogs portion of the product. Once the cause of the issue was isolated, additional permissions checks were added to eliminate the reported threat.

    The issue does not affect vBulletin 3.x, or vBulletin 4 Forum Classic. It affects only the Blogs product.

    This patch has been issued for vBulletin versions 4.0.0 through 4.1.9. The code change has been included in 4.1.10, which will not need to be patched.

    To improve the security of your vBulletin 4 Suite installation please download the patch from the members area of vBulletin:
    We recommend you install this security patch as soon as possible.

    The upgrade process is the same as previous patch level releases - simply download the patch from the Members Area, extract the files and upload to your web server, overwriting the existing files. There is no upgrade script required.

    (Advanced users: file updated is /blog_post.php)

    Please note that this issue and fix ONLY affects VBULLETIN SUITE. You may notice that vBulletin Forum Only Patch Level was incremented as well - you DO NOT have to patch or take any action for non-CMS sites.

  • #2
    Update: Customers running vBulletin 3 with Blogs can download an edited product file with the fix from this Jira. Follow the instructions in the Jira to install the fix.


    • #3
      Update: I forgot that some of the hardcore vB4 guys had taken a break from wrestling sharks, punching Hitler's ghost in the face, and being generally awesome in order to install the Alphas/Beta on their live sites. For those paragons of foolhardiness, HMBeaty has posted a thread on how to apply this patch to 4.1.10 Beta 1.


      • #4
        To reiterate, if you are already running 4.1.9, all you do is upload the files - you do NOT need to run the upgrade script.

        Running the upgrade script is only necessary if moving from 4.1.8 or earlier to 4.1.9PL1.

        Please also see this article on how to patch your site:
        Vote for:

        - *Admin Settable Paid Subscription Reminder Timeframe*
        *PM - Add ability to reply to originator only*
        - Add Admin ability to auto-subscribe users to specific channel(s)
        - "Quick Route" Interface...


        widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.