Security Exploit Patched in versions 3.5, 3.6, 3.7, 3.8, 4.X, 5.X of vBulletin

Admin

A security issue has been found that affects all versions of vBulletin including 3.x, 4.x and 5.x. We have released security patches to account for this vulnerability. This includes patches for vBulletin 3.8.7, vBulletin 4.2.2 and all versions of vBulletin 5 (including Cloud accounts). The patch is also applied to vBulletin 5.1.0 RC1. It is imperative that you apply these patches as soon as possible.

Due to functionality changes, the minimum PHP version for the patch is 5.2.0. This represents an increase for vBulletin 3. Alternatively, customers can install the JSON functions separately via http://pecl.php.net/package/json, in which case it will work with any compatible PHP version that their particular version of vBulletin supports. You will need to collaborate with your hosting provider or systems administrator to apply the changes to PHP.

Patch for vBulletin 5.0.5 PL1
Patch for vBulletin 4.2.2 PL1
Patch for vBulletin 3.8.7 PL3
Patch for vBulletin 3.8.7 MAPI

Linked below are patch files so that you can manually update versions of vBulletin 3 and vBulletin 4 without a direct patch.
Please note, we have already applied this patch to all vBulletin Cloud sites.

Installing the Patch
Please install the patch for your version of vBulletin immediately.
  1. Upgrade PHP to the minimum version or install the JSON PECL, if necessary.
  2. Download the patch from https://members.vbulletin.com/patches.php.
  3. Extract the vBulletin patch files from the Zip file.
  4. Upload the patch files to your server, overwriting the old files.
As with all security related releases, we recommend all affected customers patch/upgrade as soon as possible.

If you're using an unpatched version of 3.X or 4.X, and you need to manually apply the DIFF patches, please see these threads:
vBulletin 3.X
vBulletin 4.X

Frequently Asked Questions

Do I need to run the upgrade scripts?
No, you do not need to with this patch.

If I apply the patch to 3.8.7 or 4.2.2 do I need to mess with the DIFF files?
No, you do not.

How do I use the DIFF patch for my version?
Please see the thread linked above.

Will you release the details of this issue?
To allow our customers time to upgrade and apply the patch, we will not release any further details.
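
The following shell script is an added example, not part of the announcement or of vBulletin's own tooling. It checks the PHP requirement from step 1 and, after step 4, lists any file from the extracted patch that was not overwritten on the server; the script name and the two directory arguments are assumptions.

```shell
#!/bin/sh
# Added example: checks around the patch steps. Paths are supplied by the caller.
MIN_PHP="5.2.0"   # minimum PHP version stated in the announcement

# version_ge A B: succeed when dotted version A is >= B, compared field by field.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# php_ready VERSION HAS_JSON: step 1 is satisfied by PHP >= 5.2.0, or by an
# older PHP that has the JSON functions installed (HAS_JSON = "yes").
php_ready() {
    version_ge "$1" "$MIN_PHP" || [ "$2" = "yes" ]
}

# unpatched_files PATCH_DIR WEB_ROOT: print every file from the extracted patch
# whose copy under WEB_ROOT is missing or differs, i.e. was not overwritten.
unpatched_files() {
    (cd "$1" && find . -type f) | while IFS= read -r rel; do
        rel=${rel#./}
        cmp -s "$1/$rel" "$2/$rel" 2>/dev/null || printf '%s\n' "$rel"
    done
}

# Usage (hypothetical script name): sh check_patch.sh EXTRACTED_PATCH_DIR FORUM_ROOT
# The php CLI can differ from the PHP build the web server runs; confirm both.
if [ "$#" -eq 2 ]; then
    ver=$(php -r 'echo PHP_VERSION;')
    json=$(php -r 'echo function_exists("json_encode") ? "yes" : "no";')
    php_ready "$ver" "$json" || echo "PHP $ver lacks the JSON functions"
    left=$(unpatched_files "$1" "$2")
    [ -z "$left" ] || { printf 'Not overwritten:\n%s\n' "$left"; exit 1; }
    echo "All patch files are in place"
fi
```

A non-empty list after uploading usually means a file landed in the wrong directory or the upload was interrupted.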
 
