JELSOFT SECURITY BULLETIN
http://www.vbulletin.com/
1st March 2007
* New vBulletin Versions Released: 3.5.8 and 3.6.5
* Additional Notes For vBulletin 3.6.5
* Your License Information
* Contact Us
---- NEW VBULLETIN VERSIONS RELEASED: 3.5.8 AND 3.6.5 ----
An exploit was recently reported which affects vBulletin versions 3.5.x and
3.6.x. Although the report is inaccurate and the published exploit does not work
as claimed unless a highly unlikely set of circumstances exist, it has
highlighted a potential security issue in these vBulletin versions.
Therefore, we have decided to release updated versions, these being vBulletin
3.5.8 and 3.6.5. We recommend that all customers running vBulletin 3.5.x or
3.6.x upgrade to the appropriate version or apply the supplied patch as soon as
possible.
It is worth noting that in order to exploit the problem highlighted by the
report, the attacking user must satisfy the following conditions:
* Must already have moderator privileges
* Must share the same IP address as an existing administrator who is currently
logged in to the Admin Control Panel
* Must know the Alt-IP and user agent (exact browser identification) of the
administrator OR must know the license number of the site being attacked
Given these requirements, the privilege escalation exploit claimed by the report
is almost impossible to achieve.
We have posted instructions on the vBulletin.com announcements forum detailing
procedures to upgrade or patch each affected version. Please follow the
relevant links below.
Upgrade information and patch for 3.6.* series
http://www.vbulletin.com/go/365
Upgrade information and patch for 3.5.* series
http://www.vbulletin.com/go/358
---------- ADDITIONAL NOTES FOR VBULLETIN 3.6.5 -----------
As well as fixing the security flaw described above, version 3.6.5 also contains
fixes for a number of minor bugs affecting Safari cookies, IE7 compatibility,
infractions and recent FreeBSD PHP installations. Details of the bugs fixed can
be found via the URL listed above.
Please also note that the original intention for vBulletin 3.6.5 had been to
include a number of other bug fixes and improvements that have been reported
since 3.6.4.
Unfortunately, the necessity of bringing out a version quickly to fix the
exploit has meant that many of these fixes have not had sufficient time to be
fully tested to the extent that we would like and have therefore been kept back
for vBulletin 3.6.6.
We understand that this may be frustrating to our customers, and in order to
minimize the inconvenience caused by this update, we have ensured that this
vBulletin 3.6.5 release contains no template or phrase changes, which will
hopefully make upgrading as painless as possible.
---------------- YOUR LICENSE INFORMATION ----------------
You can use this information to log into the members' area to download
vBulletin, ImpEx and other vBulletin-related support materials:
Your Customer Number: 9999999999999999
If you have misplaced your customer password, you can request that it be re-sent
to your registered email address using the following form:
http://www.vbulletin.com/go/lostpw
The members' area is located here:
http://members.vbulletin.com/
-------------------- CONTACT US --------------------------
Please do not respond to this email directly. We will not receive your response.
Please use the links below.
Got a vBulletin technical query? Contact support:
http://www.vbulletin.com/go/techsupport
For all other queries, please visit this page:
http://www.vbulletin.com/go/contact
----------------------------------------------------------
This periodic email newsletter is delivered to all current vBulletin customers,
and contains information about new software versions and Jelsoft.com /
vBulletin.com web site features and content. If you have any questions or
comments about this mailing, please contact us via the links above.
This email sent to: ____
Copyright آ©2000-2006, Jelsoft Enterprises Limited