Potential XSS vulnerabilities has been identified in vBulletin 4.0.2 PL2 in relation to the CMS content type search widgets (recent threads, recent posts, and general search), and CMS article preview on section pages. We became aware of one XSS issue involving blog titles being displayed incorrectly in a general search widget set to search for recent blog posts. During the QA process testing that issue, we discovered other related vulnerabilities. This was the cause of the delay in an official announcement and patch release. We are issuing a patch release to address these issues.
The upgrade process is the same as previous patch level releases - simply download the patch from the Members Area, extract the files and upload to your webserver, overwriting the existing files. There is no upgrade script required if you are currently running 4.0.2 PL2. If running 4.0.2 or 4.0.2 PL1 see the details below as the process is slightly different.
As with all security-based releases, we recommend that all customers upgrade as soon as possible in order to prevent any potential damage resulting from the flaw being exploited.
There is no need to run an upgrade script if you are already running the latest version (4.0.2 PL2).
If you are running 4.0.2, or 4.0.2 PL1 you should follow these steps.
1) Download the 4.0.2 PL3 patch files.
2) Set your site to be offline.
3) Make sure your install directory still exists. If not, upload the install directory from your vBulletin package to your vBulletin directory, leaving out install/install.php.
4) Upload the patch files to your vBulletin directory.
5) Run the url http://your.site.com/vBdirectory/ins...e_402_salt.php
6) Set your site to be online.
This will address all PL fixes, including the fixes contained in 4.0.2 PL2. It is not necessary to run any other scripts.
Visit the Patches section of the vBulletin Members' Area and download the patch for the version you are using, then extract the files from the archive you downloaded, then upload the files to your board via FTP etc., overwriting the existing files. This will update your version to the latest patch release.
Upgrading from an earlier version
If you are not already running 4.0.2, 4.0.2 PL1, or 4.0.2 PL2, you should download the latest version (4.0.2 PL3) from the Members' Area and perform an upgrade as normal.
Full instructions for upgrading vBulletin are available here.
Download vBulletin 4.0.2 PL3
As usual, the version released today is available for all customers with valid, active licenses to download from the vBulletin Members' Area.
vBulletin Members Area