vBulletin 4.0.8 PL1 Released


vB.Org System
17 Nov 2010, 06:30
An XSS flaw within the user profile customization was recently reported to us. On initial investigation it appeared that the flaw would only affect the user who attempted to perform the exploit when visiting their own profile page. Additional reports we have since received confirm that certain visitors utilizing Internet Explorer 6 and specific variants of Internet Explorer 7 may be exposed to this exploit.
The exposure to other users that utilize IE6 and certain variants of IE7 has been rectified with this patch.

This issue only affects vBulletin 4.0.8 where User Profile Customization has been enabled by the administrator. No other versions of vBulletin are affected. Versions of vBulletin 4.0.8 that do not have User Profile Customization enabled, or that elect to disable User Profile Customization, are also not affected.

To rectify the issue, please either download the patch from the members area of vBulletin (http://members.vbulletin.com/) or disable user profile customization.


Upgrading from 4.0.8

If you are already running 4.0.8, the process you will be required to undertake to make your board immune to this issue is the following:

There is no need to run an upgrade script if you are already running 4.0.8.

Visit the Patches section of the vBulletin Members' Area (http://members.vbulletin.com/patches.php) and download the patch for 4.0.8. Extract the files from the archive you downloaded, then upload the files to your board via FTP etc., overwriting the existing files. This will update your version to the PL1 release.


Upgrading from Versions Earlier than 4.0.8

If you are not already running 4.0.8, we have updated the downloadable version of our software, so you can download 4.0.8 from the Members' Area (http://members.vbulletin.com) and perform an upgrade as normal.

Full instructions for upgrading vBulletin are available here (http://www.vbulletin.com/docs/html/upgrade).



Download vBulletin 4.0.8 PL1

As usual, the version released today is available for all customers with valid, active licenses to download from the vBulletin Members' Area.

vBulletin Members Area (http://members.vbulletin.com/)

You can discuss this patch release in the existing 4.0.8 release discussion (http://www.vbulletin.com/forum/showthread.php?t=364150).



We are currently in the process of e-mailing all customers, and updating our admin control panel news to inform all customers.

