Go Back   Exetools > General > General Discussion


Thread Tools Display Modes
Old 01-10-2005, 00:15
SOLAR SOLAR is offline
Join Date: Aug 2004
Posts: 126
Rept. Given: 6
Rept. Rcvd 2 Times in 2 Posts
Thanks Given: 12
Thanks Rcvd at 6 Times in 6 Posts
SOLAR Reputation: 2
vBulletin 3.0.3 exploited, critical update

vBulletin 3.0.5

Critical Update

The discovery of a serious security vulnerability in versions of vBulletin 3 up to and including 3.0.4 has necessitated the immediate release of a version to plug the hole.

The vulnerability affects anyone running vBulletin 3 on PHP 4 with register_globals enabled in php.ini.

This is a CRITICAL update, and urge all affected customers to upgrade vBulletin with the utmost urgency.

vBulletin 3.0.5 includes all the updates recently released as part of vBulletin 3.0.4, including a long list of fixes for minor annoyances and bugs found since version 3.0.3.

If you are running vB 3.0.0, 3.0.1, 3.0.2, 3.0.3 or 3.0.4 and are unable to upgrade immediately, we recommend that you download the init.php file attached to this message and overwrite the init.php in the includes folder of your existing vBulletin installation. This will patch the flaw. If you are running a RC or Beta version of vB 3, you will need to upgrade to 3.0.5 now. Note that this version of init.php supercedes the init.php patch available with the 3.0.4 release.

Important Warning About Sensitive Data

Due to the nature of the vulnerability discovered in vBulletin 3, and as part of our ongoing effort to maximize security, we must assume that one or all of the vBulletin servers may have been compromised.

Therefore, we would STRONGLY RECOMMEND that any customers who may have submitted sensitive data; such as vBulletin admin control panel or server login details, to Jelsoft staff in the past should take steps to alter these details, so that any information that may have been accessed by an unauthorized party could not be used.

We would like to reassure our customers that Jelsoft keeps NO RECORD of credit card numbers used in transactions, making it impossible for these details to be discovered or abused.

Additionally, steps have been taken and are ongoing to ensure that any potentially leaked data does not contain sensitive data.

Security Issues in PHP 4.3.9, 5.0.2 and Older

As we have mentioned before, a security issue was detected in PHP versions up to and including 4.3.9 and 5.0.2. Updated versions have been released by the PHP team.

The internet is currently crawling with worms hunting for vulnerable servers, with many sites having fallen foul of these bugs already. We would therefore remind our customers to upgrade to the latest versions of PHP as soon as possible.

The updated PHP versions, which fix the vulnerability are:
PHP 4.3.10
PHP 5.0.3

Backing Up Your Forums

Please be sure to check your backups, that they are complete before continuing with an upgrade. We had reports that PHP was causing time out errors when creating the back up SQL, and this was causing for incomplete or corrupted backups. The safest way to do a backup is to use the mysqldump utility through SSH/Telnet, as it will not suffer from any such problems. Full instructions for backing up your database are available in the vBulletin 3 Manual.

go here for further details and get, if necessary, the init.php file.
3.0.5 Has been rlsed
Reply With Quote
Old 01-10-2005, 02:51
JMI JMI is offline
Join Date: Jan 2002
Posts: 1,627
Rept. Given: 5
Rept. Rcvd 199 Times in 99 Posts
Thanks Given: 0
Thanks Rcvd at 96 Times in 94 Posts
JMI Reputation: 100-199 JMI Reputation: 100-199

Don't spread this around too much. Aaron has already made the initial update suggested by vBulletin and we are installing the full upgrade at RCE Forums.

Reply With Quote

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
A CRITICAL Firefox Vuln - Violation and local file stealing via PDF reader TechLord General Discussion 3 08-15-2015 15:39
[Q]:writing vBulletin via MacOSX smo General Discussion 4 09-06-2004 22:28

All times are GMT +8. The time now is 02:34.

Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX
( 1998 - 2021 )