=====================================================================
                                    CERT-Renater

                         Note d'Information No. 2011/VULN300
_____________________________________________________________________

DATE                      : 08/04/2011

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running vBulletin version 4.X.

======================================================================
http://www.vbulletin.com/forum/showthread.php/376995-vBulletin-4.X-Security-Patch
______________________________________________________________________

vBulletin 4.X Security Patch

     vBulletin Publishing suite

         * 4.1.2 PL1
         * 4.1.1 PL1
         * 4.1.0 PL3
         * 4.0.8 PL3
         * 4.0.7 PL1
         * 4.0.6 PL1
         * 4.0.5 PL1
         * 4.0.4 PL2
         * 4.0.3 PL2
         * 4.0.2 PL5
         * 4.0.1 PL1
         * 4.0.0 PL2

     vBulletin Forum classic

         * 4.1.2 PL1
         * 4.1.1 PL1
         * 4.1.0 PL3
         * 4.0.8 PL3
         * 4.0.7 PL1
         * 4.0.6 PL2
         * 4.0.5 PL1
         * 4.0.4 PL2
         * 4.0.3 PL2
         * 4.0.2 PL5
         * 4.0.1 PL1
         * 4.0.0 PL2


     Has been released.

     A flaw within a side query that is used in the search UI has
recently been discovered. This flaw may enable malicious individuals
to inject sql that would allow you to run arbitrary queries on the db
via this exploit. To resolve this issue, it has been necessary to
release a patch level version on all versions of vBulletin 4.X. The
issue does not affect vBulletin 3.X to the best of our knowledge. We
are not aware of a website that has been compromised by this flaw.

     The upgrade process is the same as previous patch level releases -
simply download the patch from the Members Area, extract the files and
upload to your webserver, overwriting the existing files. There is no
upgrade script required.

     As with all security-based releases, we recommend that all customers
upgrade as soon as possible in order to prevent any potential damage
resulting from the flaw being exploited.


     Upgrading from 4.X

     If you are already running 4.X, the process you will be required to
follow to make your board immune to this flaw is very simple.

     Visit the Patches section of the vBulletin Members' Area and download
the patch for the version you are using, then extract the files from the
archive you downloaded, then upload the files to your board via FTP etc.,
overwriting the existing files. This will update your version to the PL1 release.

     Note: As many are undoubtedly aware, traditionally we would only
release a patch for the latest version. However given that fact that many
customers still have 3.x licenses and are running vB4 (usually older versions)
we have decided to break with that tradition and provide patches for all
current 4.x version. In addition the current downloads on each 4.x version
will be updated with the patch.




======================================================================

           =========================================================
           Les serveurs de référence du CERT-Renater
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================