admin
26-03-2010, 05:10 PM
A potential XSS vulnerability has been identified in vBulletin 4.0.2 PL3 in relation to the CMS article editor. In addition, a bug was introduced in PL3 in regards to bbcode parsing in CMS articles. We are issuing a patch release to address these issues.
The upgrade process is the same as previous patch level releases - simply download the patch from the Members Area (http://members.vbulletin.com/patches.php), extract the files and upload to your webserver, overwriting the existing files. There is no upgrade script required if you are currently running 4.0.2 PL2 or PL3. If running 4.0.2 or 4.0.2 PL1 see the details below as the process is slightly different.
As with all security-based releases, we recommend that all customers upgrade as soon as possible in order to prevent any potential damage resulting from the flaw being exploited.
There is no need to run an upgrade script if you are already running the latest version (4.0.2 PL3).
If you are running 4.0.2, or 4.0.2 PL1 you should follow these steps.
1) Download the 4.0.2 PL4 patch files.
2) Set your site to be offline.
3) Make sure your install directory still exists. If not, upload the install directory from your vBulletin package to your vBulletin directory, leaving out install/install.php.
4) Upload the patch files to your vBulletin directory.
5) Run the url http://your.site.com/vBdirectory/ins...e_402_salt.php (http://your.site.com/vBdirectory/install/upgrade_402_salt.php)
6) Set your site to be online.
This will address all PL fixes, including the fixes contained in 4.0.2 PL3 (http://www.vbulletin.com/forum/showthread.php?346761-Security-Patch-Release-4.0.2-PL3). It is not necessary to run any other scripts.
The upgrade process is the same as previous patch level releases - simply download the patch from the Members Area (http://members.vbulletin.com/patches.php), extract the files and upload to your webserver, overwriting the existing files. There is no upgrade script required if you are currently running 4.0.2 PL2 or PL3. If running 4.0.2 or 4.0.2 PL1 see the details below as the process is slightly different.
As with all security-based releases, we recommend that all customers upgrade as soon as possible in order to prevent any potential damage resulting from the flaw being exploited.
There is no need to run an upgrade script if you are already running the latest version (4.0.2 PL3).
If you are running 4.0.2, or 4.0.2 PL1 you should follow these steps.
1) Download the 4.0.2 PL4 patch files.
2) Set your site to be offline.
3) Make sure your install directory still exists. If not, upload the install directory from your vBulletin package to your vBulletin directory, leaving out install/install.php.
4) Upload the patch files to your vBulletin directory.
5) Run the url http://your.site.com/vBdirectory/ins...e_402_salt.php (http://your.site.com/vBdirectory/install/upgrade_402_salt.php)
6) Set your site to be online.
This will address all PL fixes, including the fixes contained in 4.0.2 PL3 (http://www.vbulletin.com/forum/showthread.php?346761-Security-Patch-Release-4.0.2-PL3). It is not necessary to run any other scripts.