vBulletin 4.1.3, 4.1.4 and 4.1.5 Security Patch

vBulletin Publishing suite and Forum Classic

• 4.1.5pl1
• 4.1.4pl3
• 4.1.3pl3

Has been released.

This patch strengthens the security of the AdminCP to prevent a reported XSS attack in vBulletin versions 4.1.3, 4.1.4 and 4.1.5. To resolve this issue, it has been necessary to release a patch level version for these three versions only. The issue is limited to certain browsers only, and does not affect versions of vBulletin prior to 4.1.3.

The patching process is the same as previous patch level releases - simply download the patch from the Members Area, extract the files and upload to your webserver, overwriting the existing files. There is no upgrade script required.

As with all security-based releases, we recommend that all customers upgrade as soon as possible in order to prevent any potential damage resulting from the flaw being exploited.


Patching Versions 4.1.3, 4.1.4 and 4.1.5

The process you will be required to follow to make your board immune to this flaw is very simple.

Visit the Patches section of the vBulletin Members' Area and download the patch for the version you are using, then extract the files from the archive you downloaded, then upload the files to your board via FTP etc., overwriting the existing files. This will update your version to the PL release.


Upgrading from Versions Earlier than 4.1.3

If you are not already running 4.1.3+, we have updated the downloadable version of our software, so you can download version 4.1.3, 4.1.4 and 4.1.5 from the Members' Area and perform an upgrade as normal.

Full instructions for upgrading vBulletin are available here.


Continue reading...

 

more XSS issues, when will they learn?

 

Maybe when their own sites get hacked
I am glad they're fixing security exploits but it sure does keep people like me busy upgrading forums.. which is good because I need the money..lol

 

I never looked at it that way because in my opinion, if you don't know what you are doing with the software, then you shouldn't be using it as paying someone to do all the leg work is not the way to learn, it's just the quickest option to work with...

 

Although I do understand what you're saying, I have several highly professional clients that want to run a forum for one reason or anything and no nothing at all about the backend and setting everything up.

It like I like to drive my car but I wouldn't know the first thing (well actually I do, but you get my point) on rebuilding the car or modifying it. That's not going to stop me from driving a car.

 

Why am I saying that anyway Clients pay me to work on their phpBB3 sites as they know jack all about it, so I'm just as bad as you