PDA

View Full Version : vBulletin Security Patch for vBulletin 4 Suite Only - 01/10/2012


vB.Org System
10 Jan 2012, 20:00
A recent vBulletin 4 (Suite Only, all versions) report (http://tracker.vbulletin.com/browse/VBIV-13921) indicated that there is a potential permission exploit vector (https://www.vbulletin.com/forum/showthread.php/393806-Security-Breach-Unauthorized-Blogs-Being-Posted) in the Blogs portion of the product. Once the cause of the issue was isolated, additional permissions checks were added to eliminate the reported threat.

The issue does not affect vBulletin 3.x, or vBulletin 4 Forum Classic. It affects only the Blogs product.

This patch has been issued for vBulletin versions 4.0.0 through 4.1.9. The code change has been included in 4.1.10, which will not need to be patched.

To improve the security of your vBulletin 4 Suite installation please download the patch from the members area of vBulletin: http://members.vbulletin.com/
We recommend you install this security patch as soon as possible.

The upgrade process is the same as previous patch level releases - simply download the patch from the Members Area, extract the files and upload to your web server, overwriting the existing files. There is no upgrade script required.

(Advanced users: file updated is /blog_post.php)

Please note that this issue and fix ONLY affects VBULLETIN SUITE. You may notice that vBulletin Forum Only Patch Level was incremented as well - you DO NOT have to patch or take any action for non-CMS sites.


More... (https://www.vbulletin.com/forum/showthread.php/394259-vBulletin-Security-Patch-for-vBulletin-4-Suite-Only-01-10-2012?goto=newpost)