PDA

View Full Version : vBulletin Security Patch for vBulletin 4.1.12 for Suite & Forum - 04/23/2012


vB.Org System
04-23-2012, 10:40 PM
vBulletin has released a security patch to improve the security of the vBulletin 4 MAPI for 4.1.12 Suite & Forum as the result of a recent internal security review. Although no exploits have been reported, we urge our customers to upgrade as soon as possible.

The changes do not affect vBulletin 4.0.0 - 4.1.1.

This patch has been issued for vBulletin 4.1.12. A separate set of patches have been issued for vBulletin 4.1.2 - 4.1.11.

The MAPI security improvements have been added for vBulletin 3.x with the release of 3.x MAPI 1.4.3.

To improve the security of your vBulletin 4 installation, please download the patch from the members area of vBulletin: http://members.vbulletin.com/

In addition to the security improvements, we've resolved the following 4.1.12 issues.


VBIV-14742 (http://tracker.vbulletin.com/browse/VBIV-14742) - Push notifications broken in FR 4.1.12 add-on.
VBIV-14685 (http://tracker.vbulletin.com/browse/VBIV-14685) - Tag in static page cause Fatal error on page with General Search widget set to return Static Pages
VBIV-14663 (http://tracker.vbulletin.com/browse/VBIV-14663) - Quoting doesn't work in the mobile style
VBIV-14660 (http://tracker.vbulletin.com/browse/VBIV-14660) - Static HTML in CMS always displays all content
VBIV-14754 (http://tracker.vbulletin.com/browse/VBIV-14754) - unset($VB_API_PARAMS_TO_VERIFY['vbseourl']) to match vB3 MAPI change.
VBIV-14681 (http://tracker.vbulletin.com/browse/VBIV-14681) - HTML is stripped from article previews
VBIV-14667 (http://tracker.vbulletin.com/browse/VBIV-14667) - Category pages do not load if using basic/advanced friendly URLs

The upgrade process is slightly more complicated for this patch level release.



Download PL1 for vBulletin 4.1.12 from https://members.vbulletin.com.
Upload the patch do your server.
Unzip the patch to your vBulletin 4 install directory. (Ex. /var/www/html/myforum)
Run ./install/upgrade.php. (Required for 4.1.12.)
Download the "API-Log-Clean.xml" attached to this thread. (Included in the do_not_upload folder for full installs.)
Import "API-Log-Clean.xml" using the "Manage Products" interface in the "Plugins & Products" section of your Admin CP. The cleanup script will run on install. AdminCP -> Plugins & Products -> Manage Products -> Add/Import Product
Delete "API-Log-Clean" using the "Product Manager" option in the "Plugins & Products" section of your Admin CP. (Optional. The product is automatically disabled after the script runs.)

Advanced Users - Files updated in the patch are:


/api.php
/forumrunner/push.php
/includes/class_friendly_url.php
/includes/init.php
/install/vbulletin-mobile-style-blog.xml
/install/vbulletin-mobile-style.xml
/packages/vbcms/content/phpeval.php
/packages/vbcms/content/staticpage.php
/packages/vbcms/item/content/article.php
/packages/vbcms/item/content/phpeval.php
/packages/vbcms/search/result/staticpage.php
Please note that this issue and fix affects BOTH vBulletin 4 SUITE and FORUM.

Discuss the security patch - HERE (https://www.vbulletin.com/forum/showthread.php/400166-Discuss-the-MAPI-security-patch-for-vBulletin-4-1-2-4-1-12-Forum-amp-Suite?p=2286633#post2286633)

Discuss vBulletin 4.1.12 - HERE (https://www.vbulletin.com/forum/showthread.php/398902-4-1-12-Feedback-amp-Discussion)
Attached Files
https://www.vbulletin.com/forum/images/attach/xml.gif API-Log-Clean.xml‎ (https://www.vbulletin.com/forum/attachment.php?attachmentid=59044&d=1335223929) (1.9 KB)


More... (https://www.vbulletin.com/forum/showthread.php/400165-vBulletin-Security-Patch-for-vBulletin-4-1-12-for-Suite-amp-Forum-04-23-2012?goto=newpost)