Further to the issue that was rectified with vB 4.0.8 PL1, an additional concern was identified that may affect users utilizing IE6.
The flaw may allow a user to upload a script to their own profile; visitors who view that profile in IE6 may then be exploited.
This issue only affects vBulletin 4.0.8/vBulletin 4.0.8 PL1 where User Profile Customization has been enabled by the administrator. No other versions of vBulletin are affected. Installations of vBulletin 4.0.8/4.0.8 PL1 that do not have User Profile Customization enabled, or whose administrators elect to disable it, are also not affected.
To rectify the issue, please either download the patch from the vBulletin Members' Area or disable User Profile Customization.
Upgrading from 4.0.8
If you are already running 4.0.8 or 4.0.8 PL1, follow the process below to make your board immune to this issue.
There is no need to run an upgrade script if you are already running 4.0.8.
Visit the Patches section of the vBulletin Members' Area and download the patch for 4.0.8/4.0.8 PL1. Extract the files from the archive you downloaded, then upload them to your board (via FTP, etc.), overwriting the existing files. This will update your version to the PL2 release.
Upgrading from Versions Earlier than 4.0.8
If you are not already running 4.0.8, we have updated the downloadable version of our software, so you can download 4.0.8 from the Members' Area and perform an upgrade as normal.
Full instructions for upgrading vBulletin are available here.
Download vBulletin 4.0.8 PL2
As usual, the version released today is available for all customers with valid, active licenses to download from the vBulletin Members' Area.
vBulletin Members Area
You can discuss this patch release in the existing 4.0.8 release discussion.