View Full Version : vBulletin Security Patch for 4.X and 3.X

vB.Org System
31 May 2011, 21:40
Yahoo YUI Security Exploit

We have been notified of a potential, but unconfirmed exploit in vBulletin 3 and 4 (all versions) via the Yahoo YUI component library.
To rectify this issue we have released a patch for the latest version of vBulletin 3 and vBulletin 4, vBulletin 3.8.7 and vBulletin 4.1.3. Forthcoming vBulletin 4.1.4 will not be affected.
As such, we have released:
vBulletin Publishing Suite 4.1.3 PL1
vBulletin Forum Classic 4.1.3 PL1
vBulletin Forum Classic 3.8.7 PL1

Upgrade Process
The upgrade process is the same as previous patch level releases - simply download the patch from the Members Area (http://members.vbulletin.com/patches.php), extract the files and upload to your webserver, overwriting the existing files. There is no upgrade script required.
As with all security-based releases, we recommend that all customers upgrade as soon as possible in order to prevent any potential damage resulting from the flaw being exploited.

New installations/upgrades
If you are upgrading your site, or installing a new copy of our software, the latest software packages include the patch. These can be downloaded from your Members Area (http://members.vbulletin.com/)

To manually fix versions prior to vBulletin 4.1.3 and 3.8.7
Edit one line in class_core.php file located in /includes/class_core.php ; find the following line “define('YUI_VERSION', '2.7.0'); // define the YUI version we bundle” ; replace this line with “define('YUI_VERSION', '2.9.0'); // define the YUI version we bundle”
In AdminCP; Go to “Options” => “Server Settings and Optimization Options” ; find “Use Remote YUI” option and in the dropdown switch to a server of your choice, Google or Yahoo.

More... (http://www.vbulletin.com/forum/showthread.php/380885-vBulletin-Security-Patch-for-4.X-and-3.X?goto=newpost)