vBulletin Security Patch for vBulletin 4.1.4 - 4.1.11 for Suite & Forum - 03/23/2012

  • vBulletin Security Patch for vBulletin 4.1.4 - 4.1.11 for Suite & Forum - 03/23/2012

    A recent vBulletin 4 (4.1.4 - 4.1.11 Suite & Forum) report indicated that there was a potential XSS exploit vector in the editor. Once the cause of the issue was isolated, code changes were made to eliminate the reported threat.

    The issue does not affect vBulletin 3.x and vBulletin 4.0 - 4.1.3.

    This patch has been issued for vBulletin 4.1.4 through 4.1.11.

    To improve the security of your vBulletin 4 Suite installation please download the patch from the members area of vBulletin: http://members.vbulletin.com/
    We recommend you install this security patch as soon as possible.

    The upgrade process is the same as previous patch level releases - simply download the patch from the Members Area, extract the files and upload to your web server, overwriting the existing files. There is no upgrade script required.

    Advanced Users - Files updated in the patch are:
    • includes/version_vbulletin.php
    • clientscript/ckeplugins/bbcode/plugin.js (if js uncompressed)
    • clientscript/ckeditor/ckeditor.js (if js compressed)

    Please note that this issue and fix affect BOTH vBulletin SUITE and FORUM.

  • #2
    Please see this article for more detailed installation instructions:
    https://www.vbulletin.com/forum/cont...atch-Your-Site

    Wayne Luke


    • #3
      If you get this warning when upgrading to 4.1.11 PL1, just ignore it and continue.
      Code:
      Due to the following errors, the install/upgrade can not continue:
      The version of includes/md5_sums_vbulletin.php is '4.1.11 Patch Level 1' which does not match the upgrade version of '4.1.11'.
      Have all of the '4.1.11' files been uploaded?
      This should not occur during patching, as the patch does not require running the upgrade.php script.



      • #4
        We're receiving a number of Support Tickets in relation to this Patch release so hopefully this will clarify things somewhat.

        Should I upgrade or Patch?

        If you're currently running 4.1.11 then you only need to patch your vBulletin files.

        If you're currently running a version between 4.1.4 and 4.1.10 inclusive, you have two choices:

        1. Patch the version you're currently running by downloading the patch FOR THAT VERSION

        2. Upgrade to 4.1.11 Patch Level 1 by downloading the full package (NOT via the Patches/Security Patches link!) and following the normal upgrade procedure


        How do I patch my site rather than upgrade?

        It's simple, if you're only patching and not upgrading, you only need to upload the files and that's it! See the link in Wayne's post above!


        I'm getting an error when I try to upgrade! What's gone wrong and what do I do?

        If the error looks like this:

        Due to the following errors, the install/upgrade can not continue:
        The version of includes/md5_sums_vbulletin.php is '4.1.11 Patch Level 1' which does not match the upgrade version of '4.1.11'. Have all of the '4.1.11' files been uploaded?
        ...then you can safely ignore this. Press the Ignore and Continue button and carry on.


        Simple Rules:

        If you're not changing your site's vBulletin version number (the 4.x.x part), you only need the patch files for the version you have, upload and that's it.

        If you ARE changing your site's vBulletin version number (the 4.x.x part), you need to download the full package, upload it and run the upgrade script.