vBulletin 4 Security Patch for Potential Yahoo! User Interface Library Exploit - 11/01/2012

Discussion in 'vBulletin Discussions' started by News Bot, Nov 1, 2012.

  1. News Bot

    News Bot Regular Member

    Joined:
    Apr 28, 2011
    Messages:
    429
    Likes Received:
    63
    Location:
    Cyber Space
    A recent Yahoo! report indicated a potential SWF exploit vector involving the Yahoo! User Interface Library (YUI). Upon review, the vBulletin team has determined that the vBulletin 4 Asset Manager is affected. Once the issue was identified, updated YUI files were requested from Yahoo! to eliminate the reported threat.

    This issue affects ALL vBulletin 4 SUITE and FORUM versions. vBulletin 3 and vBulletin 5 are not affected.

    Security patches have been released for vBulletin 4.1.12 and vBulletin 4.2.

    vBulletin 4 Customers Running 4.1.12 or 4.2:
    Please install the patch immediately.
    1. Download the patch for the version of vBulletin you're currently running from https://members.vbulletin.com/patches.php.
    2. Extract the vBulletin patch files from the zip file.
    3. Upload the patch files to your server, overwriting the old files.

    The upgrade.php script does not need to be run.

    vBulletin 4 Customers Not Running 4.1.12 or 4.2:
    Please upgrade to vBulletin 4.1.12 PL3 or vBulletin 4.2 PL3. If you do not wish to upgrade at this time, the potential exploit can be addressed by updating Server Settings and Optimization Options using the following steps:
    • Log into your Admin CP.
    • Expand the "Settings" menu in the leftnav.
    • Click on the "Options" link.
    • Select "Server Settings and Optimization Options" from the list and click the "Edit Settings" button.
    • Make sure "Yahoo!" is selected in the "Use Remote YUI" section.
    • Scroll to the bottom of the screen and click the "Save" button.

    This change will set your forum to use the latest YUI file hosted by Yahoo!. The potential exploit vector will be closed once you've performed this change. It is strongly recommended that you do so immediately.

    As with all security-based releases, we recommend that all affected customers upgrade as soon as possible.

    Advanced Users:
    Files updated in vBulletin 4.1.12 PL3 and 4.2 PL3.
    • clienstcript/yui/uploader/assets/uploader.swf
    • includes/version_vbulletin.php

    Please note that this list does not contain the files changed in any previous patches for these versions. Only the files changed in vBulletin 4.1.12 PL3 and 4.2 PL3 are listed.

    Yahoo!'s announcement regarding the potential YUI exploit can be found - HERE

    Licensed customers can discuss the security patch - HERE

    Instructions on how to patch your vBulletin 4.1.12 or 4.2 site can be found - HERE

    Continue reading...
     
  2. Brandon

    Brandon Regular Member

    Joined:
    Jun 1, 2009
    Messages:
    6,602
    Likes Received:
    1,707
    Location:
    Topeka, Kansas
    First Name:
    Brandon
    hmm, interesting
     
  3. cpvr

    cpvr Regular Member

    Joined:
    Aug 14, 2009
    Messages:
    3,219
    Likes Received:
    823
    Ya, we've been using Google for this all along. I was like "Well damn!"
     
    Iconic likes this.
  4. Brandon

    Brandon Regular Member

    Joined:
    Jun 1, 2009
    Messages:
    6,602
    Likes Received:
    1,707
    Location:
    Topeka, Kansas
    First Name:
    Brandon
    Yup, I should email some of my clients to let them know, hopefully I'll have time this weekend to do that.
     
    cpvr likes this.
  5. Alfa1

    Alfa1 Regular Member

    Joined:
    Jul 24, 2009
    Messages:
    303
    Likes Received:
    196
    It's not like this has sprung up out of the blue. YUI2 and especially YUI2.8 has been grossly outdated for ages. It is a miracle that worse exploits have not appeared in recent years.
     
    Brandon likes this.

Share This Page