PDA

View Full Version : Security Patch Release 4.0.2 PL4


vB.Org System
26 Mar 2010, 05:30
A potential XSS vulnerability has been identified in vBulletin 4.0.2 PL3 in relation to the CMS article editor. In addition, a bug was introduced in PL3 in regards to bbcode parsing in CMS articles. We are issuing a patch release to address these issues.

The upgrade process is the same as previous patch level releases - simply download the patch from the Members Area (http://members.vbulletin.com/patches.php), extract the files and upload to your webserver, overwriting the existing files. There is no upgrade script required if you are currently running 4.0.2 PL2 or PL3. If running 4.0.2 or 4.0.2 PL1 see the details below as the process is slightly different.

As with all security-based releases, we recommend that all customers upgrade as soon as possible in order to prevent any potential damage resulting from the flaw being exploited.

There is no need to run an upgrade script if you are already running the latest version (4.0.2 PL3).

If you are running 4.0.2, or 4.0.2 PL1 you should follow these steps.
1) Download the 4.0.2 PL4 patch files.
2) Set your site to be offline.
3) Make sure your install directory still exists. If not, upload the install directory from your vBulletin package to your vBulletin directory, leaving out install/install.php.
4) Upload the patch files to your vBulletin directory.
5) Run the url http://your.site.com/vBdirectory/ins...e_402_salt.php (http://your.site.com/vBdirectory/install/upgrade_402_salt.php)
6) Set your site to be online.
This will address all PL fixes, including the fixes contained in 4.0.2 PL3 (http://www.vbulletin.com/forum/showthread.php?346761-Security-Patch-Release-4.0.2-PL3). It is not necessary to run any other scripts.

Visit the Patches section of the vBulletin Members' Area (http://members.vbulletin.com/patches.php) and download the patch for the version you are using, then extract the files from the archive you downloaded, then upload the files to your board via FTP etc., overwriting the existing files. This will update your version to the latest patch release.

Upgrading from an earlier version

If you are not already running 4.0.2, 4.0.2 PL1, 4.0.2 PL2, or 4.0.2 PL3 you should download the latest version (4.0.2 PL4) from the Members' Area (http://members.vbulletin.com/) and perform an upgrade as normal.

Full instructions for upgrading vBulletin are available here. (http://www.vbulletin.com/forum/../docs/html/upgrade)


Download vBulletin 4.0.2 PL4

As usual, the version released today is available for all customers with valid, active licenses to download from the vBulletin Members' Area.

vBulletin Members Area (http://members.vbulletin.com/)



More... (http://www.vbulletin.com/forum/showthread.php?346897-Security-Patch-Release-4.0.2-PL4&goto=newpost)