=====================================================================
                                   CERT-Renater

                        Information Note No. 2010/VULN479
_____________________________________________________________________

DATE                      : 22/11/2010

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running vBulletin version 4.0.8, 4.0.8 PL1.

======================================================================
http://www.vbulletin.com/forum/showthread.php?367219-vBulletin-4.0.8-PL2-Released
______________________________________________________________________


vBulletin 4.0.8 PL2 Released

    Further to the issue that was rectified with vB 4.0.8 PL1, an
additional concern was identified that may affect users utilizing IE6.

    The flaw may enable users to upload a script to their own profile,
and viewers of that profile who are using IE6 may be exploited.

    This issue only affects vBulletin 4.0.8/vBulletin 4.0.8 PL1 where
User Profile Customization has been enabled by the administrator. No
other versions of vBulletin are affected. Installations of vBulletin 4.0.8/4.0.8 PL1
that do not have User Profile Customization enabled, or whose administrators
elect to disable User Profile Customization, are also not affected.

    To rectify the issue, either download the patch from the vBulletin
Members' Area (http://members.vbulletin.com/) or disable User Profile
Customization.


    Upgrading from 4.0.8

    If you are already running 4.0.8 or 4.0.8 PL1, the process required
to make your board immune to this issue is the following. There is no need
to run an upgrade script if you are already running 4.0.8.
    Visit the Patches section of the vBulletin Members' Area and download
the patch for 4.0.8/4.0.8 PL1. Extract the files from the archive you
downloaded, then upload them to your board via FTP or similar, overwriting
the existing files. This will update your version to the PL2 release.


    Upgrading from Versions Earlier than 4.0.8

    If you are not already running 4.0.8, we have updated the downloadable
version of our software, so you can download 4.0.8 from the Members' Area and
perform an upgrade as normal.

    Full instructions for upgrading vBulletin are available here.



    Download vBulletin 4.0.8 PL2

    As usual, the version released today is available for all customers with valid,
active licenses to download from the vBulletin Members' Area.

    You can discuss this patch release in the existing 4.0.8 release discussion.



======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================
