
====================================================================

                                    CERT-Renater

                          Information Note No. 2012/VULN198
____________________________________________________________________

DATE                : 25/04/2012

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running vBulletin for Suite & Forum
                      versions 4.1.12, 4.1.2 up to and including 4.1.11,
                      vBulletin 3.x MAPI Plugin.

======================================================================
https://www.vbulletin.com/forum/showthread.php/400165-vBulletin-Security-Patch-for-vBulletin-4-1-12-for-Suite-amp-Forum-04-23-2012
https://www.vbulletin.com/forum/showthread.php/400164-vBulletin-Security-Patch-for-vBulletin-4-1-2-4-1-11-for-Suite-amp-Forum-04-23-2012
https://www.vbulletin.com/forum/showthread.php/400162-vBulletin-3-x-MAPI-Plugin-1-4-3-released-with-security-patch-04-23-2012
______________________________________________________________________

vBulletin Security Patch for vBulletin 4.1.12 for Suite & Forum -
04/23/2012

vBulletin has released a security patch to improve the security of the
vBulletin 4 MAPI for 4.1.12 Suite & Forum as the result of a recent
internal security review. Although no exploits have been reported, we
urge our customers to upgrade as soon as possible.

The changes do not affect vBulletin 4.0.0 - 4.1.1.

This patch has been issued for vBulletin 4.1.12. A separate set of
patches has been issued for vBulletin 4.1.2 - 4.1.11.

The MAPI security improvements have been added for vBulletin 3.x with
the release of 3.x MAPI 1.4.3.

To improve the security of your vBulletin 4 installation, please
download the patch from the members area of vBulletin:
http://members.vbulletin.com/

In addition to the security improvements, we've resolved the following
4.1.12 issues:

VBIV-14742 - Push notifications broken in FR 4.1.12 add-on.
VBIV-14685 - Tag in static page cause Fatal error on page with General
             Search widget set to return Static Pages
VBIV-14663 - Quoting doesn't work in the mobile style
VBIV-14660 - Static HTML in CMS always displays all content
VBIV-14754 - unset($VB_API_PARAMS_TO_VERIFY['vbseourl']) to match vB3
             MAPI change.
VBIV-14681 - HTML is stripped from article previews
VBIV-14667 - Category pages do not load if using basic/advanced friendly
             URLs
The upgrade process requires a few additional steps for this patch level
release.

1. Download PL1 for vBulletin 4.1.12 from https://members.vbulletin.com.
2. Extract the vBulletin patch files from the zip file.
3. Upload the patch files to your server, overwriting the old files.
4. Run yourdomain.com/forumfolder/install/upgrade.php. (Required for
   4.1.12.)
5. Download the "API-Log-Clean.xml" attached to this thread. (Included in
   the do_not_upload folder for full installs.)
6. Import "API-Log-Clean.xml" using the "Manage Products" interface in the
   "Plugins & Products" section of your Admin CP. The cleanup script will
   run on install. (This is only required if you have logging turned on
   for MAPI.)
   AdminCP -> Plugins & Products -> Manage Products -> Add/Import Product
7. Delete "API-Log-Clean" using the "Product Manager" option in the
   "Plugins & Products" section of your Admin CP. (Optional. The product
   is automatically disabled after the script runs.)

Advanced Users - Files updated in the patch are:
/api.php
/forumrunner/push.php
/includes/class_friendly_url.php
/includes/init.php
/install/vbulletin-mobile-style-blog.xml
/install/vbulletin-mobile-style.xml
/packages/vbcms/content/phpeval.php
/packages/vbcms/content/staticpage.php
/packages/vbcms/item/content/article.php
/packages/vbcms/item/content/phpeval.php
/packages/vbcms/search/result/staticpage.php
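
A way to confirm that the upload step took effect, added here as an example
and not part of the vBulletin announcement: the script compares each file in
the list above between the extracted patch and the live forum directory. It
assumes the extracted patch directory mirrors the forum root layout and that
sha256sum is available; check_patch and the status labels are names chosen
for this example.

```shell
#!/bin/sh
# Added example: verify that the files listed for the 4.1.12 patch were
# really overwritten on the server.
# Assumptions: PATCH_DIR mirrors the forum root layout; sha256sum exists.

# Files the advisory lists as updated by the 4.1.12 patch.
PATCH_FILES="api.php
forumrunner/push.php
includes/class_friendly_url.php
includes/init.php
install/vbulletin-mobile-style-blog.xml
install/vbulletin-mobile-style.xml
packages/vbcms/content/phpeval.php
packages/vbcms/content/staticpage.php
packages/vbcms/item/content/article.php
packages/vbcms/item/content/phpeval.php
packages/vbcms/search/result/staticpage.php"

# Print only the hex digest of a file.
hash_of() { sha256sum "$1" | cut -d' ' -f1; }

# check_patch PATCH_DIR FORUM_ROOT
# Prints one status line per file and returns the number of files that
# do not match the patch (0 means every listed file was replaced).
check_patch() {
    patch_dir=$1 forum_root=$2 bad=0
    for rel in $PATCH_FILES; do
        if [ ! -f "$patch_dir/$rel" ]; then
            echo "NOT-IN-PATCH $rel"; bad=$((bad + 1))
        elif [ ! -f "$forum_root/$rel" ]; then
            echo "MISSING      $rel"; bad=$((bad + 1))
        elif [ "$(hash_of "$patch_dir/$rel")" != "$(hash_of "$forum_root/$rel")" ]; then
            echo "STALE        $rel"; bad=$((bad + 1))
        else
            echo "OK           $rel"
        fi
    done
    return "$bad"
}

# Usage: sh check_patch.sh /path/to/extracted/patch /path/to/forumfolder
if [ "$#" -eq 2 ]; then check_patch "$1" "$2"; fi
```

A STALE line means the old file is still being served, typically because the
upload went to the wrong directory or the overwrite failed on permissions.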

Please note that this issue and fix affect BOTH vBulletin 4 SUITE and
FORUM.

______________________________________________________________________


vBulletin Security Patch for vBulletin 4.1.2 - 4.1.11 for Suite & Forum
- 04/23/2012

vBulletin has released a security patch to improve the security of the
vBulletin 4 MAPI (4.1.2 - 4.1.11 Suite & Forum) as the result of a
recent internal security review. Although no exploits have been
reported, we urge our customers to upgrade as soon as possible.

The changes do not affect vBulletin 4.0.0 - 4.1.1.

This patch has been issued for vBulletin 4.1.2 through 4.1.11. A
separate PL1 has been issued for vBulletin 4.1.12.

These MAPI security improvements have been added for vBulletin 3.x
with the release of 3.x MAPI 1.4.3.

To improve the security of your vBulletin 4 installation, please
download the patch from the members area of vBulletin:
http://members.vbulletin.com/

The upgrade process requires a few additional steps for this patch
level release.

1. Download PL1 for vBulletin 4.1.12 from https://members.vbulletin.com.
2. Extract the vBulletin patch files from the zip file.
3. Upload the patch files to your server, overwriting the old files.
4. Download the "API-Log-Clean.xml" attached to this thread. (Included
   in the do_not_upload folder for full installs.)
5. Import "API-Log-Clean.xml" using the "Manage Products" interface in
   the "Plugins & Products" section of your Admin CP. The cleanup script
   will run on install. (This is only required if you have logging turned
   on for MAPI.)
   AdminCP -> Plugins & Products -> Manage Products -> Add/Import Product
6. Delete "API-Log-Clean" using the "Product Manager" option in the
   "Plugins & Products" section of your Admin CP. (Optional. The
   product is automatically disabled after the script runs.)

Advanced Users - Files updated in the patch are:
includes/init.php

Please note that this issue and fix affect BOTH vBulletin 4 SUITE
and FORUM.

______________________________________________________________________

vBulletin 3.x MAPI Plugin 1.4.3 released with security patch -
04/23/2012

To support the upcoming release of vBulletin Mobile Suite 1.3, which
contains vBulletin's iOS Mobile App 1.3 and Android Mobile App 1.3, we
have released vBulletin 3.x MAPI Plugin 1.4.3. This release contains
nine changes required to fix existing mobile app issues on forums
running vBulletin 3. A security patch has been included to improve
the security of the vBulletin 3.x MAPI plugin as the result of a
recent internal security review. Although no exploits have been
reported, we urge our customers to upgrade as soon as possible.

vBulletin 3 customers should not upgrade unless they have the vBulletin
Mobile Suite.

vBulletin 3.x MAPI Plugin 1.4.3 is compatible with vBulletin 3.7.5+.
vBulletin Blogs customers must have Blogs 2.0.4 installed before
upgrading to 3.x MAPI Plugin 1.4.3. Please visit your vBulletin
Members Area to download it.

The following additional steps need to be taken after upgrade to
vBulletin 3.x MAPI Plugin 1.4.3.

1. Download the "API-Log-Clean.xml" attached to this thread. (Included
   in the do_not_upload folder for full installs.)
2. Import "API-Log-Clean.xml" using the "Manage Products" interface in
   the "Plugins & Products" section of your Admin CP. The cleanup script
   will run on install.
   AdminCP -> Plugins & Products -> Manage Products -> Add/Import Product
3. Delete "API-Log-Clean" using the "Product Manager" option in the
   "Plugins & Products" section of your Admin CP. (Optional. The product
   is automatically disabled after the script runs.)




======================================================================

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
