
View Full Version : vBulletin 3.6.5 Released



Jackbee
02-03-2007, 07:06 PM
JELSOFT SECURITY BULLETIN
http://www.vbulletin.com/
1st March 2007

* New vBulletin Versions Released: 3.5.8 and 3.6.5
* Additional Notes For vBulletin 3.6.5
* Your License Information
* Contact Us

---- NEW VBULLETIN VERSIONS RELEASED: 3.5.8 AND 3.6.5 ----

An exploit was recently reported which affects vBulletin versions 3.5.x and 3.6.x. Although the report is inaccurate and the published exploit does not work as claimed unless a highly unlikely set of circumstances exists, it has highlighted a potential security issue in these vBulletin versions.

Therefore, we have decided to release updated versions, these being vBulletin 3.5.8 and 3.6.5. We recommend that all customers running vBulletin 3.5.x or 3.6.x upgrade to the appropriate version or apply the supplied patch as soon as possible.

It is worth noting that in order to exploit the problem highlighted by the report, the attacking user must satisfy the following conditions:

* Must already have moderator privileges

* Must share the same IP address as an existing administrator who is currently logged in to the Admin Control Panel

* Must know the Alt-IP and user agent (exact browser identification) of the administrator OR must know the license number of the site being attacked

Given these requirements, the privilege escalation exploit claimed by the report is almost impossible to achieve.

We have posted instructions on the vBulletin.com announcements forum detailing procedures to upgrade or patch each affected version. Please follow the relevant links below.

Upgrade information and patch for 3.6.* series
http://www.vbulletin.com/go/365

Upgrade information and patch for 3.5.* series
http://www.vbulletin.com/go/358

---------- ADDITIONAL NOTES FOR VBULLETIN 3.6.5 -----------

As well as fixing the security flaw described above, version 3.6.5 also contains fixes for a number of minor bugs affecting Safari cookies, IE7 compatibility, infractions and recent FreeBSD PHP installations. Details of the bugs fixed can be found via the URL listed above.

Please also note that the original intention for vBulletin 3.6.5 had been to include a number of other bug fixes and improvements that have been reported since 3.6.4.

Unfortunately, the necessity of bringing out a version quickly to fix the exploit has meant that many of these fixes have not had sufficient time to be fully tested to the extent that we would like and have therefore been kept back for vBulletin 3.6.6.

We understand that this may be frustrating to our customers, and in order to minimize the inconvenience caused by this update, we have ensured that this vBulletin 3.6.5 release contains no template or phrase changes, which will hopefully make upgrading as painless as possible.

jarhead!
02-03-2007, 07:07 PM
I don't know what version I am on, so just going to keep the version

beachyboy11
02-03-2007, 07:11 PM
I don't know what version I am on, so just going to keep the version
If you don't know what version you're on, go on AdminCP and at the very top it says: current version you're on and the highest version available

jarhead!
02-03-2007, 07:20 PM
PFFT, this is old news, I had this ages ago

Latest version available: 3.6.5

PenguinFluid
02-03-2007, 07:26 PM
It's not old, I noticed it today too :|

It's not old

Drompo
02-03-2007, 07:43 PM
about time too. 3.6.4 had loads of bugs
