An exploit in vBulletin 5.X has been reported by the "Romanian Security Team". We have repaired the issue reported and are releasing patches for the following versions:
5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5 and 5.1.0
The issue has also been fixed in vBulletin 5.1.1 RC1.
The issue is caused by improper handling of the Page object within vBulletin. This allowed some user supplied data to be elevated to the point where it cause problems. It also allowed javascript to be executed in certain situations. To resolve these issues we have:
1) Enhanced error checking on some values from the query string to avoid allowing them in the page array. This includes forbidding some commonly used strings.
2) Cleaning up a value in a route class that should have been forced to be an integer.
3) Increased reliance on vb:var.
4) Changed how we call jQuery in certain circumstances.
We recommend that everyone install the available patch. Running the latest version allows you to be the most secure. As this patch includes changes to templates, there are additional installation steps.
Installing the patch:
1) Upload all files included in your patch download.
2) Reload the Master style. This can be done in two different ways:
- Upload the core/install folder to your server and run /core/install/upgrade.php. This will import all the master XML files including the style.
- Go into the AdminCP and go to Styles & Templates -> Upload / Download Style and import the new style.xml file using the tools on this page.
You should either compare all templates with the new ones and make the highlighted changes or revert all templates and re-apply your customizations.
You can download the patch for your version at: https://members.vbulletin.com/patches.php
5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5 and 5.1.0
The issue has also been fixed in vBulletin 5.1.1 RC1.
The issue is caused by improper handling of the Page object within vBulletin. This allowed some user supplied data to be elevated to the point where it cause problems. It also allowed javascript to be executed in certain situations. To resolve these issues we have:
1) Enhanced error checking on some values from the query string to avoid allowing them in the page array. This includes forbidding some commonly used strings.
2) Cleaning up a value in a route class that should have been forced to be an integer.
3) Increased reliance on vb:var.
4) Changed how we call jQuery in certain circumstances.
We recommend that everyone install the available patch. Running the latest version allows you to be the most secure. As this patch includes changes to templates, there are additional installation steps.
Installing the patch:
1) Upload all files included in your patch download.
2) Reload the Master style. This can be done in two different ways:
- Upload the core/install folder to your server and run /core/install/upgrade.php. This will import all the master XML files including the style.
- Go into the AdminCP and go to Styles & Templates -> Upload / Download Style and import the new style.xml file using the tools on this page.
You should either compare all templates with the new ones and make the highlighted changes or revert all templates and re-apply your customizations.
You can download the patch for your version at: https://members.vbulletin.com/patches.php