vBulletin Security Patch for 4.X and 3.X

Yahoo YUI Security Exploit

We have been notified of a potential, but unconfirmed exploit in vBulletin 3 and 4 (all versions) via the Yahoo YUI component library.
To rectify this issue we have released a patch for the latest version of vBulletin 3 and vBulletin 4, vBulletin 3.8.7 and vBulletin 4.1.3. Forthcoming vBulletin 4.1.4 will not be affected.
As such, we have released:

• vBulletin Publishing Suite 4.1.3 PL1
• vBulletin Forum Classic 4.1.3 PL1
• vBulletin Forum Classic 3.8.7 PL1

Upgrade Process
The upgrade process is the same as previous patch level releases - simply download the patch from the Members Area, extract the files and upload to your webserver, overwriting the existing files. There is no upgrade script required.
As with all security-based releases, we recommend that all customers upgrade as soon as possible in order to prevent any potential damage resulting from the flaw being exploited.



New installations/upgrades
If you are upgrading your site, or installing a new copy of our software, the latest software packages include the patch. These can be downloaded from your Members Area



To manually fix versions prior to vBulletin 4.1.3 and 3.8.7

1. Edit one line in class_core.php file located in /includes/class_core.php ; find the following line “define('YUI_VERSION', '2.7.0'); // define the YUI version we bundle” ; replace this line with “define('YUI_VERSION', '2.9.0'); // define the YUI version we bundle”
2. In AdminCP; Go to “Options” => “Server Settings and Optimization Options” ; find “Use Remote YUI” option and in the dropdown switch to a server of your choice, Google or Yahoo.

Continue reading...

 

oopsies another security exploit, you'd think they'd make the effort to at least ensure any third party components were kept updated now would'nt you?

 

Indeed, and considering vb 3 has this than that means they were unaware of this for a Long time.

 

Yea, and if you look, they are two "minor/feature" release versions out, and is like 2+ years out of date...