According to vBulletin.org and vBulletin.com, a bug has been reported that affects both vb 3.6.x and 3.5.x versions, and as a fast reaction to this bug, two new versions have been released, these versions are vBulletin 3.6.5 and vBulletin 3.5.8.
Although the bug reported can hardly affect forums and needs a lot of circumstances but it's adviced to upgrade now in order to make sure that your forum is safe.
The circumstances needed for this bug need the attacker to have:
- Must already have moderator privileges
- Must share the same IP address (or the number of IP octets specified in the Admin Control Panel for IP address matching) with an existing administrator who is currently logged in to the Admin Control Panel
- Must know the Alt-IP and user agent (exact browser identification) of the administrator
- OR must know the license number of the site being attacked
Given these requirements, the privilege escalation exploit claimed by the report is almost impossible to achieve.
And due to the early release, this version lacked some updates and fixes that were expected in vBulletin 3.6.5 but in the meanwhile it has a good number of fixes, which are:
Bugs Fixed in vBulletin 3.6.5
The Security FlawThe reported security flaw described in this announcement, which could potentially allow a SELECT query to be hijacked, has been addressed.
Safari CookiesA problem where users of the Apple browser Safari would be logged off the system prematurely when vBulletin runs on specific servers has been resolved.
[URL="http://www.vbulletin.com/forum/bugs36.php?do=view&bugid=1116"]More info...[/URL]
Internet Explorer 7 CompatabilityMuch has been said about Microsoft's decision to make the Javascript prompt() function throw a security warning whenever it is called. This change resulted in vBulletin's text editor system throwing security warnings whenever a user tried to insert an image or an email link. The use of prompt() for Internet Explorer 7 users has now been discontinued in favour of an alternative method of collecting user input.
[URL="http://www.vbulletin.com/forum/bugs36.php?do=view&bugid=1263"]More info...[/URL]
Additionally, improvements in Internet Explorer 7 mean that certain aspects of the vBulletin pop-up menu system, which were previously required to circumvent rendering issues, can now be bypassed. Most notable amongst these is the code that hides all <select> elements that would intersect with the menu when opened.
Fix for Infractions BugA problem where infraction expiration was not cleaned-up properly has been addressed.
[URL="http://www.vbulletin.com/forum/bugs36.php?do=view&bugid=1448"]More info...[/URL]
Workaround for a FreeBSD Regular Expression Error on LoginSome users running recent versions of PHP running on FreeBSD have encountered a bug in the regular expression engine that caused an error to be shown when logging in. We have worked around this problem. However, it may still appear in other areas, so we are trying to find a proper fix for the issue.
Updating your vBulletin to Fix the Potential Exploit
There are two ways in which you can fix the potential exploit in your version of vBulletin:
- Full Upgrade: The best way to fix the problem is to perform a full upgrade by downloading the complete 3.6.5 package from the [URL="http://members.vbulletin.com/"]vBulletin Members' Area[/URL] and following the regular [URL="http://www.vbulletin.com/docs/html/upgrade?manualversion=30602500"]upgrade instructions[/URL].
- Patch: A second option is to download the patch files discussed in this thread and upload them to your web server, overwriting the existing files. The patch is available from the [URL="http://members.vbulletin.com/patches.php"]Members' Area patch page[/URL] or you can find it attached to this thread.
Please note that vBulletin 3.6.5
requires at least
PHP 4.3.3 and
MySQL 4.0.16 or later.
vBulletin 3.6.5 - An early release
Linear Mode
