vBulletin 4.X Security Patch

  • IB Adrian
    Former Senior Operations Manager
    • Jul 2008
    • 1688
    • 3.6.x

    vBulletin 4.X Security Patch

    vBulletin Publishing suite
    • 4.1.2 PL1
    • 4.1.1 PL1
    • 4.1.0 PL3
    • 4.0.8 PL3
    • 4.0.7 PL1
    • 4.0.6 PL1
    • 4.0.5 PL1
    • 4.0.4 PL2
    • 4.0.3 PL2
    • 4.0.2 PL5
    • 4.0.1 PL1
    • 4.0.0 PL2

    vBulletin Forum classic
    • 4.1.2 PL1
    • 4.1.1 PL1
    • 4.1.0 PL3
    • 4.0.8 PL3
    • 4.0.7 PL1
    • 4.0.6 PL2
    • 4.0.5 PL1
    • 4.0.4 PL2
    • 4.0.3 PL2
    • 4.0.2 PL5
    • 4.0.1 PL1
    • 4.0.0 PL2


    Has been released.

    A flaw has recently been discovered in a side query used by the search UI. This flaw may enable malicious individuals to inject SQL, allowing them to run arbitrary queries on the database. To resolve this issue, it has been necessary to release a patch level version for all versions of vBulletin 4.X. The issue does not affect vBulletin 3.X to the best of our knowledge. We are not aware of a website that has been compromised by this flaw.

    The upgrade process is the same as previous patch level releases - simply download the patch from the Members Area, extract the files and upload to your webserver, overwriting the existing files. There is no upgrade script required.

    As with all security-based releases, we recommend that all customers upgrade as soon as possible in order to prevent any potential damage resulting from the flaw being exploited.


    Upgrading from 4.X

    If you are already running 4.X, the process you will be required to follow to make your board immune to this flaw is very simple.

    Visit the Patches section of the vBulletin Members' Area and download the patch for the version you are using. Extract the files from the archive you downloaded, then upload them to your board via FTP etc., overwriting the existing files. This will update your version to the PL1 release.

    Note: As many are undoubtedly aware, traditionally we would only release a patch for the latest version. However, given the fact that many customers still have 3.x licenses and are running vB4 (usually older versions), we have decided to break with that tradition and provide patches for all current 4.x versions. In addition, the current downloads on each 4.x version will be updated with the patch.
    Last edited by IB Adrian; Tue 5 Apr '11, 12:58pm.
    Adrian