A recent Yahoo! report indicated a potential SWF exploit vector involving the Yahoo! User Interface Library (YUI). Upon review, the vBulletin team has determined that the vBulletin 4 Asset Manager is affected. Once the issue was identified, updated YUI files were requested from Yahoo! to eliminate the reported threat.
This issue affects ALL vBulletin 4 SUITE and FORUM versions. vBulletin 3 and vBulletin 5 are not affected.
Security patches have been released for vBulletin 4.1.12 and vBulletin 4.2.
vBulletin 4 Customers Running 4.1.12 or 4.2:
Please install the patch immediately.
vBulletin 4 Customers Not Running 4.1.12 or 4.2:
Please upgrade to vBulletin 4.1.12 PL3 or vBulletin 4.2 PL3. If you do not wish to upgrade at this time, the potential exploit can be addressed by updating Server Settings and Optimization Options using the following steps:
As with all security-based releases, we recommend that all affected customers upgrade as soon as possible.
Advanced Users:
Files updated in vBulletin 4.1.12 PL3 and 4.2 PL3.
Yahoo!'s announcement regarding the potential YUI exploit can be found - HERE
Licensed customers can discuss the security patch - HERE
Instructions on how to patch your vBulletin 4.1.12 or 4.2 site can be found - HERE
More...[/B][/B][/B][/B][/B]
This issue affects ALL vBulletin 4 SUITE and FORUM versions. vBulletin 3 and vBulletin 5 are not affected.
Security patches have been released for vBulletin 4.1.12 and vBulletin 4.2.
vBulletin 4 Customers Running 4.1.12 or 4.2:
Please install the patch immediately.
- Download the patch for the version of vBulletin you're currently running fromhttps://members.vbulletin.com/patches.php.
- Extract the vBulletin patch files from the zip file.
- Upload the patch files to your server, overwriting the old files.
vBulletin 4 Customers Not Running 4.1.12 or 4.2:
Please upgrade to vBulletin 4.1.12 PL3 or vBulletin 4.2 PL3. If you do not wish to upgrade at this time, the potential exploit can be addressed by updating Server Settings and Optimization Options using the following steps:
- Log into your Admin CP.
- Expand the "Settings" menu in the leftnav.
- Click on the "Options" link.
- Select "Server Settings and Optimization Options" from the list and click the "Edit Settings" button.
- Make sure "Yahoo!" is selected in the "Use Remote YUI" section.
- Scroll to the bottom of the screen and click the "Save" button.
As with all security-based releases, we recommend that all affected customers upgrade as soon as possible.
Advanced Users:
Files updated in vBulletin 4.1.12 PL3 and 4.2 PL3.
- clienstcript/yui/uploader/assets/uploader.swf
- includes/version_vbulletin.php
Yahoo!'s announcement regarding the potential YUI exploit can be found - HERE
Licensed customers can discuss the security patch - HERE
Instructions on how to patch your vBulletin 4.1.12 or 4.2 site can be found - HERE
More...[/B][/B][/B][/B][/B]